DATA PROTECTION PRIVACY STATEMENT– MAHA IRELAND LIMITED
This Privacy Statement (our Statement) sets out the basis on which any personal data within the meaning of the General Data Protection Regulation (GDPR) (EU) 2016/679 is collected and used by us. This Statement is drafted and operated in accordance with the GDPR and Data Protection Act (2018).
We are MAHA Ireland Limited trading as [MAHA] ('We' and “Us”) of 629 Jordanstown Avenue, Greenogue Business Park, Rathcoole Co. Dublin Ireland, a company registered in Ireland under company number 282005.
We attach a great deal of importance to protecting your personal data. Personal data processing therefore takes place in compliance with the applicable European and national legislation.
You may naturally revoke your declaration(s) of consent at any time with effect for the future. Please contact the controller according to clause 1 to do so.
The following policy provides an overview of what type of data is collected, how it is used and disclosed, what security measures we take to protect your data, and how you can obtain information about the information we gather.
Legal basis for personal data processing
Insofar as we obtain the data subject’s consent to process their personal data, Art. 6, Clause 1, (a) of the EU General Data Protection Regulation (GDPR) shall apply as the legal basis.
In the event of personal data which is necessary to fulfilling a contract, the contracting party for which is the data subject, being processed, Art. 6, Clause 1, (b) of the GDPR shall apply as the legal basis. This also applies to processing which is required to carry out pre-contractual measures.
If personal data needs to be processed to fulfil a legal obligation to which we are subject, Art. 6, Clause 1, (c) of the GDPR shall apply as the legal basis.
If processing is necessary to protecting a legitimate interest on the part of our company or a third party, and if the data subject’s interests, fundamental rights and fundamental freedoms do not take precedence over the former interest, Art. 6, Clause 1, (f) of the GDPR shall apply as the legal basis for processing.
Deletion of data and duration of storage
The data subject’s personal data shall be deleted or blocked as soon as the purpose of storage ceases to apply. Storage can also take place if this was stipulated by the European or national legislator in Union regulations, legislation or other specifications to which we are subject. Blocking or deletion of the data also takes place if a storage period stipulated by the aforementioned standards elapses, unless the data must be stored for longer to conclude or fulfil a contract.
Section 1 The controller and the data protection officer
(1) Name and address of the controller
The controller under the terms of the General Data Protection Regulation, other national data protection legislation of the member states and other provisions under data protection legislation is:
We are not required to have a Data Protection Officer but have taken the step to appoint a data champion who is responsible for overseeing questions in relation to this Statement. If you have any questions about this Statement, including any requests to exercise your legal rights, please contact the data champion using the details set out below. This data champion can be contacted at:-
Name: Sean Byrne
Address: 629 Jordanstown Avenue, Greenogue Business Park, Rathcoole Co. Dublin Ireland
Section 2 Definitions
a) Personal data means all information which relates to an identified or identifiable natural person (hereinafter referred to as the “data subject”). An identifiable natural person is one who can be identified either directly or indirectly, particularly by means of assignment to an identifier such as a name, to an ID number, to location data, to an online ID or to one or several particular features which are an expression of this natural person’s physical, physiological, genetic, mental, economic, cultural or social identity.
b) Data subject means any identified or identifiable natural person whose personal data is processed by the controller responsible for processing.
c) Processing means any listed operation carried out with or without the help of automated methods or any such series of operations associated with personal data such as collection, recording, organisation, arrangement, storage, adaptation or modification, reading, querying, use, disclosure through transfer, dissemination or provision in another way, comparison or linking, restriction, deletion or destruction.
d) Profiling means any kind of automated personal data processing which is characterised by the fact that this personal data is used to evaluate certain personal aspects relating to a natural person, and particularly to analyse or predict aspects concerning job performance, economic situation, health, personal preferences, interests reliability, behaviour, location or movements.
e) Pseudonymisation means personal data processing in such a way that the personal data can no longer be assigned to a specific data subject without the help of additional information, provided that this additional information is stored separately and subject to technical and organisational measures which guarantee that the personal data cannot be assigned to an identified or identifiable natural person.
f) Controller, or controller responsible for processing means the natural or legal person, authority, establishment or other body which, either alone or together with others, decides on the purposes and means of personal data processing. If the purposes and means of such processing are stipulated by Union or member state law, the controller and the specific criteria of their appointment may be provided for under Union or member state law.
g) Processor means a natural or legal person, authority, establishment or other body which processes personal data on the controller’s behalf.
h) Recipient means a natural or legal person, authority, establishment or other body to whom personal data is disclosed, regardless of whether or not it is a third party. However, authorities which may receive personal data in the context of a specific investigation mandate under Union or member state law are not considered to be recipients.
i) Third party means a natural or legal person, authority, establishment or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data.
j) Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes in the form of a declaration or another clear and affirmative act, by which the data subject signifies agreement to the processing of the personal data concerning them.
