Privacy policy according to the GDPR

We attach a great deal of importance to protecting your personal data. Personal data processing therefore takes place in compliance with the applicable European and national legislation.

You may naturally revoke your declaration(s) of consent at any time with effect for the future. Please contact the controller according to § 1 to do so.

The following policy provides an overview of what type of data is collected, how it is used and disclosed, what security measures we take to protect your data, and how you can obtain information about the information we gather.

Legal basis for personal data processing
Insofar as we obtain the data subject’s consent to process their personal data, Art. 6, Para. 1, Clause 1, lit. a) of the EU General Data Protection Regulation (GDPR) shall apply as the legal basis.
Where personal data is processed because this is necessary to fulfil a contract to which the data subject is a party, Art. 6, Para. 1, Clause 1, lit. b) of the GDPR shall apply as the legal basis. This also applies to processing which is required to carry out pre-contractual measures.
If personal data needs to be processed to fulfil a legal obligation to which we are subject, Art. 6, Para. 1, Clause 1, lit. c) of the GDPR shall apply as the legal basis.
If processing is necessary to protect a legitimate interest on the part of our company or a third party, and if the data subject’s interests, fundamental rights and fundamental freedoms do not take precedence over the former interest, Art. 6, Para. 1, Clause 1, lit. f) of the GDPR shall apply as the legal basis for processing.

Deletion of data and duration of storage
The data subject’s personal data shall be deleted or blocked as soon as the purpose of storage ceases to apply. Storage can also take place if this was stipulated by the European or national legislator in Union regulations, legislation or other specifications to which we are subject. Blocking or deletion of the data also takes place if a storage period stipulated by the aforementioned standards elapses, unless the data must be stored for longer to conclude or fulfil a contract.

 

§ 1 The controller and the data protection officer

(1) Name and address of the controller
The controller under the terms of the General Data Protection Regulation, other national data protection legislation of the member states and other provisions under data protection legislation is:

MAHA Maschinenbau Haldenwang GmbH & Co. KG
Hoyen 20
87490 Haldenwang
Germany
Phone +49 8374 585 0
Mail maha@maha.de
Website https://www.maha.de/

(2) Name and address of the data protection officer
The controller’s data protection officer is:

Dieter Grohmann | AKWISO Datenschutz & Audit
Beethovenstraße 23
87435 Kempten
Deutschland | Germany
Phone +49 831 5124 7030
Mail dg@akwiso.de
Website www.akwiso.de

 

§ 2 Definitions

The privacy policy is based on the terms used by the European regulatory authority when adopting the EU General Data Protection Regulation (hereinafter referred to as the “GDPR”). The privacy policy should be easy to read and understand. To ensure that this is the case, explanations of the most important terms are provided below:

a) Personal data means all information which relates to an identified or identifiable natural person (hereinafter referred to as the “data subject”). An identifiable natural person is one who can be identified either directly or indirectly, particularly by means of assignment to an identifier such as a name, to an ID number, to location data, to an online ID or to one or several particular features which are an expression of this natural person’s physical, physiological, genetic, mental, economic, cultural or social identity.

b) Data subject means any identified or identifiable natural person whose personal data is processed by the controller responsible for processing.

c) Processing means any listed operation carried out with or without the help of automated methods or any such series of operations associated with personal data such as collection, recording, organisation, arrangement, storage, adaptation or modification, reading, querying, use, disclosure through transfer, dissemination or provision in another way, comparison or linking, restriction, deletion or destruction.

d) Profiling means any kind of automated personal data processing which is characterised by the fact that this personal data is used to evaluate certain personal aspects relating to a natural person, and particularly to analyse or predict aspects concerning job performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

e) Pseudonymisation means personal data processing in such a way that the personal data can no longer be assigned to a specific data subject without the help of additional information, provided that this additional information is stored separately and subject to technical and organisational measures which guarantee that the personal data cannot be assigned to an identified or identifiable natural person.

