Privacy Notice for B2B customers and interested parties

This information in accordance with Art. 13 ff. GDPR on data protection serve the information obligation when collecting personal data of our business customers and interested parties.

The protection of your privacy is of crucial importance to our company and we are committed to handling your personal data responsibly and confidentially. The following privacy notice is intended to give you a better understanding of how we collect, use, protect and share your personal data in the course of managing our relationships with prospects and customers.

1. Name and contact details of the controller

CARFAX Europe GmbH

Barthstraße 2-10

80339 Munich, Germany

E-mail: info@carfax.eu

(hereinafter referred to as "CARFAX", "we", "us").

2. Contact details of the data protection officer:

Holzhofer Consulting GmbH

Martin Holzhofer

Lochhamer Str. 31

82152 Planegg

Phone: (0 89) 1 25 01 56 00

E-Mail:datenschutzbeauftragter-carfax@holzhofer-consulting.de

Website: https://www.holzhofer-consulting.de

3. Purposes for which the personal data are to be processed and the legal basis for the processing

3.1 Processing of inquiries and preparation of quotations

If you are interested in our company and the goods and services we offer, we process and store the following data to process your inquiry and prepare a quote when you contact us (e.g. by email, telephone or contact form on our website):

  • Title

  • Surname, first name

  • Company/organization and, if applicable, department in the company

  • Position in the company

  • Business address

  • Business telephone number

  • Business fax number

  • Business e-mail address

  • Individual message

  • If applicable, call notes from sales and customer support calls

We reserve the right to ask you for your decision by telephone or e-mail within 3 months of submitting our offer, provided you have not objected to our request.

The legal basis for the processing is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. A balancing of interests was carried out and came to the conclusion that the processing of your data is necessary to answer your request and, if necessary, for further pre-contractual measures and that our interest outweighs your interests or fundamental rights and freedoms to protect your data.

3.2 Execution and processing of contracts with business customers

In order to execute and fulfill an existing contractual relationship, in particular to provide the services owed (e.g. provision of services, invoicing), we and any third parties or processors commissioned by us process the following data from you, provided that you have provided us with this data when concluding the contract or in the course of the contractual relationship:

Contact details of a contact person at the business customer's company:

  • Surname, first name or company/organization and, if applicable, department in the company

  • Business address

  • Business e-mail address

For sole traders, if applicable:

  • Company name (incl. surname and first name)

  • Business address

  • Business e-mail address

  • Payment information

  • Tax ID or VAT ID

For invoicing, monitoring and the collection of receivables from services, we may process contact details of contact persons in the accounting department and other persons entrusted with these processing operations.

The data collected will be processed exclusively for the purpose described above. The provision of this data is necessary for the conclusion of the contract. If you do not provide us with this information, a contract will not be concluded with us. All other information is voluntary.

The legal basis for the processing of your data is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. A balancing of interests was carried out and came to the conclusion that the interests of the data subjects do not outweigh our interests in the execution and fulfillment of contracts with our business customers. In the present case, we have a legitimate interest in the execution and fulfillment of contractual obligations with our business customers, for which the processing of the data and data categories mentioned here is necessary.

3.3 Processing in connection with events (e.g. trade fairs or conferences)

If you are interested in the services we offer and provide us with your business contact details in this context, e.g. by handing over a business card at an event (e.g. trade fair or conference), we will initially process and store the details you provide (surname, first name, business address, business telephone number, business e-mail address, etc.) in our internal CRM system and may then contact you to inform you about our products and other interesting topics.

However, this only takes place if you have expressly consented to this form of advertising contact in advance.

The legal basis for the processing is Art. 6 para. 1 lit. a GDPR, i.e. your voluntary and informed consent.

You can revoke your consent at any time and without giving reasons in accordance with Art. 7 para. 3 GDPR. You have two options for this:

You can unsubscribe from receiving future emails with advertising content by clicking on the "Unsubscribe" button, which can be found in every advertising email.

You can send an informal e-mail with your unsubscribe request to privacy@carfax.eu.

The electronic transmission of the information and documents explicitly requested by you, as well as the preparation and transmission of an offer, if applicable, is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. A balancing of interests was carried out and came to the conclusion that the interests of the data subjects do not outweigh our interests in the implementation of pre-contractual measures. In the present case, we have a legitimate interest in the implementation of pre-contractual measures with potential business customers, for which the processing of the data and data categories mentioned here is necessary.

