Privacy Notice applicable to the purchase and use of Audi vehicles
In this Privacy Notice according to Art. 13, 14 EU-GDPR we are informing you about the automated, electronic processing of your personal data by AUDI AG, Auto-Union-Straße 1, 85057 Ingolstadt, Deutschland / Germany (”we”) in the context of the purchase and subsequent use of an Audi brand vehicle.
Personal data means any information relating to an identified or identifiable natural or, if foreseen under local law, legal person, including, as the case may be, sensitive personal data as defined under the laws of the country where you are located at the relevant time (‘data subject’); a data subject is one that can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1. Who is the controller for the processing?
The controller for the processing of your personal data is:
AUDI AG, Auto-Union-Straße 1, 85057 Ingolstadt, Germany.
Tax identification number / Registration number: DE811115368 / HRB Nr./Commercial Register No.: 1
2. Who can I contact?
If you wish to assert your data protection rights, please use the contact options at
https://data-subject-rights.audi.com/
There, you will find further information regarding how you can assert your data protection rights. You may also send your request via mail: AUDI AG, DSGVO-Betroffenenrechte, 85045 Ingolstadt, Germany.
3. Contact details of the data protection officer
For matters concerning data protection, you can also consult our company data protection officer, using your own language:
AUDI AG, Data Protection Officer, 85045 Ingolstadt, Germany
· Email: datenschutz@audi.de
· Telephone number: +49841 890
· Office address of the company data protection officer: AUDI AG, Data Protection Officer, Auto-Union-Straße 1, 85057 Ingolstadt, Germany
4. Which data do we process for which purposes and from which sources does it originate?
We process personal data which we receive from you within the scope of our business relationship, i.e. during the initiation, execution and processing (including the handling of any warranty or guarantee claims) of your vehicle purchase or the purchase of other products or services, i.e. the vehicle purchased by you in each case.
The personal data include:
· Private contact and master data
· Professional work and organizational data
· Vehicle master data and identification
· Data on vehicle history and workshop visits
· Vehicle usage data (vehicle usage and operating data)
· Legal transactions / contract data
· Financial data
· Particularly sensitive personal data
We collect your data whenever you (a) purchase a vehicle or other product or service from AUDI AG or a sales partner. We may also collect data in connection with your use of digital services within the vehicle as well as your workshop visit. Please refer to the respective data protection information for these data processings.
In addition we process - insofar as necessary in connection with your vehicle purchase (e.g. vehicle production, vehicle delivery, provision of purchased services) - personal data which we have received from other companies of the AUDI- or VW-Group or from third parties (e.g. AUDI dealers, workshops, etc.) (e.g. for the execution of orders, for the fulfillment of contracts or on the basis of your consent). On the other hand, we process personal data that we have obtained from publicly accessible sources and are permitted to process.
These include:
· Private contact and master data
4.1. Data that we receive from Audi partners
· Details that the Audi partner forwards to Audi in connection with repair and service support
· Details that are required to validate legal or contractual claims/questions from the customer (in particular relating to warranty/guarantee)
· Details that the Audi partner forwards to Audi in order to check and handle the claims
· Details that are needed for the direct collection of the customer vehicle from Audi
· Details that are required for the Audi partner's participation in Audi compensation and/or bonus programs
· Details that are required for claiming special conditions, for example, special customer groups (for example, driving schools, etc.)
· Details that are required to fulfill legal obligations (including product observation) to Audi
· Details that are needed by Audi for quality assurance or quality improvement and for product optimization and further development
4.2. Electronic control units
a) General
Electronic control units have been installed in your vehicle. Control units process data that they receive, for example, from vehicle sensors, that they generate themselves or that they share among one another. Some control units are required to ensure that your vehicle functions safely, others help you while driving (driver assistance systems), and others provide comfort or infotainment features.
