Privacy policy
I. General Information
(1) Purpose: In accordance with Art. 13 GDPR (DSGVO), we inform you below about the collection of personal data when using our website. Personal data is all data that can be related to you personally, e.g., name, address, e-mail addresses, user behaviour.
(2) Data Controller: The responsible party pursuant to Art. 4 (7) of the EU General Data Protection Regulation (GDPR / DSGVO) is:
MARIA GALLAND PARIS, Wintrichring 58, D-80992 Munich
Telephone: 00800 642 55 263
Web: mariagalland.com
E-mail: kundenservice@maria-galland.com (see our imprint)
You can reach our Data Protection Officer at:
Bugl & Kollegen Gesellschaft für Datenschutz und Informationssicherheit mbH, Eifelstraße 55, 93057 Regensburg
E-mail: kontakt@buglundkollegen.de
(3) Contacting Us: When you contact us by e-mail or via a contact form, the data you provide (your e-mail address, name, and telephone number, if applicable) will be stored by us in order to answer your questions. Legal Basis: Our legitimate interest in responding to your request (Art. 6 (1) lit. f GDPR). If your contact aims at the conclusion of a contract, the additional legal basis is Art. 6 (1) lit. b GDPR. Retention: We delete the data accruing in this context after storage is no longer necessary, or restrict processing if there are statutory retention obligations.
(4) Service Providers & Marketing: If we use commissioned service providers for individual functions of our offer or would like to use your data for advertising purposes, we will inform you in detail about the respective processes below, including the defined criteria for the storage period.
II. Your Rights
(1) Data Subject Rights: You have the following rights with regard to the personal data concerning you: Right to information (Art. 15 GDPR), right to correction (Art. 16 GDPR) or deletion (Art. 17 GDPR), right to restriction of processing (Art. 18 GDPR), right to object to processing (Art. 21 GDPR), right to data portability (Art. 20 GDPR).
(2) Supervisory Authority: You also have the right to complain to a data protection supervisory authority about the processing of your personal data by us (Art. 77 GDPR).
III. Hosting
(1) Scope: The hosting services used by us serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, e-mail dispatch, security services, and technical maintenance services used for the purpose of operating this online offer.
(2) Data Categories & Basis: In this context, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta data, and communication data of customers, interested parties, and visitors. Legal Basis: Our legitimate interests in an efficient and secure provision of this online offer pursuant to Art. 6 (1) lit. f GDPR in conjunction with Art. 28 GDPR (order processing agreement). More Information: Additional compliance documentation can be found via Shopify Privacy.
IV. Calling Up the Website
When using the website purely for informational purposes (i.e., without registration or data transmission), we only collect the personal data that your browser automatically transmits to our server. This data is technically necessary to display our website and ensure stability and security:
- IP address
- Date and time of the request
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status / HTTP status code
- Amount of data transferred in each case
- Website from which the request originated
- Browser type, language, and software version
- Operating system and its interface
Legal Basis: This data is processed and stored for a limited period on the basis of our legitimate interest (Art. 6 (1) lit. f GDPR) so that it can be traced back to a specific person in the event of unauthorised access or attempted access to our servers.
V. Use of Cookies
(1) Definition: Cookies are small text files stored on your hard drive in relation to the browser you are using, which provide the party setting the cookie (us) with certain information. They serve to make the internet offer more user-friendly and effective.
(2) Categories: We distinguish between: (a) Absolutely necessary cookies: Required for core website functions. Cannot be disabled. (b) Functional cookies: Enable enhanced functionality and personalisation. (c) Performance cookies: Allow us to count visits and traffic sources anonymously to measure performance. (d) Marketing cookies: Set by advertising partners to profile interests and show targeted ads on other sites. (e) Social media cookies: Set by social services to allow content sharing and tracking across platforms.
(3) Legal Basis: The use of optional cookies (b, c, d, e) is strictly based on your explicit consent (Art. 6 (1) lit. a GDPR).
On our website, we use the following necessary, functional, and analytical/performance cookies.
VI. Use of Consentmo
We use the consent management tool Consentmo on our website to obtain and manage consent for the use of cookies and similar technologies.
In doing so, we process information about the consents granted or revoked, technical data such as IP address (truncated if necessary), browser and device information, as well as the time and context of the consent.
