Privacy Notice

We here at Masali GmbH (also referred to below as: “the Company”, “we”, or “us”) would like to take this opportunity to provide you with information regarding the data protection relevant to your visit to our website and to your communications with us via e-mail.

In connection with our legal responsibility for data protection pursuant to Regulation (EU) 2016/679 (the General Data Protection Regulation: “GDPR”), we are subject to certain duties to ensure the protection of the personal data of individuals (we also refer below to you, as such an individual, as “customer”, “user”, “you”, “your” or “data subject”) whose data undergoes processing.

Where we make decisions, either on our own or together with other parties, regarding the purposes and means of data processing, our primary duty is to provide you with transparent information regarding the nature, scope, purpose, period, and legal basis of the processing (see Art. 13 and 14 GDPR). We have created this Privacy Notice to provide you with information regarding the ways we process your personal data.

A. General Information

(1) Definitions

This Privacy Notice uses certain terms that are defined in line with Art. 4 GDPR as follows:

  • “Personal data” (Art. 4(1) GDPR) means any information relating to an identified or identifiable natural person (“data subject”). An identifiable person is one who can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, an online identifier, location data, or in conjunction with factors specific to the physical, physiological, genetic, mental, commercial, cultural or social identity of that person. The possibility of being identified may also exist where there is a link to such information or other additional knowledge. The form or embodiment of the information is irrelevant (photographs, video and audio recordings may also contain personal data).
  • “Processing” (Art. 4(2) GDPR) means any operation performed on personal data, whether or not by automated (i.e., technological) means. In particular, this includes the collection (i.e., acquisition), recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure, or destruction of personal data, as well as the change of an objective or reason originally underpinning a data processing operation.
  • “Controller” (Art. 4(7) GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • “Third party” (Art. 4(10) GDPR) means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data; this also includes other legal persons within the corporate group.
  • “Processor” (Art. 4(8) GDPR) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, in particular pursuant to the controller’s instructions (e.g., IT service providers). Under the GDPR, a processor is not considered a third party.
  • “Consent” (Art. 4(11) GDPR) of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

(2) Name and address of the controller responsible for processing

The controller responsible for the processing of your personal data within the meaning of Art. 4(7) GDPR is:

MASALI GMBH
Heinrich-Roller-Str. 16 A
10405 Berlin
Germany
Phone: +49 30 232 57 94 0
Fax: +49 30 232 57 94 10
E-mail:

For further information on our company, please see our Legal Notice.

(3) Legal basis for data processing

Any processing of personal data is prohibited by law unless one of the following circumstances providing justification applies to the data processing:

  • Art. 6(1) sentence 1 a) GDPR (“consent”): The data subject has freely and unambiguously indicated from an informed position, by way of a statement or other clear affirmative action, that the data subject is in agreement with the processing of personal data for one or more specific purposes;
  • Art. 6(1) sentence 1 b) GDPR: The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Art. 6(1) sentence 1 c) GDPR: The processing is necessary for compliance with a legal obligation to which the controller is subject (e.g., a statutory retention requirement);
  • Art. 6(1) sentence 1 d) GDPR: The processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Art. 6(1) sentence 1 e) GDPR: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Art. 6(1) sentence 1 f) GDPR (“legitimate interests”): The processing is necessary for the purposes of the legitimate (especially legal or economic) interests pursued by the controller or by a third party, except where such interests fail to override the conflicting interests of the data subject (in particular where the data subject is a minor).

The storage of information on the end user’s terminal equipment and the retrieval of information already stored on the end user’s terminal equipment is permitted only where one of the following circumstances providing justification applies:

  • Sec. 25 (1) of the German Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, TTDSG): The end user has granted consent on the basis of clear and comprehensive information; the consent must be granted in accordance with Art. 6(1) sentence 1 a) GDPR;
  • Sec. 25 (2) no. 1 TTDSG: The sole purpose is to transfer a message via a public telecommunications network, or
  • Sec. 25 (2) no. 2 TTDSG: The storage or retrieval is absolutely necessary for the provider of a telemedia service in order to be able to provide a telemedia service expressly requested by the user.

