BMW INDIA: LEGAL NOTICES ON DATA PROTECTION

The high standard that you associate with the features of our products and services are the guideline we use in handling your data. In doing so, we seek to create and maintain an environment conducive to a trustworthy business relationship with our customers and interested parties. The confidentiality and integrity of your personally identifiable data is especially important to us.

Who is the authority responsible for data processing?Data processing takes place at national sales company, BMW India Private Limited , a company registered under the provisions of the Companies Act, 1956, having its registered office at 2nd Floor, Oberoi Centre, Building No.11, DLF Cyber City, Phase-II, Gurugram, Haryana (hereinafter "NSC")

The NSC provides to the customer certain vehicle-based information and assistance services (hereinafter "services") under the designation "BMW ConnectedDrive" (hereinafter "ConnectedDrive Agreement") and is the authority for data processing in this context.

What data about you is processed and for what purpose?

Data collected in the course of concluding an agreement or rendering services is processed for the purposes listed below:

For the purposes of fulfilling the ConnectedDrive Agreement concluded between you and NSC , NSC renders a variety of services, such as BMW Intelligent eCall, information services, real-time traffic information, TeleServices, etc. The other BMW ConnectedDrive services details are mentioned in the respective Service Descriptions.

For performance of these services, the following—potentially personally identifiable—information from the vehicle is processed and optionally stored by BMW and commissioned service providers for such performance:

• Vehicle status information (mileage, battery voltage, door and hatch status, etc.)
• Position and movement data (time, position, speed, etc.)
• Vehicle service data (due date of next service visit, oil level, brake wear, etc.)
• Dynamic traffic information (traffic jams, obstacles, signs, parking spaces, etc.)
• Environmental information (temperature, rain, etc.)
• User profile (personal profile picture/ avatar, settings as navigation, media, communication, driver’s position, climate/light, driver assistance, etc.)
• Sensor information (radar, ultrasonic devices, gestures, voice, etc.)

A complete list and detailed description of the services and the data used in each case can be found here:  service description list.

The provision of this data is not actually necessary for concluding the ConnectedDrive Agreement. Without your provision of such data and the processing of such data, BMW is, however, unable to provide the respective service for you.

The processed personal data is deleted automatically after 4 weeks if it is not needed longer for provision of the specific service.

The ConnectedDrive Account is assigned personally to you. Therefore, your driver profile (if it’s mapped with a ConnectedDrive Account) can just be activated within one vehicle.

BMW Group login

To use the Service, you must register in the App / portal. When you register, you will receive an online customer account that gives you access to other BMW Group portals and offers. In order to provide you the BMW Group login service, your data is passed on to the BMW Group company that acts as a provider of the applications in use by you. Storage of the data from your customer account is handled by BMW and is separate from any other (even potentially identical) data about your person that may be available to BMW Group. 

Beyond mere performance of service, the data collected under B. is also processed for quality assurance in products and services offered by BMW Group and for developing new products and services by BMW. This processing is used for the legitimate interests of BMW to meet the high customer standard placed on existing products and services and to allow the company to fulfill the future requests of its customers through new products and services that have not yet been developed. In order to protect the privacy of our customers, data is processed solely in a manner that cannot be traced back to the customer/vehicle directly.

In order to optimize the customer experience and collaboration with BMW distributors continuously, we create evaluations and reports based on information from agreements and we share these evaluations and reports with the applicable BMW distributors. These evaluations are predominantly used for introducing appropriate measures (e.g. training courses for sales personnel) to improve the request and sales process. We will create the aforementioned reports only in an aggregated and anonymized form; this means that the recipients of the reports will be unable to draw any conclusions about you personally.

Portions of the vehicle-specific data collected under B. are used for performance of the service processes (e.g. repair, warranty, goodwill) of BMW, the national sales companies and authorized dealers. This processing is within the legitimate interests of BMW to provide our customers with the best possible service process. Processing sometimes also takes place in connection with legal requirements (e.g. repair and maintenance information due to the provisions of anti-trust regulations). Technical data is always processed in relation to the vehicle and without direct connection to the customer in order to protect the privacy of our customers.

The following data categories are used for this:

• Vehicle master data (vehicle type, color, equipment, etc.)
• Vehicle service data (due date of next service visit, oil level, brake wear, etc.)
• Vehicle status information (mileage, battery voltage, door and hatch status, etc.)
• Information required for statutory or regulatory purposes.

The technical vehicle data is deleted at the end of the vehicle life cycle.

The NSC is a company within BMW Group.  NSC processes your data in order to make the administration of the various companies within BMW Group as efficient and successful as possible. One of the areas this affects is common group accounting in accordance with international accounting regulations for companies (such as the International Financial Reporting Standards (IFRS)).

NSC will also process personal data if there is a legal obligation to do so. This could be the cause if we needed to contact you because your vehicle is subject to a vehicle recall or repair request.

Collected data is also processed as part of safeguarding the operation of IT systems (back-end and vehicle systems). Safeguarding in this context includes, but is not limited to, the following actions:

• Backup and restoration of data processed in IT systems
• Logging and monitoring transactions to check the specific functionality of IT systems
• Detecting and protecting against unauthorized access to data to guarantee the integrity and security of IT systems. Incident and problem management for resolving problems in IT systems.
• Information / details may be required for fulfilling statutory or regulatory purposes.

Collected data is also processed as part of internal compliance management, wherein we review aspects such as whether you have received sufficient advising as part of concluding an agreement and whether dealers have complied with all legal requirements.

