Heinrich-Roller-Str. 16 B
Phone: +49 30 232 57 94 0
Fax: +49 30 232 57 94 10
Legal Notice: https://masali.de/impressum
Types of Data Processed:
– Basic user information (e.g., names, addresses)
– Contact information (e.g., e-mail, phone numbers)
– Content data (e.g., text entries, photos, videos)
– Use data (e.g., websites visited, interest in content, access times).
– Metadata/communications data (e.g., device information, IP addresses)
Data Subject Categories
Visitors and online content users (we also refer to these data subjects below collectively as “users”).
The Purpose of Processing
– To ensure that our online content, its functions and details are accessible
– To respond to contact requests and communicate with users
– Security measures
– Reach measurement/marketing
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means. The term is used broadly and encompasses virtually every way in which data is handled.
“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Relevant Legal Basis
In accordance with Art. 32 of the GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk while taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures include in particular ensuring the confidentiality, integrity, and availability of data by controlling physical access to data, as well as by controlling other access, input, and disclosure of data, and by ensuring its availability and its separation. Furthermore, we have established procedures that ensure the enjoyment of data subjects’ rights, the deletion of data, and a response to the potential compromise of data. Additionally, we take the protection of personal data into consideration as early as the development stage or, respectively, in the selection of hardware, software, and processes so as to effectively implement the principles of data protection by design and by default (Art. 25 of the GDPR).
Cooperation with Processors and Third Parties
Insofar as we disclose data to other individuals and companies (external data processors or third parties) in connection with our processing activities, transmit or otherwise grant such parties access to data, this will occur only on the basis of permission afforded under the law (e.g., if the transmission of data to third parties, such as payment services providers, is necessary for the performance of a contract as per Art. 6 (1) (b) of the GDPR), where you have granted your consent, where doing so is necessary for compliance with a legal obligation, or for purposes of pursuing our legitimate interests (e.g., where authorized agents or webhosts are involved, etc.).
Insofar as we engage third parties to process data on the basis of a so-called data processing agreement, this occurs on the basis of Art. 28 of the GDPR.
Transfers to Non-EU (“Third”) Countries
Insofar as we process data in a “third country” (i.e., outside of the European Union (EU) or the European Economic Area (EEA)) or this occurs in connection with the use of third-party services, or where data is disclosed or transmitted to third parties, this will occur only for purposes of satisfying our (pre-)contractual duties, on the basis of your consent, for purposes of compliance with a legal obligation, or for purposes of pursuing our legitimate interests. Subject to the permissions afforded under the law or by contract, we process or arrange for data to be processed in a third country only when the special conditions set out in Art. 44 et seq. of the GDPR have been met. This means, for example, that data is processed on the basis of certain guarantees, such as the officially recognized assessment of a level of protection equivalent to that provided in the EU (e.g., for the United States by means of the “Privacy Shield” program) or compliance with officially recognized, special contractual obligations (so-called standard contract clauses).
Data Subjects’ Rights
You have the right to request confirmation as to whether relevant data is being processed and to receive information regarding such data, as well as to receive further information and copies of the data as set out in Art. 15 of the GDPR.
Pursuant to Art. 16 of the GDPR, you have the right to the completion of data concerning yourself or to the rectification of incorrect data concerning yourself.
In accordance with Art. 17 of the GDPR, you have the right to request that relevant data be erased immediately, or alternatively, in accordance with Art. 18 of the GDPR, you have the right to request that the processing of data be restricted.
Under Art. 20 of the GDPR, you have the right to request to be sent the data concerning yourself that you provided to us and to request that such data be transmitted to another controller.
Furthermore, pursuant to Art. 77 of the GDPR, you have the right to lodge a complaint with the supervisory authority of jurisdiction.
Right to Withdraw Consent
In accordance with Art. 7 (3) of the GDPR, you have the right to withdraw any consent previously granted, effective for the future.
Right to Object
Under Art. 21 of the GDPR, you can object to the future processing of data concerning yourself at any time. The objection can be raised specifically against processing for purposes of direct marketing.
