C. Bechstein Pianofortefabrik Aktiengesellschaft is responsible for this website. C. Bechstein Pianofortefabrik AG is legally represented by Stefan Freymuth (chairman of the executive board), Ralf Dewor, and Werner Albrecht.
Headquarters: Berlin, Germany
Registered with the Charlottenburg commercial register under no. HRB 61824
Tax identification number: DE136567813
C. Bechstein Pianofortefabrik Aktiengesellschaft, im stilwerk, Kantstrasse 17, 10623 Berlin, Germany
Phone: + 49 30 22 60 55 912
Fax: + 49 30 22 60 55 915
Types of data processed
- Identifying data (e.g. name, address)
- Contact details (e.g. e-mail address, telephone number)
- Content data (e.g. text input, photographs, videos)
- Usage data (e.g. websites visited, interest in content, access time)
- Communications data/metadata (e.g. device data, IP address)
Purpose of processing
- Providing the online presence with its functions and content
- Answering contact inquiries and communicating with users
- Implementing security measures
- Marketing and audience measurement
1. Relevant legal basis
- GDPR Article 6 Paragraph 1 (a) and Article 7
– Obtaining consent;
- GDPR Article 6 Paragraph 1 (b)
– Processing for the provision of our services and execution of contractual obligations as well as for answering inquiries;
- GDPR Article 6 Paragraph 1 (c)
– Processing for compliance with our legal obligations;
- GDPR Article 6 Paragraph 1 (d)
– Processing to protect the vital interests of the data subject or other natural person;
- GDPR Article 6 Paragraph 1 (f)
3. Security measures
3.1. In accordance with GDPR Article 32, we shall implement appropriate technical and organizational measures to ensure a level of security commensurate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. Such measures shall in particular ensure the confidentiality, integrity and availability of data by controlling physical access to the data as well as access to and input, transmission, security and non-merging of the data. Furthermore, we have established procedures to ensure that data subjects can exercise their rights, and to guarantee proper deletion of data and reaction to endangerment of data. In addition, we take the protection of personal data into account as we develop or select hardware, software and procedures using appropriate technology design and configurations (GDPR Article 25).
3.2. The security measures include in particular the encryption of data transfer between your browser and our server.
4. Cooperation with processors and third parties
4.1. If, in the course of our processing, we disclose data to companies or individuals (processors or third parties), transfer data to them or otherwise grant them access to the data, this shall take place only if you have consented, or if a legal obligation provides for this, or on the basis of legal permission (data transfer to payment service providers as required for contract fulfillment in accordance with GDPR Article 6 Paragraph 1 (b), etc.), or on the basis of pursuing our legitimate interests (commission to agents, hosting-service providers, etc.).
4.2. If we commission third parties with the processing of data on the basis of an order processing contract, this is done on the basis of GDPR Article 28.
5. Data transfers to third countries
If we process data in a third country (i.e. outside the European Union or the European Economic Area) or if this occurs because we are using third-party services or after we disclose or transfer data to third parties, it is done in order to fulfill our contractual/pre-contractual obligations, or on the basis of your consent, a legal obligation or our legitimate interests. Subject to legal or contractual permissions, we process or leave the data in a third country only if the special prerequisites specified in GDPR Article 44 ff. are given. This is the case, for example, when the processing complies with a data protection procedure approved by the EU such as the “Privacy Shield” developed in the US, or with officially recognized special contractual obligations called “standard contractual clauses”.
6. Rights of data subjects
6.1. In accordance with GDPR Article 15, you have the right to obtain confirmation as to whether or not your personal data are being processed, to access your data and further information, and to request a copy of the data.
6.2. In accordance with GDPR Article 16, you have the right to request additions to your personal data and to correct them if they are inaccurate.
6.3. In accordance with GDPR Article 17, you have the right to demand that your personal data be deleted immediately or, alternatively, to demand a restriction on the processing of the data in accordance with GDPR Article 18.
6.4. In accordance with GDPR Article 20, you have the right to receive the personal data which you have provided to us and to transmit them to other parties responsible for data processing.
6.5. In accordance with GDPR Article 77, you have the right to lodge a complaint with the competent supervisory authority.
7. Right of withdrawal
In accordance with GDPR Article 7 Paragraph 3, you have the right to withdraw consents granted; your withdrawal of consent is not retroactive, however.
8. Right of objection
In accordance with GDPR Article 21, you can object to future processing of your personal data at any time. The objection may be lodged in particular against processing for direct marketing purposes.