Section 3 Providing the website and creating log files
(1) When you are merely using the website for information purposes, i.e. if you do not register or otherwise transfer information to us, each time our website is accessed we automatically collect the following data and information from the accessing computer’s computer system:
a) Date and time of access
b) Content of hits (specific pages)
c) The names of downloaded files
d) The user’s IP address
e) Information about the browser type and the version used
f) The language and version of the browser software
g) The amount of data transferred
The data is also stored in our system’s log files. This data is not stored together with other personal data belonging to the user.
(2) The legal basis for the temporary storage of the log files is Art. 6, Clause 1, (f) of the GDPR.
(3) The temporary storage of the IP address by the system is necessary to
a) enable delivery of the website to the user’s computer. The user’s IP address must remain stored for the duration of the session for this purpose.
b) optimise the contents of our website and advertising for the same
c) guarantee the functionality of our IT systems and our website’s technology
d) provide law enforcement authorities with necessary information in the event of a cyber attack
Storage in log files is carried out to guarantee the functionality of the website. Additionally, we also use the data to optimise the website and to ensure the security of our IT systems. Evaluation of data for marketing purposes does not take place in this regard.
In these purposes, we also have a legitimate interest in data processing according to Art. 6, Clause 1, (f) of the GDPR.
(4) The data shall be deleted as soon as it is no longer required to achieve the purpose for which it was collected – in this case, when the usage process ends.
If data is stored in log files, this is done seven days afterwards at the latest. Extended storage is possible. In this case, the IP addresses are deleted or anonymised so that they can no longer be allocated to the accessing client.
(5) Data must be recorded under all circumstances to provide the website and store the data in log files for the purpose of operating the website, which is why there is no opportunity to object.
Section 5 Disclosure of data to third parties
(1) Links to external web page
Section 6 Contact form and email contact
(1) On our website, there is a contact form which can be used to contact us electronically. If you use this option, the data entered in the input screen shall be transferred to us and stored. This data includes:
P.O. box (if applicable)
Town / city
The following data is also stored when the message is sent:
The user’s IP address
Date and time
Alternatively, you can also contact us on the email address provided. In this case, the personal data which is transferred with the email is stored.
If this information relates to communication channels (e.g. your email address or telephone number), you are also consenting to the fact that we may, if necessary, contact you using these communication channels to respond to your request.
Your data shall not be disclosed to third parties in this regard. The data is only used for processing the conversation.
(2) The legal basis for data processing, provided that the user has given their consent to this effect, is Art. 6, Clause 1, (a) of the GDPR. The legal basis for processing data transferred in the course of sending an email is Art. 6, Clause 1, (f) of the GDPR. If you have contacted us by email with the aim of concluding a contract, Art. 6, Clause 1, (b) of the GDPR forms an additional legal basis.
(3) We only process personal data from the input screen to process the contact request. We shall naturally only use the data from your email enquiry for the purpose for which you are providing it during such contact. If the user makes contact by email, there is also a required legitimate interest in data processing when we reply. The other personal data processed during the sending process is used to prevent misuse of the contact form and to ensure the security of our IT systems.
(4) The data shall be deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the contact form’s input screen and the data sent by email, this is the case when the respective conversation with the user has ended. The conversation is ended when the circumstances indicate that the situation concerned has been conclusively clarified. The personal data also collected during the sending process is deleted after a period of seven days at the latest.
(5) You have the opportunity to revoke your consent to the processing of your personal data at any time. If you contact us by email, you can object to the storage of your personal data at any time. The conversation cannot be continued in a case such as this. With regard to revocation of consent / objection to storage, we ask that you contact the controller or the data protection officer according to Section 1 by email or post. All personal data stored during the course of contact is deleted in this case.
Section 7 Google Analytics
(1) On our website, we use the service provided by Google Inc. (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) to analyse our users’ surfing behaviour. The software sets a cookie on your computer (see Section 4 for information about cookies). If individual pages of our website are viewed, the following data is stored:
Two bytes of the IP address of the user’s accessing system
The web page viewed
Entry pages, exit pages
The time spent on the web page and the cancellation rate
The frequency of visits to the web page
The country of origin and regional origin, language, browser, operating system, screen resolution, use of Flash or Java
Search engines and search terms used
(2) The information generated by the cookie about the users’ use of this website shall generally be transmitted to and stored on a Google server in the USA.
