Privacy Policy

tolino media GmbH & Co KG takes the protection of your personal data very seriously. We want you to know when and whether we store your data, and how we use it. As a private company, we are subject to the provisions of the European General Data Protection Regulation (GDPR) and the supplementary requirements of the German Federal Data Protection Act (BDSG, as amended). To ensure our compliance and that of our external service providers with the data protection requirements, we have taken appropriate technical and organizational measures.

The tolino brand websites (hereinafter “website[s]”) are provided and operated by tolino media GmbH & Co KG (hereinafter “tolino media” or “we”). The tolino brand is also found on the social media channels Twitter and YouTube.

This general privacy policy applies to all tolino brand online offerings provided by tolino media, including websites, functions and content, as well as our online presence through social media profiles, for example. Below you will find both general and mandatory information as part of the new General Data Protection Regulation, as well as information about data processing activities carried out on our brand websites.
The tolino brand’s online websites, profiles and channels at a glance:

1. Responsible entity (controller)

The entity responsible (controller) for tolino’s online websites, profiles and channels is:

tolino media GmbH & Co KG
Managing Director Dr. Bernhard Mischke
Albrechtstraße 14
80636 Munich, Germany

Contact details (please use our contact form below):

Phone: +49 89 4522018-6680
Fax: +49 89 4522018-6688

Privacy Officer:

Leopoldstr. 21
80802 München

2. Definitions to aid understanding

We use terms in our privacy policy that are used and defined in the GDPR. We wish to explain the key terms to ensure that you know what they mean. Our explanations are located in the FAQ section.

3. General information about data processing

3.1 Scope of personal data processing

In general, we only process your personal data to the extent that it is necessary for providing our online offerings, content and services. Your data is regularly collected and used only after you have provided consent or if processing of the data is permitted by law.

3.2 Legal basis for personal data processing

When it comes to data protection, the principle of prohibition subject to permission applies. According to this principle, the processing of personal data is generally unlawful unless the data subject has given consent or processing is justified due to legally regulated grounds for permission. We are obligated to inform you about the legal bases for data processing.

The legal basis in cases where we obtain your consent for the processing of personal data is Art. 6 (1) (a) GDPR.

The legal basis for data processing that is necessary for the performance of a contract concluded between you and us or for taking steps prior to entering into a contract is Art. 6 (1) (b) GDPR.

The legal basis for processing personal data for compliance with a legal obligation to which we are subject, such as statutory retention and storage obligations, is Art. 6 (1) (c) GDPR.

In the event that processing personal data is necessary in order to protect the vital interests of the data subject or of another natural person, the legal basis is Art. 6 (1) (d) GDPR.

Art. 6 (1) (f) GDPR provides for the processing of personal data if processing is necessary for the purposes of the legitimate interests pursued by us or by a third party and your interests or fundamental rights and freedoms do not override the interests of the former.

3.3 Sharing personal data with third parties and order processors

As a rule, we do not share your personal data with third parties without your express consent. If, however, as part of processing we disclose your data to third parties, transmit it to them or otherwise grant them access to the data, we do so solely on the basis of the aforementioned legal grounds. We transmit data to payment service providers, for example, if doing so is necessary to perform a contract. If we are obligated to do so by law or a court order, we must transmit your data to those authorities entitled to receive such information.

3.4. Data transfer to third countries

The GDPR ensures the same high level of data protection within the European Union. We therefore opt for European partners, whenever possible, when selecting our service providers in cases that involve the processing of your personal data. We only have data processed outside the European Union or the European Economic Area in cases of exception when using services provided by third parties.

We only permit your data to be processed in a third country if the specific conditions outlined in Art. 44 et seqq. GDPR are met. This means that your data may only be processed based on specific guarantees, such as the determination officially recognized by the EU Commission of an adequate level of data protection in line with that of the EU or adherence to specific contractual obligations known as the standard contractual clauses. We require U.S. service providers to use these standard clauses or to submit to the Privacy Shield, which is the data protection agreement negotiated between the European Union and the United States.

