<Name of NSC> (“<Name of NSC>”) provides services through a number of different parties in <Country of NSC>.

<Name of NSC> coordinates the BMW business in <Country of NSC>: it appoints dealers and agents, deals with second level support and technical issues, operates the BMW.xy website, MyBMW accounts and the ConnectedDrive Service and promotes the BMW brand.

Financial services are provided through separate companies, BMW Financial Services Limited <Name of NFSC> and Alphabet Limited <Name of Alp>.

Dealers, unless stated otherwise, are independent businesses and not part of the BMW Group, but operate using the BMW brand under license to sell and service BMW vehicles.

BMW AG is the parent company of the BMW Group and provides much of the IT infrastructure through the above mentioned companies. Dealers provide services to customers and third level support for technical issues.

<Name of NSC> is responsible for, and “the data controller” of, your information that it receives through the BMW.xy website, MyBMW account, ConnectedDrive Service, and through dealing with any second level support and technical issues.

BMW <NFSC> are the data controllers of the information which is used to grant and provide finance to you. BMW <Alp> are the data controllers of the information used to provide corporate customers fleet management services.

Dealers are data controllers of information about you that you and in addition <Name of NSC> provides them in relation to your sales and service requests.

BMW AG is generally a service provider or data processor to the above mentioned parties. However, BMW AG is in addition the data controller for information received through the usage of the Connected App as well as a joint data controller for the technical provisioning of ConnectedDrive Services.

All of the controllers listed above will ensure with reasonable effort that any questions related to processing by any other controllers as listed above are routed to the correct controller for response.

Although this Privacy Policy describes some of the uses of your information made by Dealers, Dealers may collect other information relating to you and have their own privacy policies that set out how they use information which you should consult. The myBMW Self Service Portal – see also: How to see and change your privacy preferences in myBMW Self Service Portal - cannot be used to change preferences in respect of Dealer’s use of your information. You must liaise directly with the Dealer in respect of any such changes or questions relating to their use of your information. References to “we” in this Privacy Policy are to <Name of NSC>, BMW FS and BMW AG and do not include Dealers.

The contact details of each of the controllers listed above and their data protection officers can be found [here] – [link: Company and Data Privacy Officer Contact Details].

BMW companies in <Country of NSC> process your personal information amongst others in the following occasions:

If you contact us directly e.g. via the BMW.xy website or via our customer hotlines to request information about our products and services.
If you buy a product or service directly from us (e.g. BMW lifestyle shop or ConnectedDrive store at our web site).
If you reply to our direct marketing campaigns, e.g. filling out a response card or entering data online at one of our web sites.
If your contact details are transferred from authorised dealers or other third parties with your permission.
If your vehicle data (incl. vehicle identification number) are transferred to BMW AG while you’re having your vehicle serviced or repaired at e.g. authorized dealers.
If other BMW Group legal entities or business partners permissibly transfer your personal data to us.
If we acquired your personal data from other sources (e.g. commercial address brokers).

If you give information on behalf of someone else you must ensure that they have been provided with this privacy policy before doing so. If you are under 16 please do not provide us with any of your information unless you have the permission of your parent or guardian to do so.
Please help us to keep your information up to date by informing us of any changes to your contact details or preferences.

The following types of information about you may be collected through the various services and contact channels described in this Privacy Policy:

  • Contact Details: name, address, phone numbers, email address.
  • Interests: information you provide us about your interests, including the type of vehicles you are interested in.
  • Site & Communication Usage: how you use our site and whether you open or forward our communications, including information collected through cookies and other tracking technologies (our Cookies Policy found [here] [link: Cookie Policy] set out details).
  • Sales and Services Information: information relating to purchases, support and service, including complaints and claims.
  • Credit and Anti-Fraud Information: information which establishes your identity, such as driving licences, passports and utility bills; information about transactions, requests for credit and non-payment of debts with us and third parties and credit ratings from credit reference agencies; fraud, offences, suspicious transactions, politically exposed person and sanctions lists where your details are included.
  • Device and Service Usage: how you use your device (mobile or vehicle) and service offered on the device.
  • Vehicle Configuration Details: information about the features and current settings of your vehicle (identified by the Vehicle Identification Number).
  • Vehicle Technical Information: information about how the engine and systems within the vehicle are, or have been, performing.
  • Vehicle / Device Location Information: your vehicle’s or mobile device’s location.
     

Use of personal information under EU data protection laws must be justified under one of a number of legal “grounds” and we are required to set out the grounds in respect of each use in this policy. An explanation of the scope of the grounds available can be found [here] –[link: legal grounds for processing of personal data] . We note the grounds we use to justify each use of your information next to the use.