f) Controller, or controller responsible for processing means the natural or legal person, authority, establishment or other body which, either alone or together with others, decides on the purposes and means of personal data processing. If the purposes and means of such processing are stipulated by Union or member state law, the controller and the specific criteria of their appointment may be provided for under Union or member state law.

g) Processor means a natural or legal person, authority, establishment or other body which processes personal data on the controller’s behalf.

h) Recipient means a natural or legal person, authority, establishment or other body to whom personal data is disclosed, regardless of whether or not it is a third party. However, authorities which may receive personal data in the context of a specific investigation mandate under Union or member state law are not considered to be recipients.

i) Third party means a natural or legal person, authority, establishment or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data.

j) Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes in the form of a declaration or another clear and affirmative act, by which the data subject signifies agreement to the processing of the personal data concerning them.

 

§ 3 Providing the website and creating log files

(1) When you are merely using the website for information purposes, i.e. if you do not register or otherwise transfer information to us, each time our website is accessed we automatically collect the following data and information from the accessing computer’s system:

a) Date and time of access
b) Content of hits (specific pages)
c) The names of downloaded files
d) The user’s IP address
e) Information about the browser type and the version used
f) The language and version of the browser software
g) The amount of data transferred

The data is also stored in our system’s log files. This data is not stored together with other personal data belonging to the user.


(2) The legal basis for the temporary storage of the log files is Art. 6, Para. 1, Clause 1, lit. f) of the GDPR.
(3) The temporary storage of the IP address by the system is necessary to

a) enable delivery of the website to the user’s computer. The user’s IP address must remain stored for the duration of the session for this purpose.
b) optimise the contents of our website and advertising for the same
c) guarantee the functionality of our IT systems and our website’s technology
d) provide law enforcement authorities with necessary information in the event of a cyber attack

Storage in log files is carried out to guarantee the functionality of the website. Additionally, we also use the data to optimise the website and to ensure the security of our IT systems. Evaluation of data for marketing purposes does not take place in this regard.

These purposes also constitute our legitimate interest in data processing according to Art. 6, Para. 1, Clause 1, lit. f) of the GDPR.

(4) The data shall be deleted as soon as it is no longer required to achieve the purpose for which it was collected – in this case, when the usage process ends.

If data is stored in log files, deletion takes place after seven days at the latest. Extended storage is possible. In this case, the IP addresses are deleted or anonymised so that they can no longer be allocated to the accessing client.

(5) Recording the data to provide the website and storing it in log files is essential for operating the website, which is why there is no opportunity to object.

 

§ 4 Use of cookies

(1) This website uses “cookies”. Cookies are small text files which, as soon as you visit a website, are sent to your browser by a web server, are saved locally on your terminal device (PC, notebook, tablet, smartphone, etc.) and allow the user of the cookies (i.e. us) to receive certain information. Cookies are used to make the website more customer-friendly and secure, and particularly to collect usage-related information such as frequency of use and the number of page visitors, as well as website activity. Cookies do not damage the computer in any way and do not contain any viruses.

This cookie contains a characteristic character string (“cookie ID”), which enables unique identification of the browser the next time the website is called up.

(2) We use cookies to make our website more user-friendly. Some elements of our website require the accessing browser to also be identifiable after a page change. The following data is stored and transferred in the cookies:

  • Language settings
  • Session information
  • Login information

The legal basis for personal data processing using cookies is Art. 6, Para. 1, Clause 1, lit. f) of the GDPR.

(3) The purpose of using technically necessary cookies is to simplify use of the website for you. Some functions of our website cannot be offered without the use of cookies. To this end, the browser must be recognised even after a page change.

We need cookies for the following applications:

  • Application of language settings
  • Adoption of login information

The user data collected by technically necessary cookies is not used to create user profiles.

(4) Cookies remain stored even if the browser session is ended and can be called back up the next time you visit a web page. However, cookies are stored on your computer and transmitted to our site by it. You therefore have full control over the use of cookies. If you do not want data to be collected by cookies, you can make settings in your browser using the menu under “Settings” to ensure that you are informed about cookies being set, can categorically refuse the setting of cookies, or can also delete cookies on an individual basis. However, deactivating cookies may impair the functionality of this website. If the cookies are session cookies, they are automatically deleted once the user leaves the website anyway.
 