This serves to fulfill our legal obligation to provide evidence of consent in accordance with Art. 6(1)(c) GDPR in conjunction with Art. 7(1) GDPR.
For this purpose, a cookie is set to store your consent decision.
The transfer of data to third countries cannot be ruled out; in such cases, it is carried out on the basis of appropriate safeguards in accordance with Art. 44 et seq. of the GDPR.
For more information, please visit: https://www.consentmo.com/privacy-policy.
You may revoke or adjust your consent at any time via the cookie settings on our website.
VII. Use of Google Analytics 4 (GA4)
We use the 'Google Analytics' service on our website to evaluate user behavior. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
The legal basis for the use of Google Analytics is your consent pursuant to Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future.
The data processed by Google Analytics includes your IP address, browser and device information, location data, time of visit, information on website interaction, and it sets cookies.
If you are logged into a Google account, this data can be linked to a user profile.
The purpose of data processing is the statistical analysis of website usage and user interactions to optimize website performance and user experience.
The default data retention period for Google Analytics is 14 months.
It cannot be ruled out that personal data may be transferred to unsafe third countries (United States) where the level of data protection is lower than in the EU. Google is certified under the EU-US Data Privacy Framework, which regulates the secure processing of EU citizens' data in the US. We have entered into a data processing agreement (DPA) with Google that ensures that personal data will only be processed in accordance with our instructions and in compliance with the GDPR.
Further information on the privacy policy of Google Analytics can be found at: https://support.google.com/analytics/topic/2919631?hl=fr&ref_topic=1008008,3544742,2986333,&sjid=1881441919987619365-EU
Information about the cookies used can be found at: https://policies.google.com/technologies/cookies
You can prevent the processing of your data by clicking on this link: https://tools.google.com/dlpage/gaoptout
VIII. Facebook, Custom Audiences and Facebook Marketing Services
(1) Scope & Optimization: We integrate the "Facebook Pixel" operated by Meta Platforms Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook" / "Meta").
(2) Purpose: To target our advertisements ("Facebook Ads") exclusively to Facebook users who have shown interest in our website or match specific criteria we transmit to Facebook (Custom Audiences), and to track the commercial effectiveness of ads via conversion tracking (identifying if a user was redirected to our shop after clicking an ad).
(3) Data Processing: The pixel runs strictly upon your consent and sets a cookie. Collected data is anonymous to us and cannot identify you. However, Meta stores and processes this data to link it to your Facebook profile for its own advertising purposes. Any data sent to Meta for matching is hashed (one-way transformed) locally in your browser prior to transmission via HTTPS.
(4) Legal Basis: Your explicit consent via Art. 6 (1) lit. a GDPR.
(5) Opt-Out & Policies: You can adjust your Facebook ad settings via Facebook Ad Preferences. General policies are available at Facebook Privacy Policy.
IX. Use of Social Login
We use the Shopify service on our website to enable users to log in or register using their existing social media accounts.
The data processed includes your IP address, device information, browser information, and, depending on the social network used, profile data such as your name, email address, and profile picture. Shopify may also set cookies.
Shopify processes user data to authenticate users and to simplify the registration and login process.
The purpose of data processing is to provide a convenient login function, improve user experience, and reduce registration barriers.
In the course of using social login functions, personal data may be transferred to the respective social media providers. It cannot be ruled out that such data transfers involve third countries (e.g., the United States), where the level of data protection may be lower than in the EU. Where required, appropriate safeguards in accordance with the GDPR are implemented.
Further information on the privacy policy can be found at: Shopify Privacy.
X. Integration of Google Maps
(1) Functionality: We integrate interactive maps from Google Maps to help you find locations conveniently.
(2) Extended Data Protection Mode: No data is transmitted to Google when you simply load the page. Data is only transferred to Google once you provide explicit consent and actively click to open or interact with the maps.
(3) Data Transmission: Upon activation, Google receives the informational data listed in Section IV of this policy and your IP address. This occurs regardless of whether you are logged into a Google account. If logged in, Google assigns this data directly to your profile. Google stores this data as usage profiles for advertising and market research. You have the right to object to the creation of these profiles directly via Google.
(4) Provider & Legal Basis: Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis is Art. 6 (1) lit. a GDPR (Consent). Privacy terms can be found at Google Privacy Policy.
