LexCom Privacy Statement
Protecting your personal data is of the utmost concern to us.
We generally refers to LexCom Informationssysteme GmbH (Rüdesheimer Str. 23, 80686 Munich, Germany, [email protected]). If you have a user agreement with us in the United Kingdom, your contractual partner may, depending on the content of your contract documents, be LexCom Information Systems Ltd (Unit C3 Arena Business Centre, 9 Nimrod Way, Wimborne, BH21 7UH, United Kingdom, [email protected]). This Privacy Statement applies both for LexCom Informationssysteme GmbH and for LexCom Information Systems Ltd (hereinafter referred to jointly as “LexCom”) as controllers within the meaning of data protection law.
This Privacy Statement is intended to inform you about LexCom’s policy regarding your personal data when you use
- the websites available at www.lexcom.de and www.lexcom-industries.de and - possibly other addresses (“LexCom websites”)
- the following locally installed software products and web services (collectively referred to as “LexCom services”):
- ETKA (including ETKA Mobile, available at www.etkamobile.com, and ETKAinfo, available at www.etkainfo.com)
- partslink24 (available at www.partslink24.com)
- ETOS (including myETOSinfo, available at www.etosinfo.com)
- PET2
- ASA, (including ASA WEB, available at www.myasaweb.com, ASA SQT, available at www.myasasqt.com and myASAinfo, available at www.myasainfo.com)
- agroparts (including Online Catalog, Offline Catalog (DICSY), Mobile and DealerShop), available at www.agroparts.com)
This Privacy Statement supplements LexCom’s General Terms and Conditions governing the use of the relevant LexCom services.
1. LexCom’s Policy for Processing Your Personal Data
LexCom has adopted the following policies with a view to protecting your personal data during the use of the LexCom websites and LexCom services:
- LexCom collects, processes and uses your personal data in compliance with the relevant data protection legislation of the Federal Republic of Germany and of the European Union (in particular, the General Data Protection Regulation – GDPR).
- LexCom uses your personal data primarily to enable you to use the LexCom services. In these cases, the processing is necessary for fulfilment of the contract on the basis of Art. 6 (1) b) GDPR. In addition, LexCom may process the processed data for further purposes in the interests of the LexCom user. Any further processing takes place exclusively on the basis of a legitimate interest in accordance with Art. 6 (1) f) GDPR, or consent by the LexCom user in accordance with Art. 6 (1) a) GDPR. In these cases, your data will be processed anonymously or pseudonymously if possible.
- In cases where personal data is processed by a data processing company or passed on to a third party, the processing is always carried out only on the basis of a data processing agreement in accordance with Art. 28 GDPR, on the basis of standard data protection clauses in the case of transmission to third countries in accordance with Art. 46 GDPR or on the basis of a legitimate interest pursuant to Art. 6 (1) f) GDPR.
2. Terms and Definitions in the Privacy Statement
LexCom uses certain fixed terms in this Privacy Statement, which are defined as follows:
- “Personal data” includes all information referring to a natural person who is or could be identified.
- The users registered for a specific LexCom software and/or a specific LexCom web service are referred to as “LexCom users”.
- “LexCom services” includes all products and services listed under “LexCom software” and “LexCom web services”.
3. What does LexCom know about you, what do you allow LexCom to do, and how is your personal data handled?
3.1 Registration information
When you register to use the LexCom services, LexCom has to process certain personal data from you as your registration information (hereinafter referred to as “registration data”). First and foremost, this information is your:
- Company ID/ID
- User name / Email address
- Password
LexCom must process this registration information in order to fulfil the requirements of your contract with LexCom (GDPR Art. 6 (1) b)), as the LexCom services can only work properly with this information. In some cases, access to one LexCom web service also allows access to another web service. In this case, your registration details will be processed for logging in to the other LexCom web service using the “single sign-on” procedure.
Furthermore, you need to fill in certain mandatory fields during registration, for example, your first name, surname, the name and address of your company, and your e-mail address (the mandatory fields of the LexCom web services may vary).
LexCom must also process this registration information in order to fulfil the requirements of your contract with LexCom (Art. 6 (1) b) GDPR) in particular for the following purposes:
- To set up and administer your user account, e.g. to verify your data, to assign you the necessary rights and roles or to enable you to access the LexCom services and specific functions. For individual services and certain user roles, e.g. as a dealer, it may be necessary to forward your data to manufacturers/importers for approval.
