Website Privacy Policy and provision of information to Data Subjects according to Articles 13 and 14 of the EU General Data Protection Regulation (GDPR)
GEMA takes the protection of your personal data very seriously. Where we alone or jointly with others determine the purposes and means of data processing, we are required under Articles 13 and 14 of the General Data Protection Regulation (GDPR) to provide you with transparent information about the nature, scope, purpose, period and legal basis of the processing. The purpose of this Privacy Policy is to inform you about how we process personal information about you. This Privacy Policy includes general information about all processing of personal data and processing situations (Part A.) and specific information for visitors of this Website and users of our “Artistmatch” service (Part B.) and for other music creators (Part C.).
A. General
Controller and contact details
The controller processing your personal data is GEMA Gesellschaft für musikalische Aufführungs- und mechanische Vervielfältigungsrechte [GEMA Society for Musical Performing and Mechanical Reproduction Rights], hereinafter referred to as “GEMA”.
Postal address: Rosenheimer Str. 11, 81667 Munich, Germany
Email: datenschutz@gema.de
For more information about us, please refer to the legal notice of this website: www.artistmatch.io/imprint
Data Protection Officer
If you have any questions regarding data protection law, please do not hesitate to contact our Data Protection Officer Dr. Sebastian Kraska using the following contact details:
Dr. Sebastian Kraska
Postal address: Marienplatz 2, D-80331 Munich
Email: datenschutzbeauftragter@gema.de
Data security
We use appropriate technical and organisational safeguards to protect all data we process against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties. In selecting and implementing security controls, we consider the current state of the art, the existing risk of data breach, the likelihood of this risk occurring and its implications for data subjects. We continuously improve our security policies and procedures as technology progresses. If you would like to know more about this, please do not hesitate to contact us using the contact details provided in section 1 or 2 above.
No automated decision-making
Your personal data will not be used for automated decision-making (including profiling).
Your rights
The applicable data protection laws (GDPR, the German Federal Data Protection Act [Bundesdatenschutzgesetz – BDSG]) give you, the data subject, certain rights regarding your data as set out below. These rights can be exercised by giving notice (personally, by email or by post) to the Company or to our Data Protection Officer using the contact details provided in section 1 and section 2, respectively. Except for the right to withdraw your consent, these rights are not absolute but may depend on the circumstances of the individual case concerned.
a. Right of access
You have the right to obtain confirmation from us as to whether or not personal data concerning you are being processed. Where that is the case, you have the right to request access to your personal data and information about, for example, the purposes of the processing, the categories of personal data concerned and the recipients or categories of recipients to whom the personal data have been or will be disclosed. In this context, you have the right to obtain a copy of the personal data undergoing processing.
b. Right to rectification
You have the right to obtain from us the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed by means of providing a supplementary statement.
c. Right to erasure
In certain cases, you shall have the right to obtain from us the erasure of personal data concerning you, and we may have the obligation in the individual case concerned to erase personal data about you.
d. Right to restriction of processing
Subject to certain conditions, you have the right to obtain from us restriction of processing of your personal data. Where this is the case, we will flag the data concerned accordingly and process them only for specific purposes.
e. Right to data portability
In certain cases, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. Where this right applies, you also have the right to transmit those data to another controller without hindrance from us.
f. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR. In this case we may be required to stop processing your personal data.
g. Withdrawal of consent
If you have given your consent for certain processing activities, you have the right to withdraw your consent to further processing at any time. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. If you wish to withdraw any consent you have given us, please notify us using the contact details of the Company provided in section 1 or those of our Data Protection Officer provided in section 2.
h. Right to lodge a complaint
Moreover, you have the right to lodge a complaint regarding the processing of your personal data with the competent data protection supervisory authority, the Bavarian State Office for Data Protection Supervision [Bayerisches Landesamt für Datenschutzaufsicht].
Updates or amendments to this Privacy Notice
Our Privacy Notice is regularly reviewed and updated (if necessary) to reflect changes in data protection legislation and technological or organisational developments. This Privacy Notice was last updated in December 2022.
B. Visitors to this website; users of the Service
On this website and its various pages (hereinafter collectively referred to as the “Website”) we offer our Artistmatch service. The purpose of this Privacy Policy is to inform you about how we process personal information about you through your use of our Website and our services.
