ASA Privacy Policy

The protection of your personal data is of particular concern to us.

We, that is usually LexCom Informationssysteme GmbH. If you have concluded a user agreement with us in the United Kingdom, your contractual partner may also be LexCom Information Systems Ltd, depending on the content of the contractual documents.

This privacy policy applies to both LexCom Informationssysteme GmbH and LexCom Information Systems Ltd (hereinafter jointly referred to as "LexCom").

The purpose of this privacy policy is to inform you about how LexCom uses your personal data when you use the various ASA modules (hereinafter referred to collectively as "ASA services").

• ASA Local
• ASA WEB (www.myasaweb.com)
• ASA SQT (www.myasasqt.com)
• myASAinfo (www.myasainfo.com)

processed.

This Privacy Policy supplements the General Terms and Conditions applicable to the use of ASA.

1. Data Controller

LexCom Munich
LexCom Informationssysteme GmbH
Rüdesheimer Str. 23
80686 Munich

LexCom UK
LexCom Information Systems Ltd
Unit C3 Arena Business Centre
9 Nimrod Way
Wimborne, BH217UH
United Kingdom

You can contact the data protection officer by sending an e-mail to privacy@lex-com.net.

2. Definitions

As a rule, the official terms of the General Data Protection Regulation (GDPR) are used in this privacy policy. The official definitions are explained in Art. 4 GDPR.

3. Basic principles of LexCom in the processing of your personal data

LexCom adheres to the following principles to protect your personal data when using the ASA services:

• LexCom collects, processes and uses your personal data in accordance with the relevant data protection laws of the European Union (in particular the EU General Data Protection Regulation - GDPR) and the Federal Republic of Germany.
• LexCom uses your personal data primarily to enable you to use the ASA services. In these cases, the processing is carried out for the fulfilment of the contract on the basis of Art. 6 (1) b) GDPR. In addition, LexCom may process the processed data for other purposes if necessary. Any further processing is carried out exclusively on the basis of a legitimate interest in accordance with Art. 6 (1) f) GDPR or consent by the ASA user in accordance with Art. 6 (1) a) GDPR. In these cases, your data will be processed anonymised or pseudonymised where possible.
• In cases in which personal data is processed by a processor or forwarded to a third party, the processing is always only carried out on the basis of a Data Processing Agreement in accordance with Art. 28 GDPR, on the basis of standard contractual clauses in the case of a transfer to third countries in accordance with Art. 46 GDPR or on the basis of a legitimate interest in accordance with Art. 6 (1) f) GDPR.
• LexCom will delete the following data as soon as a) there is no longer a legitimate interest in processing it, b) as soon as there is no lawful legal basis for processing this data, or c) if there are no statutory retention obligations.

4. Registration and ordering of ASA services

It is possible to purchase licenses for the use of the various ASA services. This is done via an order form as part of an initial order.

Depending on the user's location, the order can be submitted either directly to LexCom or to the relevant/responsible importer. If the importer is authorized to do so due to its location and uses this possibility, the importer will be given access to the user's account and can also make changes if necessary.

When registering or ordering ASA licenses/products, LexCom must process certain personal data from you (hereinafter referred to as "order data"). In the course of this, personal data is processed by LexCom directly or by the importer forwarding it to LexCom.

First of all, these are the following data:

• (Company) master data
• Dealer number
• Contact details (phone/e-mail address)
• Licence orders
• Payment data

The processing of this personal data by LexCom takes place in particular in the following cases for the fulfilment of your contract and for the provision of the ASA services in accordance with Art. 6 (1) b) GDPR:

• To register you as a user in the ASA system, set up an account and grant you access to the user administration. This is necessary in order to be able to use the ASA services to their full extent.
• Required for delivery
  • To send you the login details for myASAinfo as a new customer by letter.
  • To give you access to the software/ ASA DVD Downloader that you need to download in order to download, install and register ASA Local.  
  • To give you access to the web applications ASA WEB and ASA SQT via myASAinfo. However, if you already have the relevant licenses, you can also log in to these web applications directly via the browser.
• To send you important information about the existing contractual relationship (e.g. announcements of new program versions and important features) and to support you with questions about payment and contract processing.
• To be able to identify and contact you for customer service fulfilment.