- For the correct billing of licenses. If this is done via importers/manufacturers, your data must be forwarded to them.
- To establish contact, e.g. to fulfil the customer service and to provide you with important information regarding the current contractual relationship (such as changes in support structures, announcements regarding new program versions and important features).
- For shipping hardware and software.
In addition, we process your data based on a legitimate interest in accordance with Art. 6 (1) f) GDPR, in particular for the following purposes:
- To send you, for example, news and help topics about the use of the LexCom services you have licensed, to contact you regarding offers and promotions for own or similar goods and/or services or to ask you about your usage and satisfaction regarding existing products and/or functionalities. In these cases, you are generally free to object to the processing of your data for these purposes.
- With the exception of the password, your data may also be evaluated internally together with usage data and order data and forwarded to dealers/order recipients, manufacturers and/or importers. In this case, the purpose of the processing is to provide an overview of the orders received as well as to measure success and usage and optimise the product and sales for the benefit of the user. Personal data is only evaluated if this is essential to achieve the purpose and is otherwise pseudonymised or anonymised.
3.2 Payment data
Where necessary, LexCom processes your payment data, such as credit card or bank details, for the purpose of payment handling and accounting as necessary for the selected mode of payment. Depending on the LexCom service used and to the extent necessary to process your transaction, your payment data will be transferred to the service providers Adyen, GetNet and Allpago as well as financial institutions or may be collected directly and processed by these organisations. Your payment data is stored in order to enable payment handling and accounting for the automatic extension of your subscription. We process your credit card data in accordance with the PCI DSS security standard. That means, for example, that LexCom never stores your credit card data as plain text.
LexCom must process your payment data in order to fulfil the requirements of your contract with LexCom (Art. 6 (1) b) GDPR). LexCom needs this information to invoice the LexCom services as well as to contact you about any issues related to payment or performance of contracts.
3.3 Usage data
As described below, LexCom processes data about the scope and nature of your use of the LexCom services (hereafter referred to as “usage data”). This includes the following data:
- Searches and navigation in brand catalogues
- Use of functions, buttons, tabs etc.
- Creation of shopping baskets and execution of orders
- Type and scope of the vehicles researched based on the chassis numbers (VIN) entered
We process your usage data to fulfil the contract in accordance with Art. 6 (1) b) GDPR, provided that the use of individual LexCom services is subject to a charge depending on the scope of use. In this case, the monitoring and evaluation of your scope of use is necessary in order to charge you for the use or to determine the need for a paid subscription.
In addition, we process your data based on a legitimate interest in accordance with Art. 6 (1) f) GDPR, in particular for the following purposes:
- To analyse the use of LexCom services and their functions in a targeted manner, to measure their relevance and success and to develop them further. This processing is exclusively for the purpose of developing the LexCom services in the interests of the user. At no time will the usage behaviour of specific accounts or users be analysed. Personal data is pseudonymised and/or anonymised as far as possible and otherwise only processed if essential to achieve the purpose, or if you have given us your consent in accordance with Art. 6 (1) a) GDPR.
- In order to detect any illegal and/or improper use of the LexCom services, we must also analyse the use of the LexCom services on an ongoing basis and, if there is a reasonable suspicion of abuse, contact responsible user accounts and/or users or restrict and/or block their access and, if necessary, terminate the user contract. The purpose of this processing is to protect the LexCom services and the data they contain as well as to protect the LexCom users and their data against misuse and attacks.
3.4 Order data
The LexCom services may provide the option to order spare parts from other LexCom users. All data processed within the framework of created shopping baskets as well as the transmission of order inquiries and orders is referred to here as “order data”.
LexCom transfers the data collected from you on a case by case basis within the LexCom services used to the respective order recipients. This processing serves the purpose of contract fulfilment in accordance with Art. 6 (1) b) GDPR. Further processing of your data by the order recipient for carrying out the order and, if necessary, transfer of your data into its own systems takes place under the responsibility of the order recipient outside our control.
In addition, LexCom may pseudonymise/anonymise order data for the purpose of designing, enhancing and optimising the LexCom services as needed and analyse it internally in this form for its own purposes based on a legitimate interest pursuant to Art. 6 (1) f) GDPR and, if necessary, forward it to dealers/order recipients, manufacturers and/or importers. Personal data is processed and forwarded exclusively on the basis of the consent of the LexCom user in accordance with Art. 6 (1) a) GDPR.