 

§ 5 Disclosure of data to third parties

(1) Links to external web pages
This website contains links to external pages. We are only responsible for our own content. We do not have any influence over the content of external links and are therefore not responsible for the same, and in particular we do not make such content our own. If you are redirected to an external page, the privacy policy provided there shall apply. If you become aware of illegal activities or contents on such pages, please do not hesitate to contact us. In this case, we shall check the content and respond accordingly (“notice and take down” procedure).

 

§ 6 Contact form and email contact

(1) On our website, there is a contact form which can be used to contact us electronically. If you use this option, the data entered in the input screen shall be transferred to us and stored. This data includes:

  • First name
  • Surname
  • Company
  • Street, no.
  • P.O. box
  • Postcode
  • Town / city
  • Country
  • Telephone number
  • Email address

The following data is also stored when the message is sent:

  • The user’s IP address
  • Date and time

Your consent for data processing is obtained during the sending process, and reference is made to this privacy policy.
Alternatively, you can also contact us on the email address provided. In this case, the personal data which is transferred with the email is stored.
If this information relates to communication channels (e.g. your email address or telephone number), you are also consenting to the fact that we may, if necessary, contact you using these communication channels to respond to your request.
Your data shall not be disclosed to third parties in this regard. The data is only used for processing the conversation.

(2) The legal basis for data processing, provided that the user has given their consent to this effect, is Art. 6, Para. 1, Clause 1, lit. a) of the GDPR. The legal basis for processing data transferred in the course of sending an email is Art. 6, Para. 1, Clause 1, lit. f) of the GDPR. If you have contacted us by email with the aim of concluding a contract, Art. 6, Para. 1, Clause 1, lit. b) of the GDPR forms an additional legal basis.

(3) We only process personal data from the input screen to process the contact request. We shall naturally only use the data from your email enquiry for the purpose for which you are providing it during such contact. If the user makes contact by email, there is also a required legitimate interest in data processing when we reply. The other personal data processed during the sending process is used to prevent misuse of the contact form and to ensure the security of our IT systems.

(4) The data shall be deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the contact form’s input screen and the data sent by email, this is the case when the respective conversation with the user has ended. The conversation is ended when the circumstances indicate that the situation concerned has been conclusively clarified. The personal data also collected during the sending process is deleted after a period of seven days at the latest.

(5) You have the opportunity to revoke your consent to the processing of your personal data at any time. If you contact us by email, you can object to the storage of your personal data at any time. The conversation cannot be continued in a case such as this. With regard to revocation of consent / objection to storage, we ask that you contact the controller or the data protection officer according to § 1 by email or post. All personal data stored during the course of contact is deleted in this case.

 

§ 7 Google Analytics

(1) On our website, we use the service provided by Google Inc. (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) to analyse our users’ surfing behaviour. The software sets a cookie on your computer (see (4) for information about cookies). If individual pages of our website are viewed, the following data is stored:

  • Two bytes of the IP address of the user’s accessing system
  • The web page viewed
  • Entry pages, exit pages
  • The time spent on the web page and the cancellation rate
  • The frequency of visits to the web page
  • The country of origin and regional origin, language, browser, operating system, screen resolution, use of Flash or Java
  • Search engines and search terms used

(2) The information generated by the cookie about the users’ use of this website shall generally be transmitted to and stored on a Google server in the USA.

(3) The legal basis for personal data processing is Art. 6 (1), sentence 1 (a) of the GDPR. 

(4) Google shall use this information on our behalf to evaluate your use of the website and to compile reports on website activities. Evaluation of the obtained data allows us to compile information about the use of our websites’ individual components. This helps us to constantly improve our website and its user-friendliness.

(5) The data shall be deleted as soon as it is no longer required for the purposes that it was collected for. In our case, this is after 14 months.