(3) The legal basis for personal data processing is Art. 6 (1), clause 1 (a) of the GDPR.
(4) Google shall use this information on our behalf to evaluate your use of the website and to compile reports on website activities. Evaluation of the obtained data allows us to compile information about the use of our websites’ individual components. This helps us to constantly improve our website and its user-friendliness.
(5) The data shall be deleted as soon as it is no longer required for the purposes that it was collected for. In our case, this is after 14 months.
(9) According to Art. 13 and Art. 14 of the GDPR, we hereby inform you that we collect your data and process it in the course of further processing. You hereby agree to the disclosure of your personal data. Of course, according to Art. 15 of the GDPR, you have a right of access at any time to confirm our processing activities, a right of rectification (Art. 16 of the GDPR), a right of erasure (Art. 17 of the GDPR) and a right to restriction of processing (Art. 18 of the GDPR).
You shall be notified of your personal data being rectified or erased, or of processing of your data being restricted, on request according to Art. 19 of the GDPR. Furthermore, you can request that data be transmitted to another controller at any time under the conditions set down in Art. 20 of the GDPR. You also have the right to object at any time to the processing of personal data concerning you according to Art. 21 of the GDPR by emailing at firstname.lastname@example.org.
Section 8 Integration of Google Maps
(1) Our website uses the services of Google Maps. This allows us to display interactive maps on our website and permits you convenient usage of the map function.
(2) When you visit the website, Google receives the information that you have accessed the respective sub page of our website. In addition, the data listed under Section 7 of this statement is transmitted. This is the case irrespective of whether or not you have a Google user account and are logged into it. If you are logged into a Google account, your data is associated directly with your account. If you do not wish for your data to be associated with your Google profile, log out before activating the button. Google saves your data as usage profiles and uses it for the purposes of promotion, market research and/or tailoring its website to the users' needs. In particular, this evaluation is conducted (even for users not logged into a user account) to provide tailored advertising and to inform other users of the social network about your activities on our website. You have a right to object to the creation of these user profiles, but in order to exercise this right, you will have to contact Google.
Section 9 E-Commerce
(1) You can order brochures and advertising materials using our website’s Support section. To complete an order, you must provide personal data or have specified your data when you registered your personal customer account. We require this data to process your order. The following data is collected when you use the shop:
Name / Company name
Address (or an alternative delivery address, if necessary)
Date and time of the order
Your data is only passed on to third parties if we are required to transfer the same for the purposes of processing a contract, billing, or collecting money, or if you have expressly consented to the same. In this respect, we only transfer the data required on a case-by-case basis.
(2) The shop is maintained by our parent company, Maha Germany.
(3) The legal basis is Art. 6 (1), clause 1 (b) of the GDPR. With respect to the voluntary data, the legal basis for data processing is Art. 6 (1), clause 1 (a) of the GDPR.
(4) The collected mandatory data is required to fulfil the contract with the user (for the purpose of sending the goods and confirming the contents of the contract). We therefore use the data to answer your enquiries, to process your order and for the purpose of technical administration of the website. Any voluntary information you provide is used to prevent misuse and investigate criminal offences if necessary. We may also process the data you provide to tell you about other interesting products from our range or to send you emails containing technical information.
(5) The data shall be erased as soon as it is no longer required to achieve the purpose for which it was collected. We are obligated under specifications in commercial and tax law to save your address, payment and order details for ten years following performance of the contract. However, we undertake to restrict processing after two years, i.e. your data shall only be used to adhere to legal obligations. If a continuing obligation has been established between ourselves and the user, we shall store the data for the entire term of the contract and for the duration of ten years thereafter (see above). With respect to the voluntary information you provide, we shall erase the data once two years after performance of the contract have elapsed, provided that no further contracts have been concluded with the user in this period; if a contract is concluded with the user in the same period, the data shall be erased once two years after processing of the most recent contract have elapsed. Statutory retention periods shall remain unaffected and take precedence.
(6) If the data is required to fulfil a contract or to implement pre-contractual measures, the data may only be erased prematurely provided there are no contractual or legal obligations to the contrary.