3.5 Erasure of data and storage period

Once the purpose for storing your data has been served, we will erase or block your personal data. However, your data may also be stored if provided for by European or national lawmakers in EU regulations, laws or other rules to which we are subject. This pertains, for example, to data that must be retained for reasons relating to commercial or tax law, such as billing data for subscriptions. Your data will be blocked or erased if a storage period specified by these provisions and regulations expires, unless there is a need to continue storing the data for concluding or performing a contract.

4. Data subject rights

You have the right to object at any time to the processing of your personal data carried out under Art. 6 (1) (e) or (f) GDPR, insofar as there are grounds for doing so relating to your particular situation and personal data is collected. We will then no longer process the personal data, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. Your rights include:

  • the right of access,
  • the right to rectification or erasure,
  • the right to restriction of processing,
  • the right to object to processing and
  • the right to data portability.

4.1 Right to withdraw a declaration of consent under data protection law

If personal data is processed based on consent that you have given, you have the right to withdraw this consent at any time. Withdrawal does not affect the lawfulness of processing performed based on your consent up to the point at which it is withdrawn.

Please contact us using the contact form below to exercise your rights or withdraw your consent.

4.2 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The following data protection supervisory authority is responsible for tolino:

Bayerisches Landesamt für Datenschutzaufsicht
Promenade 27 (Schloss)
91522 Ansbach
Phone: +49 (0) 981 53 1300
Fax: +49 (0) 981 53 98 1300

5. Use of our online offerings

You are able to use our online offerings without disclosing your identity. In this section, we explain to you when and in what connection we process data with regard to the use of our online offerings, what offerings from service providers and partners we have implemented, how they work and what happens with your data.

5.1 Data collection when visiting our websites

Since our tolino brand website can be used strictly for informational purposes, meaning you do not have to register, enter into a contract with us or otherwise disclose information to us (with the exception of the contact form), we only collect the personal data that your browser transmits to our servers. When you visit our websites, we collect the following data that is technically necessary in order to display our websites to you and ensure their stability and security.

  • User’s IP address
  • Date and time of access
  • Content of the request (specific page)
  • Access status/HTTP status code
  • The amount of data transmitted in each case
  • The website from which the request for access occurs
  • User’s operating system
  • Language and version of the browser software

This information is stored temporarily in our system’s log files for a period of no more than seven days. Storage of this information that exceeds this period is possible. In such an event, the IP addresses are partially erased or distorted so that it is no longer possible to match them to the clients who accessed the site. Log files are not stored together with other personal data relating to you in this context. The legal basis for these processing activities is Art. 6 (1) (f) GDPR.

Since the collection of data for displaying websites and the storage of data in log files is absolutely necessary to operate our websites and preserve IT security, you have no possibility to object in this respect.

5.2 Use of cookies

Apart from the previously mentioned data, cookies are stored on your device in relation to the use of our websites during and also after your visit to our online offerings. Cookies are small text files that can be sent from a website to the browser, stored by the browser and sent back. It is possible to store various information in cookies that the site setting the cookie can retrieve. Cookies usually contain a distinct string of characters (ID) that makes it possible to clearly identify the browser if users access the website again or switch pages. They primarily serve to make our online offerings more effective and user-friendly overall. As a basic principle, data collected from users in cookies is pseudonymized, which means that, as a rule, it is no longer possible to match the data with the user accessing the site.

We use different types of cookies:

Transient cookies – also known as temporary or session cookies – are cookies that are deleted after you leave our website and close your browser. Language settings, for example, are stored in such cookies.

Persistent or permanent cookies remain stored on the device, even after the browser has been closed. We use such cookies to measure reach or for marketing purposes, among other reasons. Persistent cookies are automatically deleted after a specified period of time, which may vary depending on the cookie. However, you are able to delete these cookies at any time in your browser’s security settings. Please note that deleting these cookies may mean that not all functions of our online offerings will be available to you any longer.

The legal basis for processing personal data through the use of cookies is Art. 6 (1) (f) GDPR.

