The purpose of this Data Privacy Statement (“Statement“) is to provide information to the Users of the LeanIX workspaces as to the type of information the LeanIX software may process on behalf of the controller (i.e. the customer), as well as how such information may be used and the relevant data subject rights.
This Statement explains the following:
- Who is Data Controller?
- What is the scope of processing?
- What are the rights of a User?
Data Controller in terms of the LeanIX software is, if you are not an employee or a contractor of LeanIX, the Customer of LeanIX you are employed with or contracted by.
If you have difficulties in finding out who your Data Controller is and, respectively, its Data Protection Officer, please refer to [email protected].
If you are not employed or contracted by any customer of LeanIX, the Data Controller is:
LeanIX GmbH, Friedrich-Ebert-Allee 37-39, 53113 Bonn, Germany
Contact email: [email protected]
Data Protection Officer of LeanIX is Andreas Schmidt, c/o postal address above (refer to Data Protection Officer, personally)
Personal master data: name, surname, profile picture (optional), user role in the software, subscriptions of objects, e-mail address
- Purpose: user management, functions in the software such as subscriptions of objects
Communication data type: e-mail, user activity in the software, browser identification, IP address
- Purpose: user management, functions in the software such as notifications, error analysis, quality assurance of the operation and the faultlessness of the software, user support and information about news, individual user training
ONLY FOR SMP PRODUCT
Data from Google Workspace admin directory. The LeanIX SMP Google OAuth client is accessing users from your Google Workspace admin directory in addition, and retrieves usage metrics for individual Google services from usage reports. Usage reports are used by an application to get the last login for the users on Google Workspace. The application is also accessing the metadata of your organization to retrieve required data from your Google Workspace account.
Purpose: functions in the software
The Data Controller takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.
The Data processing is carried out using computers and/or IT-enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Data Controller, the Data may be accessible to certain types of external parties (such as third-party technical service providers, hosting providers, or IT companies) appointed, if necessary, as Data Processors by the Data Controller. The updated list of these parties may be requested from the Data Controller at any time.
Legal basis is the respective contract between the Data Subject and the Controller (Art. 6 (1)(c) GDPR).
Unless LeanIX is the Data Controller, the data processing occurs in order to fulfill the SaaS contract between the Data Controller and LeanIX.
Hosting - The Data is hosted in the hosting region chosen by the Data Controller as it subscribed for the LeanIX software. To know which data region has been chosen by your Data Controller, please contact your Data Controller. Among others, LeanIX offers as hosting regions
- Netherlands + Ireland
- United Kingdom
Further places of processing - The Data is then accessed and processed at the Data Controller's operating offices and in any other places where the parties involved in the processing are located. That might include LeanIX subprocessors.
Subprocessors - LeanIX relies on subprocessors for processing Data. To learn where such subprocessors are located, what is the purpose of the transfer towards this subprocessors and what are the safeguards that we have put in place to ensure that any data processing is executed in accordance with applicable legislations, please visit https://www.leanix.net/en/legal/list-of-subprocessors.
Personal Data shall be processed and stored for as long as required by the purpose they have been collected for.
In due course, Personal Data will be deleted 30 days upon expiration or termination of the contract between Data Controller and LeanIX at the latest.
Once the retention period listed above expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification, and the right to data portability cannot be enforced after the expiration of the retention period.
Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.
Users have the right to learn if Data is being processed by the Data Controller, obtain disclosure regarding certain aspects of the processing, and obtain a copy of the Data undergoing processing.
Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.
Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, the Data Controller will not process their Data for any purpose other than storing it.
Users have the right, under certain circumstances, to obtain the erasure of their Data from the Data Controller. To do so, they shall submit a request to LeanIX Customer Support.
Users have the right to receive their Data in a structured, commonly used and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance.
Users have the right to bring a claim before their competent data protection authority.
Any requests to exercise User rights can be directed to the Data Controller through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Data Controller as early as possible and always within one month.
The User's Personal Data may be used for legal purposes by the Data Controller in court or in the stages leading to possible legal action arising from improper use of this Application or the related Services.
The User declares to be aware that the Data Controller may be required to reveal personal data upon request of public authorities.
More details concerning the collection or processing of Personal Data may be requested at any time. Please see the contact information at the beginning of this document.
Updated about 2 months ago