In this Data Protection Notice (Privacy Policy) according to Article 13, 14 GDPR we are informing you about the processing of your personal data by AUDI AG, Auto-Union-Straße 1, 85045 Ingolstadt ("we") in the context of Privacy Portal of the AUDI AG.

 

On this website you can request information about your personal data processed by the AUDI AG in accordance with Article 15 GDPR via web form.

 

Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Processing means any operation or set of operations performed with or without the aid of automated processes in connection with personal data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

 

1. Who is responsible for data processing and whom can I contact?

 

The entity responsible for the processing of your personal data (the controller) is:

AUDI AG, Auto-Union-Straße 1, 85045 Ingolstadt.

 

If you have concerns about data protection, you can also contact our company's data protection officer:

AUDI AG Datenschutzbeauftragter, Auto-Union-Straße 1, 85045 Ingolstadt

E-Mail: datenschutz@audi.de

 

If you have any general questions about this data protection notice or the processing of your personal data by AUDI AG, please use the following contact options:

AUDI AG
DSGVO-Anfrage
Postfach 600108
14401 Potsdam

 

If you no longer wish your request to be processed by AUDI AG, you have the option of cancelling your request at the following postal address:

AUDI AG
DSGVO-Anfrage
Postfach 600108
14401 Potsdam

 

 

2. What data do we process and what sources do such data come from?

2.1 Access to the website

 

In general you can use the website for login without providing any personal data. However, registration for the event requires the entry of personal data (see section 2.2).

Each time you access the website, your Internet browser automatically transmits certain information, which we store in so-called “log files”.

 

In particular, the following information are transmitted automatically:

  • IP address (Internet Protocol address) of the terminal from which the online service is accessed;
  • Internet address of the website from which the online service was accessed (the so-called “source URL” or “referrer URL”);
  • Name of the service provider used to access the online offer;
  • Name of the files or information retrieved;
  • Date and time as well as duration of the retrieval;
  • Transferred data volume;
  • Operating system and information about the Internet browser used, including installed add-ons (e.g., Flash Player);
  • http status code (for example, “request succeeded” or “requested file not found”).

 

In the log files, the above data is stored without your complete IP address, so that it is not possible to trace back to your IP address.

 

 

2.2 Use of the website / data provided by you

 

 

The following explains the purpose for which your personal data is required in the context of an data subject request:


Name: Your full name shall be used for the collection of the personal data processed within the AUDI AG. Moreover, your name shall also be used for the identification of your person and, as required, for the legitimisation
of your vehicle ownership(s).


Address: Your address (with the obligatory data: street, house number, postal code, city, country) shall be used for the collection of the personal data processed within the AUDI AG. Moreover, we shall require your address
(with the aforementioned obligatory data) for the identification of your person and, as required, for the legitimisation of your vehicle ownership(s). Additionally your address is needed in order to send you the information
report via post.


Vehicle Identification Number: If you have a request regarding your personal data associated with a vehicle identification number (VIN), we require the corresponding vehicle identification numbers and additionally the
period (beginning and end of ownership) for which you are entitled to receive the data. In order to check whether you are entitled, we require proof of ownership or a consent/permission from the respective vehicle owner
(legitimation). On the corresponding documents for proof of owner-ship, any data not required by us should be made unrecognizable (see the information sheet on obliteration).

 

 

2.3 Legitimation of vehicle usage by third parties


In order to grant you personal data concerning the provided vehicle, which you are not the owner of, the consent/permission of the respective vehicle owner for the time of granting is required.


Therefore, we use the declaration of consent (Article 6 Para. 1 lit. a GDPR, Article 6 Para. 1 lit. c GDPR), which is deposited from the vehicle owner to clearly associate the personal data from the vehicle to their corresponding
person. In the context of obtaining the consent, the following data from the vehicle owner are collected for the purpose of legitimation or contact establishment due to the processing of your request: name, forename,
address of the vehicle owner, vehicle identification number (VIN) as well as a telephone number or an e-mail address optionally.


The requester's name and the period of use of the vehicle are collected to ensure that the vehicle can be assigned to his or her person.

 

 

3. For what purposes do we process your data and on which legal basis?

 

We process your personal data for various purposes in accordance with the provisions of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act [Bundesdatenschutzgesetz (“BDSG”)].

 

The processing of your personal data must be based on one of the following legal bases:

  • You have given your consent (Art. 6 (1) (a) GDPR);
  • Processing is necessary to perform a contract with you, or in order to take steps your request prior to entering into a contract (Art. 6 (1) (b) GDPR);
  • Processing is necessary for compliance with a legal obligation under EU law or under a Member State law to which we are subject (Art. 6 (1) (c) GDPR);
  • Processing is necessary to protect your vital interests or the vital interests of another person (Art. 6 (1) (d) GDPR);
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority which has been vested in us (Art. 6 (1) (e) GDPR);
  • Processing is necessary for the purposes of the legitimate interests pursued by the AUDI AG or of a third party, except where these interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, particularly where this concerns a child (Art. 6 (1) (f) GDPR).

