Datenschutzvereinbarung V1.1, gültig ab 01.01.2020

1. Name and address of the person responsible

The person responsible within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is the:

MusicDNA A.S.
Nygårdsgaten 25
5015 Bergen
Norway

Phone: +47 905 59 364
Email: support@bachtechnology.com
Website: www.musicdna.com

2. General information about data processing

2.1 Scope of personal data processing

In principle we only process personal data of our users when it is deemed necessary to provide a functional website as well as to ensure the availability of our service and also when it is governed by legal requirements.

2.2 Legal basis for personal data processing

The legal basis for consent requiring processing operations of personal data is art. 6(1)(a) of the General Data Protection Regulation (GDPR).

The legal basis for processing personal data that is necessary for the compliance of a contract to which the data subject is party is art. 6(1)(b) of the GDPR. This also applies to processing operations required to carry out pre-contractual actions.

The legal basis for processing personal data required to fulfill a legal obligation that is subject to our company is art. 6(1)(c) of the GDPR.

The legal basis for processing personal data that is necessary to safeguard a legitimate interest of our company or a third party, and the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, is art. 6(1)(f) of the GDPR.

2.3 Data deletion and storage period

Personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases. In addition, further storing may take place if it is intended by the European or national legislator in EU regulations, laws, or other regulations to which the person responsible is subjected to.

Unless there is a need for further storage of the data for a conclusion of contract or for a fulfillment of the contract, personal data will be deleted or blocked when the mentioned storage regulations expire.

2.4 Security

Personal data is only collected to an extent as it is necessary for the use or operation of the service.

Access to this data will only be granted to selected employees and kept to a minimum. We do not create profiles of our users and only evaluate their activities on our websites as far as it is essential for providing our services.

All data on our website (this applies in particular to passwords) are always transmitted encrypted.

For the purchase transaction of our products we cooperate with the company Cleverbridge. With more than 10 years experience, Cleverbridge is one of the leading providers of global billing and e-commerce services.

3. Provision of the website and creation of logfiles

3.1 Description and scope of data processing

Each time our website is accessed the system automatically collects data and information from the computer system of the connecting computer.

The following data is hereby collected:

1. information about browser type and used version
2. the operating system of the user
3. the IP address of the user
4. date and time of the connection
5. internal user ID (registered users)

This data is stored in the log files of our system. This data is not stored together with other personal data.

In addition, to improve the service the current filter and page settings of the respective registered user are saved when logging out of a user account. The consent to the processing of this data takes place during the registration process.

Furthermore we point out that our website is provided by the external service provider Hetzner (www.hetzner.de).

To provide the service our hosting provider processes data which is technically necessary. The legal basis for the processing is stated in art. 6(1)(f) of the GDPR. Further information can be found in the data protection FAQ of Hetzner (https://wiki.hetzner.de/index.php/Datenschutz-FAQ).

3.2 Legal basis for data processing

The legal basis for the temporary storage of data and log files is stated in art. 6(1)(f) of the GDPR.

The legal basis for the storage of the settings is stated in art. 6(1)(a) of the GDPR.

3.3 Purpose of data processing

The temporary storage of the users IP address by the system is necessary to allow delivery of the website to the computer of the user. Therefore the users IP address must be kept for the duration of the session.

The storage of the data in log files is done to monitor the functionality of our website and thus to ensure the operations of the site, as well as to ensure the security of our information technology systems.

An evaluation of the data for marketing purposes does not take place in this context.

For these purposes our legitimate interest in the processing of data is justified in accordance with art. 6(1)(f) of the GDPR.

In cases of abuse or attacks on the system art. 100(1) of the Telecommunications Act forms the basis for the extended processing of the collected data.

The storage of the filter and page settings is done solely with the aim of making the operation of the website user-friendly.

3.4 Duration of storage

The data for the provision of the website will be deleted as soon as they are no longer necessary for the purpose of their survey.

This is the case after 4 weeks when storing data in log files. Any further storage is possible but only to prove an improper use or their attempt.

The filter and page settings are saved until the next login and will be deleted no later than eight weeks after expiration of the product.

3.5 Possibility for revocation and removal

3a. Provision of the service for registered users - activation and deactivation of recordings

3a.1 Description and scope of data processing

When a user is activating or deactivating a recording for the monitoring, the following data is collected:

1. Internal ID number of the recording

2. Time of activation or deactivation

3. Internal ID of the order and the linked product

These data are stored in the database of our system.

To optimize the service and the products, we collect anonymous statistics on the activation and deactivation of recordings. The product / user assignment is completely removed.

