Last updated: September 2020
XOM Materials Operations Inc. (“XOM”) operates a marketplace platform under the domain www.xom-materials.com and an eProcurement Software as a Service solution (“the eProcurement service”) under the domain procurement.xom-materials.com (both together: “Platform” or “Site”), via which XOM enables commercial third parties (“Partners”) to distribute products solely to registered entrepreneurs, legal entities under public law and special funds under public law (“Customers”) or to procure products from their suppliers.
The controller is the
XOM Materials GmbH
Our DPO is available under the following addresses:
XOM Materials GmbH
- Datenschutzbeauftragter -
Pursuant to the General Data Protection Regulation (“GDPR“), personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Insofar as you do not actively make personal data available to us, we do not store personal data while you use our Site except that our web server(s) register all connections to the Site automatically and collects the following technical information about your visit:
You may register for a user account on our Site. You need a user account in order to purchase or offer products or services on our Platform.
Our marketplace is open for all commercial users who wish to register. However, for setting up a user account and for offering products on our eProcurement service, you require an invitation from the company that performs the procurement. This company will give us the name and email address of the relevant contacts and we will send you the invitation email on their behalf as a data processor. You can create the user account by clicking on the link in the email.
Additionally, we collect contact data from you:
If you buy a product from a vendor on the marketplace or offer a product on the eProcurement service, we process the data mentioned above. In such case, we also process transaction-related data, for example information on purchases or sales you make when placing an order or offering a product, the time and price of the transaction, and, if applicable, financial information as well as shipping and billing information.
Moreover, we process the information related to an order on the amount and type of purchased products in aggregated form. For example, we store product and pricing information from a successful order process and aggregate that data to evaluate the use of our Industrial Platform.
If you register your company for the first time on the marketplace or the eProcurement Service as a Software, we will process the company data and with it in some cases also personal data during our “Know Your Customer” process. This means that we or a service provider selected by us will check your company data, such as legal form, field of business, tax ID, commercial register entry, address, management, ownership and management structure as well as the key (expected) financial indicators for validity and whether conducting business with you is subject to restrictions due to statutory regulations. In addition, we or a service provider selected by us will also process the contact data of the person registering in order to be able to verify whether they are actually connected with the registered company.
If you contact us by writing an email, we collect your email address and all information that is included in the email.
If you use the chat function on our website, we process all data provided to us through it.
You can register for an e-mail newsletter on our website. We will then process your e-mail address and any other analysis and usage data, e.g. whether you clicked on links and which links you clicked on.
We offer Whitepapers on several topics to our users. In order to get access to them, you have to provide us with your e-mail address, if you decide so, you may also register for our newsletter. We will then send you an e-mail with a download and newsletter activation link.
We process your IP address only to allow your device to establish a connection to our web server over the Internet. By storing log files we ensure security and integrity of our IT systems. This processing is based on Art. 6 par. 1 lit. f) GDPR.
If you register a user account with us, we process this data to create your user account and manage all related operations, for example for the purchase of products or services. The legal basis is Art. 6 part. 1 lit. b) GDPR. If you purchase products or services on our platform, we process the collected data for the purposes of performance and conclusion of contract. The legal basis is Art. 6 par. 1 lit. b) GDPR. Additionally, we are legally obliged to store certain data, which is included in contracts and invoices as well as in business letters or other documents relevant for taxation or accounting. The legal basis is Art. 6 par. 1 lit. c) GDPR and Sec. 147 AO and Sec. 257 HGB.
We process personal data during the “Know Your Customer” process to meet statutory requirements regarding the prevention of money laundering, economic crime and/or terrorism and to be able to comply with foreign trade law, the EU’s dual-use regulation, embargos or similar provisions. The legal basis for such processing is Art. 6 par. 1 lit. c) GDPR in connection with Sec. 18 AWG (German foreign trade law) as well as Art. 6 par. 1 lit. f) GDPR. The legitimate interest we pursue is to be able to have and retain the necessary facts to comply with the aforementioned requirements and provisions and be able to prove compliance.
Some of our vendors perform their own compliance checks in addition to our checks before activating their shop for customers. To this end, we transfer certain types of company data to these vendors. As a rule, and in the majority of cases, this data does not contain any personal references as it relates exclusively to the company. In individual cases, e.g. if the company name is also the name of a natural person, a personal reference can also exist here. In these cases, transmission is made in order to safeguard the legitimate interest of the respective vendor in being able to carry out compliance reviews (Art. 6(1) (f)) GDPR). The respective vendor will inform you separately about the processing that takes place in their case.
If you contact us by email or by using a contact form, the processing is based on Art. 6 par. 1 lit. f) GDPR. The purpose as well as our legitimate interest is to answer your inquiry.
