This Privacy Notice describes how Thomann.io GmbH (hereinafter referred to as “we” or “us”) processes and protects the data you provide us with when using our website in accordance with the General Data Protection Regulation (GDPR) and the relevant German data protection laws, in particular the German Federal Data Protection Act (BDSG).
The security of personal data such as name, address, telephone number or email, is a serious and important concern for our company. Therefore, we conduct our online activities in compliance with the respective statutory provisions relating to data protection and data security. Below, you can find the information we process.
The responsible authority within the meaning of the data protection regulations for all data processing through our website is:
Thomann.io, Nägelsbachstraße 33, 91052 Erlangen, Deutschland
In the event of any questions, comments, complaints or to exercise your rights as a data subject in connection with our Privacy Notice and the processing of your personal data by our websites, you can contact our Data Protection Officer directly by email (email@example.com). They will gladly take care of your data protection concerns.
As a principle, the protection of your personal data is of highest priority for us. You decide whether or not you wish to make such data known to us, for example when using our application form or making an email enquiry. Such information on your part is relevant for your enquiry, but you provide it on a voluntary basis. An exception to this rule is when prior consent cannot be obtained for practical reasons and the processing of data is permitted by law.
If we obtain the consent of the data subject to process their personal data, Article 6(1)(a) GDPR serves as the legal basis for the processing of personal data.
When processing personal data necessary for the performance of a contract to which the data subject is party, Article 6(1)(b) GDPR shall serve as the legal basis. This also applies to any processing required to perform pre-contractual measures.
If processing of personal data is necessary for compliance with a legal obligation to which we are subject, Article 6(1)(c) GDPR shall serve as the legal basis.
In the event that the vital interests of the data subject or of another natural person necessitate the processing of personal data, Article 6 (1)(d) GDPR shall serve as the legal basis.
If processing is necessary to safeguard the legitimate interests of our company or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR shall serve as the legal basis for processing.
Should we access your device and the information stored there or should we save information on your device as part of our processing (e.g. by using cookies), the primary legal basis is § 25(1)(1) TTDSG if we require your consent for this access, or § 25(2)(2) TTDSG if the access concerns processing that is technically absolutely necessary.
The data subject’s personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. Data may be stored beyond this if provisions have been made for this by the European or national legislator in Union regulations, laws or other rules to which the controller is subject. Data will also be blocked or deleted if a storage period prescribed by the standards mentioned above expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
In addition to the types of use described above, we will transfer your data to third parties that are involved in the processing of contracts or orders. Data will only be transmitted to the extent required in order to fulfil an existing contract with you or to process an enquiry. The legal basis for this is the fulfilment of the contract concluded with you or the initiation of a contract (Article 6(1)(b) GDPR).
We will also transmit personal data to third parties where we are required to do so by law. The legal basis in this instance is Article 6(1)(c) GDPR.
We welcome everybody to visit and use our website free of charge. When you visit our website, we record the following general usage data in order to assess which parts of our website you visit and how long you stay there:
This data is stored in log files for technical and administrative purposes as well as for IT security purposes.
The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR.
The temporary storage of IP addresses by the system is required in order to enable the delivery of the website to the user’s computer. To do this, the user’s IP address must be stored for the duration of the session.
Data is stored in log files to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. These purposes are also the basis for our legitimate interests in data processing pursuant to Article 6(1)(f) GDPR.
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. If data is stored in log files, this is the case after no more than thirty days. Further storage is possible. In this case, the users’ IP addresses are deleted or distorted, so that it is no longer possible to associate them with the calling client.
The collection of data in order to provide the website and the storage of the data in log files is essential for the operation of the website. Therefore the user cannot opt out.
Like many other commercial websites, we use the technology known as “cookies” to ensure your visit runs smoothly and so that you can use our website with all the technically necessary functions.
Cookies are text files that are stored in the Internet browser or come from the Internet browser on the user’s computer system. When a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a distinctive string that allows the browser to be uniquely identified when the website is visited again.
Cookies cannot read any information from your computer or interact with other cookies on your hard disk. However, cookies enable us to recognise you when you revisit our website.
Only so-called transient cookies are used on our website. These are essential for technical reasons in order to be able to deliver and display the website and to provide you with essential functions for its use.
Transient cookies are automatically erased when you close your browser. In particular, these include session cookies. These store a “session ID” with which various requests from your browser can be assigned to the joint session. This enables our website to recognise your computer when you return. Sessions cookies are erased when you close your browser.