Click on the links below for information about how you can manage (including deactivate) cookies with the most commonly used browsers:

5.3. Matomo for web analytics

Based on our legitimate interest in the statistical analysis of user behavior for optimization and marketing purposes pursuant to Art. 6 (1) (f) GDPR, data is collected and stored on the tolino brand websites through the use of the open-source-software tool Matomo, a service from the provider InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand (“Matomo”). Pseudonymized usage profiles can be created from this data and evaluated for the same purpose. Cookies may be used to this end (refer to the “Cookies” section link). These cookies make it possible to recognize the internet browser, among other things. The data collected using Matomo technology (including your pseudonymized IP address) is exclusively processed locally on our server and not passed on to third parties.

As part of your use of our online offerings, some information transmitted by your browser is collected and analyzed for our web analytics. Collection occurs through a pixel that is embedded on every website. The following data is stored on our server for the statistical analysis of your website visit:

  • IP address – immediately anonymized and then deleted after processing
  • The website accessed
  • The website from which the user accesses the requested page (referrer URL)
  • The subpages accessed from the requested website
  • Length of time spent on the website
  • How often the website is accessed
  • Request (file name of the requested file)
  • Information about the device and the user agent or the user-agent profile (e.g., language, type and version, operating system, device model, screen resolution)
  • JavaScript activation
  • Java enabled/disabled
  • Cookies enabled/disabled
  • Time of access
  • Content of forms (with regard to free-form text fields, e.g., name and password, only “filled out” or “not filled out” is sent)

As part of our web analytics powered by Matomo, your IP address is stored only in abbreviated and thus anonymized form, and used only for session recognition, for geolocation (down to city level) and for defense against attacks. The IP address is then immediately deleted so that the collected data is anonymous and it is no longer possible to establish the user’s identity, even through a roundabout approach via the ISP.

Data is not shared with third parties.

If you do not agree to the pseudonymized storage and analysis of this data from your website visit, you can object to its storage and use at any time by clicking on the link below. In this case, an opt-out cookie will be placed in your browser, which means that Matomo will not collect session data of any kind. Please note that deleting all of your cookies will also delete the opt-out cookie, which you may then need to reactivate.

5.4. Registration function / Customer account

We do not offer users any opportunity on tolino brand websites to register by providing personal data. Accordingly, no personal data is recorded, stored or used on mytolino brand websites.

Please contact the local customer service team if you have any questions about registering with your tolino bookstore. You will find our contact form for conveniently contacting the responsible bookstore at the end of this website.

5.5. Contact forms and email contact

You will find contact forms and email links (mailto) on our online offerings, which you can use to establish electronic contact. We thereby meet the legal requirement, among other things, for facilitating swift electronic contact with us. If you use these options to contact us, your information will be processed for the purposes of responding to your inquiry pursuant to Art. 6 (1) (c) GDPR. In this context, processing merely means the one-time transmission of the contact inquiry to the relevant customer service team (of a tolino bookstore) or a contact person at tolino media. Even in these instances, the tolino brand websites only serve as a portal of the tolino alliance; contact is regularly established here with the relevant bookstore selected by the user in the contact form.

The transmitted data is not stored in connection with this. Rather, the data is automatically deleted once the customer inquiry has been sent to the party responsible.

If an email inquiry related to business matters happens to be addressed to a contact at tolino media (e.g., higher-level inquiries to the tolino PR team), the transmitted data is deleted once it is no longer necessary for establishing contact and the matter in question has been fully resolved. The data transmitted to tolino media in connection with this is used exclusively for processing the correspondence.

5.6 Newsletter

No newsletters are sent to website users or tolino bookstore customers via the tolino brand websites. Please contact the local customer service team if you have questions about your tolino bookstore’s newsletter.

5.7. External links

Our online offerings contain links to other websites. We have no influence over whether the operators of those websites comply with data protection regulations.

If you have questions about how personal data is handled at the individual tolino bookstores, please contact the customer service team of your tolino bookstore directly. You can do so by using our contact form below, for example.

6. Changes

The internet’s fast-paced development makes it necessary to amend our privacy policy from time to time. We will inform you here about those changes.

Munich, Germany, May 25, 2018