3a.2 Legal basis for data processing

The legal basis for the temporary storage of data is stated in art. 6(1) of the GDPR.

3a.3 Purpose of data processing

The temporary storage of order activation and deactivation data of items for orders by the system is necessary to enable proper reporting in current and future products.

For these purposes, our legitimate interest in the processing of data is justified in accordance with art. 6 of the GDPR.

In cases of abuse or attacks on the system art. 100(1) of the Telecommunications Act forms the basis for the extended processing of the collected data.

3a.4 Duration of storage

The data for the provision of services for registered user will be deleted as soon as they are no longer necessary for the purpose of their survey.

When saving the activation or deactivation data, this will be performed together with deleting the user account.

3a.5 Possibility for revocation and removal

Collecting the data to provide the service to registered users - enabling and disabling recordings and storing the data in the system database is essential to the operation of the service. There is consequently no possibility for revocation on the part of the user.

The collection of data for the provision of the website and the storage of the data in log files is essential for the operation of the website. There is consequently no possibilty for revocation on the part of the user.

4. Use of Cookies

4.1 Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored from the web browser on the users computer system. When a user opens a web page, a cookie can be stored on the users computer. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is reopened.

Some elements of our website require that the calling browser can be identified even when a new subpage is opened.

The following data is stored and transmitted in the cookies:

1. information about the validity of the session
2. language settings

In addition, we do not store any information in cookies that allow an analysis of the browsing behavior of users.

Maps are created on our website to provide a clear overview of the detection results for users with active products. For presenting these maps we use software from Openlayers.org. The cfduid-cookie of CloudFlare (www.cloudflare.com) is necessary to use this software. According to CloudFlare, this cookie is used to unambiguously identify the user, e.g. behind firewalls, and stores no personal data. Further information can be found at:

• What does the Cloudflare cfduid cookie do?
• privacy policy of CloudFlare

4.2 Legal basis for data processing

The legal basis for processing personal data using technically necessary cookies is art. 6(1)(f) of the GDPR.

The legal basis for processing personal data using cookies for analysis purposes when consent of the user in this regard has been obtained is art. 6(1)(a) of the GDPR.

4.3 Purpose of data processing

Some features of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page break.

1. identification of the browser to validate the session
2. assumption of language settings

The user data collected through technically necessary cookies will not be used to create user profiles.

For these purposes, our legitimate interest in the processing of data is justified in accordance with art. 6(1)(f) of the GDPR.

4.4 Duration of storage, possibility for revocation and removal

Cookies are stored on the computer of the user and transmitted by that to our site. Therefore, every user maintains full control over the use of cookies. By changing the settings in the respective Internet browser each user can disable or restrict the storage of cookies. Already saved cookies can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may not be possible to use all features of the website fully.

5. Registration

5.1 Description and scope of data processing

On our website, we offer users the opportunity to register with the necessary personal data. In doing so we restrict ourselves to the minimum necessary amount of information. Thereby the data is entered into an input mask, transmitted to us and stored. A transfer of data to third parties does not take place. The following data is collected during the registration process:

1. login / username
2. email address
3. password

At the time of registration the following data will also be stored:

1. the IP address of the user
2. date and time of the registration

The consent of the user to process this data is obtained as part of the registration process.

The specification of further data is not necessary. Registered users can voluntarily leave their name in the member area to be contacted. They can also delete this information themselves.

For registered users, the following additional data points are collected during a session and stored until the next session:

1. login time
2. logout time

5.2 Legal basis for data processing

The legal basis for processing this data is art. 6(1)(a) of the GDPR.

5.3 Purpose of data processing

User registration is required for the provision of certain content and services on our website.

The registration on our website and the completed purchase of one of our products is necessary in order to use our reporting and monitoring products. The purchase of the products is handled by our payment provider Cleverbridge.

To use our chargeable offers a unambiguous identification of the user is necessary to prevent misuse. For identification we only use username and password.

The user identification is particularly required for chargeable orders, invoicing, handling of complaints as well as licensing-relevant transactions.

5.4 Duration of storage

The data will be deleted as soon as they are no longer necessary for the purpose of their survey.

For the data collected during the registration process, this is the case when the registration on our website is canceled or modified.

Without active products, registration data is automatically deleted 8 weeks after the end of the service period.

Accounts containing only open orders will be removed three weeks after receipt of the most recent order in accordance with point 9 of the terms and conditions.

5.5 Possibility for revocation and removal

The users of our service have the possibility to dissolve the registration at any time. They can change the data stored about them at any time.