Below you will find some general information about data processing in your vehicle. Specific information concerning the privacy notices for individual features is provided in the operating manual for your vehicle, which is available online and may also, if applicable, be provided digitally in your vehicle.
b) Personally identifiable data
Each vehicle is identified with a unique vehicle identification number. In Germany and as the case may be, in the other relevant domiciles, this vehicle identification number (“VIN”) can be used to obtain information about the current and previous owners of the vehicle respectively from the Federal Motor Transport Authority (in Germany “Kraftfahrtbundesamt”) or the relevant authority. There are other ways to use the data collected from the vehicle to learn about the owner or driver of the vehicle, for example, with the number plate.
The data generated or processed by the control units may, therefore, be personally identifiable or may, under certain circumstances, become personally identifiable. Depending on the vehicle data that are available, it may be possible, for example, to make inferences about your driving behavior, your location or route or user behavior.
c) Statutory data disclosure requirements
Where there are statutory requirements, manufacturers have a duty, in individual cases, to comply with government agency requests to provide data stored at the manufacturer to the extent necessary (for example, to assist with the investigation of a criminal offense).
Within the scope of the applicable law, government agencies are also authorized to read data from vehicles themselves in individual cases. For example, if there is an accident, data can be read from the airbag control unit to help with investigation of the accident.
4.3. Operating data in the vehicle
Control units process data in order to operate the vehicle. This includes, for example:
- Vehicle status information (for example, speed, deceleration, lateral acceleration, wheel revolution speed, whether the seat belts are fastened),
- Environmental conditions (for example, temperature, rain sensor, distance sensor).
These data are generally temporary; they are not stored after the vehicle is no longer in operation and are only processed in the vehicle itself. Control units often have data storage units (including the vehicle keys). These are used to temporarily or permanently document information about the vehicle status, component stress, maintenance requirements and technical events and errors.
Depending on selected equipment, the following information is stored:
- Operating conditions of system components (for example, fill levels, tire pressure, battery status),
- Disruptions and defects in key system components (for example, lights, brakes),
- System responses in special driving situations (for example, deployment of airbags, use of stability control systems),
- Information about vehicle-damaging events,
- For electric vehicles, the state of charge of the high-voltage battery, estimated range.
In special cases (for example, when the vehicle has detected a malfunction), it may be necessary to store data that would otherwise only be temporary.
When you use services (for example, repair services, maintenance work), it may, where required, be necessary to read and use the stored operating data together with the vehicle identification number. The data may be read from the vehicle by an employee of the service network (for example, mechanics, manufacturer) or third parties (for example, breakdown service centers). The same applies for warranty cases and quality assurance measures.
The data are generally read out via the statutorily prescribed connection for on-board diagnostics (OBD) in the vehicle. The operating data that are read out document the technical conditions of the vehicle or individual components and help with error diagnosis, compliance with maintenance obligations and with quality improvement. These data, especially information about component stress, technical events, operating errors and other errors are sent together with the vehicle identification number to the manufacturer, if necessary. The manufacturer is also subject to product liability. The manufacturer also uses operating data from the vehicle for recalls. These data may also be used to review warranty and guarantee claims by customers.
Error storage units in the vehicle can be reset by a service center as part of repair or service work or at your request.
4.4. Comfort and infotainment features
You can save comfort settings and customizations in the vehicle and modify or reset them at any time. Depending on the vehicle equipment, these include for example:
- Seat and steering wheel position settings,
- Chassis and climate control settings,
- Customizations such as interior lighting.
Within the scope of the selected equipment, you can add data to the vehicle infotainment features yourself. Depending on the vehicle equipment, these include for example:
- Multimedia data, such as music, videos or photos for replay in an integrated multimedia system,
- Address book data for use in conjunction with an integrated speaker phone system or an integrated navigation system,
- Entered navigation destinations,
- Data about the use of internet services.
These comfort and infotainment features can be stored locally in the vehicle or they can be located on a device that you have linked with the vehicle (for example, smartphone, USB stick or MP3 player). If you have entered the data yourself, you can delete it at any time.