 

To the extent that we, in exceptional cases, process special categories of personal data about you (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning sex life or sexual orientation), then one of the following legal bases must also apply:

 

  • You have given explicit consent (Art. 9 (2) (a) GDPR);
  • Processing is necessary to protect your vital interests or those of another person where the relevant person is physically or legally incapable of giving consent (Art. 9 (2) (c) GDPR);
  • Processing relates to personal data which you manifestly made public (Art. 9 (2) (e) GDPR);
  • Processing is necessary for the establishment, exercise or defence of legal claims (Art. 9 (2) (f) GDPR);
  • Processing is necessary for reasons of substantial public interest, on the basis of EU law or Member State law which shall be proportionate to the aim pursued, which shall respect the essence of the right to data protection and which shall provide for suitable and specific measures to safeguard your fundamental rights and interests (Art. 9 (2) (g) GDPR).

 

Following on from the above, we process your personal data on the basis of the legal bases for the purposes in section 2.2 and 2.3.

 

 

3.1 Is there an obligation to provide data?

 

In the context of our business relationship, you need to provide only the personal data that is required to enter into or conduct a business relationship or that we are required to collect by law. Without this data, we will generally have to refuse to enter into the contract or to execute the order, or we will be unable to perform under an existing contract and possibly may have to terminate it.

 

 

4. Who receives my data?

 

Due to the size and complexity of the data processing by the AUDI AG, it is not possible to list each recipient of your personal data individually in this data protection notice, which is why usually only categories of recipients are specified.

 

Within AUDI AG, your data is provided to the respective departments that need such data for data processing.

 

Third-party service providers engaged by us and working on our order to support data processing (so-called “processors”) may also receive data for these purposes. We only use processors in Germany. For example, your e-mail address can be passed on to a service provider so that he can deliver an ordered newsletter to you. Service providers can also be commissioned to provide server capacity. This includes:

  • Hosting providers and support service providers

 

Your personal data will be disclosed by us to third parties only if this is necessary for the fulfilment of the contract, if we or the third party have a legitimate interest in the disclosure, or if you have given your consent. In addition, data may be transferred to third parties to the extent we are required to do so by law or by enforceable regulatory or judicial order. Third parties to whom we may transfer your personal data, irrespective of the services we provide, include

 

  • Authorities within their jurisdiction (e.g. tax office, police, public prosecutor's office),
  • Courts
  • Other third parties, if you instruct us to pass on data or give your consent.

 

 

5. Are data transmitted to a third country?

We process your data in Germany. As a rule, we do not transfer your data to other countries or third countries (countries that are neither members of the European Union nor of the European Economic Area) or to international organisations.

 

A transfer of data to third countries (i.e., countries that are neither members of the European Union nor of the European Economic Area) may occur to the extent necessary to perform services for you, if required by law, or where you have given us your consent.

 

Please note that not all third countries have a data protection level recognized as adequate by the European Commission. For data transfers to third countries where there is no adequate level of data protection, before we share data, we will ensure that the recipient either has an adequate level of data protection (e.g., through self-certification by the recipient of the EU-US Privacy Shield or by agreement containing so-called “EU standard contractual clauses” of the European Union with the recipient) or if our users give their express consent.

 

You can obtain from us a copy of the specific applicable or agreed provisions to ensure an adequate level of data protection. To do so, please use the information in the contact section.

 

 

6. How long will my data be stored?

 

We store your data as long as necessary for the provision of our services to you or do so if we have a legitimate interest in the continued storage.

 

We will store your data for the duration of one year.

 

In addition, we are subject to various retention and documentation requirements pursuant to, inter alia, the German Commercial Code (Handelsgesetzbuch - “HGB”) and the Tax Code (Abgabenordnung - “AO”). The retention and documentation periods specified therein last up to ten years. Finally, the storage period is also governed by statute of limitation periods, which can be up to thirty years, for example, pursuant to secs. 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch - “BGB”), whereby the general limitation period is three years.

 

Under certain circumstances, your data may need to be kept longer, e.g. if a legal hold or litigation hold (i.e. a ban on deleting data for the duration of the proceedings) is ordered in connection with official or judicial proceedings.

 

 

7. What rights do I have?

 

As the data subject, you are entitled to the following data protection rights:

Access:

You have the right to request access to personal data related to you and stored at AUDI AG and about the scope of data processing and data transfer performed by AUDI AG and to obtain a copy of your stored personal data. 