XI. Use of Google Tag Manager
(1) Purpose: Google Tag Manager allows us to manage and deploy website tags (scripts and codes) easily, optimizing website loading speeds.
(2) Processing: The Tag Manager triggers other embedded tags which may collect data. The Tag Manager itself processes online identifiers (cookie IDs) and IP addresses.
(3) Legal Basis & Data Agreement: We have concluded an order processing contract with Google Ireland Ltd. Google processes this data on our behalf. Legal basis is Art. 6 (1) lit. a GDPR (Consent).
(4) Persistence of Deactivation: If you deactivate individual tracking services (e.g., opting out of a cookie), that deactivation remains in effect for all affected tracking tags managed via the Tag Manager.
XII. Newsletter
We use the 'Klaviyo' service on our website to manage email marketing campaigns and analyze user interactions. The provider is Klaviyo, Inc. ("Klaviyo"), 125 Summer Street, Floor 6, Boston, MA 02111, USA.
The legal basis for the use of Klaviyo is your consent pursuant to Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future.
The data processed by Klaviyo includes your email address, IP address, device information, browser information, website interaction data, and it sets cookies.
Klaviyo collects user data to create user profiles for personalized marketing purposes.
The purpose of data processing is to manage email marketing campaigns, analyze user interactions, and optimize customer communication.
It cannot be ruled out that personal data may be transferred to unsafe third countries (United States) where the level of data protection is lower than in the EU. Klaviyo is certified under the EU-US Data Privacy Framework, which regulates the secure processing of EU citizens' data in the US. We have entered into a data processing agreement (DPA) with Klaviyo that ensures that personal data will only be processed in accordance with our instructions and in compliance with the GDPR.
Further information on the privacy policy of Klaviyo can be found at: https://www.klaviyo.com/legal/privacy/privacy-notice.
XIII. Use of Stockist
We use the “Stockist” service on our website to provide an interactive store locator and to display locations where our products are available.
The provider is Stockist Pty Ltd (“Stockist”), Melbourne, Australia.
The legal basis for the use of Stockist is your consent pursuant to Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future.
The data processed by Stockist includes your IP address, location data (if you allow location access), device information, browser information, and website interaction data. Stockist may also set cookies.
Stockist processes user data to enable location-based searches and to display relevant nearby stores.
The purpose of data processing is to provide a store locator function, improve user experience, and analyze the use of this feature.
It cannot be ruled out that personal data may be transferred to unsafe third countries (e.g., Australia), where the level of data protection may be lower than in the EU. We have entered into a data processing agreement (DPA) with Stockist that ensures that personal data will only be processed in accordance with our instructions and in compliance with the GDPR.
Further information on the privacy policy of Stockist can be found at: https://stockist.co/privacy.
XIV. Use of Join Stories
We use the “Join Stories” service on our website to display interactive social media content and integrate user-generated content. The provider is Join Stories GmbH (“Join Stories”), Germany.
The legal basis for the use of Join Stories is your consent pursuant to Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future.
The data processed by Join Stories includes your IP address, device information, browser information, and website interaction data. If you interact with embedded content, further data (such as your interactions and social media activity) may be processed. Join Stories may also set cookies.
Join Stories processes user data to enable the display of embedded content and to analyze user engagement with this content.
The purpose of data processing is to integrate social media content, improve the visual presentation of our website, and analyze user interaction with embedded content.
As Join Stories is based in the European Union, data processing generally takes place within the EU. If personal data is transferred to third countries, appropriate safeguards in accordance with the GDPR are ensured.
Further information on the privacy policy of Join Stories can be found at: https://join-stories.com/privacy-policy.
XV. Loqate
We use the “Logate” service on our website to provide digital marketing functionalities such as user interaction tracking and campaign optimization. The provider is Logate GmbH (“Logate”), Germany.
The legal basis for the use of Logate is your consent pursuant to Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future.
The data processed by Logate includes your IP address, device information, browser information, and website interaction data. Logate may also set cookies.
Logate processes user data to analyze user behavior and optimize marketing measures.
The purpose of data processing is to evaluate the effectiveness of marketing campaigns, improve user experience, and optimize website content.
As Logate is based in the European Union, data processing generally takes place within the EU. If personal data is transferred to third countries, appropriate safeguards in accordance with the GDPR are ensured.
