A. COLLECTION AND PROCESSING OF PERSONAL DATA
We collect and process personal data, i.e. information that identifies, or at least makes it possible to identify, you as a natural person (e.g. your name, your address and/or e-mail address) when you decide to actively communicate with us, when you subscribe to services we may provide, and when you use our online client platform (the “Platform”) as a Producer or other contracting partner of BMG (jointly “BMG Partner(s)”) on our website (see sections A.1 and A.2 below). Furthermore, we collect and process certain technical data that results from you visiting our website (see section B below) which is also considered personal data. Processing means any operation which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, any kind of disclosure, erasure or destruction or other use.
1. The Public Section of the Website
There are certain data that you may – but by no means must – submit to us when using the public parts of our website.
1.1 When you subscribe to services that we may offer our users from time to time you will obviously have to submit your email address as well as any other data necessary for the provision of the service. Also, there are means on our website to get in touch with us directly, especially our contact form or webchat, which in turn requires you to submit personal data, such as your name and email address, but also the very content of your request.
1.2 Whenever you contact us, we collect, store and use such data to fulfil your corresponding request. For this, the legal basis is Article 6 sec. 1 sent. 1 lit. b GDPR. Your data will not be collected, stored or used in any other way or for any other purpose. Hence, as an example, if you submit your email address via our contact form with a request for certain information, we will use only your email address to get back to you with – so we hope – the information you requested. Hence, you fully control the information you provide BMG about yourself and how it may be used. We also provide you the opportunity to communicate with us via our webchat, which is hosted by a third-party provider. This provider may process your data as specified in Section B.
1.3 On our website, you can opt into our newsletter to receive information regarding our platform and services we offer. You can opt-out of the newsletter and any marketing communication at any time and free of charge (notwithstanding provider fees) by sending an email to firstname.lastname@example.org or clicking this link. Data processing for the newsletter is based on your consent (i.e. your “opt-in”), Art. 6 sec. 1 lit. a GDPR. Furthermore, you may from time to time take part in contests and competitions hosted on our website. In this case we will process the data provided upon entering such contest (in most cases your email address) based on Art. 6 sec. 1 lit. b GDPR exclusively for the purposes of your participation in such contest, unless you provide consent for further use separately.
2. Our Online Client Platform
The Platform under “bmgproductionmusic.co.uk is a service for producers of media content (the “Producers”) to licence music and keep track of their licensed products. For Producers we provide an online interface to our corresponding databases, to access sample music and to download tracks for their production. For this, the legal basis is the performance or the preparation of a contract, Article 6 sec. 1 sent. 1 lit. b GDPR.
2.1 To use our Platform you must register online for our services by submitting the required personal information, including:
- Contact information (Email, Phone, Address)
- Business information
We use this information to create your account and to contact you regarding relevant licensing opportunities. Considering potential licensing contracts, this is based on Art. 6 sec. 1 lit. b GDPR. Upon registration, our team will evaluate the soundness of your business by matching it to additional data collected a public internet search. We use this information to prevent fraudulent behaviour on our platform to protect our and our client’s interests, Art. 6 sec. 1 lit. f GDPR.
2.2 Upon registering to our platform, you can opt into our newsletter to receive information regarding our platform and services we offer. You can opt-out of the newsletter and any marketing communication at any time and free of charge (notwithstanding provider fees) by sending an email to email@example.com or clicking this link. Data processing for the newsletter is based on your consent (i.e. your “opt-in”), Art. 6 sec. 1 lit. a GDPR. Furthermore, you may from time to time take part in contests and competitions hosted on our website. In this case we will process the data provided upon entering such contest (in most cases your email address) based on Art. 6 sec. 1 lit. b GDPR exclusively for the purposes of your participation in such contest, unless you provide consent for further use separately.
2.3 We will collect and maintain a history of your use of our website, especially of your browsing of our music library, download and licensing history, we will use this information to assess and detect any case of possibly unlicensed use of our music products. For this purpose, we match your use of the website regarding browsing, listening and download history to our directory of anonymized download patterns of Producers. For this the legal basis is Article 6 sec. 1 lit. f GDPR, as it is in our legitimate interest to detect such use.
2.4 In case we directly license our music products to you we will further collect and maintain a record of any contractual information gathered upon closing a licensing agreement. For this, the legal basis is Article 6 sec. 1 lit. f GDPR.
2.5 While not being required to submit personal data through the Platform, you can edit certain personal data in the "Settings" section of the Platform. We will store and use edited personal data to, as applicable, continue providing the services of the Platform for you and/or to fulfil our obligations towards you. For example, by informing us of a new postal address, you allow us to send you any statements or other documents we may owe you to that address, unless stipulated otherwise in your contractual documentation. For this, the legal basis is Article 6 sec. 1 sent. 1 lit. b GDPR, as the data is used for the provision of our services
2.6. Personal data that is collected for our Platform is retained until you decide to close your account and properly erased afterwards.