3.4 Processing the email address of existing customers for the purpose of direct advertising

Unless you have objected, we will use your e-mail address, which we have received as part of the sale of a service, to send you electronic advertising for our own services that are similar to those that you have already purchased from us. You can object to this use of your e-mail address at any time by sending us a message. The contact details for exercising your objection can be found in section 9. You can also use the link provided for this purpose in the advertising e-mail. This will not incur any costs other than the transmission costs according to the basic rates.

The legal basis for this is Article 6(1)(f) GDPR in conjunction with Art. Art. 95 GDPR, Section 7 (3) UWG. A balancing of interests was carried out and came to the conclusion that the interests of the data subjects do not outweigh our interests in carrying out direct advertising. We have a legitimate interest in the electronic transmission of advertising content to existing customers, for which the processing of the data and data categories mentioned here is necessary.

4. Obligation to provide the data

As a rule, the provision of the personal data mentioned in section 3 is neither legally nor contractually required. You are not obliged to provide the data. Failure to provide it therefore has no consequences. This only applies if no other information is provided in the respective processing operations.

5. Automated decision-making, including profiling

CARFAX Europe GmbH does not carry out automated individual decision-making, including profiling, in accordance with Art. 22 (1) and (4) GDPR.

6. Data transfer to a third country

Data transfers to countries outside the EU and the European Economic Area ("third countries") occur in the context of the administration, development and operation of IT systems. The transfer only takes place on the basis

  • an adequacy decision of the European Commission within the meaning of Art. 45 GDPR.

  • an approved certification mechanism pursuant to Art. 42 GDPR together with legally binding and enforceable obligations of the controller or processor in the third country

  • standard data protection clauses adopted by the Commission in accordance with the examination procedure under Art. 93 para. 2 GDPR.

Currently, in connection with pre-contractual measures with interested parties and the conclusion of a contract with business customers, data is transferred to countries outside the EU and the European Economic Area ("third countries") in the following case:

Transmission of data to Salesforce Inc, Salesforce Tower 415 Mission Street, 3rd Floor San Francisco, CA 94105. USA in connection with the provision and use of our CRM system.

For the USA, there is an adequacy decision by the EU Commission within the meaning of Art. 45 para. 3 GDPR, which extends to the EU-US Data Privacy Framework (DPF). For data exports to recipients in the USA that are certified under the DPF, the level of data protection is therefore considered adequate. Salesforce has certified itself in accordance with the DPF and has therefore undertaken to comply with European data protection principles.

Standard data protection clauses in accordance with Art. 46 (2) lit. c GDPR have been concluded with affiliated companies and transfer impact assessments have also been carried out. When transferring personal data to third countries on the basis of standard data protection clauses, additional security measures may have been taken. Please contact us to request a copy of these security measures.

The data processed on our systems is located exclusively on servers within the EU.

7. Categories of recipients of data and data sources

7.1 Categories of recipients of data

To the extent permitted by law, we pass on personal data to external service providers:

  • Credit institutions and providers of payment services for billing and processing payments (e.g. Adyen N.V., Netherlands).

  • Tax consultants for financial accounting and preparation of balance sheets

  • Lawyers for the defense and enforcement of legal claims

  • Debt collection service providers and competent courts to collect receivables and enforce claims in court. If personal data (customer and contact data, payment data and data relating to the claim) is transferred to a debt collection service provider in the event of debt collection, we will inform you or your company in advance of the intended transfer.

We use the following categories of recipients as processors within the meaning of Art. 28 GDPR to process personal data for the purposes stated here:

  • IT service providers for the maintenance of our IT infrastructure

  • Software service provider for email marketing tool

  • Software service provider for CRM system

  • Software service provider for contract management system

  • Software service provider for billing system

  • Service provider for operation of the e-mail server

  • Software service provider in connection with the provision and use of our invoicing software

  • Other processors within the meaning of Art. 28 GDPR in the course of order processing

These service providers process information about you on our behalf and on the basis of our instructions and are contractually obliged to comply with the applicable data protection laws within the meaning of Art. 28 GDPR.

We may also pass on personal data to your employer, e.g. to fulfill and enforce our contract with them and for pricing purposes.

All personal data collected by us will only be processed and used for the purpose of fulfilling and processing our contract with your company and for processing your inquiries. Otherwise, your personal data will only be passed on or transmitted to third parties if this is necessary for the purpose of processing the contract, in particular to our service partners who we need to process the contractual relationship. In these cases, we strictly observe the provisions of the GDPR and the Federal Data Protection Act. The scope of data transmission is limited to a minimum.