Categories of personal data processed, purposes and legal basis of processing, duration of storage
In connection with your use of the Website, we only process personal data we obtain directly from you through your use of the Website and, if you register for Artistmatch, through your registration and use of the service. The purposes and legal basis of processing depend on the features and functionality of the Website and of the service you use. The following table describes in more detail how your personal data are processed through your use of the Website:
| Purposes of processing | Categories of personal data | Legal basis for processing*) | Duration of storage |
| --- | --- | --- | --- |
| Logging of Website visits to analyse user requests and analyse attack and defence scenarios | Time of visit; User’s IP address | Article 6(1)(f) GDPR: Our legitimate interest consists in protecting GEMA’s IT infrastructure and offering a functional Website | Your data are deleted 30 days after they have been collected. |
| Only if you register for the waiting list: Registration for the waiting list | Email address; Name | Article 6(1)(a) GDPR: You will be registered for the waiting list only with your consent. | Up to 1 year from registration for the waiting list |
| Only if you register: Registration, use of the services, user administration | Email address | Article 6(1)(b) GDPR: Provision and delivery of the service | Up to 3 years after last use of the service |
| Only if you use the service: Optimisation of user experience | Your filter settings | Article 6(1)(f) GDPR: Enhancing the user experience of using the service | You may delete your filter settings yourself. They will in any case be deleted when you unregister from the service. |
| Only if you use the service: Displaying a user profile, user administration | Name; Social media profiles (e.g. on Instagram, TikTok etc.); Company affiliation; Job position | Article 6(1)(a) GDPR: You may provide this information voluntarily in your user profile. Therefore this information will be processed only with your consent. | You may delete this information from your user profile at any time. It will in any case be deleted when you unregister from the service. |
Please note that we may process your personal data for other purposes only if we are obligated to do so on the basis of legal requirements (e.g. disclosure of personal data to courts or to law enforcement agencies), if you have given your consent for the processing of your personal data or if processing is for other reasons permissible under applicable law. Once the retention period has expired, we will delete your personal data from our systems and/or records and/or take appropriate steps to anonymise them so that you can no longer be identified from them.
Use of cookies
We use cookies on our Website and in our Online Portal. Cookies are small files sent from a webserver to your browser and stored on your computer. We use both session cookies and persistent cookies. Session cookies expire once you have closed your browser. Persistent cookies stay on your computer even after you have closed your browser and may be sent back by your browser whenever you visit our Website again. Your browser may have settings allowing you to manage cookies. Please note that certain features of our Website may not be available if you delete or reject cookies. Some of the cookies we use are necessary to deliver the correct user experience of our Website, while others are used to analyse user behaviour across different devices. This helps us to improve our Website based on the needs of our visitors. Where cookies are not strictly necessary for the provision of our Website and services, we will use them only with your express prior consent. Therefore, when you first visit our Website, you will be asked to choose whether you wish to accept cookies and which ones. The following table gives you an overview of the cookies we use:
| Description of cookies used | Categories of personal data and further information on use of cookies (if applicable) | Legal basis for processing and types of cookies used | Life of cookies |
| --- | --- | --- | --- |
| Cookies to improve user experience | Our website uses cookies created by ourselves (first-party cookies). Their sole purpose is to enhance the user experience of our Website. No personal data are processed in connection with our use of cookies to enhance your user experience. | Technically necessary cookies; legitimate interest (Article 6(1)(f) GDPR) | These cookies are deleted as soon as you close your browser. |
| Analytics services using Hotjar including Hotjar’s feedback tool | Our Website uses Hotjar to analyse how visitors use it. Hotjar works with cookies to collect information about users’ browsing behaviour on our Website and about the devices they use to access it. Hotjar stores this information in a pseudonymised user profile. Neither Hotjar nor we will use this information to identify users or combine it with other information about individual users. The following personal data of visitors to our Website are processed by Hotjar analytics: Date and time of their visit; Information about their browser; Usage data; Their click path; IP address; Device operating system; Geographic location; Browser language; Display resolution | Consent (Article 6(1)(a) GDPR); performance cookie. When you first visit our Website, you will be asked whether you wish to accept our cookies. Your consent is voluntary. You can also use our Website without accepting cookies. If you have given your consent for the processing of your personal data, you may withdraw your consent at any time. Please note that the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. | Data will be deleted when they are no longer necessary for analysis. |
| Web analytics services using Google Analytics | Our Website uses Google Analytics by Google Ltd. Google Analytics is a web analytics service that allows us to analyse usage patterns on our Website. It uses cookies to collect information about users’ behaviour and their devices, including the truncated IP address. This truncation removes the identifiability of your IP address, making it impossible for us to identify you. The information collected through cookies is usually transmitted and saved by a server of Google, Inc. in the US. The following personal data of visitors to our Website are processed by Google Analytics: Date and time of their visit; App updates; Information about their browser; Their click path; Information about their device; Downloads; Flash version; Location information; IP address (in truncated form); JavaScript support; Pages visited; Purchasing activity; Referrer URL; Usage data; Widget interaction | Consent (Article 6(1)(a) GDPR); performance cookie. When you first visit our Website, you will be asked whether you wish to accept our cookies (and agree to the information collected being transferred to the US). Your consent is voluntary. You can also use our Website without accepting cookies. If you have given your consent for the processing of your personal data, you may withdraw your consent at any time. Please note that the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. | Data will be deleted when they are no longer necessary for analysis. |