Otherwise, you are free to have us completely erase the personal data you provided on registration from the database maintained by the controller responsible for processing. The controller responsible for processing shall provide you with information about the personal data we store about you at any time on request. Furthermore, the controller responsible for processing shall rectify or erase personal data on the data subject’s request following submission of proof, provided there are no statutory retention obligations to the contrary. You may contact the controller or the data protection officer under Section 1 at any time by email or post and request that they erase / modify your data.
Section 10 Rights of the data subject
If personal data about you is processed, you are the data subject under the terms of the GDPR, and you are entitled to the following rights vis-à-vis the controller:
- Right of access
- Right to correction
- Right to restriction of processing
- Right to deletion
- Right to information
- Right to data portability
- Right to object to processing
- Right to revocation of consent under data protection legislation
- Right to not be subject to automated decision-making
- Right to lodge complaints with a supervisory authority
1. Right of access
(1) You can request confirmation of whether personal data concerning you is processed by us from the controller. If such processing takes place, you may request free information about the personal data stored about you and about the following from the controller:
a) The purposes for which the personal data is being processed;
b) The categories of personal data which are processed;
c) The recipients or categories of recipients to whom the personal data concerning you was or shall be disclosed;
d) The planned duration of storage of the personal data concerning you or, if specific information cannot be provided on this matter, criteria for defining the duration of storage;
e) The existence of a right to correct or delete the personal data concerning you, a right to restrict processing by the controller, and a right to object to such processing;
f) The existence of a right to lodge a complaint with a supervisory authority;
g) All of the available information about the origin of the data, if the personal data was not collected from the data subject;
h) The existence of automated decision-making, including profiling according to Art. 22, Paras. 1 and 4 of the GDPR, and – at least in these cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
(2) You are entitled to the right to request information about whether the personal data concerning you is transferred to a third country or an international organisation. In this context, you can request to be informed of the appropriate safeguards according to Art. 46 of the GDPR in connection with such transfer.
2. Right to correction
You have a right to immediate correction and/or completion vis-à-vis the controller, provided that the processed personal data concerning you is incorrect or incomplete.
3. Right to restriction of processing
(1) You can request from the controller that processing of the personal data concerning you be immediately restricted under the following conditions:
a) If you dispute the accuracy of the personal data concerning you for a duration that enables the controller to check the accuracy of the personal data;
b) If processing is unlawful and you refuse deletion of the personal data and instead request restriction of your personal data’s use;
c) The controller no longer needs the personal data for the purposes of processing, but you require the same to establish, exercise or defend legal claims; or
d) If you have objected to processing according to Art. 21, Para. 1 of the GDPR and it has not yet been determined whether the controller’s legitimate grounds take precedence over your grounds.
(2) If processing of the personal data concerning you is restricted, such data may – with the exception of storage – only be processed with your consent, for the establishment, exercise or defence of legal claims, for the protection of rights of another natural or legal person, or for reasons of important public interest of the Union or of a member state. If restriction of processing was not carried out according to the aforementioned conditions, you shall be informed by the controller before the restriction is removed.
4. Right to deletion
(1) You can ask the controller to immediately delete the relevant personal data if one of the following grounds apply:
a) The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
b) You revoke your consent on which processing according to Art. 6, clause 1 (a) or Art. 9, clause 2, (a) of the GDPR was based, and there are no other legal grounds for processing.
c) You object to processing according to Art. 21, clause 1 of the GDPR and there are no other overriding legitimate grounds for processing, or you object to processing according to Art. 21, clause 2 of the GDPR.
d) The personal data concerning you was processed unlawfully.
e) Deletion of the personal data concerning you is required to fulfil a legal obligation under Union law or the law of the member states to which the controller is subject.
f) The personal data concerning you was collected in relation to the offer of information society services according to Art. 8, clause 1 of the GDPR.
(2) If the controller has made the personal data concerning you public and is obligated to delete the same according to Art. 17, clause 1 of the GDPR, taking account of the available technology and the associated implementation costs the controller shall take appropriate measures, including those of a technical nature, to inform other controllers processing the personal data that you as the data subject have requested the deletion of all links to this personal data or to copies or replications of the same.
(3) The right to deletion does not exist insofar as processing is required
a) to exercise the right to freedom of expression and information;
b) to fulfil a legal obligation which requires processing according to Union or member state law to which the controller is subject, to perform a task carried out in the public interest, or to exercise official authority vested in the controller;
c) for reasons of public interest in the area of public health according to Art. 9, clause 2 (h) and (i), as well as Art. 9, clause 3 of the GDPR;
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes according to Art. 89, clause 1 of the GDPR, insofar as the right mentioned under a) is likely to render impossible or seriously impair the achievement of the objectives of such processing; or
e) for the establishment, exercise or defence of legal claims.