These data are only transmitted from the vehicle at your request, particularly as part of the use of online services in line with the settings selected by you. Further information about online services can be found in Section 2 of the MMI privacy notice.
4.5. Smartphone integration, for example, Android Auto or Apple Carplay
If your vehicle has the necessary equipment, you can link your smartphone or other mobile device to the vehicle to control the control elements integrated in the vehicle. If you do, you can stream video and sound from your smartphone over the multimedia system. At the same time, certain information will be transmitted to your smartphone. Depending on the type of integration, this includes for example, location data, day/night mode and other general vehicle information. More information can be found in the operating manual for the vehicle/infotainment system.
The integration enables the use of selected smartphone apps, such as navigation or music replay. There is no further interaction between the smartphone and the vehicle; in particular, there is no active access to vehicle data. The type of other data processing is determined by the provider of the app used. Whether and which settings you can adjust depends on the relevant app and your smartphone’s operating system.
4.6. Online services
If your vehicle has a wireless internet connection, this will enable you to share data between your vehicle and other systems (the data servers of Audi or the data servers of service providers). In certain countries, the wireless internet connection is enabled by an on-board transmitting and receiving unit (installed by us) or a mobile device provided by you (for example, a smartphone). This wireless internet connection enables the use of online features (information and control services for your vehicle). These include online services and apps that are provided by us or other providers (“Audi connect services” or “services”).
Information about the individual services can be found in Section 2 of the MMI privacy notice.
Please note that the services listed here may not all be available in your vehicle or country.
a) Manufacturer services
For Audi online services, the relevant functions are described at a suitable location (for example, MMI, Audi website) together with the associated data protection information. Personal data may be required for the provision of online services. These data will be exchanged over a secure connection, for example, by the manufacturer's IT systems provided for this purpose. Personal data are only collected, processed and used beyond the scope of the provision of the services on the basis of a statutory authorization, for example, as part of a statutorily required emergency call system, if there is a contractual agreement or if consent has been obtained.
You can have the services and features (some of which are subject to charges) and – depending on the vehicle – in some cases the entire wireless internet connection activated or deactivated. This does not include statutorily required features and services, such as an emergency call system.
b) Third-party services
If you use the online services of other providers (third parties), these services are the responsibility of and subject to the data protection terms and terms and conditions of use of the relevant provider. We generally have no influence over the information that is shared.
You can learn more about the type, scope and purpose of the personal data that is collected and used during the use of third-party services from the relevant service provider.
5. Which data do we process for which purposes and which legal bases apply?
We process your personal data in accordance with the provisions of the General Data Protection Regulation (“GDPR”) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”) and other local law for various purposes..
The processing of your personal data must be based on one of the following legal bases:
· You have given your consent (Art. 6(1)(a) GDPR);
· Processing is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract (Art. 6(1)(b) GDPR);
· Processing is necessary for compliance with a legal obligation under EU law or the law of an EU member state to which we are subject (Art. 6(1)(c) GDPR);
· Processing is necessary in order to protect your vital interests or those of another person (Art. 6(1)(d) GDPR);
· processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (Art. 6(1)(e) GDPR)
· Processing is necessary for the purposes of the legitimate interests pursued by AUDI AG or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child (Article 6(1)(f) GDPR).
If, in exceptional cases, we process special categories of personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health or data concerning a person's sex life or sexual orientation) about you, one of the following legal bases must also apply:
· You have given your explicit consent (Art. 9(2)(a) GDPR);
· The processing is necessary to protect your vital interests or those of another person and the data subject is physically or legally incapable of giving consent (Art. 9(2)(c) GDPR);
· the processing relates to personal data which you have manifestly made public (Art. 9(2)(e) GDPR)
· processing is necessary for the establishment, exercise or defense of legal claims (Art. 9(2)(f) GDPR)
· processing is necessary for reasons of substantial public interest on the basis of EU law or the law of an EU Member State which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard your fundamental rights and interests (Art. 9(2)(g) GDPR).