In addition, LexCom may use this personal data for the following additional purposes for legitimate interest in accordance with Art. 6 (1) f) GDPR:

• To provide you with news and help on how to use the ASA services you use
• To send you offers and promotions exclusively for own or similar goods and/or services.
• To ask you about your use of and satisfaction with the ASA services.
• For internal evaluation by LexCom for the purpose of further product development in the interests of the customer and/or for forwarding to dealers/order recipients, manufacturers and/or importers for the purpose of sales optimization and performance measurement. In these cases, personal data is only processed on the basis of your consent and is otherwise pseudonymised/anonymised. 

5. Payment data

If necessary, LexCom processes your payment data such as bank and credit card data for the purpose of payment processing and invoicing in accordance with the payment method you have selected.

Depending on your country, various payment options are available for the purchase of licenses to use the ASA services:

• Invoice by bank transfer
• Direct debit
• Payment by credit card: For the processing of credit card payments, LexCom transmits your payment data to the extent necessary to the service provider Adyen (Adyen N.V., Simon Carmiggeltstraat 6-50, 1011 DJ Amsterdam, Netherlands) for further processing.  In doing so, LexCom ensures that your credit card data is processed in accordance with the PCI-DSS security standard. This means, among other things, that your credit card details are never stored by LexCom in plain text.

The processing of your payment data by LexCom is necessary for the fulfilment of your contract with LexCom, see Art. 6 (1) b) GDPR. LexCom needs this information to bill you for LexCom services and to be able to contact you if you have any questions about payment and contract fulfilment.

6. myASAinfo

The following functions in particular are available to you via the myASAinfo service (www.myASAinfo.com) after logging in with your ASA user data:

• Licence ordering and administration
• Change your master data
• Managing your account
• View and download your invoices

In this context, depending on the function selected, various personal data will be processed by you. The legal basis is on the one hand Art. 6 (1) b) GDPR, insofar as this is necessary for the fulfilment of the contractual relationship or the legitimate interest pursuant to Art. 6 (1) f) GDPR.

7. ASA SQT

ASA SQT' is an optional add-on module that provides you with the following functions in particular:

• Creation and exchange of quotations between ASA users and end customers based on predefined menus.
• Customized editing/extension of the predefined menus to include additional spare parts and work items.
• Creation and exchange of "Vehicle Health Checks" (VHCs) to document the vehicle status, including photos and videos.
• Management of end customer data such as address and contact information required for the creation and exchange of offers and VHCs.
• Interfaces to ASA and ASA WEB to switch to ASA/ASA WEB using the single sign-on procedure and research the relevant information.
• Interfaces to DMS via export or LexCom standard interfaces.
• Possibility to report missing menus for selected chassis numbers to LexCom for product improvement.

In this context, various personal data of you and the end customers are processed depending on the selected function. The legal basis is on the one hand Art. 6 (1) b) GDPR, insofar as this is necessary for the fulfilment of the contractual relationship or the legitimate interest pursuant to Art. 6 (1) f) GDPR.

For ASA SQT there is an extension "ASA SQT Service App" for end customers, which can be activated in ASA SQT. The "ASA SQT Service App" is provided in accordance with separate terms of use and data protection provisions.

8. Single sign-on partslink24

When you set up an ASA account, you have the option of logging into the demo version of the LexCom portal www.partslink24.com (hereinafter referred to as "partslink24"). There are two methods available for this:

• Cross-login via ASA services: You can log in to the partslink24 demo version from the various ASA services using the single sign-on procedure. For this, authentication takes place automatically via your dealer number and your user name.
• Direct login to partslink24: Alternatively, you can also go directly to the partslink24 website and log in there with your ASA user data.

Your data is processed in partslink24 in accordance with the partslink24 T&Cs and Privacy Policy. You can access these at www.partslink24.com under "T&C" and "Privacy".

