Thank you for visiting the B2B User Management System (hereinafter referred to as the B2B-UMS) operated by Volkswagen AG, Berliner Ring 2, 38440 Wolfsburg, Germany, vw@volkswagen.de, entered in the register of companies of Braunschweig District Court under HRB 100484 (“Volkswagen AG”). In the following, we will provide information on how Volkswagen AG processes the personal data which is collected when you use the B2B-UMS system.

The following data processing activities in the B2B-UMS are carried out under the joint control of the Group companies. Volkswagen AG and the Group companies have concluded agreements within the meaning of Article 26 GDPR with regard to their joint control. We shall make the principal content of these agreements available on request. To make such a request, please use the contact options listed in the “Contact persons” section. A list of Group companies that are parties to the agreement on the joint control in the Procurement division can be found here.

We process your personal data in the B2B-UMS in order to guarantee the secure operation of IT systems in the B2B environment through the unique identification, authentication and authorisation of users.

Access rights to the ONE.Konzern business platform and IT systems located on that platform, access rights to Volkswagen’s internal ONE.Portal and IT systems located on that portal, and other internal Volkswagen IT systems are managed in the B2B-UMS.

An individual user profile is required for this. If you are acting as an employee for a company/third party, the user profile is created for you by your company administrator. If you are acting on your own behalf, you will need to create the user profile yourself. If you are an employee of a Group company, this user profile will have been transferred to the B2B-UMS from upstream Group systems.

The following personal data is processed when your user profile is created:

• User ID
• Last name
• First name
• Business address data (company name, address, DUNS number or company code)
• Business email address
• Business telephone number
• Business fax number (optional)
• Gender
• Preferred language
• Valid from
• Valid to (optional)

If you are an employee of a Group company, the following data is also processed:

• Department
• Cost centre
• Plant

If your company administrator requests authorisation/activation to use internal Volkswagen Group IT systems for you as an employee of a company/third party or if you request this on your own behalf, your date and place of birth are also processed.

As an employee of a company/third party, you will be granted access rights to IT systems connected to the B2B-UMS by your company administrator. If you are acting on your own behalf, you will establish the access rights to connected IT systems yourself. Group employees are granted access rights by an internal Group administrator.

When access rights are granted, the respective permissions are stored in your user profile. You can view the permissions assigned to you in the B2B-UMS at any time.

The processing of your personal data as part of the data processing activities specified above takes place on the basis of the following legal bases:

• If you are acting on your own behalf, Article 6 (1) (1) (b) GDPR forms the legal basis for this data processing.
• If you are acting as an employee of a Group company or as an employee of a company/third party, an overriding legitimate interest in accordance with Article 6 (1) (1) (f) GDPR forms the legal basis for this data processing.

The legitimate interests of Volkswagen AG are as follows:

We process the personal data contained in your user profile and your access rights to ensure your unique identification. Permissions can only be assigned correctly if you have been uniquely identified. As part of the authorisation processes, it is necessary, in certain situations, to contact you, e.g. to send a password link. In this case, we will process your data for the purposes of business communication.

We store your personal data as long as this is necessary for the purpose for which we have collected it. In other words, we regularly store your personal data for the duration of our business relationship with you or the company/third party of which you are an employee.

If your personal data in the B2B-UMS is deleted, for example, by the company administrator, your personal data within the B2B-UMS will also be immediately deleted. If you or your company administrator do not delete any data, we will delete your personal data in the B2B-UMS 15 years after termination of the B2B usage agreement.

If you access and use the B2B-UMS, we will only process the following log data as necessary:

• User ID
• Login and logout times

The processing of your personal data as part of the data processing activities specified above takes place on the basis of the following legal bases:

• If you are acting on your own behalf, Article 6 (1) (1) (b) GDPR forms the legal basis for this data processing.
• If you are acting as an employee of a Group company or as an employee of a company/third party, an overriding legitimate interest in accordance with Article 6 (1) (1) (f) GDPR forms the legal basis for this data processing.

The legitimate interest of Volkswagen AG is as follows:

Log data is processed in order to ensure the confidentiality, integrity and availability of the personal data. The aim is to prevent potential security risks.

Personal data collected in this context is stored when you access the system and deleted after 90 days (or 720 days for Chinese personal data).

In electronic commerce, it is necessary to be able to prove who has performed which actions in the IT systems. This obligation to provide evidence also includes an obligation to prove which access rights and permissions were assigned to the user at the time that the action was implemented and which company administrator granted those access rights and permissions to the user. As part of this obligation to provide evidence, we also process the personal data contained in your user profile and your access rights. The processing of your personal data as part of the data processing activities specified above takes place on the basis of the following legal bases:

• If you are acting on your own behalf, Article 6 (1) (1) (b) GDPR forms the legal basis for this data processing.
• If you are acting as an employee of a Group company or as an employee of a company/third party, an overriding legitimate interest in accordance with Article 6 (1) (1) (f) GDPR forms the legal basis for this data processing.

The legitimate interest of Volkswagen AG is as follows:

Processing takes place to ensure the verifiability of roles/rights management for evidence purposes.

If you are a Group company employee, your personal data, once deleted from the B2B-UMS, will be stored in strictly access-protected audit logs for evidence purposes for seven years. For this, all personal data, apart from user ID, is anonymised, such that we only know the user ID and assigned permissions.

