LDD Music GmbH Privacy and Data Handling Policy

Ensuring Compliance with GDPR, BDSG, and Data Protection Best Practices

1. Context and Overview

Key Details

  • Policy Prepared By: Bärbel Domm
  • Approved By CEO/Management On: 31.12.2024
  • Policy Became Operational On: 01.01.2025
  • Next Review Date: Annually

This document outlines LDD Music GmbH’s privacy and data handling policy, ensuring full compliance with:

  • General Data Protection Regulation (GDPR – EU)
  • Federal Data Protection Act (BDSG – Germany)
  • Amazon’s Selling Partner Data Protection Policy (for Amazon-related data, see Section 9)

1.1 Scope of Policy

This policy applies to:

  • All employees, contractors, and third-party vendors handling data on behalf of LDD Music GmbH.
  • All categories of data, including customer, employee, vendor, business, and Amazon marketplace data.
  • Data collected through websites, services, internal databases, third-party platforms, and Amazon APIs.

This policy defines how data is collected, processed, stored, used, shared, and securely disposed of, ensuring protection against unauthorized access, data breaches, and improper handling.

2. How Data is Collected

LDD Music GmbH collects data from multiple sources to support business operations, legal compliance, customer interactions, and fulfillment processes.

2.1 Categories of Collected Data

| Data Category | Examples | Collection Methods |
|---|---|---|
| Customer Data | Name, email, phone number, address, purchase history | Online checkout, customer service requests, CRM systems |
| Employee Data | Full name, tax ID, payroll details, emergency contacts | HR systems, employment contracts, payroll processing |
| Vendor & Business Partner Data | Company name, contract details, payment records | Vendor agreements, invoice processing, business transactions |
| Website & Marketing Data | IP address, browsing behavior, newsletter subscriptions | Website analytics, cookies, online forms, tracking pixels |
| Amazon Buyer Data | Customer details, order information, shipping data | Amazon Seller Central API |

2.2 Collection Methods

  1. Direct User Input: Data collected through checkout forms, customer service inquiries, and subscriptions.
  2. Automated Systems: Data captured through website analytics, cookies, and transaction records.
  3. Third-Party Integrations: Information received from Amazon, logistics providers, and payment processors, all under GDPR-compliant agreements.

3. How Data is Processed

LDD Music GmbH ensures that all data is processed ethically, securely, and in compliance with legal requirements.

3.1 Processing Purposes & Restrictions

| Processing Purpose | Data Involved | Processing Restrictions |
|---|---|---|
| Order Fulfillment | Customer name, shipping address, payment details | Used only for delivery and financial records |
| Customer Support & Complaint Handling | Customer queries, order history | Access restricted to support teams, deleted after dispute resolution |
| Employee HR & Payroll Management | Employee ID, tax records, salary information | Access limited to HR and Finance teams |
| Website & Marketing Analytics | User interactions, IP addresses, tracking cookies | Consent-based, anonymized for analytics |
| Amazon Data Processing | Buyer details, transaction logs | Complies with Amazon’s Data Protection Policy |

  • Data is processed internally, and external access is restricted to authorized partners.
  • Sensitive data such as payment details is encrypted and securely stored.
  • Amazon customer data is only used for order fulfillment, tracking, and required analytics.

4. How Data is Stored

LDD Music GmbH follows strict security measures to store and protect collected data.

4.1 Data Storage Locations & Security Measures

| Data Type | Storage Location | Security Measures | Retention Period |
|---|---|---|---|
| Customer Data | Internal CRM System | AES-256 Encryption, RBAC, MFA | 5 years (or as required by law) |
| Employee Records | HR & Payroll System | Secured access, encrypted database | 10 years |
| Website Analytics & Tracking Data | Internal Analytics System | No personally identifiable information stored, anonymized data | 12 months |
| Amazon Data | Amazon Secure Cloud (AWS) | TLS 1.2+, restricted API access | 30 days post-fulfillment |

  • Multi-Factor Authentication (MFA) is required for accessing customer and employee records.
  • Amazon API data is restricted based on Role-Based Access Control (RBAC).

5. How Data is Used

LDD Music GmbH only uses collected data for essential business operations such as:

  1. Processing orders, shipments, and payments.
  2. Customer service interactions and complaints resolution.
  3. Legal and compliance reporting.
  4. Analyzing business performance (excluding PII in reports).
  5. Amazon transaction processing, ensuring compliance with Amazon’s policies.

5.1 Prohibited Data Uses

  • Amazon buyer data cannot be used for external marketing or advertising.
  • Personal data cannot be sold, rented, or shared with unauthorized third parties.
  • Data access is strictly limited to employees with a legitimate business purpose.

6. How Data is Shared

LDD Music GmbH follows a strict data-sharing policy, ensuring data is only shared with authorized third parties under GDPR-compliant agreements.

6.1 Authorized Data Sharing Partners

| Recipient | Purpose of Sharing | Data Shared | Security Measures |
|---|---|---|---|
| Amazon Seller Central | Order fulfillment & compliance | Order details, shipping info | Encrypted API exchange |
| Logistics Providers (DHL, FedEx, UPS) | Order delivery tracking | Customer address, tracking number | Limited access, encrypted data |
| Government & Regulatory Bodies | Legal compliance | Tax documents, payroll data | Shared only if required by law |

  • Third-party vendors must sign GDPR-compliant Data Processing Agreements (DPAs).

7. How Data is Disposed Of

LDD Music GmbH follows strict data disposal practices to ensure secure deletion of sensitive data.

| Data Type | Deletion Method | Disposal Timeline |
|---|---|---|
| Customer Data | Automated deletion | 5 years after last interaction |
| Employee HR Records | Secure purge | 10 years after employment ends |
| Amazon Buyer Data | Secure deletion via Amazon API | 30 days after order completion |
| Device & Hardware Data | Military-grade data wipe & destruction | As needed |

8. Compliance & Auditing

  • Quarterly compliance audits to ensure adherence to GDPR and Amazon policies.
  • Annual cybersecurity training for all employees handling sensitive data.
  • Amazon compliance reports are submitted every six months.
  • Data breach response plans in place, with mandatory reporting to authorities within 72 hours as required by GDPR.

Final Statement & Contact Information

For inquiries regarding LDD Music GmbH’s privacy and data protection policies, contact:

  • Data Protection Officer – service@lddmusic.com

This document ensures LDD Music GmbH remains fully compliant with GDPR, BDSG, and Amazon’s Data Protection Policy, safeguarding customer, employee, vendor, and Amazon marketplace data with strict retention, deletion, and access control measures.