Data Protection Policy
li-x GmbH (“li-x”) is delighted that you have visited our website and thanks you for your interest in our company. We take the protection of your private data seriously and would like you to feel at ease when visiting our website.
Our data protection policy is intended to inform you about the data we collect during your visit at li-x GmbH and how this information is used.
Name and contact details of the responsible body and, if applicable, its/his/hers representative:
Executive Director: Dipl. Kfm. Boris Vöge
District Court of Hamburg HRB 130997
Contact details of the data protection officer:
Purposes for which the personal data are to be processed:
We collect, store and process personal data for the following purposes, if you voluntarily provide this information to us in the framework of your order or when you contact us:
- For purposes of processing the contract
- For our own marketing purposes
- For our statistics
Legal basis for the processing
The processing of your personal data is carried out on the following legal bases:
- On the basis of your consent, Art. 6 para. 1 (a) GDPR
- To fulfil a contract made with you, Art. para. 1 (b) GDPR
- Legitimate interests, Art. 6 para. 1 (f) GDPR (see below)
We process your information in furtherance of the following legitimate interests:
- To improve our offer, marketing
- Protection against misuse
Recipients or categories of recipients of the personal data
When processing your data, we work together with the following service providers, who have access to your data:
- Providers of Web analysis tools
Period for which the personal data will be stored:
We store your personal data,
- if you have consented to the processing, only until you revoke said consent,
- if we require the data to execute a contract, only until the end of the contractual relationship with you or as long as legal retention periods permit,
- if your personal data are used on the basis of a legitimate interest, only until your interest outweighs deletion or anonymisation.
We obtain the data from you (including the devices you use).
Data transmission to third countries
The data are transmitted to third countries outside the EU. The transmission is based on statutory contractual provisions that are intended to ensure adequate protection of your data and that you can look into upon request.
Right of information, rectification, erasure or right of limitation of processing or revocation to processing, as well as the right to data portability:
You have – partially under certain circumstances – the right,
- to request information about the processing of your data,
- to correct your data,
- to have your data erased or blocked,
- to restrict processing,
- to object to the processing of your data,
- to receive your data in a transferable format and to transmit said data to third parties,
- to withdraw your consent to the processing of your data in the future and
- to file a complaint with the responsible supervisory authorities about unlawful processing. The responsible supervisory authority is the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI).
Requirement or obligation to provide data
Unless specifically indicated, the provision of data is not a requirement or an obligation.
Order data processing
In the event that li-x processes the customer’s data on behalf of the respective customer, the parties shall simultaneously conclude the attached order processing contract.
Further information on data protection
Automatic storage of access data
Every time you visit our website, usage data are transmitted by your Internet browser and stored in log files known as server log files. The data sets stored in the process contain the following data: the domain from which the user accesses the website, date and time of access, IP address of the accessing computer, website(s) visited by the user in the context of the offer, amount of data transferred, browser type and version, operating system used, name of the Internet service provider, notification of whether the retrieval was successful. These log file datasets are analysed in an anonymised form, in order to improve the offer and to make it more user-friendly, to find and remove errors and to manage the capacity utilisation of servers.
Using the contact form on our website is the quickest and easiest way to get in contact with us. To make getting in contact with us possible, a few mandatory fields are marked as such. When you fill in the fields and select “Submit”, you consent to your data being sent to us along with the message by email. The data are not stored on the web server.
If you sign up for our newsletter, we use the data that is necessary, or separately provided by you, to send you our email newsletter on a regular basis. You can unsubscribe from the newsletter at any time. You can do so either by sending a message to the indicated contact point or via a link provided in the newsletter.
This website also uses so-called cookies. A cookie is a text file with an identification number that, together with the requested data, is transmitted to the user’s computer and stored there when the website is accessed. The file is stored there for later access and used to authenticate the user.
As cookies are only simple files and not executable programs, they pose no threat to your computer. Cookies do not contain personal data, which means your private information remains protected. Browsers accept these cookies automatically depending on the settings configured by the user. However, this setting can be changed and the storage of cookies disabled or configured so that the user is notified when a cookie is stored. In the case that cookies are disabled, however, some functions of the website may not be available or only to a limited extent.
The li-x website uses temporary (so-called “session”) cookies, i.e., cookies that are only valid for the period of a so-called “session” and that are automatically deleted when the browser is closed. li-x may have links to other websites where cookies may also be used.
Learn more about what cookies are and how you can delete them here::
Use of the “Google Analytics” analysis tool
Furthermore, you can also prevent Google Inc. from collecting and processing this information by downloading and installing the browser ad-on available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en
More information and ways to disable these ads can be found a http://www.google.com/settings/u/0/ads/anonymous?hl=de.