Below we state the applicable legal basis for each of the processing operations undertaken by us. A processing operation may also have more than one legal basis.

(4) Erasure of data and storage period

We state below for each of the processing operations undertaken by us how long we store data and when it is erased or access is blocked. Where no specific storage period is stated, your personal data will be erased or access will be blocked as soon as the purpose or legal basis for storage no longer applies. As a rule, your data is stored only on our servers in Germany, with the exception of any transfers as may be undertaken as per the provisions in A.(6) and A.(7).

However, data may be stored beyond the stated period in the event of (an imminent) legal dispute with you or other legal proceedings, or if the data is required to be stored under provisions of law that we are subject to as the controller (e.g., Sec. 257 of the German Commercial Code (Handelsgesetzbuch, HGB), Sec. 147 of the German Fiscal Code (Abgabenordnung, AO)). When the storage period required by the statutory provisions expires, the personal data is erased or access is blocked, except where it is necessary that we continue to store the data and there is a legal basis for doing so.

(5) Data security

We implement appropriate technical and organizational security measures to protect your data against accidental or deliberate manipulation, partial or total loss, destruction, or unauthorized third-party access (for example: TLS encryption for our website), weighing the state of the art, implementation costs, the nature, scope, context, and purpose of the processing, as well as the risks for the data subject in the event of a data protection incident (including the probability and consequences of such). Our security measures are continuously improved in parallel with technological development. We will be happy to provide you with more detailed information on request.

(6) Cooperation with processors

We, like all larger companies, also engage external service providers to assist us with our business activities. They perform their work exclusively according to our instructions and have been required by contract as set out in Art. 28 GDPR to comply with the legal provisions concerning data protection.

(7) General principles for the transfer of personal data to third countries

In the course of our business relationships, your personal data may be transferred or disclosed to external companies. It is possible that such companies may be located outside of the European Economic Area (EEA) (“third countries”). Any such processing is undertaken exclusively for the purpose of satisfying contractual and business obligations and to attend to your business relationship with us (the legal basis is Art. 6(1) b) or f) in conjunction with Art. 44 et seq. GDPR). We provide you with more details regarding transfer and disclosure in the relevant sections below.

The European Commission has confirmed that several third countries provide data protection comparable to the EEA standard by way of “adequacy decisions” (you can find a list of these countries and a copy of the adequacy decisions here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). However, in other third countries where personal data might be transferred, in some cases there may be no consistently high level of data protection due to a lack of statutory provisions. Where this is the case, we will ensure that your data is sufficiently protected. This is possible via binding corporate rules, standard contractual clauses issued by the European Commission for the protection of personal data pursuant to Art. 46(1) and (2) c) GDPR (the standard contractual clauses from 2021 are available here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0915&locale-en), certificates, or other approved codes of conduct. Please contact us if you would like to receive more information in this regard.

(8) No automated decision-making (including profiling)

We have no intention of using the personal data collected from you for any automated decision-making process (including profiling).

(9) No requirement to provide personal data

We do not require that you first provide personal data to us before entering into contracts. There is also no statutory or contractual requirement for you, as a customer, to provide us with your personal data; however, if you do not provide the necessary data, we may be able to make certain offers available to you only with limitations or we may not be able to make them available to you at all. If this turns out to be the case in connection with the products later offered by us, you will be specifically advised of the situation.

(10) Statutory requirement to turn over certain data

In certain circumstances, we may be subject to a special statutory or legal requirement to provide the lawfully processed personal data to third parties, particularly public authorities (Art. 6(1) sentence 1 c) GDPR).