Following on from the above, we process your personal data on the basis of the following legal bases for the following purposes:
Purpose
Legal grounds
Legitimate interest
Categories of data
Implementation of employment, HR administration and employer duties (communication & management, work organization, HR service)
Fulfillment of contract, balancing of interests, consent, compliance with a legal obligation
Representation of AUDI AG and representation of its interests, maintenance of IT systems and security, organization and processing of business trips, control of invoicing to avoid financial losses, implementation and patenting of employee ideas to improve product quality, avoidance of future losses, use of data on specific vehicle malfunctions and on general vehicle use for the further development of vehicles and functions, promotion of employees and safeguarding and further training of their knowledge, granting of benefits and support for employees
See section 4
Review and optimization of systems, facilities, workflows and processes
Compliance with a legal obligation,
balancing of interests
Control of product quality and prevention of product damage, preventive complaint management
See section 4
Customer order processing, including vehicle production and provision of digital services
Contract fulfillment (e.g. service contract, vehicle purchase contract or contract for special equipment), balancing of interest, consent
- efficient identification and analysis of events and conclusion regarding modifications to the vehicle (tuning, modifications, etc.) in order to remedy customer complaints
- Support for the AUDI dealer in fulfilling its legal obligations towards you
See section 4
Prevention of legal violations (especially criminal offenses) and abuse
Fulfillment of legal obligations, balancing of interests
- Compliance with legal and regulatory requirements
- Verification of compliance with legal provisions, internal company guidelines, rules and standards of AUDI AG, Group companies, employees, business partners and other third parties
See section 4
Contract management (other contracts), in particular business partner management
Balancing of interests, fulfillment of contract, consent
Fulfillment of legal requirements of AUDI dealers, professionalization of the AUDI brand image and improvement of the experience for customers through qualification of the employees of our trade and business partners; improvement of cooperation with trade and business partners
See section 4
Data trading and management
Contract fulfillment, Consent
See section 4
Development and testing of components, products and services
Contract fulfillment (e.g. service contract, vehicle purchase contract or contract for special equipment) and consent, balancing of interests
- Improvement of road safety and own products, promotion of science
- maintenance and improvement of product quality
See section 4
Operational safety and emergency management, owner's or tenant's right to undisturbed possession of premises and to keep out trespassers
Fulfillment of legal obligations, balancing of interests, consent
Maintaining plant safety, access control, accident prevention
See section 4
Internal administration
Contract fulfillment, balancing of interests, fulfillment of legal obligations, consent if necessary
- Analysis of sales and order data according to sales channel
model, order status
- Analysis of requested variants and equipment
- Reporting on business parameters, using the VIN
if necessary - Implementation of evaluations to manage our business processes and cost control based on the analysis of sales and order data according to sales channel model, order status, analysis of requested variants and equipment, reporting on business parameters, using the vehicle identification number if necessary
Maintaining operations -
Compliance with legal and regulatory requirements
- Providing benefits and support for employees
- Maintaining product quality
- Preventing recourse claims
- Preparing for and following up on events, improving the organization for the future
See section 4
Legal affairs and compliance
Compliance with a legal obligation, public interest, fulfillment of legal obligations, balancing of interests, fulfillment of contract
- Compliance with legal and regulatory requirements
- Verification of compliance with legal provisions, internal company guidelines, rules and standards of AUDI AG, Group companies, employees, business partners and other third parties,
- Compliance with legal and regulatory requirements, assertion, exercise or defense of legal claims of or against AUDI AG or the respective Audi dealer
- Verification of compliance with contractual and legal obligations by AUDI AG, its employees and its sales partners, suppliers, etc., if necessary using the vehicle identification number
- Review of conflicts of interest, prevention of industrial espionage
See section 4
Customer and prospective customer care, advertising
Consent, balancing of interests, fulfillment of contract (contract to which your request relates, e.g. vehicle purchase contract, delivery, etc.).