If you are an employee of a company/third party and not a company administrator, your personal data, once deleted from the B2B-UMS, will be stored in strictly access-protected audit logs for evidence purposes for 15 years after termination of the B2B usage agreement. For this, all personal data, apart from user ID, is anonymised, such that we only know the user ID and assigned permissions.

If you are an employee of a company/third party and a company administrator, your personal data, once deleted from the B2B-UMS, will be stored in strictly access-protected audit logs for evidence purposes for 15 years after termination of the B2B usage agreement.

As part of e-commerce, your personal data processed in the B2B-UMS will be transferred to connected IT systems. Here, your personal data will be processed for permission-based access to the respective IT systems and for business communication. For detailed information, please refer to the privacy policies of the respective IT systems.

The processing of your personal data as part of the data processing activities specified above takes place on the basis of the following legal bases:

• If you are acting on your own behalf, Article 6 (1) (1) (b) GDPR forms the legal basis for this data processing.
• If you are acting as an employee of a Group company or as an employee of a company/third party, an overriding legitimate interest in accordance with Article 6 (1) (1) (f) GDPR forms the legal basis for this data processing.

The legitimate interest of Volkswagen AG is as follows:

Processing takes place in order to guarantee permission-based access to systems and to enable business communication for partner company and Group employees.

Please refer to the privacy policies of the respective IT systems for the storage periods of the transferred data.

We transfer your personal data to Volkswagen Group companies (known as processors) used and commissioned by us to provide services (e.g. IT services).

The following Group companies support us in data processing:

• Volkswagen Group IT Services GmbH, Wolfsburg
• Volkswagen Group Services GmbH, Wolfsburg
• Volkswagen Servicios de Administración de Personal, S.A. de C.V., Puebla
• Volkswagen India Pvt. Ltd., Pune

We have concluded a processing contract with each of our processors that includes corresponding EU standard contractual clauses for the transfer of personal data to processors in third countries (as a suitable safeguard for data processing in non-European countries). You can access these EU standard contractual clauses at EUR-Lex - 32021D0914 - EN - EUR-Lex (europa.eu).

Furthermore, we transfer your personal data to other Group companies who work with us as data controllers within the scope of their professional/business activities insofar as this is necessary to perform the data processing activities described above. This takes place as part of the joint control.

When using the B2B-UMS, your personal data is also transferred to Volkswagen Group companies outside the European Union or the European Economic Area.

Group companies in third countries only participate in the B2B-UMS insofar as a sufficient level of data protection in the third country is ensured pursuant to the adequacy decision by the European Commission or appropriate safeguards can be provided (e.g. data protection contracts using the standard data protection clauses of the European Commission) to ensure the appropriate protection of your personal data. Within the framework of the agreements on joint control within the meaning of Article 26 GDPR, an appropriate, uniform data protection level is guaranteed through the standard data protection clauses of the European Commission. A copy of these safeguards will be provided on request. To make such a request, please use the contact options listed in the “Contact persons” section.

When you visit the B2B-UMS, cookies, i.e. small files with configuration information, are stored on your end device. These are only the cookies that are technically required to ensure the functionality of the B2B-UMS.

Processing of the function cookies is necessary to enable you to visit the website (see Article 6 (1) (b) GDPR).

Further information can be found in the cookie guidelines of the B2B-UMS.

You may exercise the following rights vis-à-vis Volkswagen AG at any time, free of charge. Please see sections E and F for further information about exercising your rights.

Right of access/information: You are entitled to receive information (Article 15 GDPR) from us relating to the processing of your personal data.

You have the right to request that we rectify (Article 16 GDPR) any inaccurate or incomplete personal data that concerns you.

Right to erasure: You have the right to have your data erased if the conditions set out in Article 17 of the GDPR are met. According to this, you can demand, for example, that your data is erased if it is no longer necessary for the purposes for which it was collected. In addition, you can demand erasure if we process your data on the basis of your consent and you withdraw this consent.

You have the right to ask for a restriction of the processing of your data if the conditions set out in Article 18 of the GDPR are met. This is the case, for example, if you dispute the accuracy of your data. You can demand restriction of processing for the period during which the data is being checked.

You have the right to receive your data in a structured, commonly used and machine-readable format and transfer the data to another data processor, provided that data processing is based on consent or contract fulfilment and that automated processing methods are used.

Where data processing is based on consent, you have the right to withdraw your consent to data processing, with future effect, at any time free of charge.

You also have the right to lodge a complaint about our processing of your data with a supervisory authority (such as the Data Protection Commissioner for the State of Lower Saxony [Landesbeauftragte für den Datenschutz Niedersachsen]).

You can easily contact us at any time for information about your personal data using the following web form. You can easily view documents relating to you (e.g. a copy of your personal data) online in the download portal.

• Go to the web form
• Download portal login for data subjects

Our service for you: you can view B2B-UMS master data yourself

In addition, you can instantly and conveniently view your master data stored in the B2B-UMS, online, at any time. In addition to online access, you also have the option to download the information shown as an Excel file.

These service functions can be found in the B2B-UMS under the menu item “My Personal Data”.

Office for data subject rights for suppliers and partner company employees

Service hours
Monday to Friday from 8:00 to 16:00 (CET)

Contact
Tel.: +49 5361 - 9 - 46290
datenschutz@VWGroupSupply.com

The contact persons for exercising your rights and further information can be found on the following website:
https://datenschutz.volkswagen.de.

Our data protection officer is your contact person for matters relating to data protection:
Data Protection Officer, Volkswagen AG,
Berliner Ring 2, 38440 Wolfsburg, Germany
datenschutz@volkswagen.de