Privacy policy for use of EPIS (Electronics Parts Information System)
A. Controller
This privacy policy provides you with information on the collection, processing and use of your personal data by Volkswagen AG, Berliner Ring 2, 38440 Wolfsburg, entered in the register of companies at Braunschweig District Court as HRB 100484 (Volkswagen AG), when you use the EPIS system.
B. Collection, processing and use of your personal data
I. Basic principles
EPIS is the Volkswagen Group’s standard application for creating and managing catalogues of genuine parts and accessories. It is specifically intended to provide data content to ETKA, ETOS etc., the genuine parts catalogues operated in the dealer organisation. In addition, EPIS communicates with various Group systems and with the Group’s production sites in Germany and abroad, as well as distribution centres and importers. The SAP ET2000 genuine parts subsystems operated by distribution centres/importers and other commercial systems, are supplied by EPIS with material master data such as material numbers, part names, parts lists, dimensions, weights, suppliers and other data.
II. Personal data which is processed
In addition to an internal user ID (IT usage data), EPIS stores professional contact and organisational data such as the surname and first name, business telephone number and business email address as well as the department code.
The following legal basis is relevant for the processing of professional and IT usage data:
- Employment-related purposes (Section 26(1) of the German Federal Data Protection Act / BDSG) – applies to Volkswagen AG employees
- An overriding legitimate interest of Volkswagen AG (Article 6 (1) (f) GDPR) – applies to users who are not employees of Volkswagen AG
The legitimate interest of Volkswagen AG is to quickly identify the contact person for corresponding part numbers in order to be able to answer queries and thus ensure the satisfaction of dealers and customers.
The personal data can be viewed and, if necessary, changed by the user concerned. Only professional contact details and IT usage data of the persons concerned are processed. In terms of organisation, when a user application is made there is always a multi-stage procedure for user authorisation, so that only those users who must have access are authorised. This keeps the number of users as small as possible.
III. Beginning and duration of storage
Users’ data is managed and saved by an administrator when a user account is created. If a user no longer requires access to EPIS, that access is blocked within a month of confirmation that EPIS is no longer required.
For queries and the obligation to provide evidence, and in the case of unclear vehicle part identification, it is necessary to save the assignment to vehicle parts of the technically responsible editor. Storage takes place from the assignment of the technically responsible editor to specific vehicle parts. This assignment remains saved for 30 years. This assignment is visible to all EPIS users, which means also to authorised EPIS users who access EPIS from outside Europe, from so-called third countries.
IV. Data transfer to third countries
The following companies have access to EPIS: Volkswagen Group of America, Volkswagen de Mexico, Volkswagen do Brasil, Volkswagen Argentina, Volkswagen South Africa, MAN Latin America, Bugatti, Bentley, Lamborghini, Porsche, Audi, Seat, Skoda, FAW VW-VW, FAW VW-Audi, SVW, Volkswagen Group Service, Volkswagen Group Russia.
If the data is processed in a third country outside the EU/EEA, we as the data controller are obliged to guarantee a certain level of protection. By concluding EU standard data protection clauses, we ensure that this level of protection is maintained. You can find the EU standard contractual clauses at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32001D0497&from=EN.
V. Recipients of personal data
Service provider: The contractor LexCom Informationssysteme GmbH is responsible for the EPIS system for the purposes of technical support and further development.
System users: All users of the system have access to personal data in accordance with the list in (II) in order to carry out the required technical dialogue.
C. Your rights
You may exercise the following rights vis-a-vis Volkswagen AG at any time free of charge. Further information on asserting your rights is provided in section D.
Right of access: You are entitled to access information from us about how we process your personal data.
Right to rectification: You are entitled to request us to rectify any of your personal data that may be incorrect or incomplete.
Right to erasure: You have the right to have your data erased if the conditions set out in Article 17 of the GDPR are met. For example, you may ask for your data to be erased if it is no longer necessary for the purposes for which it was collected. You may also ask for your data to be erased if we process your data based on your consent and you withdraw that consent.
Right to restriction of processing: You have the right to ask for a restriction of the processing of your data if the conditions set out in Article 18 of the GDPR are met. That is the case, for example, if you dispute the accuracy of your data. You can then demand a restriction of processing for the period it takes to verify the accuracy of the data.
Right to object: You have the right to object to your data being processed if processing is based on an overriding interest or your data is used for the purposes of direct marketing. An objection is permitted if processing is conducted in either the public interest or for the exercise of official authority, or if it is conducted for a legitimate interest of Volkswagen AG or of a third party. If you object to the processing of your data, please notify us of the grounds for your objection. You also have the right to object to data processing for the purpose of direct marketing. The same applies to profiling, insofar as it is related to direct marketing.
Right of data transferability: You have the right to receive your data in a structured, commonly used and machine-readable format and to transfer this data to another data processor, provided that data processing is based on consent or contract fulfilment and that automated processing methods are used.
Right to withdraw consent: Provided data processing is based on your consent, you have the right to withdraw that consent free of charge at any time, and with effect for the future.
Right of complaint: You also have the right to lodge a complaint about our processing of your data with a supervisory authority (such as the Data Protection Commissioner for the German State of Lower Saxony [Landesbeauftragte für den Datenschutz Niedersachsen]).
D. Your contacts
Contact persons for exercising your rights
The contact persons for exercising your rights and further information can be found at the following website https://datenschutz.volkswagen.de.
Data Protection Officer
If you have any data protection concerns, contact our Data Protection Officer:
Data Protection Officer of Volkswagen AG
Berliner Ring 2, 38440 Wolfsburg, Germany
Date: December 2019