Representing AUDI AG and providing information about its activities and products, adapting online services to the changing needs of users, maintaining and improving product quality
See section 4
Market and opinion research
Consent, balancing of interests
Maintaining and improving product quality
See section 4
Customer analysis and customer evaluation
Consent, balancing of interests, balancing of interests
- Analysis of sales and order data according
to model sales channel, order status
- Analysis of requested variants and equipment
- Reporting on business parameters, if necessary using the VIN
- Implementation of evaluations to control our business processes and cost control based on the analysis of sales and order data according to model sales channel, order status, analysis of requested variants and equipment, reporting on business parameters, if necessary using the vehicle identification number, maintaining and improving product quality, representing AUDI AG and providing information about its activities and products, adapting online services to users' changing needs
See section 4
Customer inquiries and customer complaints
Contract fulfillment (e.g. service contract, vehicle purchase contract or contract for special equipment) and consent, balancing of interests
Control of product quality and prevention of product damage, preventive complaint management
See section 4
Warranty and goodwill
Contract fulfillment, consent
See section 4
Warranty management including product recalls
Contract fulfillment (service contract), balancing of interests, contract fulfillment
- If there are concrete indications that a fault was caused during the warranty or guarantee period by modifications to the vehicle (tuning, conversions, etc.), AUDI AG has a legitimate interest in recognizing this
- Effective fault detection and analysis in order to be able to rectify faults;
- Support for the AUDI dealer in fulfilling its legal obligations towards you;
See section 4
Please note: If the applicable local law of the country where you are located at the relevant time foresees additional requirements regarding the legal bases, we will comply with such additional requirements and will inform you accordingly. This in particular applies, where such local law requires (express) consent for the processing of your personal data.
Please note your rights to object to the processing of data for the purpose of direct marketing or for personal reasons and your right to withdraw consent (see section "Which rights do you have?" and the section "Information on your right to object").
5.1. Is there an obligation to provide personal data?
As part of our business relationship, you only need to provide the personal data that is required to enter into and conduct a business relationship, or that we are required or permitted to collect by law. Without this data, we will generally have to refuse to enter into the contract or to execute the order, or will be unable to perform an existing contract and possibly have to terminate it.
6. Who receives my data?
Within AUDI AG, those entities receive your data that need your data for data processing purposes (e.g. the Audi Training sales department, Sales Germany, IT).
Service providers employed by us and working on our behalf (so-called processors), who support data processing on our behalf, also receive data for these purposes. For example, your email address may be passed on to a service provider so that they can deliver a newsletter you have ordered. Service providers may also be commissioned to provide server capacity. This includes:
Category of Processor
Name of Processor
Processing purpose
Group companies
Volkswagen AG
IT operation, hosting and support service providers
Group companies
Cariad SE
IT operation, hosting and support service providers
We will generally share your personal data with third parties only if this is necessary for the performance of the contract, if we or the third party have a legitimate interest in the disclosure, or if you have given your consent, subject to applicable local laws. In addition, data may be shared with third parties (including investigative or security authorities) to the extent we should be required to do so by law or by enforceable regulatory or judicial orders. Third parties to whom we disclose your personal data and who act as data controllers under data protection law include
· Public authorities
· Legal, economic and financial representatives
· Trading partners
Third Party Name
Items of transmitted personal data
Purpose of transfer
Local importer in your country of purchase
See section 4
See section 5
7. Is data transferred to a third country?
We process your data in Germany. As a rule, we do not transfer your data to other countries or third countries (countries that are neither members of the European Union nor the European Economic Area) or to international organizations.
