Privacy Policy


The Controller in the meaning of the European General Data Protection Regulation (GDPR) and other national data protection legislation as well as other data protection regulations is:

"Nena" Musikverlag GmbH
Managing Director: Gabriele Kerner
Jakobikirchhof 8
20095 Hamburg
Germany

Tel: +49 40 / 69909249
Email: shop@nena.de
www.shop.nena.de

I. Provision of our website and log files

1. Scope of processing of personal data
If you access our website, your browser will establish a connection with the web server of our host ALL-INKL.COM – Neue Medien Münnich, Owner Rene Münnich, Hauptstr. 68, 02742 Friedersdorf. In the process, connection data will be created and this will be stored by ALL-INKL.COM in ‘log files’.

Log files contain

- Time / date of the request
- Your operating system and browser type
- The URL being requested
- Your IP address

2. Purpose of the data processing
ALL-INKL.COM uses the data on our behalf for the presentation and delivery of our content as well as for statistical purposes.

3. Legal basis for processing
Legal basis for the temporary storage of data and log files is Article 6 (1) point (f) of the GDPR. 

4. Duration of the storage
Your IP address and other data will be stored by ALL-INKL.COM for 10 days. 

5. Option to object and have data deleted
The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. As a result, the user does not have any option to object.

II. Registration

1. Scope of processing of personal data
On our website, we offer users the opportunity to register by submitting their personal data. This involves the entering of data into an input screen and sending it to us, where it will be stored. Sharing of data with third parties will not take place during the registration process. The following data is collected and stored in this respect:

- First name, surname 
- Salutation and/or gender
- Title
- Email address
- Password (encrypted)
- Telephone number
- Billing address
- Delivery address
- Type of device with which you are accessing our web shop
- Time of your registration
- Time of your last visit
- Payment method

In the event that your email address contains personal data which differs from the existing data, we shall also store this data. After registration, you can change your registration details under the menu item “My Account” and also manage other details, such as the payment method. Furthermore, you can also view your already completed orders there. 

You can of course also purchase goods from us, even if you do not want to first register with us and set up a user account. The purchase will then be done using Paypal Direct.

2. Purpose of the data processing
Data collection and storage in the context of pure registration is done for purposes of pre-contractual measures. 

3. Legal basis for processing
The legal basis for processing of data in the case of pure registration – without placing an order - is the provision of your consent in accordance with Article 6 (1) point (a) of the GDPR. 

4. Duration of the storage
We shall store the data for as long as you maintain the registration.

5. Option to object and have data deleted
You can send an email to us any time at 
shop@nena.de, in order to delete the data stored in your account completely and/or partly, and hence revoke your consent; in addition, you can also personally undertake some changes and partial deletion of your data using the “My account” menu function. If the data is required for the fulfilment of a contract or for carrying out pre-contractual measures, then premature full deletion of the data will only be possible, if there are no contractual and legal obligations which preclude such a deletion. This can be the case, for instance, if you have placed an order.

III. Orders

1. Scope of processing of personal data
If you place an order with us, we shall use the data mentioned in section II above to process the transaction with you. 

a. Shipping process
The personal data you submitted to us in connection with a goods order will be shared with third parties within the context of contract processing by the service partners engaged by us, namely DHL Paket GmbH, Kruppstr. 74, 45145 Essen. 

b. Payment processing
We process personal data in connection with the processing of payment. The exact nature of personal data processed will vary depending on the payment method.

a.a. We offer PayPal as a payment method. PayPal is an online payment service provider that operates independently of us. PayPal makes it possible to send payments online to third parties, or also to receive payments. PayPal also assumes a trustee role and offers buyer protection services. The company that operates PayPal in Europe is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxemburg.

Provided that you select PayPal as your payment method, your data will automatically be transmitted to PayPal. The personal data sent to PayPal generally includes first name, surname, address, postal address, email address, IP address, telephone number, mobile telephone number or other data necessary for payment processing. Personal data associated with the respective order is also necessary for the processing of the applicable order(s).

