Privacy Policy

Last updated: July 2019
XOM Materials GmbH, Berlin (“XOM”) operates a platform under the domain www.xom-materials.com (“Platform”), via which XOM enables commercial third parties (“Partners”) to distribute products solely to registered entrepreneurs, legal entities under public law and special funds under public law (“Customers”). These Terms of Use (“Terms of Use”) apply to the use of the Platform by Customers.

1. Identity of the controller and contact details of our Data Protection Officer

The controller is the

XOM Materials GmbH
Ackerstraße 14-15
10115 Berlin

Email: support@xom-materials.com

Our DPO can be reached at the following addresses:

XOM Materials GmbH
- Datenschutzbeauftragter -
Ackerstraße 14-15
10115 Berlin

Email: datasecurity@xom-materials.com

2. When, how and why we process personal data

2.1 Personal data

Pursuant to the General Data Protection Regulation (“GDPR”), personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.2 Which kind of data we process and how we collect it

2.2.1 General use of the Site

Insofar as you do not actively make personal data available to us, we do not store personal data while you use our Site, except that our webserver(s) automatically register all connections to the Site and collect the following technical information about your visit:
  • Date and time of access,
  • Type and setup of your internet browser,
  • Operating system used,
  • The website you came from,
  • Your IP address.

2.2.2 Registering for a user account and purchasing products

You may register for a user account on our Site. You need a user account in order to purchase products or services on our platform. To create a user account, we collect the following data:

  • Company Name
  • Street
  • House No.
  • Additional address (optional)
  • Postal code
  • City
  • Country
  • Company VAT
  • Company registration number (optional)
  • Name
  • Username
  • Email address
  • Password

Additionally, we collect contact data from you:

  • Salutation
  • First Name
  • Last Name
  • Email (for login)
  • Password
  • Phone Number
  • Fax

If you buy a product from a vendor, we process the data mentioned above. In such case, we process further transaction-related data. These are data on purchases or sales you make when placing an order, or other transaction-related data, such as the time and price of the transaction, and financial information for settlement as well as shipping and billing information.

Moreover, we process the information related to an order on the amount and type of purchased products in aggregated form. For example, we store product and pricing information from a successful order process and aggregate that data to evaluate the use of our Industrial Platform. Your data is not affected by this. Rather, merely anonymous data is concerned which cannot be assigned to your person or user profile and which only allows a statistical evaluation of the use of the Industry Platform.

If you register your company for the first time on XOM, we will process the company data and with it in some cases also personal data during our “Know Your Customer” process. This means that we or a service provider selected by us will check your company data, such as legal form, field of business, tax ID, commercial register entry, address, management, ownership and management structure as well as the key (expected) financial indicators for validity and whether conducting business with you is subject to restrictions due to statutory regulations. In addition, we or a service provider selected by us will also process the contact data of the person registering in order to be able to verify whether they are actually connected with the registered company.

2.2.3 Contact

If you contact us by writing an email, we collect your email address and all information that is included in the email.

If you use the chat function on our website, we process all data provided to us through it.

2.2.4 E-Mail newsletter

You can register for an e-mail newsletter on our website. We will then process your e-mail address and any other analysis and usage data, e.g. whether you clicked on links and which links you clicked on.

2.3 Why and on which legal basis do we do that

We process your IP address only to allow your device to establish a connection to our webserver over the Internet. By storing logfiles we ensure security and integrity of our IT systems. This processing is based on Art. 6 par. 1 lit. f) GDPR.


If you register a user account with us, we process this data to create your user account and manage all related operations, for example for the purchase of products or services. The legal basis is Art. 6 par. 1 lit. b) GDPR. If you purchase products or services on our platform, we process the collected data for the purposes of performance and conclusion of contract. The legal basis is Art. 6 par. 1 lit. b) GDPR. Additionally, we are legally obliged to store certain data, which is included in contracts and invoices as well as in business letters or other documents relevant for taxation or accounting. The legal basis is Art. 6 par. 1 lit. c) GDPR and Sec. 147 AO and Sec. 257 HGB.

We process personal data during the “Know Your Customer” process to meet statutory requirements regarding the prevention of money laundering, economic crime and/or terrorism and to be able to comply with foreign trade law, the EU’s dual-use regulation, embargos or similar provisions. The legal basis for such processing is Art. 6 par. 1 lit. c) GDPR in connection with Sec. 18 AWG (German foreign trade law) as well as Art. 6 par. 1 lit. f) GDPR. The legitimate interest we pursue is to be able to have and retain the necessary facts to comply with the aforementioned requirements and provisions and be able to prove compliance.