Further information on the privacy policy of Logate can be found at: https://www.logate.com/privacy-policy
XVI. Translate & Adapt
We use the “Translate & Adapt” service on our website to provide automated translations and localized content for users in different languages. The provider is Shopify Inc. (“Shopify”), 151 O’Connor Street, Ground Floor, Ottawa, Ontario K2P 2L8, Canada.
The legal basis for the use of Translate & Adapt is your consent pursuant to Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future.
The data processed by Translate & Adapt includes your IP address, browser language settings, device information, browser information, and website interaction data. The service may also set cookies.
Translate & Adapt processes user data to automatically display content in the appropriate language and to improve translations based on user behavior.
The purpose of data processing is to provide multilingual website content, improve user experience, and enable localization of our services.
It cannot be ruled out that personal data may be transferred to third countries (e.g., Canada or the United States). Canada is considered to provide an adequate level of data protection by the European Commission. Where data is transferred to other third countries, appropriate safeguards in accordance with the GDPR are implemented.
Further information on the privacy policy of Shopify can be found at: https://www.shopify.com/legal/privacy.
XVII. Use of Judge Me
We use the 'Judge.me' service on our website to collect and display customer reviews. The provider is Judge.me Company Limited ("Judge.me"), Buckworths 2nd Floor, 1-3 Worship Street, London, England.
The legal basis for the use of Judge.me for the display of reviews on our website is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Our legitimate interest lies in providing our customers with a transparent shopping experience by giving them access to the experiences and opinions of other customers, as well as improving the presentation of our products and services.
If you voluntarily submit a review, the processing of the data you provide for this purpose is based on your consent pursuant to Art. 6 (1) lit. a GDPR. By submitting a review, you expressly consent to the processing of your review content and the associated personal data for the purpose of collecting and publishing customer reviews. You may withdraw your consent at any time with effect for the future.
The data processed by Judge.me includes your name, email address, order information, review content, IP address, and device information.
The purpose of data processing is to collect and display customer reviews and ratings for products and services.
It cannot be ruled out that personal data may be transferred to unsafe third countries (United States) where the level of data protection is lower than in the EU. Judge.me uses standard contractual clauses designed to ensure that your data complies with European data protection standards even if it is transferred to and stored in third countries.
We have concluded a Data Processing Addendum with Judge.me, which guarantees that personal data will only be processed in accordance with our instructions and in compliance with the GDPR.
Further information on the privacy policy of Judge.me can be found at: https://judge.me/privacy.
XVIII. The Use of Beyable
We use the “Beyable” service on our website to provide personalized content, product recommendations, and to optimize user experience in real time.
The provider is BEYABLE SAS (“Beyable”), 17 Rue de la Banque, 75002 Paris, France.
The legal basis for the use of Beyable is your consent pursuant to Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future.
The data processed by Beyable includes your IP address, device information, browser information, website interaction data, and behavioral data such as browsing history and click behavior. Beyable may also set cookies.
Beyable processes user data to create user profiles and to deliver personalized content and recommendations.
The purpose of data processing is to improve the user experience, increase conversion rates, and optimize website content and marketing measures.
As Beyable is based in the European Union, data processing generally takes place within the EU. If personal data is transferred to third countries, appropriate safeguards in accordance with the GDPR are ensured.
Further information on the privacy policy of Beyable can be found at: https://www.beyable.com/legal-notice/
XIX. [SKIN]ALIZE Pro
(1) Purpose & Scope: We process personal data and skin-related health data as part of our online skin analysis survey to provide personalized skincare routine recommendations.
(2) Processed Categories: Name, first name, e-mail address, IP address, and details regarding your skin condition provided during the survey.
(3) Legal Basis: Your explicit consent pursuant to Art. 6 (1) lit. a GDPR and Art. 9 (2) lit. a GDPR (explicit processing of special categories of data / health data).
(4) Recipients & Storage: Shared internally with authorized Maria Galland GmbH staff and Piwik as an order processor. No processing occurs outside the EU/EEA. Data is automatically and fully deleted no later than 6 months after collection. No automated individual decision-making or profiling is utilized.