Customer Support and Marketing - to respond to enquiries and to bring you news and offers:

<Name of NSC> collects Contact Details, Interests, Site & Communications Usage and may use Sales and Service Information that it receives from you through the BMW.xy website, MyBMW accounts and the ConnectedDrive Service or via the Dealer and information about when your current finance product expires to determine what news and offers are most likely to interest you and to contact you in relation to those offers in accordance with you marketing preferences (can be changed in the myBMW Self Service Portal). <Name of NSC> may share this information with Dealers to follow up on your requests and to make more specific offers to you.


Use justification: Consent, legitimate interest [link: legal grounds for processing of personal data]

Legitimate interest: Short statement on legitimate interests pursued by the controller or by a third party (see example in section Quality Assurance).

Choice: Marketing consent for channel and analytics may at any time be withdrawn.


Vehicle Sales & Service - to process your sale, configure and service your vehicle:

Dealers will obtain Contact Details, Vehicle Configuration Details, Vehicle Technical Information and Sales and Services Information when you purchase, service or repair a vehicle from or with them as part of the sale or service and will use it to provide the services you request and notify you of issues in relation to your vehicle. This information may be accessed by BMW <NSC> and BMW AG to troubleshoot technical or other issues relating to the delivery of these services.

The above mentioned controllers may also receive limited Vehicle Location Information during the repair process which will be used only in accordance with the Location Information Safeguards [link: Location Information Safeguards]

Use justification: Contract performance; legitimate interests [link: legal grounds for processing of personal data].

Legitimate interest: Short statement on legitimate interests pursued by the controller or by a third party (see example in section Quality Assurance).

Choice: Customer my object to processing of personal data

 

Vehicle Finance - to assess your eligibility for finance and administer its repayment:

BMW FS will obtain Credit and Anti-Fraud Information from you, credit reference agencies and fraud prevention agencies for the purposes of verifying your identity, complying with its anti-money laundering duties, determining your eligibility for credit and to administer its repayment. This may also involve it obtaining details of your financial associates (a person with whom you have or have had joint personal financial arrangements with). If you give BMW FS false or inaccurate information it will record this. When you ask for credit BMW FS may share any of the preceding information, the request for credit and its response with credit reference agencies. These agencies may share it with other lenders as part of a reciprocal credit analysis and anti-fraud scheme and who may take such information into account in relation to their lending or fraud detection decisions. BMW FS may also share this information with debt recovery agents. Important further information about how this information is used is set out [here][link: FLA approved CRA and Fraud Prevention Agencies wording]. You must read this information before applying for finance.

Some applications may be automatically rejected due to our automated credit or anti-fraud filters. Wherever your application is rejected you may explain your position to BMW FS and BMW FS will reconsider the position if the rejection decision was undertaken without human intervention.

BMW FS does not share this information with Dealers, <Name of NSC> or BMW AG, except the fact that you have taken out a finance option on a vehicle and the date that the option expires or is terminated.

Use justification: Contract performance; legitimate interests [link: legal grounds for processing of personal data].

Legitimate interest: Short statement on legitimate interests pursued by the controller or by a third party (see example in section Quality Assurance).

Choice: Object to processing

 

ConnectedDrive - to provide digital services in the vehicle:

<Name of NSC> and BMW AG receive Contact Information, Vehicle Location Information as well as Device and Service Usage Information which they use in accordance with the detailed service descriptions for each element of the services set out [here] [link: ConnectedDrive privacy notice]and the Location Information Safeguards [link: Location Information Safeguards]. The detailed service descriptions also set out any disclosures to third parties which only use the information to provide the service.

Where you use a third party application, for example Spotify in conjunction with BMW Online entertainment, you will be presented with their terms of service and privacy policy before you are able to use that application. The operator of that third party application will be the data controller of any of your information that is accessed or input through that application. It will set out how it uses your information in its privacy policy and other notices as well as consents that it provides or obtains through the application. We are not responsible for that use.

Use justification: Contract performance; legal obligation (EU eCall service).

Choice: Cancelling of ConnectedDrive contract and/or deactivation of SIM card.

 

Connected App - to provide digital services relating to the vehicle through a mobile device:

BMW AG will obtain Contact Information, Device and Vehicle Location Information as well as Device and Service Usage Information through the provision of these services which it uses in accordance with the detailed service descriptions for each element of the services set out [here][link: BMW connected privacy notice] and the Location Information Safeguards [link: Location Information Safeguards].

Where you use a third party application, for example Amazon Echo or Spotify, you will be presented with their terms of service and privacy policy before you are able to use that application. The operator of that third party application will be the data controller of any of your information that is accessed or input through that application. It will set out how it uses your information in its privacy policy and other notices as well as consents that it provides or obtains through the application. We are not responsible for that use.