Cookies and the Right to Object to Direct Marketing
“Cookies” refers to small files that are stored on users’ computers. There are various pieces of information that can be stored in cookies. The primary function of a cookie is to store information on a user (for example the device on which the cookie is stored) during or even after the user’s visit to the online content. Cookies referred to as “session cookies” or “transient cookies” are deleted once a user leaves the online content and closes his or her browser. This type of cookie may, for example, store the content of a shopping cart in an online shop or a login status. Cookies referred to as “permanent” or “persistent” remain stored after the browser is closed. This allows the login status to be stored, for example, if the user wants to look up the site again several days later. This type of cookie may also store users’ interests, which can be used for reach measurement or marketing purposes. Cookies referred to as “third-party cookies” are cookies offered by providers other than the controller providing the online content (otherwise, cookies belonging solely to the controller are referred to as “first-party cookies”).
Erasure of Data
In accordance with the statutory provisions in Germany, data is to be stored in particular for 10 years pursuant to Sec. 147 (1) of the German Tax Code (Abgabenordnung), Sec. 257 (1) nos. 1 and 4, and Sec. 257 (4) of the German Commercial Code (Handelsgesetzbuch) (accounts, records, company status reports, account posting documentation, ledgers, for corroboration of the relevant records, etc.), and for six years pursuant to Sec. 257 (1) nos. 2 and 3, and Sec. 257 (4) of the same (business correspondence).
In accordance with the statutory provisions in Austria, data is to be stored in particular for seven years pursuant to Sec. 132 (1) of the Austrian Federal Tax Code (Bundesabgabenordnung; receipts/invoices, accounts, dockets, business documents, income statements, etc.), for 22 years in connection with real estate, and for 10 years in the case of records associated with electronically supplied services, telecommunications, radio and television services that are provided to non-business entities in EU member states and for which a mini-one-stop-shop (MOSS) is used.
In addition, we process the
– contract information (e.g., contract subject matter, term, customer category)
– payment information (e.g., bank details, payment history)
of our customers, prospective customers, and business partners for purposes of providing contracted services, general service and customer care, marketing, advertising, and market research.
We process our customers’ data in connection with our contracted services, which include concept and strategic consulting, campaign planning, software and design development/consulting or updating, implementation of campaigns and processes/handling, server administration, data analysis/consulting services, and training services.
As part of this we process basic user information (e.g., key customer information such as names and addresses), contact information (e.g., e-mail, phone numbers), content data (e.g., text entries, photos, videos), contract information (e.g., contract subject matter, term), payment information (e.g., bank details, payment history), and use data and metadata (e.g., in connection with the evaluation and measurement of the success of marketing measures). As a general rule, we do not process special categories of personal data except where this is a component of outsourced processing. Data subjects include our customers, prospective customers and their customers, users, website visitors, or employees as well as third parties. The purpose of the processing comprises the performance of contracted services, invoicing, and our customer service. The legal bases for the processing are established in Art. 6 (1) (b) of the GDPR (contracted services) and in Art. 6 (1) (f) of the GDPR (analysis, statistics, optimization, security measures). We process data that is necessary for the establishment and performance of contracted services and indicate the necessity of providing such data. The data is disclosed to external parties only if this is required in connection with an order. When processing data provided to us in connection with an order, we act in accordance with the instructions of the party placing the order and the statutory provisions regarding data processing agreements pursuant to Art. 28 of the GDPR, and we do not process the data for any purposes other than those required for the order.
We delete the data once the statutory warranty and comparable requirements have expired. The necessity of storing the data is reviewed every three years; where statutory archiving requirements exist, the data is deleted once such requirements expire (six years under Sec. 257 (1) of the German Commercial Code, 10 years under Sec. 147 (1) of the German Tax Code). In the case of data that was disclosed to us in connection with an order by the party placing the order, we delete the data in accordance with the provisions in the order, as a general rule once the order is terminated.