The newsletter is sent by means of the mailing service provider SendinBlue, a simplified limited company registered with the Commercial Registry of Paris under the number 498 019 298, headquartered in 55 Rue d’Amsterdam, 75008 Paris. The mailing service provider may use the data of the recipients in pseudonymous form, i.e., without assignment to a user, to optimise or improve their own services, e.g., for the technical optimisation of the sending and presentation of newsletters or for statistical purposes. However, the mailing service provider does not use the data of our newsletter recipients to approach them directly nor does the provider pass on the information to third parties.
The newsletters contain a so-called “web-beacon”, i.e., a pixel-sized file that, upon opening the newsletter, is retrieved from our server, or, if we have used a mailing service provider, from their server. In the framework of the retrieval, technical information such as your browser type and operating system, as well as your IP address and the time of retrieval, is collected. This information is used for technical improvement of the service, as technical data or target group data can be analysed according to their reading behaviour, their download locations (identifiable through IP addresses), or download times. Statistical data collection also includes an analysis of whether the newsletters are accessed, when they are opened, and the links that are clicked on. Although this information technically allows the tracking of individual newsletter recipients, neither we nor the shipping provider, if involved, are interested in watching the behaviour of individual users. Data analysis is more importantly used to recognise patterns in the reading behaviour of our users, and to adapt contents accordingly or send different content according to the interests of our users. SendinBlue’s data protection regulations can be found here: https://de.sendinblue.com/legal/privacypolicyeinsehen.
For dispatch of the newsletter, we also use the services of Getresponse Sp. z o.o., headquartered in Gdansk, Poland, ul. Arkonska 6, A3, 80-387 Gdansk.
Getresponse will only use your data to dispatch the newsletter and to evaluate this dispatch on our behalf. Furthermore, Getresponse will only use your data to improve our own service. Getresponse will neither use the data to contact you personally nor disclose your data to third parties. The data used by Getresponse contain a “web-beacon” that sends a notification to Getresponse when you open the newsletter and/or click on a link contained in said newsletter. In this case, information about your browser, your location and your IP address is transmitted to Getresponse. This information is used to help us optimise how we approach you.
For information on how Getresponse handles your data, please refer to the data protection policy of Getresponse: https://www.getresponse.co.uk/email-marketing/gb-legal/privacy.html.
We use Mouseflow, a service provided by Mouseflow ApS, Flaesketorvet 68, 1711 Copenhagen, Denmark. Mouseflow is an analysis tool that captures mouse clicks and movements, scroll movements and other metadata. The data are processed for the purpose of optimising our Internet offer. This service collects anonymised information about your IP address, the pages on our website that you visited and, if necessary, other data required by Mouseflow for the provision of the service. You can stop the collection of data by Mouseflow by obtaining an opt-out cookie here: https://mouseflow.de/opt-out This cookie effectuates that no visitor data will be collected and stored by Mouseflow when visiting this website. Note: If you delete your cookies, this means that the opt-out cookie also gets deleted and you may need to re-activate it.
For more information on data protection and the cookies used at Mouseflow, please visit the Mouseflow website: https://mouseflow.de/privacy.
We use Salesviewer on our website. Salesviewer collects data for marketing, marketing research and optimisation purposes.
Usage profiles under a pseudonym can be created from these data. This uses a so-called Tracking Script, which serves to collect company-related data. The data collected using these technologies are not used to personally identify the visitor of this website without the explicit consent of the data subject and are not connected to any personal data of the pseudonym carrier.
Data collection and storage can be objected to at any time with effect in the future, by clicking on this link https://www.salesviewer.com/opt-out. This prevents SalesViewer from collecting any data on this website in the future by saving an opt-out cookie for this website on your device. If you delete the cookies in this browser, you will need to click on the link again.
If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provided there, will be stored in order to process the request and in case of follow-up questions We will not disclose these data without your permission.
We use the services of Contact Form 7 for our contact form. Their data protection policy can be found here: https://contactform7.com/privacy-policy.
For our support system, we use the established software from Zendesk, Zendesk, Inc., 989 Market Street #300, San Francisco, CA 94102, USA. Zendesk is a certified member of the Safe Harbor Privacy Agreement and thus meets the minimum requirements for lawful processing of data pursuant to European standards.
Further details can be found at: https://www.zendesk.de/datenschutzrichtlinie
Order Data Processing
– Responsible party – hereinafter referred to as ‘Client’ –
li-x GmbH, Barmbeker Str. 2, 22303 Hamburg, Germany
– processors, hereinafter referred to as ‘Contractor’ –
1. Subject and duration of the contract
The subject of the order for data handling is the performance of the following tasks by the contractor:
Software license management
Administration of customer accounts
Customer Service and Support
Execution and documentation of license transfers
Provision of license information and documents
(2) Duration / Termination and Exceptions
The order is placed for an indefinite period and can be terminated by either party with a notice period of 3 months. The possibility of termination without notice remains unaffected.