XX. Use of Our Webshop
(1) Contract Processing: Ordering items requires providing mandatory personal data necessary to execute your contract. Mandatory fields are clearly marked. We transmit data to selected payment and shipping providers to complete your order under Art. 6 (1) lit. b GDPR.
(2) Customer Account & Institute Assignment: You can voluntarily create a password-protected account ("My Account") to save data for future purchases. At checkout, you may voluntarily enter your beautician's Institute Identification Number to ensure correct commission routing.
(3) Statutory Retention: Commercial and tax regulations oblige us to store your address, payment, and order history for a period of ten years. We restrict processing after two years; data is then locked and used exclusively for legal compliance.
(4) Encryption: To protect sensitive transactions and financial records, the ordering process is strictly encrypted using TLS technology.
(5) Adyen Payment Gateway: Payments are processed via Adyen GmbH, Ludwigstraße 9, 80539 Munich, Germany. Data transmission is executed strictly for contract fulfillment under Art. 6 (1) lit. b GDPR.
(6) PayPal Processing: Run by PayPal (Europe) S.à.r.l. & Cie. S.C.A., Luxembourg. PayPal may perform creditworthiness checks via credit agencies. Processing is governed by Art. 6 (1) lit. b GDPR.
(7) Verified Reviews: Post-purchase, your e-mail address and order ID are shared with NET REVIEWS (Marseille, France) to send a review invitation. Legal Basis: Our legitimate interest in gathering authentic, verified customer reviews (Art. 6 (1) lit. f GDPR). Data is automatically deleted 18 months after delivery. You can opt out of these invitations at any time.
XXI. E-Gift Card
(1) Purpose: Personal data is processed exclusively to issue and deliver voucher purchases.
(2) Legal Basis: Fulfillment of the purchase contract (Art. 6 (1) lit. b GDPR).
(3) Processed Categories: Buyer's name, recipient's name, and recipient's e-mail address.
(4) Execution: Shared only with internal staff of Maria Galland GmbH within the EU/EEA. Data is fully deleted 6 months after collection.
XXII. Online Presences in Social Media
We maintain active profiles on Facebook, Instagram, and YouTube to communicate with customers. Our social media icons are standard external hyperlinks; we do not use active social plug-ins that track you when you simply browse our website. Once you click a link and enter a social platform, their respective privacy policies apply.
Supplementary Facebook & Instagram Fanpage Policy
Maria Galland GmbH operates a Facebook Fanpage under joint-controller responsibility.
(1) Joint Responsibility: We share joint responsibility with Meta Platforms Ireland Ltd. pursuant to Art. 26 GDPR. The governing agreement can be reviewed at Facebook Page Controller Addendum. Meta assumes primary responsibility for providing information and honoring data subject rights.
(2) Page Insights Data: Facebook provides us with aggregated, anonymous statistics regarding visitor interactions ("Page Insights"). We cannot identify individual users through Page Insights unless a user sets their "Like" profile data to public. Legal Basis: Our legitimate interest in external presentation and customer communication (Art. 6 (1) lit. f GDPR).
(3) Data Transfers & Opt-Out: Data collected by Meta is shared across its group (Instagram, WhatsApp) and may involve international transfers to the USA. You may object to tracking or opt out directly via Facebook Privacy Settings.
(4) Right to Object / Revoke: If you wish to object to our direct communication or processing on the Fanpage, you can send an explicit message to kundenservice@maria-galland.com.
XXIII. Automated Decision-Making / Profiling
(1) Core Policy: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects you.
(2) Application: We do not use any automated decision-making or profiling systems within the scope of our website and its associated data processing.
Privacy Policy for Business Customers
In this privacy notice, we inform you about the type, scope, and purpose of the processing of personal data by our company.
The Controller within the meaning of Art. 4 No. 7 of the GDPR is:
Maria Galland GmbH, Wintrichring 58, D-80992 Munich, Germany
(hereinafter referred to as “we” or “us”)
I. Purposes and Legal Bases for the Processing
1. Processing of Your Contact Data
We process your contact data (such as name, first name, academic degree, specialisation/professional qualification, address, telephone numbers, and e-mail addresses). We collect this data from you, from publicly available sources, or via our service providers.
- Contract Performance: Processed insofar as necessary for the conclusion and performance of contracts with you. Legal Basis: Art. 6 (1) lit. b GDPR (if you are our direct contractual partner) or Art. 6 (1) lit. f GDPR (if you are a contact person for our contractual partner company, where our legitimate interest is communication regarding the contract).