(6) The cookies used are stored on and transmitted to our site by your computer. If you do not agree to the usage data being collected and evaluated, you can prevent this from happening by making the relevant setting in your browser software, i.e. by disabling or restricting the use of cookies. You can delete cookies that have already been stored at any time. However, if you do this, you may not be able to use all of this website’s functions in full. Furthermore, you can prevent Google’s collection and processing of the data generated by the cookie and related to your use of the website (including your IP address) by downloading and installing the browser plugin available at the following link. The current link is: https://tools.google.com/dlpage/gaoptout?hl=en-GB. You can revoke your consent to personal data processing at any time. If you contact us by email, you can object to the storage of your personal data at any time. With regard to revocation of consent / objection to storage, we ask that you contact the controller according to (1) by email or post.

(7) If you visit our website using your mobile device, you can also object to the use of Google Analytics by clicking on the following link: Deactivate Google Analytics. In this case, a cookie that tells Google to stop tracking is set in your browser.

(8) The controller is Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. You will find further information in the terms of use at https://marketingplatform.google.com/about/analytics/terms/us/, in the data protection overview at https://www.google.com/intl/gb/analytics/learn/privacy.html and in the privacy policy at https://policies.google.com/privacy?hl=en-GB.

(9) According to Art. 13 and Art. 14 of the GDPR, we hereby inform you that we collect your data and process it in the course of further processing. You hereby agree to the disclosure of your personal data. Of course, according to Art. 15 of the GDPR, you have a right of access at any time to confirm our processing activities, a right of rectification (Art. 16 of the GDPR), a right of erasure (Art. 17 of the GDPR) and a right to restriction of processing (Art. 18 of the GDPR).
You shall be notified of your personal data being rectified or erased, or of processing of your data being restricted, on request according to Art. 19 of the GDPR. Furthermore, you can request that data be transmitted to another controller at any time under the conditions set down in Art. 20 of the GDPR. You also have the right to object at any time to the processing of personal data concerning you according to Art. 21 of the GDPR by emailing dg@akwiso.de.


§ 8 Integration of Google Maps

(1) Our website uses the services of Google Maps. This allows us to display interactive maps on our website and permits you convenient usage of the map function.

(2) When you visit the website, Google receives the information that you have accessed the respective sub page of our website. In addition, the data listed under § 7 of this statement is transmitted. This is the case irrespective of whether or not you have a Google user account and are logged into it. If you are logged into a Google account, your data is associated directly with your account. If you do not wish for your data to be associated with your Google profile, log out before activating the button. Google saves your data as usage profiles and uses it for the purposes of promotion, market research and/or tailoring its website to the users' needs. In particular, this evaluation is conducted (even for users not logged into a user account) to provide tailored advertising and to inform other users of the social network about your activities on our website. You have a right to object to the creation of these user profiles, but in order to exercise this right, you will have to contact Google.

(3) For further information on the purpose and extent of data collection and processing thereof by the plug-in provider, refer to the provider's data privacy statement. It also contains information on your associated rights and setting options to protect your privacy: https://www.google.de/intl/de/policies/privacy.

 

§ 9 E-Commerce

(1) You can order brochures and advertising materials using our website’s Support section. To complete an order, you must provide personal data or have specified your data when you registered your personal customer account. We require this data to process your order. The following data is collected when you use the shop:

  • Name / Company name
  • Address (or an alternative delivery address, if necessary)
  • Email address
  • Phone number
  • IP address
  • Date and time of the order

Your data is only passed on to third parties if we are required to transfer the same for the purposes of processing a contract, billing, or collecting money, or if you have expressly consented to the same. In this respect, we only transfer the data required on a case-by-case basis.

(2) The shop is maintained by Druckerei Rieder GmbH & Co. KG, Magnusstr. 14, 87437 Kempten, Tel.: +49 (0)831 63250 and +49 (0)831 5655217, Email info@rieder-druck.de, www.rieder-druck.de / www.rieder-werbemittel.de by means of a service contract.