9. Deletion of data
9.2. In accordance with German law, documents such as inventories, books of account, opening balance sheets, annual financial statements, commercial letters, accounting documents, etc. shall be kept for six years (§257 Abs. 1 HGB), while documents such as books, records, management reports, accounting and tax documents, commercial and business letters, etc. shall be kept for ten years (§147 Abs. 1 AO).
10.1. We have contracted the following hosting services for the purpose of operating our online presence: infrastructure and platform services, computing capacity, storage space, database services, security services, technical maintenance.
10.2. We, or our provider of hosting services, process identifying data, contact details, content data, contract data, usage data, metadata and communications data from actual and potential customers and visitors to our online presence; the data are processed in accordance with GDPR Article 28 (“Processor”) on the basis of our legitimate interest in efficient and secure provision of our online presence in accordance with GDPR Article 6 Paragraph 1 (f).
11. Performance of contractual services
11.1. In accordance with GDPR Article 6 Paragraph 1 (b), we process identifying data (names, addresses, contact details, etc.) and contract data (services used, names of contact persons, payment information, etc.) for fulfilling our contractual obligations and services. The entries marked as obligatory in online forms are required for entering into the contract.
11.2. When you use our online services, we store your IP address and the time of your visit. These data are stored on the basis of our legitimate interests as well as in the interest of safeguarding you from any unauthorized use of the data. These data are not transferred to third parties unless such transfer is necessary for the pursuit of our claims or to meet a legal obligation in accordance with GDPR Article 6 Paragraph 1 (c).
11.3. We process usage data (pages of our online presence you have visited, interest shown in our products, etc.) and the data entered in contact forms to develop a user profile that fulfills advertising purposes and enables us to display product information based on your activity.
11.4. Data are deleted after the expiry of statutory warranty obligations and comparable obligations; every three years, we check whether data may be deleted or not in accordance with the statutory obligations (six-year storage for commercial data and ten-year storage for tax data).
12. Establishment of contact
12.1. The contact data that you enter via e-mail or the contact form are processed in accordance with GDPR Article 6 Paragraph 1 (b).
12.2. User information may be stored in our customer relationship management (CRM) system or comparable inquiry management systems.
12.3. We delete the inquiries once they are no longer necessary. We review user data every two years with regard to continued necessity of storage. If a statutory archiving obligation exists, the data are deleted after the obligation expires (at the end of six years for commercial data and ten years for tax data).
13. Administration, office organization and contact management
13.1. We process data within the scope of our administration, organization and accounting tasks and in order to comply with legal obligations, such as archiving. These are the same data that we process in the course of providing our contractual services, as outlined above. The bases for processing are GDPR Article 6 Paragraph 1 (c) and (f). We process data from actual and potential customers, business partners and visitors to our website. The purpose of and our interest in the processing lies in the administration, financial accounting, office organization, and archiving of data; in other words, tasks that serve the maintenance of our business activities and the provision of our services. The deletion of data related to our communication and contractual duties is performed in accordance with the statements related to these activities.
13.2. We disclose or transfer data to tax authorities and to partners such as auditors, tax consultants, fee offices, payment service providers, etc.
13.3. Furthermore, we store information about suppliers, event organizers and other business partners on the basis of our business interests, e.g. for making contact at a later date. Such data are mainly of internal interest and we store them permanently.
14. Business analyses and market research
14.1. In order to operate our business efficiently, to identify market trends and to discern customer and user preferences, we analyze the data available to us regarding contracts, inquiries, business transactions, etc. We process metadata and identifying, communication, contract, payment and usage data of actual and potential customers, business partners and visitors to our online presence in accordance with GDPR Article 6 Paragraph 1 (f).
14.2. The analyses are carried out for the purpose of economic evaluations, marketing and market research. In these analyses, we can consider the profiles of registered users and in particular their purchases. The analyses help us improve the user interface, optimize our online presence and increase our economic efficiency. They are exclusively used by us and not disclosed to third parties, with the exception of those made using anonymous and aggregated data.
14.3. You can request that your personal data from an analysis or your profile be deleted or rendered anonymous; such data are deleted two years after the conclusion of a contract in any case. Macroeconomic analyses and general trend determinations are rendered anonymous wherever possible.
15. Data security in job application procedures
15.1. We process job application data only for the purpose, and in the context, of the application procedure. The processing, necessary for fulfilling our (pre)contractual obligations or performed within the scope of legal procedures, complies with the legal requirements (GDPR Article 6 Paragraph 1 (b) and (f) plus, in Germany, §26 BDSG).