The deletion of a user account and the associated data is done manually according to a defined instruction by one of our employees. An order for deletion can be made via the contact form on our website or by email at support@musicdna.com.

6. Contact form and mail contact

6.1 Description and scope of data processing

Our website contains a contact form which can be used for electronic contacting. If a user utilizes this option, the data entered in the input mask will be transmitted to us and saved. These data are:

1. name
2. email address

At the time of sending the message the following data is also stored in the log files of the web server:

1. the IP address of the user
2. date and time of the call

For processing the data the consent of the user is obtained in the context of the sending process and a reference is made to this privacy policy.

Alternatively, you can contact us via the provided email address support@muscdna.com. In this case, the users personal data transmitted by email will be stored.

In this context, there is no disclosure of the data to third parties. The data is used exclusively for processing the conversation.

6.2 Legal basis for data processing

The legal basis for processing this data when consent of the user has been obtained is art. 6(1)(a) of the GDPR.

The legal basis for processing data which has been transmitted in the course of sending an email is art. 6(1)(f) of the GDPR. If the email contact aims to conclude a contract, art. 6(1)(b) of the GDPR is an additional legal basis for processing data.

6.3 Purpose of data processing

The processing of personal data from the input mask is solely for processing the contact. In the case of contact via email, this also leads to the required legitimate interest in processing data.

The other personal data processed during the sending process serve to prevent misuse of the contact form and to guarantee the security of our information technology systems.

6.4 Duration of storage

The data will be deleted as soon as it is no longer necessary for the purpose of the survey. Data sent to us via email as well as the data of the input mask of the contact form will be stored until reaching the legal guidelines (6 years regarding paragraph 147 of the German Fiscal Code).

6.5 Possibility for revocation and removal

The user has the possibility to revoke his consent to processing personal data at any time. If the user contacts us by email, he may object to the storage of his personal data at any time.

The revocation must be made in writing in each case. This is possible either by email to the known support address or by mail to the above mentioned address.

All personal data stored in the course of contacting will be deleted in this case.

7. External payment service providers

7.1 Description and scope of data processing

Regarding the execution of the purchase we rely on the external payment service provider Cleverbridge (www.cleverbridge.com).

Users can choose their desired product on our website, both in the freely accessible area and in the account settings. After accepting the terms of use, an ID of the process and the product ID will be transmitted to Cleverbridge to identify the order. To finish the purchase, the user will be directed to Cleverbridges website.

After the user has completed the process, Cleverbridge sends us a part of the invoice data (as far as specified by the user):

1. name
2. address
3. email
4. company
5. language
6. telefon number
   

Account or credit card related information will not be sent to us. Only information about confirmation or negative disclosure of the payment.

For further information, we refer to the terms and conditions and privacy policy of Cleverbridge.

7.2 Legal basis for data processing

The legal basis for processing personal data that is necessary for the compliance of a contract to which the data subject is party is art. 6(1)(b) of the GDPR.

7.3 Purpose of data processing

The data is transmitted solely for identity and credit checks.

7.4 Duration of storage

The data is stored until reaching the legal guidelines. For accounting vouchers the legislator intend a period of 10 years according to paragraph 257 of the German commercial code.

7.5 Possibility for revocation and removal

Within the framework of the purchase transaction no data is collected and transmitted which is not necessary for fulfilling the contract. Therefore the data processing can not be contradicted.

8. Rights of the data subject

If personal data of a user is processed, this person is data subject within the meaning of the GDPR and has the following rights to the person responsible:

8.1 Right to information

The person concerned may demand from the person responsible a confirmation as to whether personal data relating to him are being processed.

If such processing exits the person concerned may request information from the person responsible about the following information:

(1) the purposes for which the personal data is processed,

(2) the categories of personal data that are processed,

(3) the planned duration of storage personal data concerning him or, if specific information is not possible, criteria for determinating the retention period,

(4) the existence of a right to rectification or erasure of personal data concerning him, a right to restriction of processing by the person responsible or a right to object to such processing,

(5) the existence of a right of appeal to a supervisory authority.

8.2 Right to rectification

The data subject has a right of rectification and/or completion to the person responsible if the processed personal data concerning him are incorrect or incomplete. The person responsible must make the correction immediately.

8.3 Right to restriction of processing

Subject to the following conditions the person concerned may request the restriction of processing personal data concerning him:

(1) if the person concerned disputes the accuracy of the personal data for a period of time which enables the person responsible to verify the accuracy of the personal data,

(2) the processing is unlawful and the person concerned refuses to delete the personal data and instead requests the restriction of the use of the personal data,

(3) the person responsible no longer needs the personal data for the purposes of the processing, but the person concerned needs them for the assertion, exercise or defense of legal claims, or

(4) if the person concerned has lodged an objection to the processing pursuant to art. 21(1) of the GDPR and it is not yet certain whether the legitimate reasons of the person responsible outweigh his reasons.