 

Rectification:

With respect to your personal data stored at AUDI AG, you have the right to demand the immediate rectification of incorrect personal data and you have the right to have incomplete personal data completed.

 

Erasure:

You have the right to demand the immediate deletion or erasure of your personal data stored by AUDI AG, if the legal requirements are satisfied.

This is the case, in particular, if

 

  • your personal data is no longer needed for the purposes for which it was collected;
  • the sole legal basis for processing such data was your consent, and you have withdrawn such consent;
  • you have objected to processing on the legal grounds relating to your particular situation, and we cannot prove that there are overriding legitimate grounds for processing;
  • your personal data were processed unlawfully; or
  • your personal data must be erased in order to comply with legal requirements.

 

If we have transmitted your data to third parties, we will inform them about the erasure to the extent required by law.

Please note that your right to erasure is subject to certain limitations. For example, we may not and/or must not erase data that we are still required to retain due to statutory retention obligations. In addition, your right of erasure does not extend to data that we need in order to assert, exercise or defend against legal claims, unless other grounds for continued storage exist.

 

Restriction to the Processing:

Under certain conditions, you have the right to request that processing be limited (i.e., the marking of stored personal data with the aim of limiting its processing in the future). The requirements are: 

 

  • The accuracy of your personal data is contested by you and AUDI AG must verify the accuracy of the personal data;
  • the processing is unlawful, but you oppose the erasure of the personal data and request the restriction of their use instead;
  • AUDI AG no longer needs the personal data for the purposes of processing, but you require the data to establish, exercise or defend your legal claims.
  • you have objected to processing pending the verification of whether the legitimate grounds of AUDI AG override your legitimate grounds.

 

Where processing has been restricted, such data will be marked accordingly and, with the exception of storage, will be processed only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest the EU or an EU Member State.

 

Data Portability:

To the extent that we automatically process your personal data that you have provided to us based on your consent or any contract with you (including your employment contract), you have the right to receive such data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from AUDI AG. You also have the right to have the personal data transmitted directly from AUDI AG to another controller where technically feasible, provided that such transmission does not adversely affect the rights and freedoms of others.

 

Right to Object:

If we process your personal data on grounds of legitimate interests or in the public interest, then you have the right to object to the processing of your personal data on grounds relating to your particular situation. In addition, you have an unrestricted right to object if we process your data for our direct marketing purposes. Please see our separate note in the section titled “Information about your right to object”.

In certain situations, in the context of a balancing of interests, we will grant you an additional unrestricted right to object.

 

Withdrawal of Consent:

If you have given consent to the processing of your personal data, then you can withdraw such consent at any time. Please note that the withdrawal applies prospectively only. Processing that occurred before the withdrawal of consent is unaffected.

 

Complaint:

Furthermore, you have a right to file a complaint with a data protection authority (Datenschutzaufsichtsbehörde), if you believe that the processing of your personal data is unlawful. The right to file a complaint is without prejudice to any other administrative or judicial remedies.

The address of the data protection supervisory authority responsible for AUDI AG is:

 

Bayerisches Landesamt für Datenschutzaufsicht

Promenade 18

91522 Ansbach

Deutschland

 

 

 

7.1 Information about Your Right to Object

 

Right to object for personal reasons

You have the right to object to the processing of your personal data on grounds relating to your particular situation. The prerequisite for this is that the data processing takes place in the public interest or on the basis of a balancing of interests. This applies also to profiling.

 

Insofar as we base the processing of your personal data on a balancing of interests, we generally assume that we can demonstrate compelling legitimate grounds but will, of course, examine each individual case.

 

In the event of an objection, we will no longer process your personal data, unless

  • we can demonstrate compelling legitimate grounds (zwingende schutzwürdige Gründe) for the processing of these data that override your interests, rights and freedoms, or
  • your personal data serves the establishment, exercise or defence of legal claims.

 

Objection to the processing of your data for our direct marketing purposes

If we process your personal data for the purpose of direct advertising, you have the right at any time to object to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is connected with such direct advertising.

 

If you object to the processing for purposes of direct marketing, we will no longer process your personal data for these purposes.

 

Objection against the processing of your personal data for product improvement and general customer analysis

As part of the balancing of interests, we grant you a separate right of objection with regard to the processing of your personal data for product improvement and general customer analysis.

 

If you object to the processing for purposes of product improvement and/or general customer analysis, we will no longer process your personal data for these purposes. Purely statistical evaluations of aggregated or otherwise anonymous data remain unaffected by this.

 

Exercise of the right of objection

The objection can be made without form and should preferably be made to the contact data listed in this data protection notice.

 

 

As of May 2020