(3) The legal basis is Art. 6 (1), sentence 1 (b) of the GDPR. With respect to the voluntary data, the legal basis for data processing is Art. 6 (1), sentence 1 (a) of the GDPR.

(4) The collected mandatory data is required to fulfil the contract with the user (for the purpose of sending the goods and confirming the contents of the contract). We therefore use the data to answer your enquiries, to process your order and for the purpose of technical administration of the website. Any voluntary information you provide is used to prevent misuse and investigate criminal offences if necessary. We may also process the data you provide to tell you about other interesting products from our range or to send you emails containing technical information.

(5) The data shall be erased as soon as it is no longer required to achieve the purpose for which it was collected. We are obligated under specifications in commercial and tax law to save your address, payment and order details for ten years following performance of the contract. However, we undertake to restrict processing after two years, i.e. your data shall only be used to adhere to legal obligations. If a continuing obligation has been established between ourselves and the user, we shall store the data for the entire term of the contract and for the duration of ten years thereafter (see above). With respect to the voluntary information you provide, we shall erase the data once two years after performance of the contract have elapsed, provided that no further contracts have been concluded with the user in this period; if a contract is concluded with the user in the same period, the data shall be erased once two years after processing of the most recent contract have elapsed. Statutory retention periods shall remain unaffected and take precedence.

(6) If the data is required to fulfil a contract or to implement pre-contractual measures, the data may only be erased prematurely provided there are no contractual or legal obligations to the contrary.
Otherwise, you are free to have us completely erase the personal data you provided on registration from the database maintained by the controller responsible for processing. The controller responsible for processing shall provide you with information about the personal data we store about you at any time on request. Furthermore, the controller responsible for processing shall rectify or erase personal data on the data subject’s request following submission of proof, provided there are no statutory retention obligations to the contrary. You may contact the controller or the data protection officer under Section 1 at any time by email or post and request that they erase / modify your data.

 

§ 10 Rights of the data subject

If personal data about you is processed, you are the data subject under the terms of the GDPR, and you are entitled to the following rights vis-à-vis the controller:

  1. Right of access
  2. Right to correction
  3. Right to restriction of processing
  4. Right to deletion
  5. Right to information
  6. Right to data portability
  7. Right to object to processing
  8. Right to revocation of consent under data protection legislation
  9. Right to not be subject to automated decision-making
  10. Right to lodge complaints with a supervisory authority

1. Right of access

(1) You can request confirmation of whether personal data concerning you is processed by us from the controller. If such processing takes place, you may request free information about the personal data stored about you and about the following from the controller:

a) The purposes for which the personal data is being processed;
b) The categories of personal data which are processed;
c) The recipients or categories of recipients to whom the personal data concerning you was or shall be disclosed;
d) The planned duration of storage of the personal data concerning you or, if specific information cannot be provided on this matter, criteria for defining the duration of storage;
e) The existence of a right to correct or delete the personal data concerning you, a right to restrict processing by the controller, and a right to object to such processing;
f) The existence of a right to lodge a complaint with a supervisory authority;
g) All of the available information about the origin of the data, if the personal data was not collected from the data subject;
h) The existence of automated decision-making, including profiling according to Art. 22, Paras. 1 and 4 of the GDPR, and – at least in these cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

(2) You are entitled to the right to request information about whether the personal data concerning you is transferred to a third country or an international organisation. In this context, you can request to be informed of the appropriate safeguards according to Art. 46 of the GDPR in connection with such transfer.

2. Right to correction

You have a right to immediate correction and/or completion vis-à-vis the controller, provided that the processed personal data concerning you is incorrect or incomplete.

3. Right to restriction of processing

(1) You can request from the controller that processing of the personal data concerning you be immediately restricted under the following conditions:

a) If you dispute the accuracy of the personal data concerning you for a duration that enables the controller to check the accuracy of the personal data;
b) If processing is unlawful and you refuse deletion of the personal data and instead request restriction of your personal data’s use;
c) The controller no longer needs the personal data for the purposes of processing, but you require the same to establish, exercise or defend legal claims; or
d) If you have objected to processing according to Art. 21, Para. 1 of the GDPR and it has not yet been determined whether the controller’s legitimate grounds take precedence over your grounds.