Some of our vendors perform their own compliance checks in addition to our checks before activating their shop for customers. To this end, we transfer certain types of company data to these vendors. As a rule, and in the majority of cases, this data does not contain any personal references as it relates exclusively to the company. In individual cases, e.g. if the company name is also the name of a natural person, a personal reference can also exist here. In these cases, transmission is made in order to safeguard the legitimate interest of the respective vendor in being able to carry out compliance reviews (Art. 6(1) (f) GDPR). The respective vendor will inform you separately about the processing that takes place in their case.

If you contact us by email or by using a contact form, the processing is based on Art. 6 par. 1 lit. f) GDPR. The purpose as well as our legitimate interest is to answer your inquiry.

If you subscribe to an e-mail newsletter, we will process your data in order to send you the e-mail newsletter. This processing takes place on the basis of your consent to receive the newsletter (Art. 6(1) (a) GDPR). The analysis data is processed on the basis of our legitimate interest in evaluating the use of our newsletter and thus being able to improve it, if necessary. The legal basis for this is Art. 6(1) (f) GDPR. If you object to the processing of the usage data, you can unsubscribe from the newsletter at any time with future effect.

3. Who receives personal data from us and when it is transferred to third countries

Within our company, the data is processed by the responsible department. Externally, we pass on your data to the respective vendor from whom you have purchased the products or services or who, in the exceptional cases described above, carries out a check before activating the shop. In certain cases we carry out a Know Your Customer process for which we use external service providers. We also use external IT service providers to offer our services. Some of these service providers process data in the USA. These service providers are EU-US Privacy Shield certified, which ensures an adequate level of protection for your personal data. Should we use service providers in other countries and where these countries do not already offer an adequate level of protection on the basis of a Commission Decision, we have concluded standard European Commission contractual clauses with the respective service providers. You can view the standard documents used at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

4. Period for which personal data will be stored

Our log files are stored for seven days.


The data processed in relation to your user account is stored until you terminate your user account. After termination, we delete your data immediately.


We store the data about your purchases as long as you have a user account with us. However, if personal data is relevant for our contracts or invoices, we store it until the end of the eleventh year after conclusion of contract. If personal data is stored in business letters or other documents relevant for taxation or accounting, we store it until the end of the seventh year after conclusion of contract.

We retain the personal data collected for and processed during the “Know Your Customer” process as long as you have an account with XOM and for an additional period of 5 years starting with the end of the year in which the account is terminated. We use your data in this period only to make or defend against claims as well as to assist or exonerate ourselves in official investigations.

Your emails will be stored for the time needed to answer your inquiry and for three more years, if you refer to us again.

5. Your rights as a data subject

If the respective requirements are met, the GDPR grants you certain rights as a data subject.

  • Art. 15 GDPR – Right of access: You shall have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and certain information.
  • Art. 16 GDPR – Right to rectification: You shall have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
  • Art. 17 GDPR – Right to erasure: You shall have the right to obtain from us the erasure of personal data concerning you without undue delay.
  • Art. 18 GDPR – Right to restriction of processing: You shall have the right to obtain from us the restriction of processing.
  • Art. 20 GDPR – Right to data portability: You shall have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you shall have the right to transmit those data to another controller without hindrance from us. You shall also have the right to have the personal data transmitted directly from us to another controller, where technically feasible.
  • Art. 77 GDPR – Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

Specifically: the right of objection and revocation of consent

  • Art. 21 GDPR – Right to object: You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, which is based on legitimate interests or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In such case, we shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms or where the processing is necessary for the establishment, exercise or defence of legal claims.

  • Revocation of consent: If the processing is based on your consent, you have the right to revoke your consent at any time. The previously carried out processing operations shall not be affected thereby. To revoke your consent, please send a message to kundendienst@xom-materials.com.

6. Your obligation to provide us with personal data

You have no statutory or contractual obligation to provide us with any personal data. However, we may not be able to provide you with our services if you decide not to do so.

7. Existence of automated decision-making, including profiling

We do not use automated decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you.

8. Internet specific processing or use of personal data

8.1 Cookies

To provide you with the services of the Site, we may use cookies. Cookies are small text files which are transferred from the Site and stored on your device. Cookies cannot execute programs or infect your device with computer viruses. We use cookies to provide certain technical features to you, such as a shopping basket. The legal basis for this is Art. 6 par. 1 lit. f) GDPR. Our legitimate interest is to provide you with the respective features.