A transfer of data to third countries (i.e. countries that are neither members of the European Union nor of the European Economic Area) may take place, to the extent this is required for the provision of services to you, is required by law, or you have given us your consent (in the absence of any other appropriate safeguarding mechanism under applicable law). Please note: Under the applicable local laws of the jurisdiction where you are located at, a transfer to a third country might be defined as a transfer outside of the territory or country where you are located at the relevant time.
Please note that not all third countries have a level of data protection recognized as adequate by the competent body of the country where you are located at the relevant time (e.g. the European Commission). AUDI AG will only transfer your personal data to third countries to the extent permitted by applicable law. Insofar as AUDI AG relies on appropriate safeguards in accordance with applicable law (e.g. Standard Contractual Clauses or Binding Corporate Rules pursuant to Art. 46(2) GDPR for third country transfers), AUDI AG will take such additional technical and/or organizational measures to the extent necessary to maintain an adequate level of protection of your personal data, as required under applicable laws.
You can obtain a copy from us of the specific applicable or agreed rules to ensure the adequate level of data protection. Please use the information in the Contact section for this purpose.
Your data will be transferred to the following recipients in a third country:
Name of recipient
Name of third country
Purpose of third-country transfer
Recipient of onward transfer
Local importer in your country of purchase
Country of purchase
Execution of the vehicle purchase contract
cf. privacy policy of local importer
8. How long will my data be stored?
We store your data as long as it is necessary for the provision of our services to you or we have a legitimate interest in the further storage.
In addition, we are subject to various retention and documentation obligations, which result, inter alia, from the German Commercial Code (Handelsgesetzbuch, “HGB”) and the German Tax Code (Abgabenordnung, “AO”). The periods specified therein for retention and documentation are up to ten years. Finally, the storage period is also assessed according to the statutory limitation periods, which can be up to thirty years, for example, according to Sections 195 et seqq. of the German Civil Code (Bürgerliches Gesetzbuch, “BGB”), with the regular period of limitation being three years.
Under certain circumstances, your data may also need to be retained for a longer period of time, such as when a so-called legal hold or litigation hold (i.e. a prohibition of data deletion for the duration of the proceedings) is ordered in connection with administrative or judicial proceedings.
We may also be subject to retention and documentation obligations in line with the local legislation of your country.
9. Which rights do I have?
All the below described rights concerning the personal data and the processing thereof may be subject to limitations, according to the applicable EU and/ or national laws. Depending on your jurisdiction, as the data subject, you may be entitled to the following data protection rights. Please note: Your data protection rights under the local laws of the country where you are located at the relevant time may differ from the rights described below. Please see Annex 1 for additional, country-specific information, in particular on rights that you might have under local laws. Such rights apply, to the extent the legal requirements are met, in addition to your rights provided under the GDPR.
As a data subject, you are generally entitled to the following data protection rights:
Access:
You have the right to request information about the data stored about you at AUDI AG and the scope of the data processing and disclosure carried out by AUDI AG and to receive a copy of the personal data stored about you.
Rectification:
You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you as well as the completion of incomplete personal data stored concerning you at AUDI AG.
Erasure:
You have the right to obtain the erasure of the personal data concerning you stored at AUDI AG without undue delay if the statutory requirements are met.
This may be the case, in particular, if
· Your personal data are no longer necessary in relation to the purposes for which they were collected;
· The sole legal ground for the processing was your consent and you have withdrawn it;
· You have objected to the processing based on the legal ground of balancing of interests on grounds relating to your particular situation and we cannot prove that there are overriding legitimate grounds for the processing;
· Your personal data have been unlawfully processed; or
· Your personal data have to be erased for compliance with a legal obligation.
If we have shared your data with third parties, we will inform them about the erasure, insofar as required by law.
Please note that your right to erasure is subject to restrictions. For example, we are not required or allowed to delete data that we are still obligated to retain due to statutory retention periods. Similarly, data that we need for the establishment, exercise or defense of legal claims are excluded from your right of erasure.
