Business Partner Privacy Policy

This data protection notice for customers, suppliers, and business partners including sponsors and co-hosts of our summits and webinars ("Data Protection Notice") describes how LeanIX GmbH (Limited Liability Company) ("LeanIX", "we" or "our") processes your personal data in the context of our business relationship with you, or the company or organization you represent ("Your Company"). If you are a customer, the personal data addressed in this Data Privacy Notice is not related to personal data processed in our software. In addition, the Data Protection Notice explains what types of personal data we collect about you, how we use, store, and disclose the data, and what rights you have in that regard.

WHO IS RESPONSIBLE FOR PROCESSING MY PERSONAL DATA? HOW CAN I CONTACT LEANIX?

LeanIX, as controller within the meaning of the EU General Data Protection Regulation ("GDPR"), is responsible for the processing of your personal data. You can contact us at any time using the following contact details:

LeanIX GmbH (Limited Liability Company)
Friedrich-Ebert-Allee 37-39,
53113 Bonn, Germany

Tel: +49.228.2862992-0
Email address: dataprivacy@leanix.net
Internet address: www.leanix.net

You can also contact our external data protection officer at any time at the following contact details:

Andreas Schmidt LL.M., to be reached by post at the address of LeanIX with the addition "(personal) to the data protection officer," or we can forward your request by email to him upon request. In an individual case, you can also directly request further contact details of the data protection officer (e.g., email and/or telephone number).

If you are located in the United Kingdom and have questions about your personal data or would like to request to access, update or delete it, you may contact our representative at:

Bird & Bird GDPR Representative Services UK
12 New Fetter Lane
London
EC4A 1JP
United Kingdom

UKrepresentative.LeanIX@twobirds.com

Main point of contact:
Vincent Rezzouk-Hammachi

WHICH PERSONAL DATA WILL BEI PROCESSED ABOUT ME?

We will collect and process the personal data you or Your Company provide(s) to us in connection with any business-related interaction between you or Your Company and LeanIX, as necessary for the business relationship, regardless of whether the information is provided verbally (e.g., by telephone) or by writing (e.g., by email, letter) or via our online applications.

We may collect, in particular, the following categories of personal data:

  • Name and contact information, such as first and last name; company/organization, business telephone number, email address, and other business contact information; job title;
  • Order, service, and contract data, including revenue information and payment terms, subscription details, etc.;
  • payment and billing information, such as information required for payment processing and fraud prevention, including bank and account data, tax numbers, and billing addresses;
  • history of orders, transaction and business interactions as well as commercial information about the use of products and services, including as necessary for business partner relationship management;
  • Content of business communication relating to business relationship, products, and services (e.g., correspondence by email, letter, fax, etc.);
  • personal data that we collect from publicly available sources, information databases, or from credit agencies;
  • where legally required as part of compliance screenings: date of birth, country of residence, results of screening against recognized sanction lists, information on relevant court proceedings, and other legal disputes in which you or Your Company is involved.

FOR WHICH PURPOSES WILL MY DATA BE PROCESSED, AND ON WHICH LEGAL BASIS?

We process your personal data for the following legitimate business purposes and based on the following legal grounds for processing:

  • To enter into and/or perform a contract with Your Company, including processing orders, delivery of services, providing service, support and maintenance, and for related administrative, account management, accounting, billing and auditing purposes. As far as the business relationship exists between LeanIX and you personally, we rely on the necessity of the processing for the performance of the contract with you or in order to take steps at your request prior to entering into a contract with you (Art. 6(1) lit. b) GDPR). As far as the business relationship exists between LeanIX and Your Company, we rely on our legitimate interests in the establishment, performance and handling of the business relationship with Your Company (Art. 6(1) lit. f) GDPR);
  • To maintain, handle and support the business relationship with you or Your Company. We rely on the necessity of the processing to safeguard our legitimate interests in an appropriate account and relationship management and an effective and service-oriented support and care of our business contacts (Art. 6(1) lit. f) GDPR);
  • To communicate with you or Your Company in the context of the establishment or performance of the business relationships to the extent this is necessary for the purposes of our legitimate interest in ensuring efficient communication with you and/or Your Company, e.g., when we inform you about changes to our terms and conditions or when you contact LeanIX with questions and requests (Art. 6(1) lit. f) GDPR);
  • To carry out a business partner compliance due diligence. We process your personal data to the extent the processing is necessary for our legitimate interest in complying with legal requirements, in particular with obligations under applicable data protection laws and regulations (Art. 6(1) lit. f) GDPR);
  • To the extent necessary for ensuring compliance with applicable statutory retention and other obligations of LeanIX, in particular, according to sec. 257 HGB and sec. 147 AO (Art. 6(1) lit. c) GDPR);
  • To safeguard our legitimate interests in ensuring and documenting compliance with applicable laws and in establishing, exercising and/or defending of legal claims (Art. 6(1) lit. f) GDPR), including collection of debts and enforcement of payment claims.
  • For direct marketing purposes: If you have provided your consent, we will process such data to send you marketing information about the products and services offered by LeanIX via your preferred channel (via email, fax and/or telephone) (Art. 6(1) lit. a) GDPR). In addition, we may use your data to the extent permitted by law for sending of marketing information on the products and services offered by LeanIX on the basis of our legitimate interests in the effective marketing of our products and services (Art. 6(1) lit. f) GDPR). You can withdraw your consent and/or object to this use of your data for marketing purposes at any time with effect for the future. Further information on the right to withdraw your consent and the right of objection can be found in section 9.

AM I OBLIGED TO PROVIDE MY DATA?

You are neither contractually nor legally obliged to provide your personal data as indicated above. However, if you do not provide specific data to us, we may, under certain circumstances, be unable to comply with our obligations, establish and/or perform the contract, or otherwise handle the business relationship with you or Your Company.

WHOM WILL MY PERSONAL DATA BE DISCLOSED TO?

We do not disclose your personal data, except as described in this Data Protection Notice or in case we are legally compelled to do so under applicable law.
Your personal data may be disclosed in the following scenarios:

  • To LeanIX group companies: LeanIX, Inc., LeanIX B.V., LeanIX SI d.o.o, LXTech India Private Limited
  • Service providers, partner companies, and affiliates (as processors): We transmit your data to our affiliates, business partners and third-party service providers that process your personal data on our behalf, as necessary to assist with the relevant business purposes. These recipients have been carefully selected beforehand and are contractually obliged as processors in accordance with applicable data protection laws. For instance, we may share your personal data with technical hosting providers, marketing agencies, data analytics services, cloud service providers for CRM software, accounting software, ERP software, personal information management tools, etc. As processors, these recipients may only use your personal data in accordance with our instructions and to the extent necessary to provide the services requested by us. Your data will neither be sold to third parties nor marketed in any other way. An up-to-date list of all affiliates, partner companies, and service providers is available upon request from LeanIX under the contact details listed in section 1.
  • Public Authorities and Courts: To the extent that (1) we believe it is (i) required by law or (ii) necessary to respond in the course of legal proceedings (such as a court order or subpoena) or following a request from a public authority (such as an access or disclosure request by a law enforcement authority), or (2) when we believe the disclosure is necessary and appropriate (i) to ensure compliance with applicable laws, (ii) to establish, exercise and/or defend our legal claims, (iii) to prevent physical harm or financial loss, or (iv) in connection with an investigation of suspected or actual illegal activity, we may also share your personal data with local or foreign government authorities, supervisory authorities, law enforcement authorities, courts and tribunals. Where permitted by law and reasonably practicable, we will attempt to notify you of such requirements.

IS MY PERSONAL DATA STORED AND PROCESSED OUTSIDE THE EU/EEA?

Some of the above recipients that may receive your personal data (as described in Section 5) are located in countries outside the European Union ("EU") and the contracting states of the European Economic Area ("EEA") ("Third Countries"), including the United States of America and India. To the extent LeanIX transfers your personal data to Third Countries, LeanIX has – to the extent required – put into place appropriate safeguards to ensure that your personal data will be adequately protected in accordance with legal requirements (such as contracts on the basis of the EU Standard Contractual Clauses). For more information on the appropriate safeguards in place, the Third Countries concerned, and on how to obtain a copy of such safeguards, please contact us at the contact information set above under Section 1.

