We, Xperience CONNECT GmbH, based in Pullach, Germany, thank you for using our web pages and our services. Protecting personal data is important to us. You are providing personal data to us exclusively on a voluntary basis and as part using our web pages and services. We are processing these data in accordance with the provisions of the European General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other applicable laws on data protection.
Below please find information on which personal data are processed during your use of the web pages and/or services.
1. Data controller
Below please find our contact information:
Xperience CONNECT GmbH
2. Terms and definitions
“Personal data“ means any information relating to an identified or identifiable natural person, hereinafter also referred to as “data subject“; an identifiable person is a person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data include, for example, your computer‘s IP address, your real name, your address, your telephone number and your date of birth. Data that are not directly associated with your real identity – such as favourite websites or the number of users of a web page – are not personal data.
Our web pages are hereinafter jointly referred to as “XpC web pages“. The Xperience CONNECT services (including the XpC supplier portal and the XpC corporate solution) available on the XpC web pages are jointly referred to as “XpC services“.
3. Storage of access data during visits to our web pages
If you are only viewing the XpC web pages without using any XpC services, you may do so in general without providing any information about yourself. We only store access data such as date and time of your visit, transferred data amounts and the requesting providers. The data will exclusively be evaluated to ensure trouble-free operation of the XpC web pages and to improve our products and services. This will not allow us to identify you.
4. Data collection and use as part of performing the contract
During your use of the XpC services, we collect and process personal data (e.g., as part of registration or log-in) to the extent necessary and legally permissible to perform the contract, in particular to provide the relevant XpC services. In general, we collect, process and use your personal data only if and insofar as you expressly and voluntarily communicate such data to us (for example, by uploading consultant profiles to the XpC supplier portal or by contacting us via the XpC web pages, e.g., our Customer Support department). In such cases, we will use the relevant personal data only for the respective purpose within the scope of performing the contract, as well as within the scope of your consent and always in accordance with the applicable statutory data protection provisions.
In addition, all personal data collected during the provision or use of our XpC services will be collected, processed and used only for the purposes of performing the contract, of protecting our legitimate business interests and in accordance with applicable statutory data protection provisions.
5. Specific use of personal data
We use the personal data provided by you to make the XpC web pages available and to provide agreed services, in particular to provide the relevant XpC services, otherwise only for the purposes of technical administration of the web pages and for user administration.
6. Legal basis for data processing
The legal basis for the processing of your personal data depends on the purpose for which data are processed.
The legal basis for processing personal data for the above-mentioned purpose is Art. 6(1)(b) GDPR, where a contractual relationship exists with you or your company. If there is no contractual relationship between us and you or between us and your company, the legal basis for data processing is Art. 6(1)(f) GDPR. The transmission of personal data (such as the IP address) is necessary to establish the connection and to display the contents of the XpC web pages and/or XpC services.
The legal basis for processing personal data for the above-mentioned purpose is Art. 6(1)(b) GDPR. We provide our services within the scope of our performance of contractual obligations. We are unable to perform or carry out the existing contract without the processing of personal data.
7. Data transfer to perform the contract
Your personal data will not be transferred to any third parties without your explicit consent, unless where necessary to perform the contract with you and where permitted by statutory data protection provisions. As an example, we may make the consultant profiles uploaded by the consulting companies participating in the XpC supplier portal accessible to interested companies via the XpC web pages. This only occurs after the respective consultancy company has given consent within the scope of the functionalities available on the web pages. Otherwise, we will only transfer personal data to third parties where we are legally obligated to do so.
8. Access to third-party contents and applications
9. Use of anonymised data
To the extent permitted by law, the data collected from users of the XpC web pages and/or the XpC services may be anonymised and/or pseudonymised to prepare statistics and comparable evaluations from the processed data. We are also entitled to use the anonymised or pseudonymised data for our own purposes such as for quality assurance and for improving our services.
Some of the cookies used are deleted after the end of the respective browser session, i.e., after the browser has been closed by the user (“session cookies“). Other cookies will remain on the respective user’s computer and allow us to recognise the user’s browser on the next visit of our website (“persistent cookies“).