Restriction of processing:
You have the right to obtain, under certain conditions, restriction of processing (i.e. the marking of stored personal data in order to restrict their future processing). The requirements are, in particular:
· The accuracy of your personal data is contested by you and AUDI AG must verify the accuracy of your personal data;
· The processing is unlawful, but you oppose the erasure of the personal data and instead request the restriction of the use of the personal data;
· AUDI AG no longer needs your personal data for the purposes of processing, but you require the data for the establishment, exercise or defense of legal claims;
· You have objected to the processing and the verification is pending whether the legitimate grounds of AUDI AG override yours.
In the event of a restriction of the processing, the data will be marked accordingly and will be – except for their storage – only processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of a EU Member State or of the country where you are located at the relevant time, in each case only to the extent permitted under applicable data protection laws.
Please note that the restriction of the processing of your personal data may be also employed as an alternative to the erasure of your personal data, where permitted by applicable law.
Data portability:
To the extent that we automatically process your personal data provided to us based on your consent or a contract with you (including your employment contract), you have the right to receive the data in a structured, commonly used and machine-readable format and to transfer those data to another controller without hindrance from AUDI AG. You also have the right to have the personal data transferred directly from AUDI AG to another controller where technically feasible and provided that this does not adversely affect the rights and freedoms of others.
Objection:
If we process your personal data on the basis of legitimate interests or in the public interest, you have the right to object to the processing of your data on personal grounds. In addition, you have an unrestricted right to object if we process your data for our direct marketing. Please see our separate note in the "Information on your right to object" section.
Withdrawal of consent:
If you have given consent to the processing of your personal data, you may withdraw it at any time. Please note that the withdrawal shall only be effective for the future. Processing that occurred before the withdrawal shall not be affected.
Complaint:
In addition, you have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data is unlawful. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy. The address of the data protection supervisory authority responsible for AUDI AG is:
Bayerisches Landesamt für Datenschutzaufsicht
Promenade 18
91522 Ansbach
Deutschland / Germany
See Appendix 1 "Additional rights of data subjects and further country-specific information" for contact details of national supervisory authorities and further country-specific information.
Information on your right to object
Right to object on grounds relating to your particular situation
You have the right to object to the processing of your personal data on grounds relating to your particular situation. The prerequisite for this is that the data processing takes place in the public interest or on the basis of balancing of interests. This also applies for any profiling.
Insofar as we base the processing of your personal data on balancing of interests, we generally assume that we can demonstrate compelling legitimate grounds, but we will, of course, examine each individual case.
In the event of an objection, we will no longer process your personal data, unless,
· we can demonstrate compelling legitimate grounds for the processing of such data which override your inter-ests, rights and freedoms or
· your personal data are used for the establishment, exercise or defense of legal claims.
Objection to the processing of your data for our direct marketing purposes
Where we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing. If you object to the processing for direct marketing purposes, we will no longer process your personal data for such purposes, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
Objection to the processing of your data for product improvement and general customer analysis
As part of the legitimate interests, we grant you a separate right of objection with regard to the processing of your personal data for product improvement and general customer analysis.
If you object to the processing for the purpose of product improvement and/or general customer analysis, we will no longer process your personal data for these purposes. Purely statistical evaluations of aggregated or otherwise anonymous data remain unaffected by this.
Exercise of the right to object
The objection can be exercised in any form and should preferably be addressed to the contact details listed in this privacy notice.