We process the data of the parties with whom we contract and interested parties, as well as other ordering parties, customers, clients, patrons, or contracting parties (referred to collectively as “contracting parties”) pursuant to Art. 6 (1) (b) of the GDPR in order to provide our contracted services or services prior to entering into a contract. The data processed in such situations, the type, scope, and the purpose and necessity of the processing are determined according to the underlying contractual relationship. The processed data includes contracting parties’ key information (e.g., names and addresses), contact details (e.g., e-mail address and phone numbers), as well as contract information (e.g., services utilized, contract content, communications under the contract, names of contact persons), and payment information (e.g., bank details, payment history).
As a general rule, we do not process special categories of personal data except where this is a component of outsourced processing or processing as stipulated in the contract. We process data that is necessary for the establishment and performance of contracted services and indicate the necessity of providing such data insofar as this is not evident for the contracting party. The data is disclosed to external individuals or companies only if this is required in connection with a contract. When processing data provided to us in connection with an order, we act in accordance with the instructions of the party placing the order and the statutory provisions. When our online services are used, we may store the IP address and the time of the respective actions by the user. The data is stored on the basis of our legitimate interests as well as users’ interests in protection from abuse and from other unauthorized use. As a general rule, this data is not disclosed to third parties except where this is necessary to pursue our rights in accordance with Art. 6 (1) (f) of the GDPR or there is a legal obligation to do so as set out in Art. 6 (1) (c) of the GDPR. The data is deleted once it is no longer needed to satisfy contractual or statutory duties of care or for dealing with any warranty and comparable obligations, whereby the necessity of storing the data is reviewed every three years; the statutory retention requirements apply in all other respects.
Data Privacy Notices in the Job Application Process
We process job applicant information only for the purposes of and only in connection with the application process in compliance with the statutory guidelines. Applicant information is processed in order to satisfy our (pre-)contractual obligations in connection with the application process within the meaning of Art. 6 (1) (b) and Art. 6 (1) (f) of the GDPR insofar as the data processing is necessary for us, for example in connection with legal proceedings (in Germany, Sec. 26 of the German Federal Data Protection Act (Bundesdatenschutzgesetz) also applies).
Insofar as special categories of personal data within the meaning of Art. 9 (1) of the GDPR are voluntarily provided in connection with the application process, such data is also processed in accordance with Art. 9 (2) (b) of the GDPR (e.g., health data such as disability status, or ethnic origin). Insofar as special categories of personal data within the meaning of Art. 9 (1) of the GDPR are requested from applicants in connection with the application process, such data is also processed in accordance with Art. 9 (2) (a) of the GDPR (e.g., health data, where such is required for the performance of the role).
Where available, applicants can send us their applications by means of an online form on our website. The data is transferred to us in an encrypted form using state-of-the-art technology.
Furthermore, applicants can also send us their applications via e-mail. It is important to note, however, that as a rule, e-mails are not sent in encrypted form and that applicants themselves would need to arrange for encryption. We are therefore unable to assume any responsibility for the transmission between the sender and receipt on our server and therefore recommend instead that applicants use an online form or send their documents through the mail. The option to send us the application through the mail remains open to the applicant in lieu of applying using the online form or by e-mail. In the event an application is successful, we may process the data further for the purposes of the employment relationship. Otherwise, where the application for a job opening is unsuccessful, applicants’ data will be deleted. Applicants’ data will also be deleted when an application is withdrawn, which applicants have the right to do at any time.
Subject to any legitimate withdrawal by applicants, the data is deleted after a period of six months has elapsed, allowing us to be able to respond to any follow-up questions regarding the application and to satisfy our documentation requirements under the German Equal Treatment Act (Gleichbehandlungsgesetz). Invoices for any reimbursement of travel expenses are archived in accordance with the tax code guidelines.
Talent Pool
In connection with their application, we offer applicants the option of being added to our “talent pool” for a period of two years on the basis of consent granted within the meaning of Art. 6 (1) (b) and Art. 7 of the GDPR. The application documents in the talent pool are processed solely in connection with future vacancy notices and the search to fill positions, and are destroyed no later than when that period expires. Applicants are informed that their consent to being added to the talent pool is given at their complete discretion, that it will have no influence on the current application process, and that they can withdraw such consent for the future at any time as well as object within the meaning of Art. 21 of the GDPR.