11. Data security
Our employees and any service providers commissioned by us are obligated to non-disclosure and compliance with the provisions of the applicable data protection laws. We take appropriate technical and organisational security measures to protect your personal data from loss, alteration, destruction and from access by unauthorised persons or unauthorised disclosure. Our security measures are constantly improved according to the state of the art.
12. Duration of data storage
We will store your data as long as necessary for your access of the XpC web pages and/or for providing the agreed services, in particular for providing the relevant XpC services, or where we have a legitimate interest in further storage.
The personal data will be deleted upon expiry of the statutory or contractual retention periods (e.g., under tax law and commercial law). Personal data that are not subject to any retention duty will be deleted after the relevant purpose for which they have been collected has ceased to apply.
13. Asserting your rights as a user
As a visitor to the XpC web pages and as a user of the XpC services, you are entitled to various rights granted by the European legislature. Please use the information in the contact section to assert your rights. When doing so, please also make sure that we are able to clearly identify you.
Below please find explanations of your main rights as the data subject.
14. Right of confirmation, access, rectification or erasure of data
According to the GDPR, you as the data subject may request information in writing at at any time and free of charge about which personal data concerning you are stored (e.g., name, address). In addition, as the data subject, you have the right to have such data rectified or erased as granted by the European legislature, provided that the legal requirements are met. Some data such as stored data on business processes that are subject to the statutory retention obligation are excluded from the claim to the erasure.
A data subject has the right granted by the European legislature to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and to additional information to the extent provided for by law.
A data subject has the right granted by the European legislature to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
A data subject has the right granted by the European legislature to obtain from the data controller the erasure of personal data concerning him or her without undue delay and the controller has the obligation to erase personal data without undue delay if one of the grounds provided for by law applies and if processing is not necessary.
15. Right to restriction of data processing
As the data subject, you have the right granted by the European legislature to obtain from the data controller restriction of processing where one of the legal requirements are met.
16. Right to object
As the data subject, you have the right granted by the European legislature to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you by us as data controller; we will then no longer process the personal data unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as data subject or for our establishment, exercise or defence of legal claims.
17. Right to data portability
As the data subject, you have the right granted by the European legislature to receive the personal data concerning you which you have provided to us as data controller in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from us as data controller to which the personal data have been provided, provided that the legal requirements are met.
18. Withdrawal of a consent
Where you consent to the collection, processing and/or use of personal data within the scope of the use of XpC services, you may withdraw such consent with effect for the future at any time. The lawfulness of processing your data up to the withdrawal will remain unaffected.
Upon receipt of your withdrawal, we will cease the relevant use of the personal data without undue delay. Where the use of the data was necessary to provide and/or use XpC services, there may be restrictions on the continued use of the XpC services concerned or the XpC services may become unavailable.
19. Duty to provide personal data
Where a contract exists between us and you (or between us and your company), you must – especially for your use of the relevant XpC services – provide those personal data which are necessary to establish, perform and/or terminate the contractual relationship and to meet the associated contractual obligations or data which we are legally obligated to collect. Without providing these data, we will generally not be able to perform the contract, in particular to enable you to use the XpC services in accordance with the contract.
Where data processing is not required to establish, perform and/or terminate the contractual relationship and to meet contractual obligations and is not provide for by law, either, the provision of your data is voluntary. Please note that certain functions of the XpC web pages and/or the XpC services cannot be used if the necessary data are not provided.
20. Automatic processing of personal data
Your personal data will only be processed exclusively automatically where necessary for concluding or performing a contract and such has no legal or similar effects for you.
21. Lodging complaints with supervisory authorities
In the event of complaints concerning the processing of your personal data, you have the right to contact the competent supervisory authorities. You may contact the data protection authority responsible for your German place of residence or German state or the data protection authority responsible for Xperience CONNECT GmbH, which is:
The Bavarian State Official for Data Protection (BayLfD)
PO Box 22 12 19
22. Contacting the Data Protection Officer
If you have any questions regarding the processing of your personal data, suggestions or complaints, please do not hesitate to contact our Data Protection Officer. We recommend sending confidential information by postal mail only.
Contact details of Xperience CONNECT GmbH‘s Data Protection Officer:
Tel. +49 89 749 75131