3.5 Contact by e-mail or using contact forms
LexCom processes the data entered via the contact forms available on the LexCom websites, in the LexCom services as well as the data received via the contact e-mail addresses provided to handle your request or concern. Under no circumstances will this data be processed for any other purpose. Your personal data is processed on the basis of Art. 6 (1) b) GDPR.
3.6 Log files
Each time you open the LexCom website and whenever you log in to the LexCom services, access data is saved in a log file. The data stored includes, in particular, the IP address, LexCom company ID, user name, session ID, login time and cookies and, if applicable, vehicle data (chassis number, vehicle registration number).
LexCom processes this log data for the purposes of fulfilling the contract in accordance with Art. 6 (1) b) GDPR to detect and correct any technical problems such as defective links or program bugs, i.e. to improve and develop the LexCom services and provide customer service.
In addition, we process your data based on a legitimate interest in accordance with Art. 6 (1) f) GDPR, in particular for the following purposes:
- To analyse the use of LexCom services and their functions in a targeted manner, to measure their relevance and success and to develop them further. This processing is exclusively for the purpose of developing the LexCom services in the interests of the user. At no time will the usage behaviour of specific accounts or users be analysed. Personal data is pseudonymised and/or anonymised as far as possible.
- In order to detect any illegal and/or improper use of the LexCom services, we must also analyse the log data for the LexCom services on an ongoing basis and, if there is a reasonable suspicion of misuse, contact responsible user accounts and/or users or restrict and/or block their access and, if necessary, terminate the user contract. The purpose of this processing is to protect the LexCom services and the data they contain as well as to protect LexCom users and their data against misuse and attacks.
3.7 Retention of your data
Unless a longer storage period is permitted, e.g. to enforce legal claims, or the data is anonymised/pseudonymised for further processing for our own purposes, log files are stored in our data centre for six months and then automatically deleted.
Your data otherwise mentioned above will be kept only for as long as absolutely necessary to achieve the stated purposes and will be deleted as soon as there is no longer any legitimate interest in processing it (for example to verify possible claims after termination of the contract; this constitutes a legitimate interest for LexCom in accordance with Art. 6 (1) f) GDPR), unless the applicable commercial or tax laws obligate LexCom to retain the data (Art. 6 (1) c) GDPR). This obligation to retain data remains in effect for an additional ten years after the end of the contractual relationship. Every 12 months, we check whether there is a legitimate interest in retaining the data.
4. Cookies and Pixel Tags
“Cookies” are small files that enable us to store some specific information related to you as a user on your PC or other terminal device when you use the LexCom web services. Cookies help us to make our web services as convenient, efficient and interesting as possible for you. LexCom has to process the following personal data in order to pursue these legitimate interests (GDPR (Art. 6 (1) f)). Only you and LexCom have access to these cookies, which are used for the purposes described below.
When you log in (with your company ID/ID and/or user name and password), the LexCom web services utilise session cookies with which you can be identified for the duration of your visit. The session cookies expire automatically after the end of your session, meaning that they are deleted.
In addition, the LexCom web services use permanent cookies. These cookies store information about visitors accessing the LexCom web services repeatedly (for example, company ID, user name, language, time stamp of previous access). The purpose of these permanent cookies is, firstly, to present you with the relevant web service in the correct language even before you have logged in. Secondly, they enable you to return directly to your previous session if you did not log out after the last time you used the LexCom web service. The cookies we set do not generate an individual profile of your user behaviour. The cookies are automatically deleted within four weeks of your last session.
We utilise pixel tags, web beacons, clear GIFs or similar mechanisms (“pixel tags”). A pixel tag is an image file or a link to an image file that is inserted into the code of the web pages but not stored on your terminal device (e.g. computer, smartphone etc.). Pixel tags enable us, for example, to determine the browser used or the screen resolution. In this way, pixel tags help us optimise the efficiency of our web pages, and revise and optimise our offers and publicity activities. Our use of pixel tags does not involve any reference to any person; nor does any personalised tracking occur. Pixel tags usually work in conjunction with cookies. If you turn off cookies, the pixel tag will simply detect an anonymous website visit.
In addition, cookies and other tracking services are used for marketing or other purposes in the LexCom services exclusively on the basis of your consent in accordance with Art. 6 (1) a) GDPR. You may revoke your consent at any time by opening the consent management tool again in the respective LexCom web service.