(2) If processing of the personal data concerning you is restricted, such data may – with the exception of storage – only be processed with your consent, for the establishment, exercise or defence of legal claims, for the protection of rights of another natural or legal person, or for reasons of important public interest of the Union or of a member state. If restriction of processing was not carried out according to the aforementioned conditions, you shall be informed by the controller before the restriction is removed.

4. Right to deletion

(1) You can ask the controller to immediately delete the relevant personal data if one of the following grounds applies:

a) The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
b) You revoke your consent on which processing according to Art. 6, Para. 1, lit. a) or Art. 9, Para. 2, lit. a) of the GDPR was based, and there are no other legal grounds for processing.
c) You object to processing according to Art. 21, Para. 1 of the GDPR and there are no other overriding legitimate grounds for processing, or you object to processing according to Art. 21, Para. 2 of the GDPR.
d) The personal data concerning you was processed unlawfully.
e) Deletion of the personal data concerning you is required to fulfil a legal obligation under Union law or the law of the member states to which the controller is subject.
f) The personal data concerning you was collected in relation to the offer of information society services according to Art. 8, Para. 1 of the GDPR.

(2) If the controller has made the personal data concerning you public and is obligated to delete the same according to Art. 17, Para. 1 of the GDPR, taking account of the available technology and the associated implementation costs the controller shall take appropriate measures, including those of a technical nature, to inform other controllers processing the personal data that you as the data subject have requested the deletion of all links to this personal data or to copies or replications of the same.

(3) The right to deletion does not exist insofar as processing is required

a) to exercise the right to freedom of expression and information;
b) to fulfil a legal obligation which requires processing according to Union or member state law to which the controller is subject, to perform a task carried out in the public interest, or to exercise official authority vested in the controller;
c) for reasons of public interest in the area of public health according to Art. 9, Para. 2, lit. h) and i), as well as Art. 9, Para. 3 of the GDPR;
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes according to Art. 89, Para. 1 of the GDPR, insofar as the right mentioned under a) is likely to render impossible or seriously impair the achievement of the objectives of such processing; or
e) for the establishment, exercise or defence of legal claims.

5. Right to information

If you have asserted your right to correction, deletion or restriction of processing vis-à-vis the controller, the controller is obligated to inform all the recipients to whom the personal data concerning you was disclosed of this correction or deletion of data or of the restriction of processing, unless doing so proves to be impossible or would involve a disproportionate effort. You are entitled to receive information about these recipients from the controller.

6. Right to data portability

(1) You have the right to receive the respective personal data which you provided to the controller in a structured, common and machine-readable format. You also have the right to transfer this data to another controller without hindrance from the controller to whom the personal data was provided, insofar as

a) processing is based on consent according to Art. 6, Para. 1, lit. a) of the GDPR or Art. 9, Para. 2, lit. a) of the GDPR or on a contract according to Art. 6, Para. 1, lit. b) of the GDPR; and
b) processing is carried out by automated means.

(2) In exercising this right, you further have the right to have the personal data concerning you transferred directly from one controller to another, where technically feasible. The rights and freedoms of others must not be adversely affected by the exercising of this right.

(3) The right to data portability does not apply to the processing of personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

(4) With regard to asserting the right to data portability, the data subject can contact the controller responsible for processing at any time.

7. Right of objection

(1) You have the right, on grounds relating to your particular situation, to object at any time to processing of the personal data concerning you based on Art. 6, Para. 1, lit. e) or f) of the GDPR; this also applies to profiling based on these provisions.

(2) The controller shall no longer process the personal data concerning you unless they can demonstrate compelling and legitimate grounds for processing which outweigh your interests, rights and freedoms, or if processing serves to establish, exercise or defend legal claims.