9. VIN query

The chassis number (VIN) is personal data within the meaning of the GDPR. The VIN is processed by LexCom as Processor on basis of the Data Processing Agreement with you.

Depending on the ASA service used, it may be necessary to transmit the VIN you have entered to LexCom in order to display the correct information. In any case, an online request is also generated to LexCom for each VIN query, which also contains the VIN you have entered. This enables LexCom to check whether the manufacturer/importer has published additional information (so-called memos) relating to the requested VIN and to display this information accordingly. The legal basis for the processing in both of the above cases is Art. 6 (1) b) GDPR.

In addition, LexCom may process/transmit data to manufacturers/importers for evaluation purposes in accordance with Art. 6 (1) f) GDPR, for example to check how often so-called 'alert memos' have been retrieved, which are particularly relevant to safety in the event of recalls. In these cases, personal data is generally not part of the processing and is pseudonymised/anonymised. Otherwise, your personal data will be processed exclusively on the basis of your consent in accordance with Art. 6 (1) a) GDPR.

In addition, the VIN is also processed when creating shopping baskets and parts lists, see chapter 10 ("Shopping baskets and parts lists").

10. Shopping baskets and parts lists

As an ASA user, you have the option of creating shopping baskets or parts lists to process purchase orders, exporting them manually and then importing them manually into the dealer management system (DMS). Alternatively, there is the option of automated transfer to the DMS via various interfaces, such as the LexCom standard interface or COMbox. It is also possible to import orders created in the DMS into ASA.

In both cases, the VIN and any other personal data (e.g. customer name, customer reference, etc.) are processed. This depends on the information provided when the orders were created in ASA or in the DMS.

The legal basis for the processing of personal data in this context is Art. 6 (1) b) GDPR.

In addition, every shopping basket or parts list created, including the VIN, is automatically transmitted to LexCom and processed for its own purposes. The VIN and other personal data are removed or anonymised for further processing. Processing in this context is carried out in accordance with Art. 6 (4) e) GDPR.

11. Other usage analysis

As described below, LexCom processes data about the extent and manner of your use of the ASA services (hereinafter referred to as "usage data"). This includes, for example, the following data:

• Research and navigation in the manufacturer catalogue
• Use of functions, buttons, tabs, etc.
• Creation of notes on vehicles and parts
• Upload photos for specific VINs
• Upload photos for specific parts, VHCs and offers
• Creation of shopping baskets/parts lists, VHCs and quotations and execution of orders
• Type and scope of the researched vehicles based on entered VINs

In addition, usage data can be analysed in a targeted manner, e.g. to measure the relevance or success of the function or - in the absence of use - to identify possible problems and then contact users in a targeted manner. These evaluations always serve exclusively to measure success and usage as well as to optimize products and sales in the interests of the customer and represent a legitimate interest of LexCom pursuant to Art. 6 (1) f) GDPR. Personal data is only subject to evaluation if absolutely necessary to achieve the purpose (e.g. to make contact) and is otherwise pseudonymised or anonymised.

In addition, usage data can be used for external analyses. These are provided by LexCom for importers and MMC, e.g. in the form of dashboards via the www.partsdata24.com service.  These analyses are used for the proper fulfilment of contracts with our customers in accordance with Art. 6 (1) b) GDPR. Personal data is only the subject of the evaluations to the extent that this is absolutely necessary to achieve the purpose and is otherwise pseudonymised.

Furthermore, LexCom may also analyse usage data on an ongoing basis to detect unlawful and/or abusive use of LexCom services. Personal data will only be analysed if there is reasonable suspicion of misuse of LexCom services by a specific user account. This analysis serves to protect the LexCom services and the data contained therein as well as to protect LexCom users and their data from misuse and attacks and thus constitutes a legitimate interest of LexCom pursuant to Art. 6 (1) f) GDPR.

12. Contact by e-mail or contact form

If you send us enquiries via the ASA services, we store your details and the personal data you provide there, including any uploaded files. This serves to process your enquiry and in the event of follow-up questions.