HOW WILL MY PERSONAL DATA BE PROTECTED?

We implement comprehensive technical and organizational measures to ensure a level of security appropriate to the risk to the personal data we process, in particular, to protect your data against accidental or unlawful destruction, misuse, alteration, partial or complete loss, and against unauthorized disclosure of or access to personal data, taking into account the state of the art, implementation costs and the nature, scope, context and purpose of the processing, as well as the existing risks to your personal data. These measures aim to ensure the ongoing integrity, availability, and confidentiality of personal data and the resilience of our processing systems and services. We evaluate and improve these measures regularly. For further information, please contact us at the contact information set out in Section 1 of this Data Protection Notice.

FOR HOW LONG WILL MY PERSONAL DATA BE STORED?

We will store your data only for the period necessary to fulfill the purposes for which we have collected and processed your personal data as set out in this Data Protection Notice. Therefore, in principle, your personal data will be stored for as long as necessary for the business relationship with you or Your Company and deleted thereafter.
More specifically, we will process your personal data as follows:

  • Personal data stored for contract performance will be stored for as long as necessary for safeguarding our rights and obligations under the contract, including for account administration, billing, accounting, audit, and compliance purposes.
  • Personal data stored to handle, maintain and support the business relationship with you or Your Company, including emails, will be stored for the purposes of the contractual relationship and deleted following termination or expiration of the business relationship upon request to LeanIX.
  • Personal data stored on the basis of your consent to carry out direct marketing will be stored until your consent is withdrawn or we cease carrying out respective marketing activities.
  • Personal data required for purposes of compliance with our data retention obligations under tax and commercial law will be stored for a period of up to ten years.

After the end of the applicable storage period, your data will be deleted in accordance with our data retention policy and procedures, unless further storage is necessary to comply with our legal obligations (Art. 6(1) lit. c) GDPR), such as statutory data retention obligations, or for purposes of our legitimate business interests in ensuring compliance with applicable legal and regulatory requirements or establishing, exercising, or defending our legal claims (Art. 6(1) lit. f) GDPR).

WHICH RIGHTS DO I HAVE AND HOW CAN I EXERCISE THEM?

To the extent you are affected by data processing by us, you have the right, subject to the requirements under applicable data protection laws:

  • To request information about the personal data stored about you as well as to receive a copy of such personal data (right of access, Art. 15 GDPR);
  • To obtain the rectification of inaccurate personal data and, taking into account the purpose of the processing, to have incomplete personal data completed (right to rectification, Art. 16 GDPR);
  • To obtain the erasure of your personal data, provided a legitimate ground applies (right to erasure/right to be forgotten, Art. 17 GDPR);
  • To obtain the restriction of processing of your personal data, if the legal requirements are met (right to restriction of processing, Art. 18 GDPR);
  • To receive the personal data which you have provided to us in a structured, commonly used, and machine-readable format and to transmit such personal data to another controller without hindrance from us and, where technically feasible, to have such data transmitted directly from us to another controller, if the legal requirements are met (right to data portability, Art. 20 GDPR); and
  • not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you, if the legal requirements are not met. LeanIX does not carry out automated individual decision-making.

Further, subject to applicable data protection laws, you have the right to object, on grounds relating to your particular situation, to the processing of your personal data based on our legitimate interests. If your personal data is processed by us for direct marketing purposes, you can object to the processing for the purpose of such marketing at any time without any special reason (right to object).

You further have the right to withdraw any consent given at any time. The withdrawal of your consent does not affect the lawfulness of the processing of your personal data until such withdrawal.
In order to exercise your rights (including withdrawal of your consent), you may use the contact details set out above under section 1.
In addition and without prejudice to any other rights, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. The competent supervisory authority for LeanIX is:

North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information:

Kavalleriestr. 2-4
40213 Düsseldorf
Telephone: 0211/38424-0
Fax: 0211/38424-10
Email: poststelle@ldi.nrw.de
Internet: www.ldi.nrw.de

HOW CAN THIS DATA PROTECTION NOTICE BE CHANGED?

We may modify or update this Data Protection Notice from time to time. If we make any revisions that materially change how we process your personal data, we will notify you of these changes before applying them to that personal data.