15.2. The application procedure requires that applicants provide us with their data. These are marked in the online form or the job offer and generally include identifying data, postal and contact addresses, cover letter, curriculum vitae and certificates. Applicants may voluntarily provide additional information.
15.4. The data that belong to special categories as defined in GDPR Article 9 Paragraph 1 (ethnic origin, health data such as “severely disabled”, etc.) and are voluntarily communicated within the scope of the application procedure are processed in accordance with GDPR Article 9 Paragraph 2 (b). If we request data that belong to special categories as defined in GDPR Article 9 Paragraph 1 (for example health data relevant to the tasks to be performed within the scope of the job), they are processed in accordance with GDPR Article 9 Paragraph 2 (a).
15.5. Applications can be sent via e-mail. Please note, however, that e-mail is not generally transferred in encrypted form, and that you must personally ensure that your data are encrypted. We cannot accept liability for the transmission path between you and our server, and therefore recommend that applications be sent by post. The option of sending applications by post is still available to all applicants.
15.6. If the application succeeds and you are hired, we can further process your data for the purpose of employment. If, on the other hand, your application is not successful, your data will be deleted. Your data are also deleted if you withdraw the application, which you are entitled to do at any time.
15.7. Unless you withdraw the relevant consent with a legitimate reason, your application data are not deleted until after a period of six months has elapsed, so that we can answer any follow-up questions regarding the application and meet our obligations under the General Act on Equal Treatment. Invoices for any reimbursement of travel expenses are archived in accordance with tax regulations.
16. Access data and log files
16.1. On the basis of our legitimate interests as defined in GDPR Article 6 Paragraph 1 (f), every time the server that hosts our website is accessed, corresponding data are written in log files. The server log files include the following data: address of the accessed web page, file and transferred data volume, date and time of access, notification of successful access, browser type and version, operating system, referrer URL (the previously visited page), IP address, and Internet service provider.
16.2. The log files are stored for a maximum of seven days for security reasons (e.g. to investigate misuse or fraud) and then deleted. Data that are required to be stored longer for evidentiary purposes are excluded from deletion until the incident concerned has been resolved.
17. Presence in social media
17.1. Our online presence includes various accounts within social networks and platforms, through which we communicate with active and potential customers, and provide information about our services.
17.2. Your personal data may be processed outside the European Union. This could result in hazards; for example, it might be more difficult for you to exercise your rights. Please note that US service providers participating in Privacy Shield have undertaken to comply with the data privacy standards applied in the EU.
17.3. Furthermore, your data are generally processed for market research and advertising purposes. For example, a user profile may be created based on your behavior and the range of interests it indicates. The user profile may in turn be used, for example, to place advertisements, both on the social platforms and elsewhere, that are presumed to correspond to your interests. For such purposes, cookies that contain data on your behavior and presumed interests are usually stored on your computer. Furthermore, data may be stored in your user profile independently of the devices used. This applies in particular when you are logged on to a social platform.
17.4. Your personal data are processed on the basis of our legitimate interest in providing information and communicating with you in accordance with GDPR Article 6 Paragraph 1 (f). Moreover, GDPR Article 6 Paragraph 1 (a) and GDPR Article 7 apply when the provider of the social platform asks you to consent to data processing (e.g. by ticking a checkbox or clicking on a button).
17.5. Please follow the links below for details on the processing of your data by the social platforms and your right to object (opt-out options).
17.6. Requests for information and assertions of your rights are most effective when made directly to the providers of social platforms. Only they have access to your personal data and can directly take appropriate steps and provide information. But do not hesitate to contact us if you need further assistance.
18. Cookies and audience measurement
18.1. “Cookies” are small files that are stored on your computer. Various data can be stored in cookies. A cookie is primarily used to gather information about you or the device you are using during or after your visit to an online presence.
18.2. Temporary cookies, also called “session” or “transient cookies,” are deleted after you leave an online presence and close the browser. Permanent or persistent cookies, on the other hand, remain stored even after the browser is closed. Third-party cookies are installed on your device without the involvement of the person responsible for our online presence.
18.4. If you do not wish cookies to be stored on your computer, we invite you to configure your browser settings accordingly. Stored cookies can be deleted using the browser settings. The exclusion of cookies may restrict the proper functioning of our online presence, however.
19. Google Analytics
19.2. Google is certified under the Privacy Shield Agreement (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active), which constitutes a guarantee to comply with European data protection law.