You also have the option of first logging into one of the relevant ASA services and then sending/allowing us to receive an enquiry. In this case, your personal data already stored in your account will be automatically entered/transferred into the contact form. However, this is only an optional option. You can change or delete the automatically entered data at any time before sending your enquiry.

Under no circumstances will we pass on this data without your consent. The legal basis for processing the data is our legitimate interest in responding to your enquiry in accordance with Art. 6 (1) f) GDPR and, if applicable, Art. 6 (1) b) GDPR if your enquiry is aimed at concluding a contract.

Your data will be deleted after final processing of your enquiry, provided that there are no statutory retention obligations or a legitimate interest pursuant to Art. (1) f) GDPR, in particular for the examination of post-contractual claims. In the case of Art. 6 (1) f) GDPR, you can object to the processing of your personal data at any time.

13. Cookies

Cookies are small files that enable us to store specific information relating to you, the user, on your PC or other end device while you are using the ASA services. Cookies help, for example, to determine the frequency of use and the number of users of web services, to analyse user behaviour on websites, to increase security and to make web services as convenient, efficient and interesting as possible.

After you have logged in (with myASAinfo ID/company ID, user name and password), the ASA services use so-called "session cookies", which can be used to identify you for the duration of your visit. At the end of the session, session cookies expire automatically, i.e. they are deleted.

Secondly, the ASA services use "persistent cookies". These cookies are used to store information about visitors who repeatedly access the ASA services (e.g. company ID, user name, language, timestamp of last use).

The purpose of using these permanent cookies is, on the one hand, to present ASA services to you in the correct language before you have logged in. On the other hand, you can return directly to your last session if you did not log out at the end of your last use of the ASA service. The cookies we set do not create an individual profile of your usage behaviour. The cookies are automatically deleted at the latest 4 weeks after the last use.

Under certain circumstances, you can deactivate the storage of cookies in your browser, restrict it to certain websites or set your browser to notify you as soon as a cookie is sent. You can also delete cookies from your end device at any time. Please note, however, that the use of ASA services is not possible if user cookies are rejected.

We use so-called pixels, web beacons, clear GIFs or similar mechanisms ("pixels"). A pixel is an image file or a link to an image file that is inserted in the website code but is not located on your end device (e.g. computer, smartphone, etc.). Pixels enable us, for example, to determine the browser used or the screen resolution. We do not establish a personal reference when using pixels. Personalised tracking does not take place either. Pixels usually work in conjunction with cookies. If you have deactivated cookies, the pixel will only determine an anonymous website visit.

14. Log files

Access data is stored in log files each time ASA services are called up.

The data records stored in the process contain the following data in particular (hereinafter collectively referred to as "log files"):

• the IP address
• the myASAinfo ID/ company ID
• the user name
• the session ID
• the login time
• VIN
• PC/device name

On the one hand, LexCom needs the log files to recognise and rectify technical errors, e.g. faulty links or programme errors, i.e. for the further development of the ASA services.

Furthermore, LexCom may analyse the log files on an ongoing basis to detect unlawful and/or abusive use of the ASA services. Personal data will only be analysed if there is reasonable suspicion of misuse of the ASA services by a specific user account. This analysis serves to protect the ASA services and the data contained therein as well as to protect ASA users and their data from misuse and attacks.

On the other hand, LexCom may use the log files to analyse the use of the ASA services (e.g. certain functions) in more detail. This processing also serves exclusively to further develop the ASA services in the interests of the customer. At no time is the usage behaviour of specific accounts or users analysed. In this case, the personal data is pseudonymised and/or anonymised where possible.

The processing of the data for the above-mentioned purposes is based on the legitimate interests of LexCom pursuant to Art. 6 (1) f) GDPR).

The log files are stored in our computer centre for 6 months - unless longer storage is permitted, e.g. for the enforcement of legal claims - and then automatically deleted.

15. Hosting

The ASA services are mainly hosted on the controller's own internal servers.