- Relationship Management & Marketing: Processed for maintaining our business relationship, scientific information, market research, and direct marketing. Legal Basis: Art. 6 (1) lit. f GDPR (Legitimate Interests) or Art. 6 (1) lit. a GDPR (if explicit consent has been given).
- Legal Compliance: Processed to comply with statutory commercial, tax, and product safety obligations (see Section I.4).
2. Field Visits and Interviews by Engaged Service Providers
Following a visit by our field sales team, we process the date, location, and content of the visit (e.g., order history, POS data, requirements, and preferred visit times). We also process data gathered via market research surveys conducted by external processors pursuant to Art. 28 GDPR.
- Business Optimization: Processed for managing our field service, evaluating visit quality, adapting visits to your interests, improving product design, and targeted marketing. Legal Basis: Art. 6 (1) lit. f GDPR (Legitimate Interests).
- Tailored Digital & Physical Outreach: If you have given explicit consent, we will process your data to send tailored updates by email, fax, phone, or video call. This includes company news, new product developments, field service appointment scheduling, consultations (business organisation, local marketing), digital samples, seminars, trade fair or event invitations, and short surveys. Legal Basis: Art. 6 (1) lit. a GDPR (Consent).
3. Processing in the Context of Competitions
We process the personal data you provide during competitions (e.g., name, address, answers to contest questions) exclusively to conduct the competition and award prizes.
- Legal Basis: Art. 6 (1) lit. b GDPR (Performance of the competition contract).
- Note: Provision of data is voluntary, but participation or prize delivery is impossible without it.
4. Compliance with Legal Obligations
We process your personal data insofar as necessary to perform a legal obligation to which we are subject.
- Product Safety & Non-Interventional Studies: We process your name and contact details if you report undesirable product effects or quality defects. If we carry out application observations or non-interventional studies in cooperation with you, we process your name, contact details, and the amount of compensation paid.
- Legal Basis: Art. 6 (1) lit. c GDPR in conjunction with relevant national or European statutory regulations (e.g., cosmetic/food sample levies, adverse effect reporting).
5. Creditworthiness Verifications and Credit Agency Reporting
In individual cases, we process data provided by you (name, address, date of birth, and gender) to query credit reporting agencies using mathematical-statistical procedures prior to contract conclusion. We may also transmit data regarding non-contractual or fraudulent behaviour during our business relationship. This exchange is also used for identity and address verification.
- Legal Basis: Art. 6 (1) lit. f GDPR. Our legitimate interest is to protect our company and third parties from payment defaults and financial disadvantages.
II. Recipients or Categories of Recipients of Your Data
Within our company, access to your data is strictly limited to employees who require it to fulfil contractual or legal obligations. External disclosure occurs only when legally permitted, required, or authorized by you.
- Affiliated Group Companies: Insofar as they act as internal service providers (e.g., providing IT services) necessary for economic, administrative, or business continuity purposes.
- Private Entities & External Partners:
  - Payment service providers and banks (payment collection and reimbursements).
  - Complaint handlers (processing inquiries and customer defects).
  - Marketing agencies, printing companies, and lettershops (competitions, promotions, physical mailings).
  - IT service providers, system maintenance assistants, file archivers, and data shredding companies.
  - Logistics and shipping service providers (goods delivery).
  - Credit reporting agencies, debt collection agencies, and legal consultants.
  - Market research companies and licensed business partners.
- Public Bodies and Institutions: State authorities and regulatory bodies competent for our company to report product quality defects, product forgeries, or mandatory adverse effect observations.
III. Transfer to Third Countries
Data will not be transferred to countries outside the EU or the European Economic Area (EEA) unless necessary for our contractual relationships (e.g., tax reporting), legally required, or covered by explicit consent.
When service providers are deployed in a third country, data protection levels are guaranteed via:
- EU Standard Contractual Clauses (SCCs) according to Art. 46 GDPR, or
- An official Adequacy Decision by the European Commission.
IV. Duration of Storage of Your Personal Data
We store your personal data only as long as necessary to fulfil the purposes listed under Section I, after which it is erased unless statutory retention periods apply:
- Product Safety & Safety-Relevant Events: Stored for up to 10 years beyond the marketability of the product (depending on its classification as a cosmetic or food product).