19.3. Google uses the data on our behalf to evaluate the activity of users of our online presence, to compile activity reports and to provide us with further services related to the use of our online presence and other Internet services. Pseudonymized user profiles can be created from the processed data.
19.4. Thanks to Google Analytics, we display the advertisements placed by Google and its partners only to those users who have shown an interest in our online presence or match certain criteria (interest in certain topics or products, as determined from the web pages visited) which we previously transmitted to Google. With the help of this procedure, called “remarketing” or “Google Analytics audiences”, we ensure that our ads correspond to the interests of the users and do not annoy them.
19.5. We use Google Analytics only with IP anonymization enabled. This means that Google truncates the IP address of users within member states of the European Union or in other states that are signatories of the Agreement on the European Economic Area. In a few exceptional cases, the full IP address is transmitted to a Google server in the USA and truncated there.
19.6. The IP address transmitted by the user’s browser is not merged with other Google data. Users can prevent the storage of cookies by configuring their browser settings accordingly; moreover, they can prevent Google from collecting and processing their usage data by downloading and installing the browser plug-in available at the following address: https://tools.google.com/dlpage/gaoptout?hl=en.
As an alternative to the browser plug-in or within browsers on mobile devices, please click on the following link to set an opt-out cookie that will prevent future collection by Google Analytics within this website (this opt-out cookie only works in this browser and only for this domain, if you delete your cookies in this browser, you must click this link again): Disable Google Analytics.
19.8. In addition, personal data are rendered anonymous or deleted after a period of fourteen months.
20. Google marketing/remarketing services
20.1. On the basis of our legitimate interests in the analysis, optimization and economic operation of our online presence as defined in GDPR Article 6 Paragraph 1 (f), we use Google marketing and remarketing services (hereinafter referred to as “Google marketing services”) provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as “Google”).
20.2. Google is certified under the Privacy Shield Agreement (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active), which constitutes a guarantee to comply with European data protection law.
20.3. Google marketing services allow us to present ads for and on our website that target potentially interested users. “Remarketing” is a technique through which a user is presented with ads for products that he or she showed an interest in on other websites. For this purpose, remarketing tags (i.e., invisible graphics, also known as "web beacons") are inserted through Google proprietary code which runs automatically upon opening a web page in which Google marketing services are activated. These tags cause a cookie (see above) to be stored on the user’s device (other, comparable technologies may be used instead of cookies). These cookies can be set by various domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. The cookie is a text file which in this case contains data indicating which websites the user visits, what contents he or she showed an interest in, what he or she clicked on, as well as technical information about the browser and operating system, referring websites, visiting time and additional details on the use of the online presence. The IP address of the user is also recorded; Google Analytics truncates the IP address within member states of the European Union or in other states that are signatories of the Agreement on the European Economic Area; only in exceptional cases is the entire IP address transmitted to a Google server in the USA and truncated there. The IP address is not merged with other user data within other Google sites. The collected information, described above, may be linked by Google to similar information from other sources. When the user visits other websites, ads tailored to his or her interests may be displayed.
20.4. The Google marketing services process pseudonymized user data. This means that Google does not store and process, for example, the names or e-mail addresses of users, but processes the relevant data in relation to cookies within pseudonymized user profiles. From Google’s perspective, the ads are not managed and displayed for a specifically identified person, but for the company that generated the the company that generated the cookie, regardless of who it is. This does not apply, however, if a user has expressly permitted Google to process the data without pseudonymization. The information about users collected by Google marketing services are transmitted to Google and stored on Google’s servers in the USA.
20.5. One of the Google marketing services we use is the online advertising program called “Google AdWords.” Each Google AdWords customer receives a different “conversion cookie.” Thus the cookies cannot be traced through the websites of Google AdWords customers. The information collected by the cookie is used to generate conversion statistics for Google AdWords customers who have opted for conversion tracking. These customers see the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive any information that identifies users.
20.8. We may use the Google Optimizer function provided by Google marketing services that allows us to perform A/B testing, i.e. to track the effects of changes to our website (new design, new input fields, etc.). This function stores cookies on the user’s devices for test purposes. The cookies process only pseudonymized user data.
20.9. We may use Google Tag Manager to integrate and manage Google analytics and marketing services on our website.
20.11. If you wish to opt out of interest-based advertising by Google marketing services, you can use the configuration options provided by Google at adssettings.google.com.
21.1. Information is provided below about our newsletter (subscribing, content, sending, evaluation statistics, right of objection). By subscribing to the newsletter you agree to receive it, and agree to the procedures described below.
