Data protection and legal notice
Carl Bechstein Stiftung
C/o C. Bechstein Pianoforte AG
Kantstrasse 17, 10623 Berlin, Germany
Phone: + 49 30 22 60 55 93 23
Fax: + 49 30 22 60 55 92 90
Tax identification number: 27/643/05726
The Foundation is legally represented by Karl Schulze (chairman of the board), Stefan Freymuth, Berenice Küpper and Gregor Willmes.
Types of data processed
– Identifying data (e.g. name, address)
– Contact details (e.g. e-mail address, telephone number)
– Content data (e.g. text input, photographs, videos)
– Usage data (e.g. websites visited, interest in content, access time)
– Communications data/metadata (e.g. device data, IP address)
Purpose of processing
– Providing the online presence with its functions and content
– Answering contact inquiries and communicating with users
– Implementing security measures
– Marketing and audience measurement
1 Relevant legal basis
– GDPR Article 6 Paragraph 1 (a) and Article 7 – Obtaining consent;
– GDPR Article 6 Paragraph 1 (b) – Processing for the provision of our services and execution of contractual obligations as well as for answering inquiries;
– GDPR Article 6 Paragraph 1 (c) – Processing for compliance with our legal obligations;
– GDPR Article 6 Paragraph 1 (f) – Processing in the pursuit of our legitimate interests.
3 Security measures
3.1 In accordance with GDPR Article 32, we shall implement appropriate technical and organizational measures to ensure a level of security commensurate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. Such measures shall in particular ensure the confidentiality, integrity and availability of data by controlling physical access to the data as well as access to and input, transmission, security and non-merging of the data. Furthermore, we have established procedures to ensure that data subjects can exercise their rights, and to guarantee proper deletion of data and reaction to endangerment of data. In addition, we take the protection of personal data into account as we develop or select hardware, software and procedures using appropriate technology design and configurations (GDPR Article 25).
3.2 The security measures include in particular the encryption of data transfer between your browser and our server.
4 Cooperation with processors and third parties
4.1 If, in the course of our processing, we disclose data to companies or individuals (processors or third parties), transfer data to them or otherwise grant them access to the data, this shall take place only if you have consented, or if a legal obligation provides for this, or on the basis of legal permission (data transfer to payment service providers as required for contract fulfillment in accordance with GDPR Article 6 Paragraph 1 (b), etc.), or on the basis of pursuing our legitimate interests (commission to agents, hosting-service providers, etc.).
4.2 If we commission third parties with the processing of data on the basis of an order processing contract, this is done on the basis of GDPR Article 28.
5 Data transfers to third countries
If we process data in a third country (i.e. outside the European Union or the European Economic Area) or if this occurs because we are using third-party services or after we disclose or transfer data to third parties, it is done in order to fulfill our contractual/pre-contractual obligations, or on the basis of your consent, a legal obligation or our legitimate interests. Subject to legal or contractual permissions, we process or leave the data in a third country only if the special prerequisites specified in GDPR Article 44 ff. are given. This is the case, for example, when the processing complies with a data protection procedure approved by the EU such as the “Privacy Shield” developed in the US, or with officially recognized special contractual obligations called “standard contractual clauses”.
6 Rights of data subjects
6.1 In accordance with GDPR Article 15, you have the right to obtain confirmation as to whether or not your personal data are being processed, to access your data and further information, and to request a copy of the data.
6.2 In accordance with GDPR Article 16, you have the right to request additions to your personal data and to correct them if they are inaccurate.
6.3 In accordance with GDPR Article 17, you have the right to demand that your personal data be deleted immediately or, alternatively, to demand a restriction on the processing of the data in accordance with GDPR Article 18.
6.4 In accordance with GDPR Article 20, you have the right to receive the personal data which you have provided to us and to transmit them to other parties responsible for data processing.
6.5 In accordance with GDPR Article 77, you have the right to lodge a complaint with the competent supervisory authority.
7 Right of withdrawal
In accordance with GDPR Article 7 Paragraph 3, you have the right to withdraw consents granted; your withdrawal of consent is not retroactive, however.
8 Right of objection
In accordance with GDPR Article 21, you can object to future processing of your personal data at any time. The objection may be lodged in particular against processing for direct marketing purposes.
9 Deletion of data
9.2 In accordance with German law, documents such as inventories, books of account, opening balance sheets, annual financial statements, commercial letters, accounting documents, etc. shall be kept for six years (§257 Abs. 1 HGB), while documents such as books, records, management reports, accounting and tax documents, commercial and business letters, etc. shall be kept for ten years (§147 Abs. 1 AO).
10.1 We have contracted the following hosting services for the purpose of operating our online presence: infrastructure and platform services, computing capacity, storage space, database services, security services, technical maintenance.
10.2 We, or our provider of hosting services, process identifying data, contact details, content data, contract data, usage data, metadata and communications data from actual and potential customers and visitors to our online presence; the data are processed in accordance with GDPR Article 28 (“Processor”) on the basis of our legitimate interest in efficient and secure provision of our online presence in accordance with GDPR Article 6 Paragraph 1 (f).