(3) If the personal data concerning you is processed for the purpose of carrying out direct advertising, you have the right at any time to object to processing of the personal data concerning you for the purposes of such advertising; this also applies to profiling if it is in conjunction with such direct advertising. If you object to processing for the purposes of direct advertising, the personal data concerning you shall no longer be processed for these purposes.

(4) In connection with the use of information society services – notwithstanding Directive 2002/58/EC – you can exercise your right of objection by automated means where technical specifications are used.

(5) To exercise the right of objection, the data subject can contact the controller responsible for processing.

8. Right to revocation of your declaration of consent under data protection legislation

You have the right to revoke your declaration of consent under data protection legislation at any time. Revocation of consent does not affect the lawfulness of processing carried out based on consent up until the same is revoked. You can contact the controller for this purpose.

9. Automated decision on a case-by-case basis, including profiling

(1) You have the right to not be subjected to a decision based solely on automated processing – including profiling – which has legal implications for you or significantly affects you in another way. This does not apply if the decision

a) is required to conclude or fulfil a contract between you and the controller;
b) is permissible based on Union or member state legislation to which the controller is subject, and this legislation contains appropriate measures to protect your rights and freedoms as well as your legitimate interests; or
c) is made with your express consent.

(2) However, these decisions may not be based on specific categories of personal data according to Art. 9, Para. 1 of the GDPR, insofar as Art. 9, Para. 2, lit. a) or g) of the GDPR does not apply and appropriate measures were taken to protect rights and freedoms as well as your legitimate interests.

(3) With regard to the cases mentioned in (1) and (3), the controller shall take appropriate measures to protect rights and freedoms as well as your legitimate interests, which at least includes the controller’s right to request someone’s intervention, present their own point of view and contest the decision.

(4) If the data subject would like to assert rights in relation to automated decision-making, they can contact the controller for data processing concerning this matter at any time.

10. Right to lodge complaints with a supervisory authority

Regardless of another administrative or judicial legal remedy, you have the right to lodge complaints with a supervisory authority, particularly in the member state where your place of residence, your workplace or the place of the suspected violation is located if you believe that the processing of the personal data concerning you is in violation of the GDPR. The supervisory authority with whom the complaint was lodged informs the complainant of the status and results of the complaint, including the possibility to appeal according to Art. 78 of the GDPR.
 

§ 10 Amendments to the privacy policy

We reserve the right to amend our data protection practices and this policy at any time in order to adapt it to amendments to relevant laws and regulations or to better meet your needs. Any amendments to our data protection practices shall be announced accordingly at this time. Please note the privacy policy’s current version date for this purpose.

 

Data protection information for Microsoft Forms

In the following, we provide information about the processing of personal data in connection with the use of "Microsoft Forms".

We use the "Microsoft Forms" tool for internal and external surveys and queries, e.g. evaluation of actions carried out, registration for company events, etc.

"Microsoft Forms" is a tool within Microsoft 365 used by MAHA Maschinenbau Haldenwang GmbH & Co. KG and a service of Microsoft Ireland Operations Limited. The data of users from the European Union is processed in data centers within the European Economic Area (EEA). Nevertheless, it may be necessary to process data at the headquarters of Microsoft Inc. in the USA in order to provide the service and for support purposes. We have concluded an order processing agreement with Microsoft within the framework of the "Online Service Terms" (OST), which complies with the requirements of Art. 28 GDPR. In addition, the EU standard contractual clauses have been contractually agreed for data transfers to third countries. The EU standard contractual clauses constitute a guarantee of an adequate level of EU data protection in accordance with Art. 46 para. 2 lit. c GDPR. We inform you that the USA is currently not a safe third country within the meaning of EU data protection law according to ECJ case law. Due to the surveillance laws in the USA, US service providers may be obliged to hand over personal data to security authorities without data subjects being able to appeal against this. It therefore cannot be ruled out that US authorities, such as intelligence agencies, will process, evaluate and permanently store your data on the servers of US service providers for surveillance purposes. We have no influence on these processing activities.