| Embedding of the Spotify Player | We incorporate the player from Spotify on our website. Through the integration of the player, Spotify sets cookies on our website. The collection of cookies is carried out exclusively by Spotify. We do not have access to this data or to any other evaluations. Therefore, we do not have the ability to identify individuals based on this information. Spotify uses the collected information for purposes of advertising, market research, and demand-oriented design of its offerings. In connection with the embedding of the Spotify player on our website, Spotify receives the following information and data about you: URL information; IP address; Device information; Operating system; Browser information; Set language; Location information; Connection information | Consent (Art. 6 para. 1 lit. a) GDPR); Performance Cookie. You will be asked upon your first visit to the website whether you agree with the use of cookies. You can provide your consent voluntarily. You can also revoke your consent at any time. Please note that the revocation does not affect the legality of the processing that occurred based on the consent until the revocation. | The storage of the collected information and data is carried out by Spotify AB. You can refer to the privacy policy of Spotify AB (https://www.spotify.com/uk/legal/privacy-policy/) for the duration of storage provided by the service. |
Recipients and authorised persons
We will share your personal information within our Company strictly on a need-to-know basis with those departments and individuals who require this information to analyse user requests and analyse attack and defence scenarios, to register you for the waiting list or for the provision and delivery of the service (e.g. IT staff, relevant departments). We will disclose data to third parties outside our Company only where permitted or required by applicable law, to analyse attack and defence scenarios and to register you for the waiting list or for the provision and delivery of the service, where we have your consent (where required) to do so, where we are authorised to disclose information or where necessary to meet the legitimate interests of the Company. In addition, we work with in-house and third-party service providers to provide our Website and the features it offers to you. These service providers may be given access to your personal information as necessary to allow them to provide their services to GEMA. Our cooperation with these service providers is based on data processing agreements pursuant to Article 28 GDPR. This is how we ensure that the processing of personal data is in accordance with the GDPR, and in particular that data are processed only under our specific instruction and only for the specified purposes and that appropriate safeguards are taken to protect your personal information. Therefore, the categories of recipients may include:
| Recipient or category of recipients | Purpose of processing | Safeguards in place for international transfers where the recipient is based outside the European Economic Area |
| --- | --- | --- |
| Providers of services for the operation of our Website and processing of the data stored or transmitted by the systems (e.g. data centre services, IT security) | The purpose of processing is to ensure the functioning of our Website and to ensure the IT security of GEMA, in particular to provide security against attacks on the network. | No transfer of data to recipients outside the European Economic Area. |
In certain circumstances, we may also transfer your personal information to government bodies, courts, third-party experts and other third parties where required or permitted by law in order (i) to ensure compliance with applicable law, (ii) to respond to requests from authorities, (iii) to comply with applicable legal procedures, (iv) to protect and enforce the rights, security, privacy or property of GEMA, of visitors to our Website, our staff or the general public, (v) to allow us to pursue available remedies or limit the damage we may sustain, and (vi) to respond to emergencies. Such transfers are permitted under Article 6(1)(c) and/or Article 6(1)(f) GDPR.
C. Other music creators
If you are a music creator (performer, author, producer), we may process personal information about you in connection with this Website and our “Artistmatch” service. The following sections describe how your personal data are processed in this context.
Categories and sources of personal data processed
We only process information that we need to provide our service to the relevant users. This includes your name (stage or pen name), your country and your profiles on social media and streaming platforms (including the number of followers, views, etc.). We obtain this information from third parties, including publicly available databases or from the operators or providers of the relevant platforms.
Purposes and legal basis of processing
We process the above-mentioned personal information as necessary to provide our service. The legal basis for this processing is Article 6(1)(f) GDPR. We only use information obtained from publicly available databases or from the operators or providers of the relevant platforms. In other words, we only process information about you that is already publicly available. Therefore, we do not see any interest on your part in protecting the confidentiality of your personal data that would override the business interest we pursue.
Retention period
We will retain your personal data in accordance with the requirements of applicable data protection laws only for as long as it is necessary for us to perform the business activities referred to in section 2. If we determine that your personal data are no longer needed or required, we will stop processing the data and erase them from our systems in compliance with applicable laws or internal policies and/or take action to duly anonymise the data, unless we are required to retain your data to comply with statutory or regulatory requirements we are subject to.
Recipients and authorised persons
We will share your personal information within our Company strictly on a need-to-know basis with those departments and individuals who require this information for the provision and delivery of the service (e.g. IT staff, relevant departments). In addition, we work with in-house and third-party service providers to provide our Website and the “Artistmatch” service. These service providers may be given access to your personal information as necessary to allow them to provide their services to GEMA. Our cooperation with these service providers is based on data processing agreements pursuant to Article 28 GDPR. This is how we ensure that the processing of personal data is in accordance with the GDPR, and in particular that data are processed only under our specific instruction and only for the specified purposes and that appropriate safeguards are taken to protect your personal information. We also share personal information about you with the users of our service. Therefore, the categories of recipients are as follows:
| Recipient or category of recipients | Purpose of processing | Safeguards in place for international transfers where the recipient is based outside the European Economic Area |
| --- | --- | --- |
| Providers of services for the operation of our Website and processing of the data stored or transmitted by the systems (e.g. data centre services, IT security) | The purpose of processing is to ensure the functioning of our Website and to ensure the IT security of GEMA, in particular to provide security against attacks on the network. | No transfer of data to recipients outside the European Economic Area. |
| Users of the service | The purpose of processing is to provide our service. | Users can access our service also from outside the European Economic Area. In this case, the legal basis for processing is our legitimate business interest (see section 2) and processing is performed in accordance with Article 49(1) sentence 1 lit. c) GDPR. |