11 Services performed in accordance with the statutes of the Foundation
11.1 In accordance with GDPR Article 6 Paragraph 1 (b), we process the data of Foundation members and sponsors, as well as those of persons who have expressed an interest in the Foundation, to deliver services to them and/or receive services or benefits from them within the scope of business relationships. Moreover, we also process the data of concerned data subjects in accordance with GDPR Article 6 Paragraph 1 (f) for various tasks (administration, public relations, etc.) on the basis of our legitimate interests.
11.2 The manner, scope, purpose and necessity of data processing result from the related contractual relationship. The processed data include identifying data (name, address, etc.), contact details (e-mail address, phone number, etc.), and contract data (delivered services, communicated contents and information, names of contacts, etc.).
11.3 We erase data that are no longer necessary for fulfillment of services in accordance with the statutes of the Foundation. Necessity is determined on the basis of the various tasks and contractual obligations. Business data are not erased as long as they are necessary for business processing or to meet guarantee and/or statutory liability requirements. We review data every three years with regard to continued necessity of storage; moreover, we store data according to statutory archiving obligations.
12 Establishment of contact
12.1 The contact data that you enter via e-mail or the contact form are processed in accordance with GDPR Article 6 Paragraph 1 (b).
12.2 We delete the inquiries once they are no longer necessary. We review user data every two years with regard to continued necessity of storage. If a statutory archiving obligation exists, the data are deleted after the obligation expires (at the end of six years for commercial data and ten years for tax data).
13 Administration, office organization and contact management
13.1 We process data within the scope of our administration, organization and accounting tasks and in order to comply with legal obligations, such as archiving. These are the same data that we process in the course of providing our contractual services, as outlined above. The bases for processing are GDPR Article 6 Paragraph 1 (c) and (f). We process data from actual and potential customers, business partners and visitors to our website. The purpose of and our interest in the processing lies in the administration, financial accounting, office organization, and archiving of data; in other words, tasks that serve the maintenance of our business activities and the provision of our services. The deletion of data related to our communication and contractual duties is performed in accordance with the statements related to these activities.
13.2 We disclose or transfer data to tax authorities and to partners such as auditors, tax consultants, fee offices, payment service providers, etc.
14 Access data and log files
14.1 On the basis of our legitimate interests as defined in GDPR Article 6 Paragraph 1 (f), every time the server that hosts our website is accessed, corresponding data are written in log files. The server log files include the following data: address of the accessed web page, file and transferred data volume, date and time of access, notification of successful access, browser type and version, operating system, referrer URL (the previously visited page), IP address, and Internet service provider.
14.2 The log files are stored for a maximum of seven days for security reasons (e.g. to investigate misuse or fraud) and then deleted. Data that are required to be stored longer for evidentiary purposes are excluded from deletion until the incident concerned has been resolved.
15 Presence in social media
15.1 On the basis of our legitimate interests as defined in GDPR Article 6 Paragraph 1 (f), we are active on social media for communication with actual and potential customers and users of our online services in order to provide them with information on our services. When accessing such social media, the terms and conditions and the data processing guidelines of their respective operators apply.
16 Cookies and audience measurement
16.1 “Cookies” are small files that are stored on your computer. Various data can be stored in cookies. A cookie is primarily used to gather information about you or the device you are using during or after your visit to an online presence.
16.2 Temporary cookies, also called “session” or “transient cookies,” are deleted after you leave an online presence and close the browser. Permanent or persistent cookies, on the other hand, remain stored even after the browser is closed. Third-party cookies are installed on your device without the involvement of the person responsible for our online presence.
16.4 If you do not wish cookies to be stored on your computer, we invite you to configure your browser settings accordingly. Stored cookies can be deleted using the browser settings. The exclusion of cookies may restrict the proper functioning of our online presence, however.
17 Google Analytics
17.2 Google is certified under the Privacy Shield Agreement (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active), which constitutes a guarantee to comply with European data protection law.
17.3 Google uses the data on our behalf to evaluate the activity of users of our online presence, to compile activity reports and to provide us with further services related to the use of our online presence and other Internet services. Pseudonymized user profiles can be created from the processed data.
17.4 We use Google Analytics only with IP anonymization enabled. This means that Google truncates the IP address of users within member states of the European Union or in other states that are signatories of the Agreement on the European Economic Area. In a few exceptional cases, the full IP address is transmitted to a Google server in the USA and truncated there.
17.5 The IP address transmitted by the user’s browser is not merged with other Google data. Users can prevent the storage of cookies by configuring their browser settings accordingly; moreover, they can prevent Google from collecting and processing their usage data by downloading and installing the browser plug-in available at the following address: tools.google.com/dlpage/gaoptout.
As an alternative to the browser plug-in or within browsers on mobile devices, please click on the following link to set an opt-out cookie that will prevent future collection by Google Analytics within this website (this opt-out cookie only works in this browser and only for this domain; if you delete your cookies in this browser, you must click this link again): Disable Google Analytics.