21.2. Contents – We send our newsletter, e-mails and other electronic notifications containing promotional information (hereinafter referred to as “newsletter”) only with the consent of the recipient or with legal permission. If the contents of a newsletter are specifically described in the subscription offer, they are relevant to obtaining the consent of the user. Our newsletter contains information about our products, offers, events and our company.
21.3. Login data – To subscribe to the newsletter, the only data required is your e-mail address. Optionally, you may also enter your name, so we can address the newsletter to you personally.
21.4. Double opt-in and logging – Subscription to our newsletter is implemented using a double opt-in procedure. This means that you first indicate your intention to subscribe, and subsequently receive an e-mail asking you to confirm your subscription. This procedure ensures that no one can log in with someone else’s e-mail address. A log is kept of your subscription as proof in accordance with legal requirements. The stored subscription data include the time of login and of confirmation, as well as your IP address. Any changes to your data stored with the sending service provider are also logged.
22. Newsletter – Sending service provider
22.1. The newsletter is sent via MailChimp, a newsletter distribution platform from Rocket Science Group LLC, 675 Ponce de Leon Ave NE #5000, Atlanta, GA 30308, USA. The data protection regulations of the sending service provider can be viewed here: mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield Agreement (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active), which constitutes a guarantee to comply with European data protection law.
22.2. The sending service provider may use pseudonymized data (i.e. without allocation to a user) to optimize or improve its own services (statistics, sending and presentation of the newsletter, determination of the destination countries, etc.). However, the sending service provider does not use the data from the recipients of our newsletter to contact said recipients, nor does it transfer their data to third parties.
23. Newsletter – Audience measurement
23.1. The newsletters contain what is called a “web beacon;” this is a pixel-sized file that is retrieved from the server of the sending service provider when you open the newsletter. Simultaneously, technical information (browser, operating system) as well as your IP address and the time of retrieval are collected. These technical and target-group data (retrieval time and location, the latter determined from the IP address) are used to improve the service. The statistical data also include whether the newsletter is opened, when it is opened and which links you clicked. Technologically, this information can be matched to the individual newsletter recipients. It is not our intention, however, nor that of the sending service provider, to monitor individual users. The evaluations simply help us to learn about the reading habits of the users and to adapt our contents to them, or to send different contents according to their interests.
23.2. Both the sending of the newsletter and the audience measurement are based on the consent of the recipient in accordance with GDPR Article 6 Paragraph 1 (a) and GDPR Article 7 in conjunction with §7 Abs. 2 Nr. 3 UWG and the legal permission in accordance with §7 Abs. 3 UWG.
23.3. The registration procedure is recorded on the basis of our legitimate interests in accordance with GDPR Article 6 Paragraph 1 (f) and serves as proof of consent to receipt of the newsletter.
24. Newsletter – Cancellation
Newsletter recipients can cancel their subscription to our newsletter at any time, i.e. revoke their consent. There is a link for cancellation at the end of each newsletter. Cancellation also revokes your agreement to the audience measurement. A separate revocation of the audience measurement is unfortunately not possible; the only way to revoke consent to the audience measurement is to cancel the entire newsletter subscription. With the cancellation of the newsletter your personal data are deleted, unless their storage is legally required or justified for a particular purpose, in which case processing is limited to that purpose. In particular, we may store the e-mail addresses of cancelled subscriptions for up to three years on the basis of our legitimate interests before we delete them in order to be able to prove previously granted consent. Processing of these data is limited to the purpose of a possible defense against claims. You may at any time request your data be deleted, provided that you confirm your previous consent at the same time.
25. Integration of third-party services and content
25.1. On the basis of our legitimate interests in the analysis, optimization and economic operation of our online presence as defined in GDPR Article 6 Paragraph 1 (f), we integrate content and/or services from third parties into our online presence, such as videos and fonts (hereinafter referred to as "content"). This entails the user’s IP address being supplied to the third-party content provider as this is necessary for sending the content to the user’s browser. In other words, the IP address is required for the display of this content. We endeavor to present only those contents that are supplied by providers who use these IP addresses only for the delivery of the specific content. Third-party providers may also use pixel tags (i.e. invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags can be used to evaluate information such as the amount of visitor traffic on our website. Cookies on users’ devices may store pseudonymized data (browser, operating system, referring websites, visiting time and other information concerning the use of our online presence) and be merged with information from other sources.
25.2. Below is a list of third-party content and service providers with links to their privacy policies, which contain further information on the processing of data and, as mentioned above, on how to exercise your right to object (opt-out options):