Privacy policy for use of EPIS (Electronics Parts Information System)
1. Data controller
This privacy policy provides you with information on the processing of your personal data by Volkswagen AG, Berliner Ring 2, 38440 Wolfsburg, Germany, entered in the register of companies at Braunschweig District Court as HRB 100484 (“Volkswagen AG”), when you use the EPIS system and visit our website at www.webepis.com.
2. Processing of your personal data
2.1 Use of the EPIS system
Basic principles
EPIS is the Volkswagen Group’s standard application for creating and managing catalogues of genuine parts and accessories. It is specifically intended to provide data content to ETKA, etc., the genuine parts catalogues operated
in the dealer organisation. In addition, EPIS communicates with various Group systems and with the Group’s production sites in Germany and abroad, as well as distribution centres and importers. The SAP ET2000 genuine parts subsystems operated by distribution centres/importers and other commercial systems are supplied by EPIS with material master data such as material numbers, part names, parts lists, dimensions, weights, suppliers and other data.
Personal data which is processed
In addition to an internal user ID (IT usage data), EPIS stores professional contact and organisational data such as the surname and first name, business telephone number and business email address as well as the department code
The following legal basis is relevant for the processing of professional and IT usage data:
- Employment-related purposes (Section 26 (1) of the German Federal Data Protection Act / BDSG) – applies to Volkswagen AG employees
- Contract or contract initiation with data subjects (Article 6 (1) (b) GDPR) – applies to users who are not employees of Volkswagen AG
The personal data can be viewed and, if necessary, changed by the user concerned. Only professional contact details and IT usage data of the data subjects are processed. In terms of organisation, when a user application is made there is always a multi-stage procedure for user authorisation, so that only those users who must have access are authorised. This keeps the number of users as small as possible.
Beginning and duration of storage
Users’ data is managed and saved by an administrator when a user account is created. If a user no longer re-quires access to EPIS, that access is blocked within a month of confirmation that EPIS is no longer required.
For queries and the obligation to provide evidence, and in the case of unclear vehicle part identification, it is necessary to save the assignment to vehicle parts of the technically responsible editor. Storage takes place from the assignment of the technically responsible editor to specific vehicle parts. This assignment remains saved for 30 years. This assignment is visible to all EPIS users, which means also to authorised EPIS users who access EPIS from outside Europe, from so-called third countries.
Data transfer to third countries
We share your data with Group companies of Volkswagen AG. If data is processed in a third country outside the EU/EEA, we as the data controller are obliged to guarantee a certain level of protection. By agreeing to EU standard data protection clauses, we ensure that this level of protection is maintained. You can access the EU standard contractual clauses that have been used via the URL https://eur-lex.europa.eu/LexUriServ/LexUriS-erv.do?uri=OJ:L:2004:385:0074:0084:en:PDF.
Recipients of personal data
Service provider: In order to provide EPIS and the webepis.com website, Volkswagen AG uses service providers – in particular, LexCom Informationssysteme GmbH (“LexCom”) – on the basis of a corresponding order pro-cessing agreement.
System users: All system users within Group companies have access to personal data in order to engage in any specialist communication and collaboration that they wish to.
2.2 Visiting the website www.webepis.com
When you visit our website (www.webepis.com), we process your personal data in the context of using cookies, for example. Data processing details are outlined below.
Vimeo
a.Basic principles
Our website uses the plugin from the external service Vimeo to insert videos and give you access to them. The video portal provider is Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA (“Vimeo”).
Visiting our website does not immediately establish a connection to Vimeo’s servers in the USA. Instead, a local image (“thumbnail”) is loaded in order to indicate the presence of the video and Vimeo is referred to as the third-party provider. We have also added the Vimeo embed code with the parameter dnt=1 (“do not track”), preventing cookies from being set. See https://vimeo.zendesk.com/hc/en-us/articles/360001494447-Using-Player-Parameters.
b.Processed personal data and legal basis
As the user, you must actively start the Vimeo video. Your personal data (such as the IP address of your device) will not be transferred to Vimeo until you do this. Vimeo cannot be used without your consent in the form of actively starting the video within the meaning of Article 6 (1) (a) GDPR. You can manage your consent at any time using the Usercentrics Consent Management tool integrated into our website.
c.Beginning and duration of storage
Data is transferred to Vimeo as the data controller. For information on the duration of storage and further pro-cessing of your data, please refer to the Vimeo Privacy Policy at https://vimeo.com/privacy.
d.Transfer to third countries
The privacy of your data is guaranteed if it is transferred to Vimeo in the USA. Vimeo is certified in line with the EU-U.S. Data Privacy Framework, which means that it provides an appropriate level of data privacy on the basis of an adequacy decision adopted by the European Commission. You can find details of this certification at https://www.dataprivacyframework.gov/list.
e.Recipients of personal data
Your data is transferred to Vimeo when you grant your consent.