The storage and use of information for the documentation of the rights chain of software licenses and associated documents is explicitly excluded from termination. This information and data may also be used by the Contractor after termination to perform its services for third parties. The general terms and conditions of li-x GmbH apply.
2. Concretisation of the order content
Nature and purpose of the proposed processing of data
The subject matter of the contract is described as follows with regard to the nature and purpose of the contractor’s tasks:
The Customer may use the Contractor’s platform to purchase and administer software licenses and, for example, to transfer them to its customers. For this purpose, the client creates customers in the platform and systematically transfers licenses to them.
The contractor stores this address information of the client’s customers in an SQL database. The transfer details are also stored there. Transfer documents which contain the company name and contact person as well as the transfer details are created and stored by the contractor.
The provision of the contractually agreed data processing takes place exclusively in a member state of the European Union. Any relocation to a third country requires the prior consent of the client and may only take place if the special requirements of Art. 44 et seq. of the German Civil Code are met. DS-GVO are fulfilled. The appropriate level of protection in a third country is established by standard data protection clauses (Art. 46 para. 2 litt. c and d DS-GVO).
(2) Type of data
The processing of personal data is subject to the following types/categories of data
person master data
Communication data (e.g. telephone, e-mail)
Contract master data (contractual relationship, product or purchase information)
Customer history (rights chain)
(3) Categories of data subjects
The categories of data subjects to be processed shall include:
Employees of the client
3. Technical-organisational measures
(1) The contractor shall document the type and scope of data order processing as well as the necessary technical and organisational measures prior to commencement of processing, in particular with regard to the concrete execution of the order, in advance of awarding the contract and hand them over to the customer for inspection. If accepted by the client, the documented measures become the basis of the order. If the customer’s inspection/audit reveals a need for adjustment, this shall be implemented by mutual agreement.
(2) The Contractor shall provide security in accordance with Art. 28 para. 3 lit. c, 32 DS-GVO, in particular in conjunction with Art. 5 para. 1, para. 2 DS-GVO. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. In doing so, the state of the art, the implementation costs and the type, scope and purpose of the processing as well as the different probability of occurrence and severity of the risk for the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 DS-GVO shall be taken into account [details in Annex 1].
(3) The technical and organisational measures are subject to technical progress and further development. In this respect, the contractor is permitted to implement alternative adequate measures. The safety level of the specified measures may not be undercut. Material changes shall be documented.
4. Correction, restriction and deletion of data
(1) The contractor may not rectify, delete or restrict the processing of the data processed on behalf of the client without authorisation but only in accordance with documented instructions from the client. If a person concerned directly contacts the Contractor in this respect, the Contractor shall forward this request to the Customer without delay.
(2) As far as included in the scope of services, the deletion concept, right to be forgotten, correction, data portability and information are to be ensured directly by the contractor according to documented instructions of the client.
5. Quality assurance and other duties of the contractor
In addition to compliance with the provisions of this contract, the Contractor shall have statutory obligations pursuant to Art. 28 to 33 DS-GVO; to this extent, the Contractor shall in particular ensure compliance with the following requirements:
Written appointment of a data protection officer who performs his duties in accordance with Art. 38 and 39 DS-GVO. Dr. Frank Eickmeier, address and contact details have been ordered from the contractor as data protection officer. The customer must be informed immediately of any change in the data protection officer.
The maintenance of confidentiality pursuant to Art. 28 para. 3 S. 2 lit. b, 29, 32 para. 4 DS-GVO. When carrying out the work, the contractor shall only employ employees who are obliged to maintain confidentiality and who have been familiarised beforehand with the relevant data protection provisions. The contractor and any person subordinate to the contractor who has access to personal data may only process these data in accordance with the instructions of the client, including the powers granted in this contract, unless they are legally obliged to do so.
The implementation of and compliance with all technical and organisational measures required for this contract pursuant to Art. 28 para. 3 sentence 2 lit. c, 32 DS-GVO [details in Annex 1].
Upon request, the contracting authority and the contractor shall cooperate with the supervisory authority in the fulfilment of their tasks.
Immediate information of the contracting authority on control actions and measures of the supervisory authority, insofar as they relate to this contract. This shall also apply if a competent authority investigates the processing of personal data by the Contractor in the course of administrative offence or criminal proceedings.
Insofar as the Customer is subject to inspection by the supervisory authority, administrative offence or criminal proceedings, the liability claim of a person concerned or a third party or any other claim in connection with the processing of the order by the Contractor, the Contractor shall support the Customer to the best of its ability.
The contractor shall regularly monitor the internal processes as well as the technical and organisational measures to ensure that the processing in his area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the rights of the data subject are protected.