NSC are subject to a number of additional legal obligations. In order to comply with statutory/regulatory  obligations, we process your data to the extent needed and pass on this data to the responsible authorities, if necessary, as part of legal reporting requirements.

NSC provides the data collected under B. to third parties in anonymized form for the purposes of using resources such as mobility services, maps and tools, especially in combination with highly automated, fully automated and autonomous driving.

How long do we store your data?

We save your personal data only for as long as the specific purpose requires. If the data is processed for several purposes, the data is deleted automatically or saved in a form that cannot be traced directly back to you once the last specified purpose has been met.

How is your data stored?

We store your data in accordance with the state of the art of technology.. The following security measures serve as an example of the measures applied to protect your personal data from misuse or other unjustified processing:

• The availability of access to personal data is restricted to just a limited number of authorized persons for the specified purposes.
• Collected data is transferred only in encrypted form.
• Sensitive data is also saved only in encrypted form.
• The IT systems for processing the data are compartmentalized from other systems, e.g. to prevent hacking.
• In addition, access to these IT systems is monitored continuously in order to ward off and detect misuse early.

To whom is the data passed and how do we protect it along the way?
BMW is a global company. Personal data is processed by BMW employees, national sales companies, authorized dealers and by service providers we have commissioned, with preference given to those within the EU.

If data is processed in countries outside the EU, BMW uses EU standard agreements, including suitable technical and organizational measures, to ensure that your personal data is processed in accordance with the European level of data privacy. If you want to access the actual protections for data transfer to other countries, please contact us using the communications channels specified below.

The EU has already established a comparable data privacy level for some countries outside the EU, e.g. Canada and Switzerland. Due to the comparable data privacy level, data transfer to these countries does not require any special approval or agreement.

How can you view and modify your data privacy settings?
You can change your settings for the use of your data in BMW online accounts at any time using the corresponding options in your My BMW online account (if available), in your BMW ConnectedDrive account or in the My BMW App.

You can access the following data and, if possible, change it:

• Consent in advertising communication - here you can (if available) choose your desired communication channels (post, email etc.) and agree to the use of statistical procedures to create an individual customer profile in order to offer you personalized offers for products and services.
• BMW ConnectedDrive Account - here you can view and change your detailed settings for BMW ConnectedDrive. Some BMW ConnectedDrive settings can only be changed via the My BMW App or only in the vehicle. We kindly ask you to use the corresponding options in the App or in the vehicle.

However, the settings for the use of your data by BMW Partners cannot be changed in the data protection portal of BMW AG in your online account. For such a change or if you have any questions about the use of your data, you must therefore contact the relevant BMW Partner directly.

In the event of questions regarding our use of your personal data, please start by contacting BMW customer support, either by e-mail at contact.india@bmw.in  or by phone at the telephone number: 1800 102 2269 (daily 09:00 AM – 6:30 PM).

In addition, you can contact the responsible data protection officer:
Data Protection Officer

BMW India Private Limited

2nd Floor, Oberoi Centre,

Building No.11,

DLF Cyber City, Phase-II,

Gurugram,

Haryana, India contact.india@bmw.in

As persons affected by the processing of your data, you can assert certain rights in accordance with applicable data privacy provisions. The following section contains explanations regarding your rights as a data subject.

You specifically have the following rights as a data subject in relation to BMW:

Right of access by the data subject: At any time, you can request information about the data that we have about you. This information includes the data categories processed by us, the purposes for which we process it, the source of the data if we did not collect it from you directly and, where applicable, the recipients to which we have transferred your data. You can obtain a free copy of your data from us. If you are interested in additional copies, we reserve the right to charge you for any additional copies.

Right to rectification: You can request that we rectify your data. We will take appropriate measures to maintain, based on the latest information available to us, the correctness, completeness, and timeliness of the data we have and continue to process regarding you.

Right to erasure: You can request that we erase your data if the legal requirements exist for doing so.  This could be the case if

• the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
• you withdraw your consent on which the processing is based and where there is no other legal ground for the processing;
• you object to the processing of your data and there are no overriding legitimate grounds for the processing, or you object to data processing for direct marketing purposes;
• the personal data has been unlawfully processed

if such processing is not necessary

• for compliance with a legal obligation that requires that we process your data;
• especially with respect to retention periods required by law;
• for the establishment, exercise or defense of legal claims.

Right to restriction of processing: You can request the restriction of processing of your data by us if

• you contest the accuracy of the personal data for a period enabling us to verify the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
• we no longer need your data, but you require it for the establishment, exercise or defense of legal claims;
• you have objected to processing pending the verification whether our legitimate grounds override yours.

Right to data portability: Your data shall, where technically feasible, be transmitted to another responsible party at your request. This right shall be available to you only insofar as data processing is based on your consent or is necessary in performance of an agreement. Instead of receiving a copy of your data, you can also request that we transfer the data directly to another controller that you specify.

Right to object: You can object, on grounds relating to your particular situation, at any time to processing of your personal data if data processing relates to your consent or to our legitimate interests or to those of a third party. We will cease processing of your data in such a case. The latter shall not apply if we can demonstrate compelling legitimate grounds for the processing which override your interests, or we require your data for the establishment, exercise or defense of legal claims.

Periods for fulfillment of rights as a data subject
We always make an effort to comply with all requests within 30 days. This period, however, may be prolonged for any reason relating to the specific right of a data subject or the complexity of your request.

Information restriction for fulfillment of rights as a data subject
In certain situations, we may be unable to provide you with any information about any of your data due to legal requirements. If we are required to decline a request for information in such a case, we will promptly notify you of the reasons for the refusal.