5. Right to information
If you have asserted your right to correction, deletion or restriction of processing vis-à-vis the controller, the controller is obligated to inform all the recipients to whom the personal data concerning you was disclosed of this correction or deletion of data or of the restriction of processing, unless doing so proves to be impossible or would involve a disproportionate effort. You are entitled to receive information about these recipients from the controller.
6. Right to data portability
(1) You have the right to receive the respective personal data which you provided to the controller in a structured, common and machine-readable format. You also have the right to transfer this data to another controller without hindrance from the controller to whom the personal data was provided, insofar as
a) processing is based on consent according to Art. 6, clause 1, (a) of the GDPR or Art. 9, clause 2, (a) of the GDPR or on a contract according to Art. 6, clause 1, b) of the GDPR; and
b) processing is carried out by automated means.
(2) In exercising this right, you further have the right to have the personal data concerning you transferred directly from one controller to another, where technically feasible. The rights and freedoms of others must not be adversely affected by the exercising of this right.
(3) The right to data portability does not apply to the processing of personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(4) With regard to asserting the right to data portability, the data subject can contact the controller responsible for processing at any time.
7. Right of objection
(1) You have the right, on grounds relating to your particular situation, to object at any time to processing of the personal data concerning you based on Art. 6, clause. 1, (e) or (f) of the GDPR; this also applies to profiling based on these provisions.
(2) The controller shall no longer process the personal data concerning you unless they can demonstrate compelling and legitimate grounds for processing which outweigh your interests, rights and freedoms, or if processing serves to establish, exercise or defend legal claims.
(3) If the personal data concerning you is processed for the purpose of carrying out direct advertising, you have the right at any time to object to processing of the personal data concerning you for the purposes of such advertising; this also applies to profiling if it is in conjunction with such direct advertising. If you object to processing for the purposes of direct advertising, the personal data concerning you shall no longer be processed for these purposes.
(4) In connection with the use of information society services – notwithstanding Directive 2002/58/EC – you can exercise your right of objection by automated means where technical specifications are used.
(5) To exercise the right of objection, the data subject can contact the controller responsible for processing.
8. Right to revocation of your declaration of consent under data protection legislation
You have the right to revoke your declaration of consent under data protection legislation at any time. Revocation of consent does not affect the lawfulness of processing carried out based on consent up until the same is revoked. You can contact the controller for this purpose.
9. Automated decision on a case-by-case basis, including profiling
(1) You have the right to not be subjected to a decision based solely on automated processing – including profiling – which has legal implications for you or significantly affects you in another way. This does not apply if the decision
a) is required to conclude or fulfil a contract between you and the controller;
b) is permissible based on Union or member state legislation to which the controller is subject, and this legislation contains appropriate measures to protect your rights and freedoms as well as your legitimate interests; or
c) is made with your express consent.
(2) However, these decisions may not be based on specific categories of personal data according to Art. 9, clause 1 of the GDPR, insofar as Art. 9, clause 2, (a) or (g) of the GDPR does not apply and appropriate measures were taken to protect rights and freedoms as well as your legitimate interests.
(3) With regard to the cases mentioned in (1) and (3), the controller shall take appropriate measures to protect rights and freedoms as well as your legitimate interests, which at least includes the controller’s right to request someone’s intervention, present their own point of view and contest the decision.
(4) If the data subject would like to assert rights in relation to automated decision-making, they can contact the controller for data processing concerning this matter at any time.
10. Right to lodge complaints with a supervisory authority
Regardless of another administrative or judicial legal remedy, you have the right to lodge complaints with a supervisory authority, particularly in the member state where your place of residence, your workplace or the place of the suspected violation is located if you believe that the processing of the personal data concerning you is in violation of the GDPR. The supervisory authority with whom the complaint was lodged informs the complainant of the status and results of the complaint, including the possibility to appeal according to Art. 78 of the GDPR.
We reserve the right to amend our data protection practices and this policy at any time in order to adapt it to amendments to relevant laws and regulations or to better meet your needs. Any amendments to our data protection practices shall be announced accordingly at this time. This Privacy Statement was updated  January 2022.
If you wish to contact us for any of the reasons set out above or you have any questions about our Privacy Statement or you wish to make a complaint with regard to the manner and means in which your data is processed by us or with regard to any other matter in relation to your data, you can write, call (as indicated above) or email us at email@example.com.