We use transient cookies to make our websites more user-friendly. Some elements on our website require the browser to be identified even after you have moved to a different page. The following transient cookies are used:
The legal basis for processing personal data using technically necessary cookies is § 25(2)(2) TTDSG for the setting of such cookies on your device, as well as Article 6(1)(1)(f) GDPR, e.g. for any subsequently necessary processing on our systems.
The right to object is excluded for technically essential cookies as these are required to display the website and its contents and to make the functionalities of the website available to you.
The user data collected through technically necessary cookies is not used to create user profiles.
You can contact us via the email address provided on our website. In this case, we will process your personal data transmitted in the email.
No data is passed on to third parties in this context. The data is used exclusively for processing the conversation.
The legal basis for processing the data transmitted in the course of sending an email is Article 6 (1)(f) GDPR. If the purpose of the email is to conclude a contract, the additional legal basis for the processing shall be Article 6(1)(b) GDPR.
The personal data is only processed so that we can process the contact. This is also the basis for the required legitimate interest in the processing of data.
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. For the personal data sent by email, this is the case if the respective conversation with the user has ended. The conversation is deemed to be ended if it can be inferred from the circumstances that the relevant facts have been conclusively clarified.
If you subscribe to our company's newsletter, the data in the respective input mask will be transmitted to the controllers. The registration for our newsletter takes place in a so-called double opt-in procedure. This means that after registration, you will receive an e-mail in which you are asked to confirm your registration. This confirmation is necessary so that no one can register with third-party e-mail addresses. When registering for the newsletter, the user's IP address and the date and time of registration are stored. This serves to prevent misuse of the services or the e-mail address of the person concerned. The data is not passed on to third parties. An exception exists if there is a legal obligation to pass on the data. The data is used exclusively for sending the newsletter. The subscription to the newsletter can be cancelled by the data subject at any time. Likewise, consent to the storage of personal data can be revoked at any time. For this purpose, a corresponding link can be found in each newsletter. The legal basis for the processing of the data after registration for the newsletter by the user is, if the user has given his consent, Art. 6 para. 1 lit. a) DSGVO. The legal basis for sending the newsletter as a result of the sale of goods or services is Section 7 (3) UWG.
Description and purpose: We use rapidmail to send newsletters. The provider is rapidmail GmbH, Wentzingerstraße, 21, 79106 Freiburg, Germany. Among other things, rapidmail is used to organize and analyze the dispatch of newsletters. The data you enter for the purpose of receiving the newsletter is stored on rapidmail's servers in Germany. If you do not want any analysis by rapidmail, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. Furthermore, you can also unsubscribe from the newsletter directly on the website. For the purpose of analysis, the e-mails sent with rapidmail contain a so-called tracking pixel, which connects to the servers of rapidmail when the e-mail is opened. In this way, it can be determined whether a newsletter message has been opened. Furthermore, with the help of rapidmail, we can determine whether and which links in the newsletter message are clicked. All links in the e-mail are so-called tracking links, with which your clicks can be counted. Depending on the font with which the respective newsletter is designed, a connection to external servers such as Google Fonts takes place.
Legal basis: The legal basis for data processing is Art. 6 para. 1 lit. a) DSGVO.
Recipient: The recipient of the data is rapidmail GmbH.
Transmission to third countries: There is no transmission of data to third countries.
Duration: The data stored by us within the scope of your consent for the purpose of the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted from our servers as well as from the servers of rapidmail after you unsubscribe from the newsletter. Data stored by us for other purposes (e.g. e-mail addresses for the member area) remain unaffected by this.
Possibility of revocation: You have the possibility to revoke your consent to data processing with effect for the future at any time. The legality of the data processing operations already carried out remains unaffected by the revocation.
Further data protection information: For more details, please refer to the data security notices of rapidmail at: https://www.rapidmail.de/datensicherheit. For more details on the analysis functions of rapidmail, please refer to the following link: https://www.rapidmail.de/wissen-und-hilfe
We have included an application form on our website that you can use to apply online for vacancies advertised by us. You can also use the application form to upload your application documents and send them to us, specifying the data relevant to your application.
We process the data you provide to us when you submit the application form in order to check your suitability for the position and to conduct the application process.
We only process information that is essential for the specific application and its completion.
The categories of personal data processed include the data you voluntarily provide to us with your application, such as first name and surname, as well as your contact details (private address, (mobile) phone number and email address). This may also include special categories of personal data such as your religious affiliation if you have indicated this, for example, in your curriculum vitae.
The processing is carried out primarily for the purpose of handling the application process and initiating an employment relationship, although this does not result in any right to the conclusion of such an employment relationship. The primary legal basis for the processing is Article 6(1)(b) GDPR in conjunction with § 26(1) BDSG.