- Commercial and Tax Laws: Retention of up to 10 years after the end of the business relationship or pre-contractual relationship in accordance with the German Commercial Code (HGB) and the German Revenue Code (AO).
- Statutory Limitation Periods: For the preservation of evidence under Sec. 195 et seq. of the German Civil Code (BGB), the regular limitation period is 3 years, but specific long-term limitation periods can extend up to 30 years.
V. Absence of Automated Decision-Making / Profiling
We do not use any procedures for purely automated individual decision-making, including profiling, in accordance with Art. 22 GDPR.
VI. Your Data Protection Rights
You may assert your data protection rights against us under the conditions set out by law:
- Right of Access (Art. 15 GDPR): Request confirmation and detailed info on whether and how your data is being processed.
- Right to Rectification (Art. 16 GDPR): Demand the correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17 GDPR): Request immediate deletion of your data (unless processing is required for legal obligations, freedom of expression, or defense of legal claims).
- Right to Restriction (Art. 18 GDPR): Request that we restrict data processing under certain statutory conditions.
- Right to Data Portability (Art. 20 GDPR): Receive the data you provided in a structured, commonly used, and machine-readable format.
- Right of Withdrawal: Withdraw any given processing consent at any time, with effect for the future.
- Right to Lodge a Complaint (Art. 77 GDPR): Lodge a complaint with a competent data protection supervisory authority regarding our processing.
Information About Your Right to Object (Art. 21 GDPR)
1. Case-Specific Objection: You have the right to object at any time, on grounds relating to your particular situation, to data processing based on Art. 6 (1) lit. f GDPR (balancing of interests), including profiling. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, or for the defense of legal claims.
2. Direct Marketing Objection: Where your data is processed for direct marketing purposes, you have an absolute right to object to this at any time. We will immediately stop processing your data for marketing and related profiling upon receipt of your objection.
How to Contact Us or Exercise Your Rights
You can address inquiries regarding your data protection rights via our regular corporate contact details, or via our dedicated portals:
- E-mail Support (France): service.consommateurs@maria-galland.fr
- External Data Protection Officer: Mr. Alexander Bugl, Bugl & Kollegen Gesellschaft für Datenschutz und Informationssicherheit mbH, Eifelstrasse 55, 93057 Regensburg, Germany; Phone: +49 941-630 49 789; E-mail: Datenschutz.buglundkollegen@klosterfrau.de
Maria Galland GmbH Status: July 2023
Privacy Policy on the Collection of Intolerance Reaction Data
This Privacy Policy informs you about the nature, scope, and purpose of processing personal data when any of the companies belonging to the Maria Galland Group handles your communication regarding an intolerance or undesirable reaction to one of our products.
Group Entities & Potential Data Controllers
The Data Controller pursuant to Art. 4 (7) of the GDPR is the specific company of the Maria Galland Group to which you communicate the undesirable product effect, or which is in direct contact with you regarding this matter:
- Germany: Maria Galland International GmbH, Wintrichring 58, 80992 Munich
- Germany: Maria Galland GmbH, Wintrichring 58, 80992 Munich
- Austria: Maria Galland Cosmetics GmbH, Dörenkampgasse 11, 1100 Vienna
- France: Maria Galland SARL, 22 Rue St. Gilles, 75003 Paris
- Switzerland: Maria Galland S.A., Ankerstrasse 53, 8004 Zurich
- Belgium: S.A. Maria Galland N.V., 1, Avenue du Four à Briques – Kareelovenlaan 1, Brussels 1140
- Spain: Maria Galland SLU, Calle Antonio González Echarte, 1, 28029 Madrid
- Italy: Maria Galland srl, Via Copernico 38, 20125 Milan
I. Categories of Personal Data Processed by Us
We process the personal data provided directly within your communication when you advise us of potential skin/intolerance reactions or product quality defects.
- Note: You are under no statutory obligation to provide us with your personal data. However, we may be unable to investigate or fully handle your communication without these details.
II. Purposes and Legal Bases of Data Processing
We exclusively process this health and contact data to meet our strict statutory public health and product safety monitoring obligations.