Use justification: Contract performance; consent

Choice: De-installation of App from device, withdraw consent within App.

 

Quality Assurance, Research and Development - to improve our products and services:

BMW AG may use any of the information that it receives through the provision of services to <Name of NSC>, Dealers [and BMW FS] (including Location Information) in de-personalised form for product and service quality assurance and development purposes. Before any such use is undertaken your information will be de-personalized so it can’t be directly linked back to you.

Use justification: Legitimate interests (to anonymise the information)

Legitimate interest BMW legitimate interest to provide premium products and services meets the interests of the customer and is therefore in alignment with the GDPR. In order to process customer data based on Art. 6 lit. f) GDPR legitimate interest the fundamental rights and the freedoms of the customer were weighted against the interest of BMW to process the customer’s data. Customer actually expect premium quality and premium function of BMW’s products and services. In order to fulfill those expectation continuous monitoring and improvement of quality as well as development or new products and services is necessary. To mitigate the potential risks and enhance the protection of the individuals’ interests, additional safeguards and controls are implemented as needed, such as strict data access, data use limitations, security measures, retention schedules, as well as data minimization including as appropriate data, and pseudonymization.

This processing is based on the legitimate interest of BMW to fulfill the high expectation of our customers regarding the quality of our current premium products and services as well as their desires for new innovative solutions.

 

Choice: [Opt out option in myBMW Self Service Portal]


Compliance with binding requests for your information – to comply with our legal obligations to law enforcement, regulators and the court service:

All the controllers are subject to the laws in the countries in which they operate and must comply with those laws. This includes to provide your information to law enforcement agencies, regulators and courts and third party litigants in connection with proceedings or investigations anywhere in the world, where compelled to do so. Where permitted, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime.

Use justification: Legal obligation, defence of legal claims, legitimate interests.

Legitimate interest: Short statement on legitimate interests pursued by the controller or by a third party … to cooperate with law enforcement and regulatory authorities. (see example in section Quality Assurance).

Choice: None

 

Transfer to 3rd Parties

Personal data which we collected e.g. to fulfill ConnectedDrive Services may be transferred to 3rd parties on your behalf and with your consent only to e.g. execute a pay-as-you drive insurance contract . Further details can be found [here] [Link: www.bmw-connecteddrive.fr/bmwcardata].

We use a variety of security measures, including encryption and authentication tools, to help protect and maintain security, integrity and availability of your information.

Although data transmission over the Internet or website cannot be guaranteed to be secure from intrusion, we and our subcontractors and business partners work hard to maintain physical, electronic and procedural safeguards to protect your information in accordance with applicable data protection requirements. We use amongst others measures such as:

  • tightly restrict personal access to your data on a „need to know“ basis and for the communicated purpose only,
  • transfer collected data only in encrypted form,
    store highly confidential data - e.g. credit card information - only in encrypted form,
  • firewalling IT systems to prohibit unauthorized access e.g. from hackers and
  • permanently monitor access to IT systems to detect and stop misuse of personal data.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website or any other portal, app or service we operate, you are responsible for keeping this password confidential and for complying with any other security procedures that we notify you of. We ask you not to share a password with anyone.

 

Location Information Safeguards

Certain services can only be offered where you disclose your location or the location of your vehicle. We take the confidentiality of that location information very seriously.

The following safeguards are applied to Location Information (including information accessed as part of the vehicle service process):

  • It is only kept in a form associated to you or your vehicle for as long as necessary to fulfil the purpose consented to.
  • It is only obtained or accessed in that form where necessary to provide the service requested or where we are obliged to retain and/or provide the information by law (and where we are required to provide the information to law enforcement or any other third party, we will - notify you unless to do so would prejudice the prevention or detection of a crime or we are not permitted to do so).
  • Vehicle Location Information and Device Location Information are not linked unless necessary to provide the service requested.
  • Any other use of Location Information for analytics purposes will be undertaken on irreversibly anonymised data sets.

We and the Dealer may have access to Vehicle Location Information and BMW AG may have access to Device Location Information through the services they provide (e.g. ConnectedDrive).

You will have been provided with a detailed description of the location information obtained to provide a location information dependent service when you initially purchased the vehicle or activated or configured the service or application (e.g. ConnectedDrive or Connected App). You can control whether we continue to hold or collect that information through the MyBMW Self Service Portal so future location information ceases to be collected. Please note that we may not be able to provide certain features of our services to you if you limit the collection of your location information.