(11) Your rights

You can assert your rights as a data subject with respect to your processed personal data at any time by contacting us using the contact information stated above in A.(2). As a data subject, you have the right:

  • pursuant to Art. 15 GDPR, to obtain information regarding your data that we process. In particular, you may request information on the purposes of the processing, the categories of data, the categories of recipients to whom your data will be or has been disclosed, the envisaged storage period, the existence of a right to rectification, erasure, restriction of processing or to object, the existence of a right to lodge a complaint, the source of your data in cases where it was not collected by us, and regarding the existence of any automated decision-making, including profiling, and any meaningful information regarding the details of such;
  • pursuant to Art. 16 GDPR, to request the rectification of inaccurate data or the completion of incomplete data without undue delay;
  • pursuant to Art. 17 GDPR, to request the erasure of your data stored by us to the extent that the processing is not necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defense of legal claims;
  • pursuant to Art. 18 GDPR, to request the restriction of the processing of your data where you contest the accuracy of the personal data or the processing is unlawful;
  • pursuant to Art. 20 GDPR, to receive your data that you provided to us in a structured, commonly used and machine-readable format, or to request that the data be turned over to another controller (“data portability”);
  • pursuant to Art. 21 GDPR, to object to the processing where the processing is based on Art. 6(1) sentence 1 e) or f) GDPR. This is the case in particular where the processing is not necessary for the performance of a contract with you. Where the objection does not concern direct marketing, when exercising your right to object we request that you state the reasons why we should not process your data as we normally would. Where you raise a legitimate objection, we will review the situation and either discontinue or adjust the data processing, or advise you of our compelling and overriding grounds for continuing the processing;
  • pursuant to Art. 7(3) GDPR, to withdraw, at any time, the consent you once gave to us – i.e., the freely given, informed, and unambiguous indication of your wishes by which you, by a statement or other clear affirmative action, signified your agreement to the processing of personal data for one or more specific purposes, provided that you once gave such. Subsequent to such withdrawal, going forward, we are no longer permitted to continue the data processing that was based on such consent; and
  • pursuant to Art. 77 GDPR, to lodge a complaint with a supervisory authority regarding the processing of your personal data by our company, for instance, with the data protection supervisory authority with jurisdiction over us: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59-61, E-Mail: .

(12) Changes to the Privacy Notice

We regularly review our Privacy Notice to determine whether it needs to be adapted or amended in line with continuing developments in data protection law as well as technological and organizational changes. This Privacy Notice takes effect in October 2024.

B. Visiting our website

(1) Explanation of the function

One particular way in which we provide you with information on our Company and the services we provide is via our internet address masali.de, together with the associated subpages (collectively: “website”). When you visit our website, your personal data may be processed.

(2) Personal data processed

When you use our website for information purposes, we collect, store, and process the following categories of personal data:

“Protocol data”: When you visit our website, our web server temporarily stores a so-called protocol data set (also called server log files) in an anonymized format. This data consists of:

  • the site from which the page was requested (known as the referrer URL)
  • the name and URL of the requested page
  • the date and time of the request
  • a description of the type, language, and version of the web browser used
  • the IP address of the requesting device, shortened so that it can no longer be associated with a particular individual
  • the amount of data transmitted
  • the operating system
  • a report of whether the request was successful (access status/HTTP status code)
  • the GMT time zone difference

(3) Purpose and legal basis for the data processing

We process the personal data described in more detail above in compliance with the provisions of the GDPR as well as other applicable data protection provisions, and only to the extent necessary. Where processing of personal data is based on Art. 6(1) sentence 1 f) GDPR, the stated purposes also comprise our legitimate interests.

Protocol data is processed for statistical purposes and to improve the quality of our website, in particular the stability and security of the connection (legal basis is Art. 6(1) sentence 1 a) or f) GDPR).

Where the processing of data requires the storage of information on your terminal equipment and the retrieval of information already stored on the terminal equipment, Sec. 25 (1), (2) TTDSG provides the legal basis.

(4) Data processing period

Your data will only be processed for as long as it is necessary to achieve the aforementioned processing purposes; the corresponding legal bases outlined in connection with these purposes apply. Regarding cookies, please refer to Section B.(6). Third parties engaged by us will store your data on their systems for as long as it is necessary to provide their services to us in accordance with the respective contract.