17.7 In addition, personal data are rendered anonymous or deleted after a period of fourteen months.
18 Friends of the Carl Bechstein Foundation/Newsletter
18.1 You may join the “Friends of the Carl Bechstein Foundation” association via our website. Upon registration, you will receive a newsletter with information and invitations to events at irregular intervals. Information is provided below about our newsletter (subscribing, content, sending, evaluation statistics, right of objection). By subscribing to the newsletter, you agree to receive it, and agree to the procedures described below. By becoming a member of the association you agree to receive the newsletter and to the procedures described below.
18.2 Contents of the newsletter – We send our newsletter, e-mails and other electronic notifications containing invitations and information (hereinafter referred to as “newsletter”) only with the consent of the recipient or with legal permission. Our newsletter contains information about the Foundation’s activities and events.
18.3 Subscription data – To subscribe to the newsletter, the only data required is your e-mail address. Optionally, you may also enter your name, so we can address the newsletter to you personally.
18.4 Double opt-in and logging – To subscribe to the newsletter, you need to send us an e-mail that indicates the address at which you wish to receive the newsletter. A log is kept of your subscription as proof in accordance with legal requirements. The stored subscription data include the time of login and of confirmation.
18.5 Cancellation – You can cancel your registration to the association and your subscription to the newsletter at any time. You just need to send us an e-mail from the address at which you receive the newsletter. Subsequently, we will delete your data from our mailing list.
19 Newsletter – Sending service provider
19.1 The newsletter is sent via MailChimp, a newsletter distribution platform from Rocket Science Group LLC, 675 Ponce de Leon Ave NE #5000, Atlanta, GA 30308, USA. The data protection regulations of the sending service provider can be viewed here: mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield Agreement (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active), which constitutes a guarantee to comply with European data protection law.
19.2 The sending service provider may use pseudonymized data (i.e. without allocation to a user) to optimize or improve its own services (statistics, sending and presentation of the newsletter, determination of the destination countries, etc.). However, the sending service provider does not use the data from the recipients of our newsletter to contact said recipients, nor does it transfer their data to third parties.
20 Newsletter – Audience measurement
The newsletters contain what is called a “web beacon”; this is a pixel-sized file that is retrieved from the server of the sending service provider when you open the newsletter. Simultaneously, technical information (browser, operating system) as well as your IP address and the time of retrieval are collected. These technical and target-group data (retrieval time and location, the latter determined from the IP address) are used to improve the service. The statistical data also include whether the newsletter is opened, when it is opened and which links you clicked. Technologically, this information can be matched to the individual newsletter recipients. It is not our intention, however, nor that of the sending service provider, to monitor individual users. The evaluations simply help us to learn about the reading habits of the users and to adapt our contents to them, or to send different contents according to their interests.
20.1 Both the sending of the newsletter and the audience measurement are based on the consent of the recipient in accordance with GDPR Article 6 Paragraph 1 (a) and GDPR Article 7 in conjunction with §7 Abs. 2 Nr. 3 UWG and the legal permission in accordance with §7 Abs. 3 UWG.
20.2 The registration procedure is recorded on the basis of our legitimate interests in accordance with GDPR Article 6 Paragraph 1 (f) and serves as proof of consent to receipt of the newsletter.
21 Newsletter – Cancellation
Newsletter recipients can cancel their subscription to our newsletter at any time, i.e. revoke their consent. There is a link for cancellation at the end of each newsletter. Cancellation also revokes your agreement to the audience measurement. A separate revocation of the audience measurement is unfortunately not possible; the only way to revoke consent to the audience measurement is to cancel the entire newsletter subscription. With the cancellation of the newsletter your personal data are deleted, unless their storage is legally required or justified for a particular purpose, in which case processing is limited to that purpose. In particular, we may store the e-mail addresses of cancelled subscriptions for up to three years on the basis of our legitimate interests before we delete them in order to be able to prove previously granted consent. Processing of these data is limited to the purpose of a possible defense against claims. You may at any time request your data be deleted, provided that you confirm your previous consent at the same time.
22 Integration of third-party services and content
22.1 On the basis of our legitimate interests in the analysis, optimization and economic operation of our online presence as defined in GDPR Article 6 Paragraph 1 (f), we integrate content and/or services from third parties into our online presence, such as videos and fonts (hereinafter referred to as “content”). This entails the user’s IP address being supplied to the third-party content provider as this is necessary for sending the content to the user’s browser. In other words, the IP address is required for the display of this content. We endeavor to present only those contents that are supplied by providers who use these IP addresses only for the delivery of the specific content. Third-party providers may also use pixel tags (i.e. invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags can be used to evaluate information such as the amount of visitor traffic on our website. Cookies on users’ devices may store pseudonymized data (browser, operating system, referring websites, visiting time and other information concerning the use of our online presence) and be merged with information from other sources.
22.2 Below is a list of third-party content and service providers with links to their privacy policies, which contain further information on the processing of data and, as mentioned above, on how to exercise your right to object (opt-out options):