When a user contacts us (e.g., using the contact form, by e-mail, by phone, or via social media), the user’s information is processed for purposes of processing and handling the contact request pursuant to Art. 6 (1) (b) of the GDPR. The user’s information may be stored in a customer relationship management system (“CRM system”) or comparable query organization system.
We delete inquiries once they are no longer needed. We review their necessity every two years; furthermore, the statutory archiving requirements apply.
We are providing you with the following information in order to inform you of the content of our newsletter and the registration, mailing, and statistical analysis processes as well as your rights to object. By subscribing to our newsletter, you are granting your consent to being on the receiving end of the processes described.
Newsletter content: We send newsletters, e-mails, and other electronic messages with promotional information (“newsletters”) only with recipients’ consent or permission afforded under the law. Insofar as the specific content of the newsletter is described in connection with registering for the newsletter, such content is authoritative for users’ consent. In other respects, our newsletters contain information about our services and us.
Double-opt-in and logging: Users register for our newsletter in a so-called double-opt-in procedure. This means that after registering you will receive an e-mail in which you are requested to confirm your registration. This confirmation is necessary so that no one can register with someone else’s e-mail addresses. Registrations for the newsletter are logged in order to be able to document the registration process in accordance with the legal requirements. This includes the storage of the time of registration and of the confirmation as well as the IP address. Changes to your information stored with the marketing service are also logged.
Registration information: Providing your e-mail address is sufficient to register for the newsletter. As optional information, we ask you to provide a name so that we can address you personally in the newsletter.
The newsletter is sent and the associated measurement of success is undertaken on the basis of consent granted by recipients pursuant to Art. 6 (1) (a) and Art. 7 of the GDPR in conjunction with Sec. 7 (2) no. 3 of the German Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb) and/or on the basis of permission afforded under Sec. 7 (3) of the same. The registration process is logged on the basis of our legitimate interests pursued in accordance with Art. 6 (1) (f) of the GDPR. Our interest is aimed at the deployment of a user-friendly and secure newsletter system that both serves our business interests and meets users’ expectations while also allowing us to document consents granted.
Canceling/withdrawing: You can cancel our newsletter – or in other words, withdraw your consent to receiving it – at any time. You will find a link for canceling the newsletter at the end of every newsletter. Because of our legitimate interests, we can store the removed e-mail addresses for up to three years before we delete them in order to be able to document consent previously given. The processing of such data is limited to the purpose of potentially defending against claims. An individual deletion request is possible at any time insofar as the former existence of consent is confirmed at the same time.
Newsletter – MailChimp
The marketing service can use recipients’ data in pseudonymized form, i.e., without attribution to a user, for the optimization and improvement of its own services, e.g., for technically optimizing the mailing and presentation of the newsletter or for statistical purposes. However, the marketing service does not use our newsletter recipients’ data in order to write to the recipients itself or to disclose the data to third parties.
Newsletter – Measuring Success
The newsletters contain a so-called web beacon, which is a one-pixel file that is retrieved from our server or, where we utilize a marketing service, from that company’s server when the newsletter is opened. When the file is retrieved, technical information such as information on the browser and on your system, as well as your IP address and the time of retrieval, is collected first.
This information is used in order to improve the technical aspects of the service based on the technical data or the target groups and their reading behavior on the basis of their access locations (which can be determined with the aid of the IP address) or the access times. The statistical information collected also includes the determination of whether the newsletters are opened, when they are opened, and which links are clicked. For technical reasons, these items of information can actually be attributed to individual newsletter recipients. However, it is not our intention – and also not that of the marketing service in the event one is engaged – to monitor individual users. Rather, the analyses assist us in identifying the reading habits of our users and in adapting our content to them or sending different content according to our users’ interests.
The hosting services we use facilitate the provision of the following services: Infrastructure and platform services, computing capacity, disk space and database services, security services and technical maintenance services that we utilize for purposes of the operation of this online content.
For these services we process or, respectively, our hosting service processes basic user information, contact information, content information, contract information, use data, metadata, and communications data from customers, prospective customers, and visitors to the online content on the basis of our legitimate interests in the efficient and secure provision of this online content pursuant to Art. 6 (1) (f) in conjunction with Art. 28 of the GDPR (entering into a data processing agreement).