PayPal will share the personal data with affiliated companies and service providers or subcontractors, provided this is necessary for the fulfilment of contractual obligations, or if the data has to be processed on PayPal’s behalf.

b.b. If you opt for a pre-payment by bank transfer within the context of the payment process, your bank will transmit your personal data to us, and this includes your first name, surname, your IBAN and BIC as well as the amount of money involved. The data will not be shared with third parties.

You can also place orders without registering. To do this, you simply place items in the shopping cart and then use the “PayPal” option directly. In this case your data will be sent to us by Paypal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxemburg, which data shall include your billing and delivery address, together with your first name and surname, as well as your email address.

2. Purpose of the data processing
The collection and storage of data is done in order to identify you as a customer, to enable the processing, fulfilment and completion of your order together with your payment, to conduct correspondence or telephone calls with you, to deliver invoices and to process claims against you.

3. Legal basis for processing
The processing of the data takes place based on your order and in accordance with Article 6 (1) point (b) of the GDPR.

4. Duration of the storage
We shall store your data for as long as your account exists with us in the scope indicated and/or up to the expiry of the stipulated legal retention period.

5. Option to object and have data deleted
Deletion of the order details through the deletion of your account undertaken by you is only possible in the event that no contractual and legal obligations precluding such deletion exist.

IV. Contact form / email contact

1. Description and scope of data processing
There is a contact form on our website which can be used for contacting us electronically. If you decide to use this option, data entered into the input screen will be transmitted to us and stored. The data processed is: Salutation, first name, surname, email address as well as any other personal data found in your message. When you press the “Send” button, an email message will be generated and sent to us. In this process other data is generated and stored by us, for instance the time you made contact with us.

Alternatively, it is possible to make contact using the email address provided. In this case, the personal data transmitted through the email is stored.

In this connection, no sharing of data with third parties takes place. The data is used exclusively for processing the conversation.

2. Legal basis for processing of the data
The legal basis for processing of the data is Article 6 (1) point (a) of the GDPR - provided you have given your consent. The legal basis for the processing of data transmitted in the process of sending an email message to us is Article 6 (1) point (f) of the GDPR. If the time of email contact is based on the conclusion of the contract, the supplementary legal basis for the processing shall be Article 6 (1) point (b) of the GDPR.

3. Purpose of the data processing
The processing of personal data from the input screen is used by us for the sole purpose of processing the inquiry. If we are contacted via email, we necessarily also have a legitimate interest in processing the data.

4. Duration of the storage
The data will be erased as soon as it is no longer required for fulfilment of the intended purpose of their collection. For personal data from the input screen of the contact form and that sent to us by email, this erasure will then take place when the conversation exchange with you has ended. The conversation shall be deemed to have ended, if it can be deduced from the circumstances that the issue raised has been clarified.

5. Option to object and have data deleted
You have the option of revoking your consent for the processing of personal data any time by sending an email message to 
shop@nena.de. If you contact us by email, you can revoke consent to the storage of your personal data at any time. In such cases, the conversation cannot be continued. All personal data which was collected and stored during the process of making contact will be erased in this case.

VI. Your rights

If your personal data is being processed, then you are a data subject in the meaning of the GDPR and you can assert the following rights against the Controller:

1. The right to information
You can demand confirmation from the Controller, as to whether we process personal data relating to you. If such processing is taking place, you can then demand information about the following aspects from the Controller:

(1) the purpose for which the personal data is being processed;
(2) categories of personal data being processed;
(3) recipients and/or categories of recipients to whom your personal data was disclosed or is still being disclosed;
(4) the planned duration of storage of your personal data or, in case it is not possible to get concrete information on this, criteria for determining the storage duration;
(5) the existence of a right to rectification or erasure of your personal data, a right to restriction of processing by the Controller or a right to object to this processing;
(6) the existence of the right to complain to a supervisory authority;
(7) all available information about the origin of the data, if the personal data was not collected from the data subject;
(8) the existence of an automated decision making process, including profiling, pursuant to Article 22 (1 and 4) of the GDPR, and - at least in these cases - meaningful information about the logic involved as well as the scope and desired effect of such processing on the data subject.

You have the right to demand information as to whether your personal data is being transmitted to third countries or to an international organisation. In this connection, you can demand to be informed about appropriate guarantees, pursuant to Article 46 of the GDPR, in relation to this transmission of data.