B. LOG FILES, COOKIES, WEB ANALYTICS AND SOCIAL MEDIA PLUGINS
1. General and Error Log Files
When you visit our website, our webservers automatically store certain data in log files.
1.1 The general log files may tell us which Internet browser and operating system you were using, and which IP address was allocated to your Internet access when you were visiting the site, the URL of the internet page from which you arrived at our website, the exact time when you accessed and left our website, the amount of data transmitted, and the pages you accessed on our website. The last octet (8-bit byte) of the IP address in the general log files will be masked, thereby restricting our (or a third party’s) ability to connect the IP address to your specific Internet access. The personal data automatically collected is necessary for us to provide the website (Article 6 sec. 1 sent. 1 lit. f GDPR), and for our legitimate interest to guarantee the website’s stability and security (Article 6 sec. 1 sent. 1 lit. f GDPR). Personal data that is collected automatically is retained for 35 days and properly erased afterwards.
1.2 Should our web server(s) detect an error in processing requests, it will send the corresponding information to an error log file. Those log files for technical reasons also record the client IP address from which the request was sent, i.e. your IP address if your request caused the error.
1.3 We have no means, and no interest in, identifying you through the general or error log file data. We use the general log file data for statistical purposes. The information we can from time to time retrieve from the files relates to, for example, peak times of the use of our website, which information our users are most interested in on the website, how users navigate on our website and which browsers and operating system our users use. We use that information to improve the technical setup as well as the design of our website. The error log files are used to diagnose and fix the error. The personal data collected during this process is necessary for our legitimate interest to guarantee the website’s stability and security (Article 6 sec. 1 sent. 1 lit. f GDPR).
2. Platform Log Files
In addition to the general and error log files, we keep log files of all logins to and logouts from, and downloads of documents from, the Platform under bmg.com (http://bmg.com) to protect you and ourselves from any misuse of the service. For that purpose, we also display the exact time and date of your latest login in the "Settings" section of your account on the Platform, which we store in our database. The personal data collected during this process is necessary for our legitimate interest to guarantee the website’s security, Article 6 sec. 1 sent. 1 lit. f GDPR. Platform Log Files are retained for 35 days and properly erased afterwards.
3.1 Our website uses http cookies. An http cookie is a piece of text stored on your computer by your web browser. Cookies are sent as a field in the header of the http response by our web server(s). It is then sent back by your browser every time it accesses the respective web server.
• Our website uses session and persistent cookies to provide you with an easy and comfortable web service. They allow us to, for example, display the German contact information any time you visit our website if your first visit to the site came from Germany.
• The Platform under bmg.com (bmgproductionmusic.com) uses session cookies (which are automatically deleted at the end of each session) that, for example, allow us to identify you as the same user (but no more) over a session on our website and to “keep” certain data across more than one webpage so that you don’t have to reinsert the same data or set your personal settings over and over again. Also, bmg.com (http://bmg.com) sets a persistent cookie to keep the language that you prefer so that you can use the Platform in that language without having to change your settings each time you access the Platform.
4. Google Analytics
We will use the Information gathered by cookies deployed by Google Analytics to analyse your use of our website, to generate reports on website activities and to perform other website related services to you.
The legal basis for this processing is Art. 6 sec. 1 sent. 1 lit. f GDPR and represents our legitimate interest to analyse our website’s traffic to improve the user’s experience and to optimize the website in general.
You will find further information on Google and Google Analytics:
(http://www.google.com/intl/en/privacy/) or here
As already explained above, you can use your browser settings to prevent the acceptance and storage of new cookies. Should you disagree with the analysis of your use of our website you can also deactivate Google Analytics and thus declare your objection to the collection and processing of the respective data.
To do this, please download and install the browser plugin that Google provides for this purpose. The plugin is available at [http://tools.google.com/dlpage/gaoptout?hl=en].
Once the plugin has been installed, it will prevent the recollection of the data related to your use of our website that has been generated by the cookie (including your IP address).
Our website uses Olark, a Service provided by Habla, Inc., 205 ½ N Main St. Ann Arbor, MI 48104, USA. This allows us to communicate directly with you via instant messaging on our website. We use the information provided by you in the chat solely to answer to your requests. Olark may process certain technical personal data, such as your IP-Adress or Browser-Version for the purpose of the provision of their Service. In this context, personal data may be transferred outside the EEA. To ensure the safety of your data in this case, Olark has committed to the EU-US-Privacy-Shield.
C. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES
The data collected by us will only be transmitted if:
- you have given your express consent pursuant to Art. 6 sec. 1 sent. 1 lit. a GDPR,
- the disclosure pursuant to Art. 6 sec. 1 sent. 1 f GDPR is necessary to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,
we are legally obliged pursuant to Art. 6 sec. 1 sent. 1 lit. c GDPR to pass on or
this is legally permissible and is required under Art. 6 sec. 1 sent. 1 lit. b GDPR for the processing of contractual relationships with you or for the implementation of pre-contractual measures that are taken at your request.