In certain circumstances, you may also generally disable the storage of cookies or restrict it to specific websites in your browser, or set your browser to notify you when a cookie is sent. You may also delete cookies from your terminal device at any time. However, please note that the use of LexCom web services is not possible if user cookies are rejected.
5. Other Recipients of Your Personal Data and Transmission to Third Countries
Support by foreign subsidiaries of LexCom
The aforementioned personal data is processed by us in the European Union and, in some cases, by others on our behalf (in particular to provide support) in Brazil, China, Japan as well as in the USA, Mexico and the United Kingdom. Data is processed in these third countries exclusively on the basis of an adequacy decision by the EU or the EU’s standard data protection clauses as defined in Art. 46 GDPR. You can view these clauses at the following link: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
Hosting at Amazon Web Services (AWS)
Some of LexCom’s services are hosted by Amazon Web Services, EMEA SARL, Axel-Springer-Platz 3, 20355 Hamburg, Germany (hereinafter: AWS).
For these services, your personal data will be processed on AWS servers. These servers are located in the EU or in another country outside the USA, depending on your place of business or residence. However, we cannot exclude the possibility that personal data may be transferred to AWS’s parent company in the USA or accessed by American authorities under section 702 of the FISA law.
Your personal data are transferred to AWS on the basis of standard EU contractual clauses and appropriate safeguards. You can find details here:
https://aws.amazon.com/de/blogs/security/new-standard-contractual-clauses-now-part-of-the-aws-gdpr-data-processing-addendum-for-customers.
Further information can be found in AWS’s privacy statement: https://aws.amazon.com/privacy/?nc1=h_ls.
The legal basis for this processing is Art. 6 (1) f) GDPR. We have a legitimate interest in ensuring that our services operate effectively and in compliance with requirements.
Analysis of web traffic by Akamai
In addition, your personal data detailed in the previous sections is processed by Akamai Technologies Inc. (“Akamai”) by integrating delivery, security and analysis services from Akamai.
Firstly, the traffic for the LexCom web services is routed via Akamai servers to enable the LexCom web services to be delivered quickly, reliably and securely, analysed for malicious software and to prevent unauthorised access to them. This processing is carried out on behalf LexCom and constitutes a legitimate interest on the part of LexCom pursuant to Art. 6 (1) f) GDPR.
Secondly, Akamai also processes your data on its own authority in the form of generated log files. These may contain personal data in the form of IP addresses and evaluations of your usage patterns of the LexCom web services, and are used in particular for the purpose of performing security analyses and to detect malicious patterns for the further development of the Akamai services. Akamai does not use this data to identify or profile natural persons. Akamai processes and stores this data predominantly on servers in the US and ensures that the data is transferred exclusively on the basis of EU standard contractual clauses in accordance with GDPR Art. 46. You can view these clauses at the following link: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en).
You can find more detailed information about the terms of use for the processing of personal data by Akamai and about the Akamai privacy policies at https://www.akamai.com/legal.
Google Ads conversion tracking
The LexCom web services may use “Google Ads conversion tracking” (Google Ads) from Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Ads enables us to track, for example, by setting a cookie, whether a user has reached the LexCom web service after clicking on an advertisement placed by Google Ads and has used certain services there. This allows us to measure the quality and success of our advertising activities. We cannot draw conclusions about the identity of individual users.
In addition, collected data is processed by Google and can be transferred to countries outside the EU, in particular the USA. For more information on data protection at Google and data transfer to the USA, see here:
https://policies.google.com/privacy?hl=en
https://support.google.com/google-ads/answer/1722022?hl=en
https://policies.google.com/privacy/frameworks
The use of this service is based on your consent in accordance with Art. 6 (1) a) GDPR and Section 25 para. 1 of the German Telecommunications-Telemedia Data Protection Act (TTDSG). You may revoke your consent at any time by opening the consent management tool again in the respective LexCom web service.
Google Maps
The LexCom web services may use “Google Maps” (Google Maps) from Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
For example, we enable you to search for available dealers/order recipients located in your vicinity using Google Maps.
Google may also process your search terms, IP address and your location data – provided you have allowed it to be determined – for its own purposes beyond our control. Your data may also be transferred to countries outside the EU, in particular, the USA.