2. Right to correction of data
You have the right to demand correction and/or completion of your data from the Controller, provided the processed personal data relating to you is false or incomplete. The Controller must undertake the correction without delay.

3. Right to restriction of data processing
You can demand the restriction of processing of your personal data on the following conditions:

(1) if you have been disputing the correctness of your personal data for some time, a fact which enables the Controller to check the correctness of the personal data;
(2) if the processing is unlawful and yet you reject the deletion of the personal data, but instead demand restriction on the use of the personal data;
(3) if the Controller no longer needs the personal data for the intended purposes of the processing, but you need them for purposes of asserting, exercising or defending legal claims, or
(4) if you have raised objection against the processing in accordance with Article 21 (1) of the GDPR, and it has not yet been established whether the Controller’s legitimate reasons override yours.

If the processing of your personal data was restricted, then this data may - except for its storage - only be processed with your consent or for purposes of asserting, exercising or defending legal claims, or for the protection of the rights of another natural person or legal entity, or for important reasons of public interest of the Union or any other Member State. If the processing of the data was restricted on the above-mentioned conditions, you will be informed by the Controller before the restriction is lifted.

4. Right to deletion of data

a. Obligation to delete
You can demand from the Controller, that your personal data be deleted immediately, and the Controller is obliged to delete this data without undue delay, as long as one of the following reasons applies:

(1) Your personal data is no longer required for the purposes, for which it was collected or otherwise processed. (2) You are revoking your consent, upon which the processing was based, in accordance with Article 6 (1) point (a) or Article 9
(2) point (a) of the GDPR, and there is no other legal basis for the processing.
(3) You are raising a complaint against the processing in accordance with Article 21 (1) of the GDPR, and there are no overriding legitimate reasons for the processing, or you are raising a complaint against the processing in accordance with Article 21 (2) of the GDPR.
(4) Your personal data was unlawfully processed.
(5) The deletion of your personal data is necessary for the fulfilment of a legal obligation according to EU legislation or legislation of the Member States, to which the Controller is subject.
(6) Your personal data was collected in relation to the services offered by the information society, in accordance with Article 8 (1) of the GDPR.

b. Information to third parties
If the Controller has disclosed your personal data, and if he is obliged to delete it in accordance with Article 17 (1) of the GDPR, he shall take appropriate measures, even of a technical nature, taking into consideration the available technology and the costs of implementation, to inform the person responsible for data processing and who processes the personal data, that you as the data subject have demanded from them the deletion of all links to this personal data or of all copies or replications of this personal data.

c. Exceptions
The right to deletion of data does not arise, provided the processing is necessary

(1) for exercising the right to freedom of expression and information;
(2) for the fulfilment of a legal obligation which demands that the processing be done according to the legislation of the Union or of Member States, to which the Controller is subject, or for carrying out a task which is in the public interest or if the processing is done in exercise of public authority vested on the Controller;
(3) for reasons of public interest in the area of public health in accordance with Article 9 (2) points (h and i), as well as Article 9 (3) of the GDPR;
(4) for purposes of archives, scientific or historical research purposes or for statistical purposes - all of which are in public interest - in accordance with Article 89 (1) of the GDPR, provided that the right mentioned in section a) probably makes the realisation of the aims of this processing impossible or restricts it considerably, or
(5) for purposes of asserting, exercising or defending legal claims.

5. Right to being informed
If you have asserted the right to correction, deletion or restriction of processing against the Controller, the latter is obliged to inform all recipients, to whom your personal data was disclosed, about this deletion, correction or restriction of processing, unless this turns out to be impossible or is associated with disproportionate expenses. You have the right to demand from the Controller that you be informed about these recipients.

6. Right to transfer of data
You have the right to receive your personal data, which you submitted to the Controller, in a structured, standard and machine-readable format. You also have the right to transfer the data to another Controller without hindrance from the Controller, to whom the personal data was submitted, provided

(1) the processing is based on consent in accordance with Article 6 (1) point (a) or Article 9 (2) point (a) of the GDPR, or on a contract in accordance with Article 6 (1) point (b) of the GDPR. and
(2) the processing is done using automated methods.