If you wish to prevent us from storing cookies on your device, your web browser or device may provide you with certain settings to do so. Most web browsers accept cookies by default. However, you may change these default settings in order to prevent any kind of storage or only allow storage after an explicit request. You may find instructions on how to change your settings in the help section of your browser or device. The respective settings only apply to the device you are currently using. If you use another device, change your web browser or reinstall your browser, you may have to change the respective settings again. Please be aware that not accepting cookies may lead to you not being able to fully use the Site. In particular, ordering products through the Site may not be possible without cookies. Our usage of cookies finds its legal basis in Art. 6 par. 1 lit. f) GDPR. The aforementioned purposes also constitute the legitimate interests we pursue with it.

8.2 Google Analytics including the Audiences Function

This website uses Google Analytics, a web analysis service of Google LLC ("Google"). Google Analytics uses cookies. The information generated by the cookie regarding your use of this website is normally transferred to a Google server in the USA and stored there. However, in case of activation of IP anonymization on this website, your IP address will be abbreviated beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the complete IP address be transferred to a Google server in the USA and abbreviated there. Google will use this information on our behalf to evaluate your use of the website, to compile reports on website activities and to provide us with other services relating to website use and internet use. The IP address transferred from your browser in the course of Google Analytics will not be combined with other data of Google.


We also use Google Analytics to inform you of target-group-specific advertising via the Google advertising network. For this purpose, we may transfer data to Google concerning the offers you have viewed or related features (e.g. interest in specific topics or products which can be identified based on the websites visited). Google uses such data to show you target-group-specific advertising when visiting our website or our advertising on other websites of the Google network (so-called “remarketing” or “Google Analytics Audiences”). With the aid of Remarketing Audiences we seek to ensure that our advertising complies with potential interest of the respective user.

You can prevent collection of data generated by the cookie and relating to your use of the website (including your IP address) to Google as well as the processing of such data by Google by downloading and installing the browser plug-in available at the following link:


tools.google.com/dlpage/gaoptout?hl=en

You can also prevent collection of your data by Google Analytics by clicking on the button stated at the bottom of the page. An opt-out cookie is then set which prevents future collection of your data when visiting this website.


You can object to the use of data for presentation of target-group-specific advertising by executing appropriate settings at the following link:


https://adssettings.google.com/u/0/authenticated?hl=en-EN

The legal basis for the use of Google Analytics and its remarketing function is Art. 6 par. 1 lit. f) GDPR. Our legitimate interest lies in the purposes described. Data are stored for 3 months.


More information on terms of use and data protection is available at https://www.google.com/analytics/terms/gb.html or at www.google.de/intl/en/policies/.

8.3 Google Tag Manager

Our website uses Google Tag Manager. This service allows website tags to be managed through a single interface. Google Tag Manager only implements tags. No cookies are used and no personal data is collected by the tool. The Google Tag Manager only triggers tags, which in turn may capture data (for example, via Google Analytics). However, Google Tag Manager does not access this data. If deactivated at the domain or cookie level, it will remain in effect for all tracking tags as far as they are implemented with the Google Tag Manager.

9. Data Security

We use technical and organizational security measures to protect data that is collected and processed, in particular against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. Our security measures are continuously improved in line with technological developments.

10. Used Cookies

Session ID

The session ID is mandatory and is used to identify multiple concurrent requests from a user and assign them to a session.

Cookie name: JSESSIONID

Globally Unique Identifier (GUID)

Mandatory security cookie that is set after logging in. This cookie authenticates the user in the shop.

Cookie name: secureGUID

CSRF-Token

Mandatory auxiliary cookie to prevent cross-site request forgery (CSRF) attacks.

Cookie name: CSRFToken

Delivery address

When an anonymous user sets a delivery address, this information is stored as a cookie to identify products for the selected region. Only country and postal code are stored.

Cookie name: user-region

Status of cookie banner

Mandatory cookie that stores the information that the "We use cookies" information has already been noted.

Cookie name: disable-cookies-bar

Status of Google Analytics

Mandatory cookie that stores the information whether Google Analytics is disabled.

Cookie name: disable-analytics

Google Analytics

We use Google Analytics to collect information about how users use our Site. The information generated by the cookie about your use of the site will be transmitted to and stored by Google on servers in the United States.

Cookie names: _ga, _gat, _gid, _gac, __utma, __utmt, __utmb, __utmc, __utmz, __utmv, collect