In some cases, ASA services may also be hosted by Amazon Web Services, EMEA SARL, Axel-Springer-Platz 3, 20355 Hamburg, Germany (hereinafter: AWS). Your personal data will be processed on the servers of AWS. Depending on your place of business/residence, these are located in the EU or in another country outside the USA.

The transfer of your personal data to AWS takes place on the basis of the EU-U.S. Data Privacy Framework. As a subsidiary of Amazon.com, Inc., AWS has a valid certification and thus demonstrates an adequate level of protection.

Details on certification can be found here:

https://www.privacyshield.gov/ps/participant?id=a2zt0000000TOWQAA4

Further information can be found in the privacy policy of AWS: https://aws.amazon.com/privacy/?nc1=h_ls.

The legal basis for the processing is Art. 6 (1) f) GDPR. We have a legitimate interest in operating our services as efficiently and reliably as possible.

16. Other recipients of your personal data and transfer to third countries

Support by LexCom branches

We process your personal data listed in the previous sections in the European Union and, if necessary, on our behalf (in particular for the provision of support) in Brazil, China, Japan, the USA, Mexico and the United Kingdom. The processing in these third countries is carried out exclusively based on an EU adequacy decision or EU standard data protection clauses in accordance with Art. 46 GDPR. You can view these under the following link: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de)

Analysis of web traffic by Akamai

In addition, your personal data listed in the previous sections will be processed by Akamai Technologies Inc. ("Akamai") through the integration of Akamai's delivery, security and analytics services.

On the one hand, the traffic of the ASA web services is routed via Akamai servers in order to deliver the ASA web services quickly, reliably and securely, to analyse them for malware and to prevent unauthorized access to them. This processing is carried out on behalf of the legitimate interest of LexCom in accordance with Art. 6 (1) f) GDPR.

On the other hand, Akamai also processes your data on its own responsibility in the form of generated log files. These may contain personal data in the form of IP addresses and evaluations of your usage behaviour of the LexCom web services and are used in particular for security analyses and to detect malicious patterns for the further development of Akamai services. Akamai does not use this data to identify natural persons or for the profiling of natural persons.

The transfer of your personal data to Akamai takes place based on the EU-U.S. Data Privacy Framework. Akamai has a valid certification and thus demonstrates an adequate level of protection.

Details on certification can be found here:

https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000Gn4RAAS&status=Active

For more information on the terms of use for the processing of personal data by Akamai and the Akamai Privacy Policy, please visit https://www.akamai.com/de/de/privacy-policies/.

Matomo Analytics

The LexCom web services may use "Matomo Analytics" (formerly "Piwik"), a service provided by InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769, to analyse your use of our web services ("Matomo").
We have configured Matomo so that the use of cookies is deactivated and your IP address is only processed in abbreviated form. This makes it impossible for us to identify you personally.

17. Duration of the storage of personal data

The duration of the storage of personal data is based on the relevant statutory retention periods (e.g. from commercial law and tax law). After expiry of the respective period, the corresponding data is routinely deleted. If data is required for contract fulfilment or contract initiation or if we have a legitimate interest in further storage, the data will be deleted if it is no longer required for these purposes or if you have exercised your right of revocation or objection.

18. Your rights

Under the applicable data protection laws, you are entitled to information about your data (Art. 15 GDPR), to rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR) or to restriction of processing (Art. 18 GDPR) and to data portability (Art. 20 GDPR).

If you have any further questions on the subject of data protection when using the LexCom website and/or LexCom services or would like to assert the aforementioned claims, please contact our data protection officer directly:

LexCom Informationssysteme GmbH
- Data Protection Officer -
Rüdesheimer Str. 23
80686 Munich
privacy@lex-com.net

You also have the right to lodge a complaint with a supervisory authority responsible for data protection if you believe that LexCom is not complying with the applicable data protection laws.

19. Right of objection

If your personal data is processed by us on the basis of legitimate interest in accordance with Art. 6 (1) f) GDPR, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR, insofar as this is done for reasons arising from your particular situation. In this case, LexCom will no longer process the personal data unless LexCom can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

If you wish to exercise your right of cancellation or objection, simply send an e-mail to privacy@lex-com.net.