Verifiability of the technical and organisational measures taken vis-à-vis the client within the scope of his control powers in accordance with Clause 7 of this contract.
6. Subcontracting relationships
(1) For the purposes of this regulation, subcontracting shall mean services which relate directly to the provision of the principal service. This does not include ancillary services which the Contractor uses e.g. as telecommunications services, postal/transport services, maintenance and user services or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Contractor shall be obliged to take appropriate and legally compliant contractual agreements and control measures to guarantee the data protection and data security of the Customer’s data even in the case of outsourced ancillary services.
(2) The passing on of orders to subcontractors within the scope of the activities agreed in the order is permissible. The Contractor shall carefully select subcontractors according to their suitability, in particular with regard to the requirements of the DS-GVO, and check them regularly. Furthermore, the Contractor shall agree with the subcontractors an agreement on order processing in accordance with this agreement. The Contractor shall inform the Client in advance of any intended change with regard to the involvement or replacement of subcontractors, which shall give the Client the opportunity to object to such change. If no objection is raised within 14 days of notification, the approval of the amendment shall be deemed to have been given.
(3) The passing on of the Client’s personal data to the subcontractor and his first action are only permitted when all prerequisites for subcontracting have been met.
(4) If the subcontractor renders the agreed service outside the EU/EEA, the contractor shall ensure that it is permissible under data protection law by taking appropriate measures. The same shall apply if service providers within the meaning of para. 1 S. 2 are to be used.
(5) Any further outsourcing by the subcontractor requires the express consent of the main client (at least in text form). All contractual regulations in the contract chain must also be imposed on the further subcontractor.
7. Control rights of the client
(1) The Customer shall have the right to carry out inspections in consultation with the Contractor or to have them carried out by inspectors to be appointed in individual cases. He has the right to convince himself of the observance of this agreement by the contractor in his business operations by means of spot checks, which as a rule must be notified in good time.
(2) The Contractor shall ensure that the Customer can satisfy himself that the obligations of the Contractor under Art. 28 DS-GVO have been complied with. The Contractor undertakes to provide the Customer with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organisational measures.
(3) Evidence of such measures, which do not only concern the specific order, can be provided by compliance with approved rules of conduct pursuant to Art. 40 DS-GVO; certification in accordance with an approved certification procedure pursuant to Art. 42 DS-GVO; current certificates, reports or extracts from reports by independent bodies (e.g. auditors, auditors, data protection officers, IT security department, data protection auditors, quality auditors); suitable certification by an IT security or data protection audit (e.g. in accordance with BSI-Grundschutz).
(4) The Contractor may assert a claim for remuneration for the facilitation of controls by the Client.
8. Notification in case of violations by the contractor
(1) The Contractor shall assist the Client in complying with the obligations set out in Articles 32 to 36 of the DS-GVO regarding the security of personal data, reporting obligations in the event of data breakdowns, data protection impact assessments and prior consultations. These include, but are not limited to
Ensuring an adequate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing as well as the predicted probability and severity of a possible breach of rights due to security gaps and enable an immediate detection of relevant breach events.
the obligation to report violations of personal data to the client without delay
the obligation to assist the contracting authority within the framework of its duty to inform the data subject and to make all relevant information available to the data subject without delay in this connection
the support of the client for his data protection impact assessment
the support of the client within the framework of prior consultations with the supervisory authority
(2) The contractor may claim remuneration for support services which are not included in the service description or which are not attributable to a misconduct on the part of the contractor.
9. Authority of the client to issue instructions
(1) Oral instructions shall be confirmed by the client without delay (at least in text form).
(2) The contractor shall inform the customer immediately if he is of the opinion that an instruction violates data protection regulations. The Contractor shall be entitled to suspend the execution of the corresponding instruction until it has been confirmed or amended by the Customer.
10. Deletion and return of personal data
(1) Copies or duplicates of the data shall not be made without the knowledge of the Customer. Excluded from this are backup copies insofar as they are necessary to guarantee proper data processing, as well as data which are necessary with regard to compliance with statutory storage obligations.
(2) Upon completion of the contractually agreed work or earlier upon request by the Customer – at the latest upon termination of the performance agreement – the Contractor shall hand over to the Customer all documents, processing and usage results as well as data stocks which have come into his possession and which are connected with the contractual relationship, or destroy them in accordance with data protection regulations after prior consent. The same applies to test and scrap material. The storage and use of information to document the rights chain of software licenses and associated documents is explicitly excluded from termination. This information and data may also be used by the Contractor after termination to provide its services for third parties. The deletion protocol shall be submitted upon request.
(3) Documentations which serve as proof of the orderly and proper data processing shall be kept by the contractor in accordance with the respective retention periods beyond the end of the contract. He may hand them over to the Customer at the end of the contract for his relief.