If special categories of personal data are processed in accordance with Article 9(1) GDPR, this is done exclusively in order to process your application and for the subsequent selection procedure within the scope of the application process. The legal basis for this is Article 9(2)(b) GDPR.
If we wish to process your personal data for a purpose not mentioned above, we will inform you of this in advance.
Once you have applied for an advertised position, only the HR department and the department that advertised the position will have access to your data, unless you have expressly consented to your data being passed on to other recipients. If you have submitted a speculative application, your details will be made available to the departments whose vacancies clearly match your applicant profile.
To conduct the application process, we use the application tool provided by our technology partner Recruitee B.V., Keizersgracht 313, 1016 EE Amsterdam, Netherlands (“Recruitee”). Recruitee provides the application form for integration into our website and electronically supports the online application process and the internal management of applications. We have contractually obligated Recruitee to comply with data protection requirements via a corresponding data protection agreement on commissioned data processing.
In the event of employment, all data will be transferred to your personnel file or to our personnel information system. If your application is unsuccessful, your data will be completely deleted after six months or stored in our applicant pool for a period of two years if you have separately agreed to this.
If your personal data is processed, you are a data subject as defined in the GDPR and you have the following rights with regard to the controller:
Information, rectification, restriction and deletion You have the right to access the data stored about you and information concerning its origin, recipient and the purpose of data processing by our website free of charge at any time. In addition, you have the right to rectify, delete or restrict the processing of your personal data, provided the legal requirements to do so are met. Details can be found in the relevant statutory provisions, Articles 15 to 19 GDPR.
Right to data portability You have the right to receive the personal data concerning you that you have provided to us as the controller, in a structured, commonly used and machine-readable format. We can comply with this right by providing a csv export of the customer data processed about you.
Right to information If you have exercised your right to rectification, deletion or restriction of processing against the controller, the controller is obliged to notify all recipients to whom your personal data has been disclosed of this rectification or deletion of data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort. You have the right to be informed about these recipients by the controller.
Right to object You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you that is based upon point (e) or (f) of Article 6(1) GDPR, including profiling based upon those provisions. The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing that override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
Revocability of declarations of consent under data protection law You may also revoke your consent with regard to us at any time with effect for the future using the contact details below.
Right to lodge a complaint with a supervisory authority Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.
We may update this Privacy Notice from time to time. Any changes will be displayed on the website. If you have any comments or questions regarding this Privacy Notice or any other guidelines on this website, please contact us in writing.
Work from home or any of our offices. Our team is 100% remote and will stay this way. You need a stable internet connection and your laptop. Currently our way of work supports the central European timezone +/-2h.
Our Thomann headquarters. Just a few minutes’ drive outside of Bamberg. Come by to visit our shop or meet with colleagues outside of tech & data.
Our thomann.io office in the heart of Berlin. Easily reachable at Rosenthaler Platz. Perfect for workshops and team building.
Our thomann.io office in Nuremberg's metropolitan area. Just a few minutes by foot from Erlangen station. Nice, quiet location to do some deep work.
Nov 10, 2022 - Markus Melber
The right amount of spice makes our solutions tasty
Sep 21, 2022 - Frederik Heins
Finding your next team member by mapping your team’s skills and visualizing what is currently lacking.
Jul 13, 2022 - Oliver Dolgener
Developing the most appic Thomann App while hunting for 5-star reviews and perfect burndown charts!
Jun 30, 2022 - Heiko Terfloth
Bad jokes, burgers, and developers... Did someone call us?
May 13, 2022 - Ralph Cibis
We went fully cyberpunk! Our branding community's last side and heart project.
Jan 3, 2022 - David Beuchert
My provoking approach wooing for more in-house development.
Dec 8, 2021 - Nadine
Why we redesigned our shop - and why purple's the new blue.
Oct 18, 2021 - Julia Manger
Summer 2021 - Home office, lockdown, a fourth wave and: huh?! An Open Space!
Aug 6, 2021 - Stefan Stammler
Someone needs to bring our shop online. This is our mission.
Jul 7, 2021 - Ralph Cibis
We are the Thomann Web Team. We create thomann.de and the Thomann App.
Jan 27, 2021 - Nadine
The idea behind moving cards - with a crispy epilogue.
Sep 7, 2020 - Francesco
Our developer Francesco provides you with behind the scenes insights
Jul 14, 2020 - Thomas Tischner
Our Sysadmin Thomas tells you from his day-to-day work
Nov 4, 2019 - Domi
This year under the Slogan "ready for our collective take-off".