In exercise of this right, you furthermore have the right to cause the direct transfer of your personal data from one Controller to another, provided that this is technically feasible. In so doing, the freedoms and rights of other persons should not be interfered with. The right to transfer of data does apply to the processing of personal data, which is necessary for carrying out a task which is in the public interest or if the processing is done in exercise of public authority vested on the Controller.

7. Right of objection
You have the right, for reasons arising from your particular situation, to raise objection, any time, against the processing of your personal data, which is being done in accordance with Article 6 (1) point (e or f) of the GDPR; this also applies to profiling based on these provisions. The Controller will not process your personal data anymore, unless he can cite compelling legitimate reasons for the processing, which override your interests, rights and freedoms, or unless the processing serves the purpose of asserting, exercising or defending legal claims.

If your personal data is being processed for purposes of direct advertising, you have the right at any time to raise objection against the processing of your personal data for such direct advertising purposes; this also applies to profiling, provided it is associated with such direct advertising.

If you object to processing for direct advertising purposes, your personal data will no longer be processed for such purposes.

You have the option, within the framework of using the services of the information society - Directive 2002/58/EG notwithstanding - to exercise your right to objection through automated methods, for which technical specifications are used.

8. The right to revoke consent to provisions of the privacy policy
You have the right to revoke your consent to provisions of the privacy policy at any time. The legality of the processing done up to the time of revocation, and based on your consent, will not be affected by this revocation of consent.

9. Automated decisions on a case-by-case basis including profiling
You have the right to reject being subjected to a decision exclusively based on automated processing - including profiling - which has legal implications on you or affects you considerably in any similar way. This does not apply if the decision

(1) is required for the conclusion or fulfilment of a contract between you and the Controller,
(2) is permissible on the basis of legal provisions in the Union or Member States, to which the Controller is subject, and these legal provisions contain appropriate measures for safeguarding your rights and freedoms, as well as your legitimate interests, or
(3) happens with your express consent.

Nevertheless, these decisions are not to be based on special categories of personal data in accordance with Article 9 (1) of the GDPR, as long as Article 9 (2) point (a or g) of the GDPR does not apply and provided appropriate measures have been taken to protect your rights and freedoms, as well as your legitimate interest. In view of the cases mentioned in (1) and (3), the Controller shall take appropriate measures to safeguard your rights and freedoms, as well as your legitimate interest, which includes at least the right to cause the intervention of a person on the part of the Controller, to present one’s own point of view and to contest the decision.

10. The right to complain to a supervisory authority
Other administrative or judicial measures of redress notwithstanding, you have the right to complain to a supervisory authority, in particular in the Member State of your residence, your place of work or place of alleged infringement, if you believe that the processing of your personal data constitutes a breach of the GDPR. The supervisory authority, to which the complaint is submitted, shall inform the complainant about the status and outcome of the complaint, including the possibility of legal redress in accordance with Article 78 of the GDPR.

V. Cookies

1. General description
Our website uses cookies. Cookies are text files that are stored on the Internet browser or stored by the Internet browser on the user’s computer system. When a user accesses a website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic string that enables the browser to be clearly identified the next time the website is accessed.

We use cookies to make our website more user-friendly. Some elements of our website require the requesting browser to be recognised even after you have moved to a different page. To this end, the following data is stored in the cookies and transmitted:

a) Items in a shopping basket
b) Log-in information relating to your user account

2. Purpose of the data processing
The purpose of using these technically necessary cookies is to make it easier for users to navigate websites. Some functions of our website are not available without the use of cookies. These functions require the browser to be recognised even after you have moved to a different page.

3. Legal basis for data processing
Art. 6 (1) (f) GDPR provides the legal basis for processing the personal data with the use of cookies.

4. Storage period, objection and erasure options
Cookies are stored on the user’s computer and transmitted by it to our website. As a user, you therefore have full control over the use of cookies. You can disable or restrict the transmission of cookies by adjusting the settings in your Internet browser accordingly. Cookies that have already been stored can be erased at any time. This can also occur automatically. If cookies are disabled for our website, not all of the functions of this website may be fully available to you.