If you subscribe to an e-mail newsletter, we will process your data in order to send you the e-mail newsletter. This processing takes place on the basis of your consent to receive the newsletter (Art. 6(1) (a) GDPR). The analysis data is processed on the basis of our legitimate interest in evaluating the use of our newsletter and thus being able to improve it, if necessary. The legal basis for this is Art. 6(1) (f) GDPR. If you object to the processing of the usage data, you can unsubscribe from the newsletter at any time with future effect.
Within our company, the data is processed by the responsible department. Externally, we pass on your data to the respective vendor from whom you have purchased or have the option to purchase the products or services or who, in the exceptional cases described above, carries out a check before activating the shop. In certain cases we carry out a Know Your Customer process for which we use external service providers. We also use external IT service providers to offer our services. Should we use service providers in countries outside the EU and where these countries do not already offer an adequate level of protection on the basis of a Commission Decision, we have concluded standard European Commission contractual clauses with the respective service providers. You can view the standard documents used at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
Our log files are stored for seven day.
The data processed in relation to your user account is stored until you terminate your user account. After termination, we delete your data immediately.
We store the data about your purchases as long as you have a user account with us. However, if personal data is relevant for our contracts or invoices, we store it until the end of the eleventh year after conclusion of contract. If personal data is stored in business letters or other documents relevant for taxation or accounting, we store it until the end of the seventh year after conclusion of contract.
We retain the personal data collected for and processed during the “Know Your Customer” process as long as you have an account with XOM and for an additional period of 5 years starting with the end of the year in that the account is terminated. We use your data in this period only to make or defend against claims as well as to assist or exonerate ourselves in official investigations.
Your emails will be stored for the time needed to answer your inquiry and for three more years, if you refer to us again.
If the respective requirements are met, the GDPR grants you certain rights as a data subject.
Art. 15 GDPR – Right of access: You shall have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and certain information.
Art. 16 GDPR – Right to rectification: You shall have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Art. 17 GDPR – Right to erasure: You shall have the right to obtain from us the erasure of personal data concerning you without undue delay.
Art. 18 GDPR – Right to restriction of processing: You shall have the right to obtain from us the restriction of processing.
Art. 20 GDPR – Right to data portability: You shall have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you shall have the right to transmit those data to another controller without hindrance from us. You shall also have the right to have the personal data transmitted directly from us to another controller, where technically feasible.
Art. 77 GDPR – Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
Specifically: the right of objection and revocation of consent
Art. 21 GDPR – Right to object: You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, which is based on legitimate interests or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In such a case, we shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms or where the processing is necessary for the establishment, exercise or defence of legal claims.
Revocation of consent: If the processing is based on your consent, you have the right to revoke your consent at any time. The previously carried out processing operations shall not be affected thereby. To revoke your consent, please send a message to firstname.lastname@example.org.
You have no statutory or contractual obligation to provide us with any personal data. However, we may not be able to provide you with our services if you decide not to do so.
We do not use automated decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you.
You can change your preferences and/or withdraw your consent regarding these purposes at any time via our consent management platform: www.xom-materials.com/europe
We also use Google Analytics to inform you of target-group-specific advertising via the Google advertising network. For this purpose, we may transfer data to Google concerning the offers you have viewed or related features (e.g. interest in specific topics or products which can be identified based on the websites visited). Google uses such data to show you target-group-specific advertising when visiting our website or our advertising on other websites of the Google network (so-called “remarketing” or “Google Analytics Audiences”). With the aid of Remarketing Audiences we seek to ensure that our advertising complies with potential interest of the respective user.
We use Google Analytics only with your consent (Art. 6 par. 1 lit. a) GDPR). Data are stored for 1 year.
Our website uses Google Tag Manager. This service allows website tags to be managed through a single interface. Google Tag Manager only implements tags. No cookies are used and no personal data is collected by the tool. The Google Tag Manager only triggers tags, which in turn may capture data (for example, via Google Analytics). However, Google Tag Manager does not access this data. If deactivated at the domain or cookie level, it will remain in effect for all tracking tags as far as they are implemented with the Google Tag Manager.
To ensure the quality of our online services, we use the Pardot analysis tool from Salesforce. Pardot tracks visitor and prospect activities on our website and landing pages by setting cookies in the browsers. Cookies are set to remember preferences (like form field values) when a visitor returns to our site. Pardot also sets a cookie for logged-in users to maintain the session and remember table filters.
Pardot cookies don’t store personally identifying information, only a unique identifier.
We use technical and organizational security measures to protect data that is collected and processed, in particular against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. Our security measures are continuously improved in line with technological developments.
COPPA regulates the collection of personal information online from children under the age of 13. This site is not intended or designed to attract users under the age of 13 or to collect personal information from such users. We do not collect personally identifiable data from any person we know to be under the age of 13 and those under 13 should not submit any personal information through this site. If we learn that we have inadvertently collected personal information from a child under the age of 13 we will remove the information from our files.