 

We retain your information only as long as is necessary for the purpose for which we obtained them and any other permitted linked purposes (for example, where relevant to the defence of a claim against us). So if information is used for two purposes we will retain it until the purpose with the latest period expires; but we will stop using it for the purpose with a shorter period once that period expires.

We restrict access to your information to those persons who need to use it for the relevant purpose.

Our retention periods are based on business needs and your information that is no longer needed is either irreversibly anonymised (and the anonymised information may be retained) or securely destroyed.

Use for marketing: In relation to your information used for marketing purposes, we may retain your information for that purpose for [X months] after, the date we last obtained a consent to market to you, or, the date you last responded to a marketing communication from us (other than to opt out of receiving further communications).

Use to perform a contract: In relation to your information used to perform any contractual obligation with you we may retain that data whilst the contract remains in force plus [X years] to deal with any queries or claims thereafter.

ConnectedDrive and Connected App: we set out how long we retain Vehicle Location Information [and Device Information] in relation to each service in the service descriptions [here] [link: ConnectedDrive and Connected App service descriptions].

Where claims are contemplated: in relation to any information where we reasonably believe it will be necessary to defend or prosecute or make a claim against you, us or a third party, we may retain that data for as long as that claim could be pursued.

[Add others if needed…]

BMW is a global company. Your personal information may be accessed by our staff, agents or contractors from a country outside the European Economic Area (EEA) for any of the purposes set out, in which data protection laws may be of a lower standard than in the EEA. We will ensure that any of your information that is accessible outside the EEA is handled subject to appropriate safeguards.

Certain countries outside the EEA, such as Canada and Switzerland, have been approved by the European Commission as providing essentially equivalent protection to EEA data protection laws and therefore no additional legal safeguards are required. In countries which have not had such approval, such as India or Japan, we will either ask for your consent to the transfer or transfer it subject to European Commission approved contractual terms that impose equivalent data protection obligations directly on the recipient unless we are permitted under applicable data protection law to make such transfers without such formalities.

Please contact us [here] [link: Company and data protection officer] if you would like to request to see a copy of the specific safeguards applied to the export of your information.

<Name of NSC> and BMW AG use a range of service providers to assist them to provides the services and uses listed. BMW AG provides IT and storage services to the controllers in respect of the majority of these uses and therefore stores the majority of your information detailed above on the controllers’ behalves.

Although data transmission over the Internet or website cannot be guaranteed to be secure from intrusion, we and our subcontractors and business partners work hard to maintain physical, electronic and procedural safeguards to protect your information in accordance with applicable data protection requirements.

All your information is stored on our or our subcontractors’ or business partners’ secure servers (or secure hard copies) and accessed and used subject to our security policies and standards (or equivalent standards of our subcontractors or business partners).

You can change your preferences in relation to <Name of NSC>, BMW FS <NSC> and BMW AG use your information by adjusting the settings through your MyBMW account, ConnectedDrive account or Connected App via the following link [link: www.mybmw.xy/privacysettings}.
The myBMW Self Service Portal cannot be used to change preferences in respect of the Dealer’s use of your information. You must contact your Dealer directly in respect of any such changes or questions relating to the Dealer’s use of your information.

In the myBMW Self Service Portal you have access to the following information and where possible to modify them:

  • Update my details – access your profile here
  • Marketing communication consent – choose your preferred method of communication
  • Marketing Analytics consent – allow analytics to receive personalized marketing campaigns
  • Link to BMW CarData – View and download/transfer your vehicle data
  • Request Information – which personal data of yours is stored
  • Subject Access Rights – information on how to execute subject access rights.


[add or remove as necessary]

If you have any questions in relation to our use of your information you should first contact our customer support hotline via email customer_service@bmw.xy or via telephone: xxxxxxxxx (Mon. – Sun. from 08:00 to 20:00). In addition you may contact the responsible data privacy officer listed [here] [link: company and data privacy officer].

Under certain conditions you may have the right to require us to

  • provide you with further detail on the use we make of your information,
  • provide you with a copy of information that you have provided to us,
  • update any inaccuracies in the information we hold,
  • to delete any information we no longer have a lawful ground to use, 
  • where processing is based on consent and in relation to any direct marketing to withdraw you consent so that we stop that particular processing,
  • to object to any processing [,including profiling,] based on the legitimate interests ground unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights,
  • restrict how we use your information whilst a complaint is investigated.

Your exercise of these rights is subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege). If you exercise any of these rights we will check your entitlement and respond in most cases within a month.

If you are dissatisfied with our use of your information or our response to any exercise of these rights you have the right to complain to your data protection authority [link to corresponding data protection authority: CNIL, ICO, BayLda…].