- Applicable Regulations: Communications of undesirable effects under Sect. 63b, Sect. 63c AMG (German Medicinal Products Act), Sect. 3 MSPV (German Medical Devices Safety Plan Ordinance), Art. 23 Regulation (EC) No 1223/2009 (Cosmetics Regulation), and Art. 6 et seqq., Art. 19 Regulation (EC) No 178/2002 (General Food Law).
- Legal Bases:
  - Art. 6 (1) lit. c GDPR (compliance with a legal obligation to which the controller is subject).
  - Art. 9 (2) lit. i GDPR (processing of special categories / health data necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices).
III. Recipients or Categories of Recipients of Your Data
Access to your personal data is strictly granted to authorized internal employees who require it to perform our statutory duties. External sharing occurs only if legally required, permitted, or explicitly authorized by you.
- Affiliated Group Enterprises: Insofar as they act as internal service providers (e.g., providing IT infrastructure) or require the data to meet centralized compliance and statutory obligations.
- Private Entities & Processors: External service providers specialized in collecting and evaluating skin reaction reports, as well as IT maintenance service providers, system administrators, file archivists, and secure data shredding companies.
- Public Bodies and Institutions: Competent national health and consumer protection authorities to which we are legally mandated to report product quality defects, cosmetic alerts, or adverse health reactions.
IV. Third-Country Transfer
Data is transferred to countries outside the EU or European Economic Area (EEA) only if required for handling the relationship, required by law (e.g., international reporting obligations), or explicitly authorized by you.
To guarantee an adequate level of data protection, any transfer to a third country is restricted to:
- EU Standard Contractual Clauses (SCCs) signed with the respective third-country recipient, or
- An official Adequacy Decision issued by the European Commission.
V. Duration of Retention of Your Personal Data
We process your personal data only as long as necessary for the respective tracking purpose and subsequently erase it, unless ongoing retention is legally mandatory:
- Product Safety & Pharmacovigilance: Due to statutory stipulations regarding safety-relevant events, data must be retained for testing and proof purposes for up to 10 years beyond the marketability of the product.
- Commercial and Fiscal Codes: Up to 10 years beyond the end of the business or legal relationship to comply with statutory safekeeping duties under the German Commercial Code (HGB) and the Fiscal Code of Germany (AO).
- Statutes of Limitation: For the preservation of evidence under Sect. 195 et seqq. of the German Civil Code (BGB), the standard limitation period is 3 years, but specific limitation periods for health or product liability claims can extend up to 30 years.
VI. Absence of Automated Individual Decision-Making / Profiling
We do not utilize any automated decision-making processes or profiling systems under Art. 22 GDPR within the scope of this data collection.
VII. Your Data Protection Rights
You may assert your data protection rights under the conditions set out by law:
- Right of Access (Art. 15 GDPR): Request confirmation and detailed info on whether and how your intolerance data is processed.
- Right to Rectification (Art. 16 GDPR): Demand immediate correction of inaccurate or incomplete medical/contact profiles.
- Right to Erasure (Art. 17 GDPR): Request deletion of data (does not apply if processing is mandatory for public health compliance, legal obligations, or defense of legal claims).
- Right to Restriction (Art. 18 GDPR): Request restriction of data processing under statutory conditions.
- Right to Data Portability (Art. 20 GDPR): Receive the data you provided in a structured, commonly used, and machine-readable format.
- Right to Withdraw Consent: If any part of the processing was based on consent, you may withdraw it at any time with effect for the future.
Information About Your Right to Object (Art. 21 GDPR)
You have the right to object at any time, on grounds relating to your particular situation, to data processing based on Art. 6 (1) lit. f GDPR (balancing of interests). If you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, or for the defense of legal claims.
Contacts for Exercising Your Rights
You can submit your requests directly to the controller via:
- E-mail: kundenservice@maria-galland.com
- External Data Protection Officer: Mr. Alexander Bugl, Bugl & Kollegen Gesellschaft für Datenschutz und Informationssicherheit mbH, Eifelstraße 55, 93057 Regensburg, Germany; Tel: +49 941-630 49 789; E-mail: Datenschutz.buglundkollegen@klosterfrau.de
You also have the right to lodge a complaint with a competent data protection supervisory authority, in particular in the Member State of your habitual residence or place of the alleged infringement.
Status: October 2023