Collection of Access Data and Log Files
We collect or, respectively, our hosting provider collects data regarding each time our server where the service is located is accessed (so-called server log files) on the basis of our legitimate interests within the meaning of Art. 6 (1) (f) of the GDPR. This access data includes the name of the website visited, file, date, and time of the visit, volume of data transmitted, notification of successful access, type of browser including the version, the user’s operating system, the referrer URL (site previously visited), IP address, and the requesting provider. For security reasons (e.g., for discovering abusive or fraudulent actions), log file information is stored for a maximum period of seven days and then deleted. Data that is required to be stored longer for evidentiary purposes is excluded from deletion up to the time at which the respective incident has been thoroughly clarified.
Online Presences in Social Media
Integration of Third-Party Services and Content
We place content or service offers from third-party providers within our online content on the basis of our legitimate interests (i.e., interest in the analysis, optimization, and business operation of our online content within the meaning of Art. 6 (1) (f) of the GDPR) in order to integrate their content and services, such as videos and fonts (collectively referred to below as “content”).
In order for this to happen, the third-party providers of such content need to have access to users’ IP addresses, because the content cannot be sent to the users’ browsers without the IP address. In other words, the IP address is required in order to display the content. We make every effort to use only the content of providers who themselves use IP addresses exclusively to deliver content. Furthermore, third-party providers may use so-called pixel tags (invisible graphics, also called “web beacons”) for statistical or marketing purposes. The pixel tags can be used to analyze information such as visitor traffic to the pages of this website. Furthermore, the pseudonymized information can be stored in cookies on the user’s device and can contain, among other things, technical information on the browser and operating system, referring websites, time of visit and other information on the use of our online content, and they can also be associated with such information from other sources.
Use of Facebook Social Plugins
We use social plugins (“plugins”) on the basis of our legitimate interests (i.e., interest in the analysis, optimization, and business operation of our online content within the meaning of Art. 6 (1) (f) of the GDPR) from the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The plugins can present interactive elements or content (e.g., videos, graphics, or text posts) and can be recognized by one of the Facebook logos (white “f” on a blue tile, the term “Like”, or a “thumbs-up” symbol) or are identified by the label “Facebook Social Plugin”. The list and appearance of the Facebook Social Plugins can be viewed at: https://developers.facebook.com/docs/plugins/. Facebook is certified under the Privacy Shield Framework, thereby providing a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
When a user requests a function of this online content containing one of these plugins, the user’s device will establish a direct connection with Facebook’s servers. The content of the plugins is sent directly from Facebook to the user’s device, which integrates it into the online content. As this happens, use profiles for the users can be generated from the processed data. Consequently, we have no influence over the scope of the data collected by Facebook with the help of this plugin and have therefore informed users accordingly to the extent of our knowledge. The integration of the plugins allows Facebook to receive the information that the user has accessed the corresponding page of the online content. If the user is logged into Facebook, Facebook can associate the visit with the user’s Facebook account. When users interact with the plugins, for example using the Like button or making comments, the corresponding information is sent from the user’s device directly to Facebook and stored there. If a user is not a member of Facebook, there is still a chance that Facebook can learn the user’s IP address and store it. According to Facebook, in Germany, only an anonymized IP address is stored.
Users can learn the purpose and scope of the collection of data and the further processing and use of data by Facebook as well as the relevant rights and settings options for the protection of users’ privacy from the Facebook data privacy notice: https://www.facebook.com/about/privacy/. If a user is a Facebook member and does not want Facebook to collect data about the user via this online content and associate this with the member data stored by Facebook, he or she will need to log out of Facebook before using our online content and delete his or her cookies. Further settings and objections to the use of data for advertising purposes are possible in Facebook’s profile settings: https://www.facebook.com/settings?tab=ads or via the American site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. The settings are not dependent on the platform; in other words, changes are implemented for all devices, such as desktop computers or mobile devices.
Created with Datenschutz-Generator.de by Attorney Dr. Thomas Schwenke