For more information on data protection at Google and data transfer to the USA, see here:
https://policies.google.com/privacy?hl=en
https://policies.google.com/privacy/frameworks
The use of this service is based on your consent in accordance with Art. 6 (1) a) GDPR and Section 25 para. 1 of the German Telecommunications-Telemedia Data Protection Act (TTDSG). You may revoke your consent at any time by opening the consent management tool again in the respective LexCom web service.
Matomo Analytics
The LexCom web services may use “Matomo Analytics” (formerly “Piwik”), a service provided by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769, to analyse your use of our web services (“Matomo”).
We have configured Matomo in such a way that the use of cookies is deactivated and your IP address is processed only in abbreviated form. This means that we are unable to identify you.
However, you can also prevent this anonymous processing by deselecting the following checkbox:
You may choose to prevent this website from aggregating and analyzing the actions you take here. Doing so will protect your privacy, but will also prevent the owner from learning from your actions and creating a better experience for you and other users.
The legal basis for this processing is our legitimate interest in accordance with Art. 6 (1) f) GDPR to internally analyse the use of our web services with the aim of optimising our products and measuring success.
For more information on Matomo’s privacy policy, visit: https://matomo.org/privacy/
Facebook Pixel
The LexCom web services may use the “Facebook Pixel” service of Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter “Facebook”).
This tracking pixel establishes a direct connection between your browser and the Facebook server. The tracking takes place using a cookie, which is stored on your computer and collects the following information, such as HTTP header information (including IP address, information about the web browser, page location, document, URL of the website and user agent of the web browser as well as the day and time of use), as well as pixel-specific data (this includes the pixel ID and Facebook cookie data, including your Facebook ID (these are used to link events with a specific Facebook advertising account and to assign them to a Facebook user).
The Facebook pixel enables us to analyse the use of our web services and to track the effectiveness of Facebook advertising (“conversion tracking”) and to check whether users have been forwarded to our web services after clicking on a Facebook ad. We cannot draw any conclusions about the identity of the users in this regard. However, the data may be stored by Facebook outside of our control and used for Facebook’s own purposes in accordance with Facebook’s privacy policy.
In addition, we use the Facebook pixel to show you personalised ads based on your interest in our products. We can determine the users of our web services into target groups for the display of ads by Facebook. Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to those Facebook users who have also shown an interest in our web services or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the web pages visited) that we transfer to Facebook (“custom audiences”). This is to ensure that our Facebook ads match the potential interest of users.
If you are a member of Facebook and have allowed Facebook to do so via your account’s privacy settings, Facebook may also link the information collected about your visit to us to your member account and use it for the targeted placement of Facebook ads. You can view and change the privacy settings of your Facebook profile at any time.
The Facebook Pixel is used exclusively on the basis of your consent pursuant to Art. 6 (1) a) GDPR, which you give us via the cookie consent tool on our website. You can revoke this consent at any time by accessing the cookie consent tool on our website again.
If you did not agree to the use of Facebook Pixel, Facebook will only display general Facebook ads that are not selected based on the information collected about you on this website.
For more information, see the Facebook privacy policy at: https://www.facebook.com/about/privacy/
6. Availability of the Privacy Statement
You can retrieve and print out this Privacy Statement from any page of the LexCom websites and the websites of each LexCom web service or within the LexCom software by clicking the “Privacy” link.
7. Assertion of Claims and Rights
In accordance with the applicable data protection legislation, you have the right to information about your data (Art. 15 GDPR), to rectification of it (Art. 16 GDPR) and to deletion of it (Art. 17 GDPR) or to restriction of its processing (Art. 18 GDPR) as well as to data portability (Art. 20 GDPR).
If you have any further questions regarding data security when using the LexCom website and/or LexCom services, or if you would like to assert the aforementioned claims, please contact our data protection officer directly:
LexCom Informationssysteme GmbH
– Data Protection Officer –
Rüdesheimer Str. 23
80686 Munich
[email protected]
You also have the right to file a complaint with the supervisory authority responsible for data protection if you believe that LexCom has failed to comply with the applicable data protection legislation.
8. Right to Object
You have the right to object to the processing of personal data that refers to you under the terms of items 4 and 5 of this Privacy Statement (i.e. processing in accordance with Art. 6 (1) f) GDPR for reasons resulting from your specific situation at any time. In this case, LexCom will no longer process the personal data unless LexCom can demonstrate that it has compelling legitimate grounds for the processing, which override your interests, rights and freedoms, or if the processing serves the establishment, exercise or defence of legal claims.