In addition, it may be disclosed in connection with official inquiries, court orders and legal proceedings if it is necessary for legal prosecution or enforcement.
Some of your data may be processed on servers which are provided by Amazon Web Services, a service of Amazon Web Services Inc., 410 Terry Avenue North, Seattle, Washington 98109, USA (“AWS”). Via these AWS servers your device will be connected with the contents in our website. The servers which we use are normally located inside the European Union. For technical reasons, however, portions of your data may be processed outside the European Economic Area, particularly in the USA. To ensure the protection of your data in this case too, AWS participates in the EU-US-Privacy-Shield. In addition, we have concluded a contract with AWS which meets the requirements stipulated by the standard clauses of the European Commission. The legal basis is Art. 6 sec. 1 lit. f GDPR, grounded on our legitimate interest in storing the contents of our website securely and reliably through external service providers while reducing our own expenditure of resources for the provision of our website’s infrastructure.
D. TRANSFER OF PERSONAL DATA OUTSIDE EEA
The information we collect from you may be transferred to, processed and stored at a destination outside the European Economic Area ("EEC"), e.g. when we transfer data to third parties or members of BMG's group of companies. The Recipients outside the EEA are either Privacy Shield certified or bound by Standard Contractual Clauses of the EU Commission for the protection of personal data, or they are located in countries in regard to which the EU Commission issued an adequacy decision according to Art. 45. GDPR.
BMG takes great care to ensure the security of personal data. Your data is conscientiously protected from loss, destruction, distortion/falsification, manipulation and unauthorized access or unauthorized disclosure through appropriate technical and organizational measures. However, due to the inherent nature of the Internet as an open global communications vehicle, we cannot guarantee that information, during transmission through the Internet or while stored on our system or otherwise in our care, will be safe from intrusion by others, such as hackers.
You are responsible for maintaining the strict confidentiality of your account password, and you shall be responsible for any access to or use of the website by you or any person or entity using your password, whether such access or use has been authorized by you or on your behalf.
F. THIRD PARTY SITES
Third party sites linked to from this website may have different privacy policies and practices. We are not responsible for the information practices of third party sites, or channels or areas of this website, that are operated by third parties. You should carefully review these other privacy policies to determine how each third party may use any personal information you provide.
G. DATA RETENTION
We strive to keep our processing activities with respect to your personal data as limited as possible. Personal data provided by you upon using our services (Service Data as described in Section A.1.) will be retained only for as long as we need it to fulfil the purpose for which we have collected it or as long as required by statutory retention requirements.
Technical Data will be retained only as long as it is necessary to provide access to our site. The IP-Address will be retained for 7 days to enable us to engage in effective defense against attacks on our site, i.e. DDOS attacks. However, we may retain Technical Data as long as certain marketing purposes require. In no event will we retain your Technical Data longer than 35 days, provided storage of data is not required by statutory retention requirements. As far as data collected during the use of the Platform is relevant for taxes or accounting reasons we are obliged to keep such data up to 10 years according to German Tax and Commercial Law.
H. YOUR RIGHTS
Right of access (Art. 15 GDPR);
You have the right to information regarding the data we process concerning you. Upon request we will provide you a copy of the data together with additional information to the extent defined in Art. 15 GDPR .
Right to rectification (Art. 16 GDPR);
You have the right to rectification of your data, wherever such data is incorrect or incomplete.
Right to erasure (Art. 17 GDPR);
You have a right to erasure regarding data that is no longer required for the original purposes or that is processed unlawfully, as described in Art. 17 GDPR. Wherever certain data is subject to retention periods, instead of deleting the data we will restrict processing to the duration and intended purposes of such period.
Right to restriction of processing (Art. 18 GDPR);
Upon your request, we will restrict processing of personal according to Art. 18, wherever there are uncertainties regarding our right to process such data or while a decision regarding your objection to such processing is pending. In such cases we will only retain data, restrict any processing to the minimal extent necessary and withdraw access to your data from our employees.
Right to data portability (Art. 20 GDPR);
Upon your request we will transfer any personal data you have provided to us during the use of our services based on consent or any contractual or pre-contractual relationship to you or any third party, provided secure communication with third party is technically feasible. We will provide the data in [a structured and machine-readable format]
Right to object to processing based on Art. 6 Abs. 1 lit. f GDPR (Art. 21 GDPR);
Upon your objection we will cease any processing of your personal data based on Art. 6 lit. f. Wherever we have compelling legitimate grounds to process your data, we are allowed to further process such data, provided our interest in doing so prevails in a weighting against your interest against the processing activity. Therefore, to allow us to evaluate your request, please let us know the reason for your objection.
Wherever you gave consent to a data processing, in accordance with Article 7 (2) GDPR, you have the right to withdraw your consent to us at any time. As a result, we will not continue processing data based on this consent in the future. The withdrawal of consent does not affect the legality of the processing carried out based on the consent until the withdrawal.
Furthermore, you have the right to lodge a complaint with a data privacy supervisory authority.
The contact details of our data protection officer are:
Effective Date: 2018-05-24