Usercentrics Consent Management Platform
a.Basic principles
In order to obtain and document users’ consent to the cookies and services we use, working in line with data privacy regulations, we make use of the cookie consent tool provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany (“Usercentrics”).
b.Processed personal data and legal basis
When you use our website, we store your consent data (data and time of consent/rejection and IP address) in order to comply with the legal provisions arising from Section 25 (2) no. 2 TDDDG (German Telecommunications Digital Services Data Protection Act) and Article 6 (1) (c) GDPR.
c.Beginning and duration of storage
From the point at which you grant or reject your consent, your data will be stored for 12 months and then erased.
d.Recipients of personal data
We use Usercentrics for data processing purposes. To protect your data, we have concluded an order processing agreement with Usercentrics and Usercentrics processes your data strictly according to our instructions.
Matomo Analytics
a.Basic principles
Our website uses the open-source software “Matomo Analytics” (formerly “Piwik”), a service provided by In-noCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769, in order to analyse how you use our app (“Matomo”). We use Matomo for analysis purposes and for statistical evaluations of how the website is used.
b.Processed personal data and legal basis
For processing purposes, your email address, IP address, location based on your IP address and usage data (such as the titles and URLs of the sites you click on) are transferred to our server and compiled in pseudony-mous usage profiles. For this purpose, Matomo creates a cookie on your device (see also the “Cookies” sec-tion). We use data that is collected in this way exclusively for the purpose of measuring the performance of our website and developing it with a view to its users. No collected data is given to third parties.
Data is processed exclusively on the basis of your consent in accordance with Section 25 (1) TDDDG and Article 6 (1) (a) GDPR. You grant this through the “Usercentrics Consent Management” tool integrated into our website (see the “Usercentrics” section). You can withdraw your consent at any time with effect for the future by chang-ing your preferences through Usercentrics.
c.Beginning and duration of storage
From the point at which you have granted your consent when visiting our website, your data will be stored for 12 months and then erased.
Cookies
We use “cookies” on our website. Cookies are small files that allow us to store on your PC or other device infor-mation that is specifically related to you, the user, while you are using the website. Cookies help us determine the frequency with which our website is used and the number of users, analyse usage behaviour, enhance secu-rity and make our web services as convenient, efficient and appealing as possible, for example. In order to tailor our services to your needs, our website uses cookies for analysing usage through the “Matomo” service on the basis of your consent (see the “Matomo Analytics” section). Once you have logged in (using your company ID and/or user name and password), our website also uses what are known as “session cookies” from the service provider LexCom, which make it possible to identify you throughout the duration of your visit. Session cookies automatically expire at the end of a session, which means they are erased. They are cookies that are technically necessary for allowing you to use our website (and therefore fall into the category of “essential cookies”).
3. Your rights
You can exercise the following rights with respect to Volkswagen AG at any time and free of charge. Further in-formation regarding the assertion of your rights can be found under Section 4 .
Right of access: You are entitled to obtain information from us about how we process your personal data.
Right to rectification: You have the right to request that we rectify any of your personal data that may be inaccurate or incomplete.
Right to erasure: You have the right to have your data erased if the conditions set out in Article 17 of the GDPR are met. According to this, you can request, for example, that your data be erased if it is no longer necessary for the purposes for which it was collected. In addition, you can request erasure if we process your data on the basis of your consent and you withdraw this consent.
Right to restriction of processing: You have the right to request a restriction of the processing of your data if the conditions set out in Article 18 GDPR are met. This is the case, for example, if you dispute the accuracy of your data. You can request that processing is restricted for the period during which the accuracy of the data is being checked.
Right to object: You have the right to submit an objection to the processing of your personal data for reasons relating to your specific circumstances. The conditions that need to be met are that processing is conducted either in the public interest or for the exercising of official authority, or if it is conducted based on a legitimate interest of Volkswagen AG or of a third party. If you object to the processing of your data, please notify us of the grounds for your objection. Furthermore, you have the right to object to data processing for the purposes of direct marketing. This also applies to profiling where this is connected to direct marketing.
Right to data portability: If we process your data on the basis of your consent or in relation to performance of contract, and use automated processing to this end, you have the right to receive your data in a structured, commonly used and machine-readable format and to transmit this data to another data processor.
Right to withdraw consent: Where data processing is based on consent, you have the right to withdraw your consent to data processing, with effect for the future, at any time free of charge.
Right to lodge a complaint: You also have the right to lodge a complaint with a supervisory authority (e.g. the Data Protection Officer for the State of Lower Saxony) about how we process your data.
4. Who to contact
Who to contact to exercise your rights
The person to contact if you wish to exercise your rights can be found on the following website: https://datenschutz.volkswagen.de/?lang=en-gb.
Data Protection Officer
Please contact our data protection officer regarding matters related to data protection:
Data Protection Officer of Volkswagen AG
Berliner Ring 2, 38440 Wolfsburg, Germany
Date: February 2026