If processing personal data concerning the user has been restricted, this data may only be used – disregarding storage – with the consent of the user or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for important reasons of public interest of the EU or member state.

If processing has been restricted following the above mentioned conditions the user will be informed by the person responsible before the restriction is lifted.

8.4 Right to deletion

8.4.1 Obligation to deletion

Data subjects may require the person responsible to delete the personal data concerning them without delay and the person responsible is required to delete that data immediately, provided one of the following is true:

(1) The personal data concerning the user are no longer necessary for the purposes for which they were collected or otherwise processed.

(2) Users revoke their consent to which the processing relates according to art. 6(1)(a) or art. 9(2)(a) of the GDPR and there is no other legal basis for processing.

(3) Users lodge an objection to the processing according to art. 21(1) of the GDPR and there are no prior justifiable reasons for the processing or users oppose the processing according to art. 21(2) of the GDPR.

(4) The personal data concerning the user were processed unlawfully.

(5) The deletion of the personal data concerning the user is necessary for the fulfillment of a legal obligation under Union law or the law of the Member States to which the controller is subject.

(6) The personal data concerning the user were collected in relation to offered services of the information society according to art. 8(1) of the GDPR.

8.4.2 Information to third parties

If the person responsible made the personal data concerning the user public and is this person obligated to delete this data according to art. 17(1) of the GDPR, he takes appropriate measures for this taking into account the available technology and the costs of implementation. Responsible persons processing the personal data must be informed in this regard that the data subject has requested the deletion of all links to this personal data or of replications of this personal data.

8.4.3 Exceptions

The right to deletion does not exist if the processing is necessary

(1) to exercise the right to freedom of expression and information,

(2) to fulfill a legal obligation required by the law of the Union or of the Member States to which the person responsible is subject, or to carry out a task of public interest or in the exercise of public authority delegated to the controller,

(3) for reasons of public interest in the field of public health according to art. 9(2)(h) and (i) and art. 9(3) of the GDPR,

(4) for archival purposes of public interest, scientific or historical research purposes or for statistical purposes according to art. 89(1) of the GDPR, to the extent that the law referred to in subparagraph 8.4.1 is likely to render impossible or seriously affect the achievement of the objectives of that processing or

(5) to assert, exercise or defend legal claims.

8.5 Right to consultation

If a user has asserted the right of rectification, deletion or restriction of processing his personal data to the controller, the latter is obliged to notify all recipients, to whom the personal data relating to the user have been made public, about the correction or deletion of the data or about the restriction of processing unless this proves impossible or involves disproportionate effort.

The user is entitled to the person responsible to be informed about these recipients.

8.6 Right to data portability

Users have the right to receive the personal data they provided to the person responsible in a structured, common and machine-readable format. In addition users have the right to transfer this data to another person without hindrance by the person responsible to whom the personal data has been provided, provided that

(1) the processing is based on a consent according to art. 6(1)(a) or art. 9(2)(a) of the GDPR or on a contract according to art. 6(1)(b) of the GDPR and

(2) the processing is done using automated procedures.

In exercising this right users also have the right to obtain that personal data relating to them be transmitted directly from one person responsible to another where technically feasible. Freedoms and rights of other persons must not be affected by this.

The right to data portability does not apply to the processing of personal data necessary to carry out a task of public interest or in the exercise of public authority delegated to the controller.

8.7 Right of objection

At any time for reasons arising from their particular situation users have the right to lodge an objection against the processing of personal data relating to them which occur according to art. 6(1)(e) of the GDPR. This also applies to profiling based on these provisions.

The controller no longer processes the personal data concerning the user unless he can demonstrate compelling legitimate grounds for processing that outweigh the interests, rights and freedoms of the user, or the processing is intended to assert, exercise or defend legal claims.

If the personal data relating to the user are processed in order to operate direct mail the user has the right to object at any time to the processing of his personal data for the purposes of such advertising. This also applies to profiling insofar as it is associated with such direct mail.

If users object to the processing for direct marketing purposes their personal data will no longer be processed for these purposes.

Users have the option in the context of the use of information society services – regardless of directive 2002/58/EC – to exercise their right of objection through automated procedures using technical specifications.

8.8 Right to revoke the data protection consent declaration

Users have the right to object their declaration of consent in terms of data protection at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

The use of Bachs service is no longer possible after the revocation.