Microsoft has therefore taken additional technical and organizational measures to protect personal data. In particular, personal data is only transmitted in encrypted form via Forms. In addition, Microsoft has contractually undertaken to fend off requests for disclosure from US authorities in court as far as possible. Therefore, an adequate level of protection can generally be assumed for the processing of personal data by Microsoft.

The controller within the meaning of Art. 4 No. 7 GDPR for the data processing of the forms is

(1) Name and address of the controller

MAHA Maschinenbau Haldenwang GmbH & Co. KG
Hoyen 20
87490 Haldenwang
Deutschland
Phone +49 8374 585 0
Mail maha@maha.de
Website https://www.maha.de/

(2) Name and address of the data protection officer
The controller’s data protection officer is:

Dieter Grohmann | AKWISO Datenschutz & Audit
Beethovenstraße 23
87435 Kempten
Deutschland | Germany
Phone +49 831 5124 7030
Mail dg@akwiso.de
Website www.akwiso.de

In this respect, Microsoft is merely a processor. Insofar as the Microsoft website www.Office.com or "Microsoft Forms" processes personal data or uses cookies, Microsoft is responsible for data processing. Microsoft cookies are used on the survey page to provide the Microsoft Forms service. Further information on data protection at Microsoft can be found at https://privacy.microsoft.com/de-de/privacystatement.

Various types of data are processed when "Microsoft Forms" is used. The scope of the data depends on the questions asked and answered as well as any upload of additional services.

In principle, the following personal data is processed:

  • Surname, first name
  • E-mail address
  • Company name
  • Date and time of opening the questionnaire
  • Date and time the response was sent

If you participate in an anonymous survey, your response will not contain any contact information and cannot be traced back to you.

Form owners have access to Forms and can create and distribute surveys, forms and questionnaires directly, either alone or with other owners. They are also the sole recipients of the responses. These are processed graphically in Microsoft and are available to the person responsible.

The data from surveys/forms/questionnaires (questions and answers) are stored in the Microsoft Cloud and retrieved from there by the controller. Unless there is an operational necessity, legal obligation or a special operational interest in permanent storage, all data will be deleted within one year after the purpose no longer applies.

Participation in our surveys is generally voluntary. Insofar as consent is given by participating in the survey, the legal basis is then Art. 6 para. 1 lit. a GDPR. Consent that has been granted can be withdrawn at any time with effect for the future. Withdrawal or non-granting of consent does not result in any disadvantages. If surveys are carried out as part of an employment relationship that are necessary for the performance of the employment relationship, this is done in accordance with Section 26 BDSG. If surveys are necessary for the initiation and/or fulfillment of contracts, personal data is processed in accordance with Art. 6 para. 1 lit. b GDPR. If there is no contractual relationship, surveys may also be necessary to safeguard our legitimate interests in the effective planning and implementation of projects and processes in accordance with Art. 6 para. 1 lit. f GDPR.

Personal data that is processed in connection with participation in "MS Forms surveys and forms" is generally not passed on to third parties unless the data is intended to be passed on or is necessary to fulfill the purpose. If external service providers are used to fulfill the purpose, data may be passed on to them for a specific purpose.

The provider of "Microsoft Forms" necessarily receives knowledge of this data as a processor in the course of providing its services.

Participation in company events

If a query is made about participation in company events, participation is generally voluntary. If participation is confirmed, the processing of personal data for the organization of the event is carried out in accordance with Art. 6 para. 1 lit. b GDPR. A confirmation of participation can be withdrawn at any time. When registering for a company event, mainly the surname, first name and email address are processed. Depending on the type of event, further details may be requested. This information is only given to internal employees who need it to fulfill the purpose or perform their professional duties. If external service providers are used to fulfill the purpose, the data may be forwarded for a specific purpose, insofar as this is necessary for the fulfillment of the task. The personal data will be deleted after the purpose has been fulfilled, unless they are required for billing purposes or statutory retention obligations exist.

In principle, you have the right to information, correction, deletion, restriction and objection to the processing of personal data as well as the revocation of any consent given. You also have the right to lodge a complaint with a data protection supervisory authority.