(5) Transmission of personal data to third parties; justification basis

The following categories of recipients, which generally consist of processors (see A.(6) in this regard), may obtain access to your personal data:

  • Service providers for the operation of our website and the processing of the data stored or transmitted via the systems (e.g., computer center services, payment processing, IT security). Where such parties are not processors, the legal basis for disclosure is Art. 6(1) sentence 1 b) or f) GDPR;
  • Government offices/agencies, provided this is necessary in order to satisfy a statutory obligation. In this case, the legal basis for the disclosure is Art. 6(1) sentence 1 c) GDPR;
  • Individuals engaged to handle our business operations (e.g., auditors, banks, insurance companies, legal advisors, regulatory authorities, parties involved in company acquisitions or establishing joint undertakings). In this case, the legal basis for the disclosure is Art. 6(1) sentence 1 b) or f) GDPR.

For information on how an adequate level of data protection is ensured when data is transferred to third countries, see A.(7).

Moreover, we disclose your personal data to third parties only once you have given your express consent pursuant to Art. 6(1) sentence 1 a) GDPR.

(6) Cookie technology/use of cookies

Cookies
We do not use cookie technologies (called “cookies” in this Privacy Notice) on our websites. Cookie technologies are technical tools that allow information to be digitally stored on your device when you access a website and later retrieved using a character string defined by the website operator.

C. Contact with us via e-mail

(1) Explanation of the function and purpose of the data processing

When you use e-mail to contact us for a reason unrelated to any kind of application on your part, we process the data communicated by you in order to respond to your message.

(2) Personal data processed

When you use e-mail to contact us, this involves processing your e-mail address and, as applicable, your name and telephone number, and possibly other personal data you yourself communicate to us.

(3) Legal basis for the data processing

Provided that your e-mail involves an inquiry unrelated to an existing, concrete contract between you and us or preliminary agreement regarding such, the legal basis is Art. 6(1) sentence 1 f) GDPR.

By contrast, if your e-mail involves an inquiry regarding an existing, concrete contract between you and us or involves pre-contractual communication regarding such, the legal basis for the processing is Art. 6(1) sentence 1 b) GDPR.

(4) Data processing period

We will promptly delete the data arising in this connection once storage is no longer necessary in order to handle the exchange with you. A review of the necessity of storage is undertaken every two years. In the event that there are statutory retention requirements, the legal basis for the processing is also Art. 6(1) sentence 1 b) GDPR. In the event that statutory retention requirements exist, the data subject to the retention requirement will continue to be stored for the period required by law. However, once we have handled your inquiry to its conclusion, we will then restrict further processing such that data is stored solely in order to satisfy any applicable statutory retention requirement.

D. Applications

(1) Explanation of the function and purpose of the data processing

When you use e-mail to contact us in connection with an application submitted by you, we process the data communicated by you in order to handle your application.

(2) Personal data processed

When you use e-mail to contact us, this involves processing your e-mail address and your name, also frequently your telephone number and any other personal data you yourself provide to us.

(3) Legal basis for the data processing

We process your personal data in connection with your application to the extent required to complete the application process. The legal basis for this processing is Sec. 26 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) in conjunction with Art. 88 and Art. 6(1) sentence 1 b) GDPR.

(4) Data processing period

We will promptly delete your personal data relating to your application once storage is no longer necessary.

In this connection, we also reserve the right to apply the basis of Art. 6(1) sentence 1 f) GDPR to retain your personal data for up to six months starting from the end of the application process (rejection or withdrawal of your application) for evidentiary purposes in the event of a legal dispute. Should it turn out that we do need to continue to store the data due to an imminent or pending legal dispute, we will not delete your data until after the purpose for this continued storage no longer applies.

Additionally, we will only consider further processing of your personal data where a statutory retention requirement bars the possibility of deletion. In the event that statutory retention requirements exist, the data that is subject to the retention requirement will continue to be stored for the period required by law. However, we will then restrict further processing such that data is stored solely in order to satisfy any applicable statutory retention requirement.

October 2024 – Law Firm Mai