In addition, we will only pass on your personal data to third parties if you have given your express prior consent. You have the right to revoke your consent at any time with effect for the future.

Your data will also be passed on if we are legally obliged to do so.

7.2. Overview of the payment service providers

7.2.1 Data protection notice on the use of Adyen

You have the option of paying by credit or debit card on our website. The provider of the payment service is the payment gateway provider Adyen B.V., Simon Carmiggeltstraat 6-50, 5th floor, 1011 DJ Amsterdam, Netherlands (hereinafter referred to as "Adyen"). Your credit card details will be checked by the Adyen service during the check-out process and approved for payment. We will then receive confirmation that the details are correct and that the payment process has been completed.

If you choose this payment method, Adyen is responsible for the processing of your data under data protection law, as Adyen processes the payments directly with the customers and therefore does not process the payment data in accordance with instructions.

Insofar as personal data is processed during the described transfers to Adyen, this is done exclusively for the purpose of payment processing and thus for the fulfillment of a contract in accordance with Art. 6 para. 1 lit. b GDPR (for contracts with natural persons) or Art. 6 para. 1 lit. f GDPR (for contracts with legal entities).

You can find further information on data protection at Adyen at: https://www.adyen.com/policies-and-disclaimer/privacy-policy

7.3 Data sources

We process personal data that we have received from interested parties and business customers as part of our business relationships.

Insofar as it is necessary for the provision of our services, we process personal data that we legitimately obtain from publicly accessible sources (debtor directories, land registers, commercial and association registers, press, Internet) or are legitimately transmitted by other third parties (a credit agency or an address service provider).

8. Storage period and criteria for determining the duration

Personal data will only be stored for as long as is necessary to fulfill the purposes stated here or for as long as the retention periods stipulated by law require. After the respective purpose no longer applies or after the retention periods have expired, the data will be deleted in accordance with the statutory provisions.

We retain your personal data for as long as is necessary for us for business reasons (e.g. to provide you with a service you have requested or to comply with legal, tax or accounting requirements).

Once we no longer have a legitimate business reason to process your personal data, we will comply with our applicable information management policies, procedures and standards and retain your data for as long as necessary to fulfill the purpose for which it was collected.

Please contact us for more information about the period for which we will process your personal data.

We store your data for advertising purposes until you object to its use or until contacting you is no longer permitted by law. We store your other data for as long as we need it to fulfill the specific purpose (e.g. to fulfill or process a contract) and delete it once the purpose no longer applies.

9. Information on your rights as a data subject

CARFAX Europe GmbH is responsible for the processing of your data, unless otherwise stated.

You can request information from us at any time (Art. 15 GDPR) about the data stored about you and its correction (Art. 16 GDPR) in the event of errors. You can also request the restriction of processing (Art. 18 GDPR), the portability (Art. 20 GDPR) of the data you have provided to us in a machine-readable format or the erasure of your data (Art. 17 GDPR) - insofar as it is no longer required.

You also have the right to object at any time to the use of your data based on public or legitimate interests (Art. 21 GDPR).

If we process your data on the basis of your consent, you can withdraw this consent at any time with effect for the future (Art. 7 para. 3 GDPR). Upon receipt of your revocation, we will no longer process your data for the purposes specified in the consent.

If you wish to make use of your rights as a data subject, please address your request to

CARFAX Europe GmbH

Barthstraße 2-10

80339 Munich, Germany

privacy@carfax.eu

10. Right to lodge a complaint with a supervisory authority

You can also lodge a complaint with a supervisory authority at any time in accordance with Art. 77 (1) GDPR. For us, this is generally the

Bavarian State Office for Data Protection Supervision, Promenade 18, 91522 Ansbach, P.O. Box 1349, 91504 Ansbach, e-mail: poststelle@lda.bayern.de, telephone: +49 (0) 981 180093-0, is responsible for us.

Alternatively, you can contact your local supervisory authority.

11. Security of the processing

We protect personal data that we process through appropriate technical and organizational measures designed to ensure a level of protection appropriate to the risk of processing your personal data.

We will notify you or your company of any security incident involving your personal data by email, telephone or other means, in accordance with applicable law.

Status February 2024

This privacy policy is subject to constant review and CARFAX reserves the right to make changes at any time.