Data protection

---

1. General information and controller

This data protection declaration clarifies the type, scope and purpose of the processing (including collection, processing and use as well as obtaining consent) of personal data within our online and offline offer and our websites, functions and content (hereinafter jointly referred to as "mah-ATN offer") in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") as well as the processing of personal data of the employees of our business partners that we process in the ordinary course of business.

The provider of the mah-ATN offering and the controller under data protection law is

mah-ATN GmbH

Isarstr. 1

D-82065 Baierbrunn

Baierbrunn, Germany

Telephone: +49-89-74 48 24 82

(hereinafter referred to as "mah-ATN GmbH", "we" or "us"). 

The term "user" or "data subject" includes all customers and visitors to our mah-ATN website as well as all natural persons whose personal data we process in the normal course of business. 

The privacy policy is also available in digital form:

Data protection | mah-ATN GmbH

2. Data Protection Officer:

Mr Robert Winkler

c/o ROWIDAT GmbH

E-mail: dsb-mahatn@rowidat.de

3. Basic information on data processing

We only process the personal data of data subjects in compliance with the relevant data protection regulations in accordance with the principles of data minimisation and data avoidance. This means that user data is only processed if there is a legal basis for processing, in particular if the processing is necessary for the provision of our contractual services or is required by law, if we have legitimate interests or if we have the consent of the data subject. 

4. Categories of data subjects, categories of personal data and legal basis for processing

We process the following personal data for the following purposes

Category of data subject	Category of personal data	Purpose and legal basis of the processing
Website visitors	Person-related technical data, such as IP addresses, click behaviour, etc. This data is usually processed via our cookies and tracking tools. Further information can be found in our cookie policy, integrated in our cookie banner: www.mah.de.	Art. 6 (1) lit. f) GDPR (legitimate interests), insofar as data is collected by cookies and tracking tools that are necessary for the operation of the website. Art. 6 (1) lit. a) GDPR (consent), for all other cookies and tracking tools for statistical, analytical and advertising purposes. Consent also fulfils the requirements of § 25 TTDSG.
	Contact details, surname, first name and all other personal data that a website visitor can send us when contacting us via our contact options.	Art. 6 (1) lit. b) or lit. f) GDPR, depending on whether the contact is made to initiate a contract or has another purpose. In the latter case, we have a legitimate interest in processing the enquiry and answering it if necessary.
Persons who contact us offline	Contact details, surname, first name and all other personal data that the data subject may send us when contacting us via our offline contact options.	Art. 6 (1) lit. b) or lit. f) GDPR, depending on whether the contact is made to initiate a contract or has another purpose. In the latter case, we have a legitimate interest in processing the enquiry and answering it if necessary.
Business partners (natural persons)	All personal data that is necessary for carrying out the business relationship (ordering goods, setting up the customer account, etc.). As the data is collected directly from the business partner, Art. 12 (4) GDPR applies.	Art. 6 (1) lit. b) GDPR (fulfilment of the contract, implementation of pre-contractual measures required at the request of the data subject).
Employees of the business partner (company)	Business contact details of the employee, position in the company, business address.	Art. 6 (1) lit. f) GDPR (our legitimate interest in cooperation with the employer of the data subject in the normal course of business).
Applicants	Application documents, insofar as these are sent to us.	§ Section 26 of the Federal Data Protection Act in conjunction with Art. 88 GDPR.

1. 5. Further legal bases and purposes of processing

   In addition, we process personal data for the following purposes

   • Fulfilment of a legal obligation (Art. 6 (1) lit. c) GDPR)

   • Protection of our legitimate interests (Art. 6 (1) lit. f) GDPR):

     • Fraud prevention

     • Risk management

     • Marketing/advertising to the extent permitted by law

     • Intra-group data transfer in the context of project management, administration, etc.

     • Legal defence and enforcement of legal claims

     • Performance evaluation

   6. Duration of the processing of personal data

   Personal data is deleted if it has fulfilled its intended purpose and the deletion does not conflict with any retention obligations or retention rights.

   7. Transfer to third parties and categories of recipients

   We transfer the data of the respective data subjects to our service providers (e.g. if it is necessary for billing purposes or for dispatch), to supervisory authorities, etc. Our service providers include in particular IT, logistics, translators, lawyers, accountants, auditors, providers of data management systems and communication tools. We have concluded an order processing contract with service providers who process personal data on our behalf in accordance with Art. 28 of the GDPR. 

   Data is also passed on if we are authorised or obliged to pass on data due to legal provisions and/or official or court orders. In particular, this may involve the provision of information for the purposes of criminal prosecution, to avert danger or to enforce intellectual property rights.

   If your data is passed on to service providers to the extent necessary, they will only have access to your personal data to the extent necessary to fulfil their tasks. These service providers are obliged to treat your personal data in accordance with the applicable data protection laws, in particular the GDPR.

   Beyond the aforementioned circumstances, we do not transfer your data to third parties without your consent. In particular, we do not have any service providers or group companies in a third country outside the EU/EEA that has an inadequate level of data protection according to the assessment of the EU Commission, with the exception of the providers of cookies and tracking tools, which we expressly name in our cookie policy.

   8. International data transfer

   As part of our business relationships, your personal data may be transferred to business partners in third countries. These may also be located outside the EU / the European Economic Area (EEA), i.e. in third countries. 

   The European Commission certifies that some third countries have a level of data protection comparable to the EEA standard by means of so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html). However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. This is possible via binding corporate rules, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognised codes of conduct in accordance with Chapter V of the GDPR. Please contact us if you would like more information on this.

   
   
   

1. 5. 9. Rights of data subjects and erasure of data

      The applicable data protection law grants data subjects comprehensive data subject rights (rights of access and intervention) vis-à-vis the controller with regard to the processing of their personal data, about which we provide information below:

      Right to information in accordance with Art. 15 GDPR: In particular, data subjects have a right to information about their personal data processed by us, the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients to whom their data has been or will be disclosed, the planned storage period or the criteria for determining the storage period. the criteria for determining the storage period, the existence of a right to rectification, erasure, restriction of processing, objection to processing, complaint to a supervisory authority, the origin of your data if it was not collected by us from the data subject, the existence of automated decision-making including profiling and, if applicable, meaningful information on the logic involved and the scope and intended effects of such processing, as well as the right to be informed of the guarantees pursuant to Art. 46 GDPR if your data is transferred to third countries;

      Right to rectification pursuant to Art. 16 GDPR: Data subjects have the right to obtain without undue delay the rectification of inaccurate data concerning them and/or the completion of incomplete data stored by us;

      Right to erasure in accordance with Art. 17 GDPR: Data subjects have the right to request the erasure of their personal data if the requirements of Art. 17 (1) GDPR are met. However, this right does not apply in particular if the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims;

      Right to restriction of processing pursuant to Art. 18 GDPR: Data subjects have the right to request the restriction of the processing of their personal data for as long as the accuracy of their data, which they dispute, is being verified, if the data subjects refuse to have their data erased due to unauthorised data processing and instead request the restriction of the processing of their data, if the data subjects require their data for the establishment, exercise or defence of legal claims after we no longer require this data once the purpose has been achieved or if data subjects have lodged an objection on grounds relating to their particular situation, as long as it has not yet been established whether our legitimate grounds prevail;

      Right to information in accordance with Art. 19 GDPR: If data subjects have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning the data subject has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. The data subject has the right to be informed about these recipients.

      Right to data portability in accordance with Art. 20 GDPR: Data subjects have the right to receive their personal data that they have provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another controller, insofar as this is technically feasible;

      Right to revoke consent given in accordance with Art. 7 para. 3 GDPR: Data subjects have the right to withdraw their consent to the processing of data at any time with effect for the future. In the event of revocation, we will delete the data concerned immediately, unless further processing can be based on a legal basis for processing without consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;

      Right to lodge a complaint pursuant to Art. 77 GDPR: If data subjects consider that the processing of personal data relating to them infringes the GDPR, they have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement, without prejudice to any other administrative or judicial remedy.

      RIGHT TO OBJECT

      INSOFAR AS WE PROCESS PERSONAL DATA ON THE BASIS OF OUR OVERRIDING LEGITIMATE INTEREST IN THE CONTEXT OF A BALANCING OF INTERESTS, USERS HAVE THE RIGHT TO OBJECT TO THIS PROCESSING AT ANY TIME WITH EFFECT FOR THE FUTURE ON GROUNDS RELATING TO THEIR PARTICULAR SITUATION.

      IF DATA SUBJECTS EXERCISE THEIR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE DATA CONCERNED. HOWEVER, WE RESERVE THE RIGHT TO CONTINUE PROCESSING IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, FUNDAMENTAL RIGHTS AND FREEDOMS, OR IF THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS.

      WHERE PERSONAL DATA ARE PROCESSED BY US FOR DIRECT MARKETING PURPOSES, THE DATA SUBJECT SHALL HAVE THE RIGHT TO OBJECT AT ANY TIME TO PROCESSING OF PERSONAL DATA CONCERNING HIM OR HER FOR SUCH MARKETING. DATA SUBJECTS MAY EXERCISE THEIR RIGHT TO OBJECT AS DESCRIBED ABOVE.

      IF DATA SUBJECTS EXERCISE THEIR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE DATA CONCERNED FOR DIRECT MARKETING PURPOSES.

1. 5. 9. 10. changes to the privacy policy

         We reserve the right to amend the privacy policy in order to adapt it to changed legal situations or in the event of changes to the service and data processing. However, this only applies with regard to declarations on data processing. If the consent of the data subjects is required or components of the privacy policy contain provisions of the contractual relationship with the data subjects, the changes will only be made with the consent of the data subjects.

         Data subjects are requested to inform themselves regularly about the content of the privacy policy.