Version: 06/2025
Annex 1 – Additional data subject rights and further country-specific information
Argentina
We process your personal data on the basis of the following legal bases for the following purposes:
Purpose
Legal grounds
Categories of data
Implementation of employment, HR administration and employer duties (communication & management, work organization, HR service)
Fulfillment of contract, consent, compliance with a legal obligation
See section 4
Review and optimization of systems, facilities, workflows and processes
Compliance with a legal obligation,
consent
See section 4
Customer order processing, including vehicle production and provision of digital services
Contract fulfillment (e.g. service contract, vehicle purchase contract or contract for special equipment), consent
See section 4
Prevention of legal violations (especially criminal offenses) and abuse
Fulfillment of legal obligations, consent
See section 4
Contract management (other contracts), in particular business partner management
Fulfillment of contract, consent
See section 4
Data trading and management
Contract fulfillment, consent
See section 4
Development and testing of components, products and services
Contract fulfillment (e.g. service contract, vehicle purchase contract or contract for special equipment) and consent
See section 4
Operational safety and emergency management, owner's or tenant's right to undisturbed possession of premises and to keep out trespassers
Fulfillment of legal obligations, consent
See section 4
Internal administration
Contract fulfillment, fulfillment of legal obligations, consent if necessary
See section 4
Legal affairs and compliance
Compliance with a legal obligation, public interest, fulfillment of legal obligations, consent, fulfillment of contract
See section 4
Customer and prospective customer care, advertising
Consent, fulfillment of contract (contract to which your request relates, e.g. vehicle purchase contract, delivery, etc.)
See section 4
Market and opinion research
Consent
See section 4
Customer analysis and customer evaluation
Consent
See section 4
Customer inquiries and customer complaints
Contract fulfillment (e.g. service contract, vehicle purchase contract or contract for special equipment) and consent
See section 4
Warranty and goodwill
Contract fulfillment, consent
See section 4
Warranty management including product recalls
Contract fulfillment (service contract), consent, contract fulfillment
See section 4
You have the right to
· access;
· rectification;
· erasure;
· file a complaint regarding the processing of your personal data to THE PUBLIC INFORMATION ACCESS AGENCY, which, depending on the facts of the individual case, in its capacity as the Control Entity of Law No. 25,326, has the power to attend complaints and claims filed by those whose rights are affected due to breaches with applicable regulations on personal data protection.
Australia
You have the right to
· access;
· rectification;
· lodge a complaint with both AUDI AG and the Office of the Australian Information Commissioner (“OAIC”) or any other dispute recognition scheme recognized by the OAIC which can be found on the OAIC website www.oaic.gov.au.
If you are concerned with the way we have handled your personal data, you may lodge a privacy complaint with the Office of the Australian Information Commissioner (“OAIC”). However, it is a requirement of the OAIC that prior to lodging a complaint, you have raised your complaint with us. If you are not satisfied with our response or we fail to provide a response within 30 days of receipt, you can lodge a complaint with the OAIC. The contact details for the OAIC are set out below:
Phone
1300 363 992
Fax
(02) 9284 9666
Website
Post
GPO Box 5288, Sydney NSW 2001
Brazil
You have the right to
· to be informed about the collection and use of your personal data, by us, in a readily accessible manner, and in plain and clear language. You also have the right to be informed about any public or private entity with whom your data has eventually been shared. We are implementing your right to be informed, also through this notice, the content of which may be updated from time to time.
· information access;
· obtain a copy when the legal basis for processing is consent or performance of a contract;
· erasure when consent is the legal basis for processing: please note that exceptions to this right might apply, namely, when the data is needed for (i) compliance with legal obligations; (ii) study by a research organization; (iii) transfer to third parties; (iv) use solely by the controller, as long as the data is anonymized;
· rectification;
· object to the processing (e.g. if the data is being unlawfully processed);
· data portability;
· withdraw consent at any time;
· anonymize, block or delete unnecessary or excessive personal data or data processed in noncompliance with data protection law;
· review decisions made solely on the basis of automated processing;
· lodge a complaint before ANPD (Autoridade Nacional de Proteção de Dados) against the data controller;
· be informed of the possibility of not providing consent and the consequences thereof;
· be informed about the public and private entities with whom the data has been shared.
Canada
Please note
Personal data may be processed or stored outside of Canada for purposes consistent with this Data Protection Notice. You acknowledge and agree that, as a result, the personal data that is processed or stored or accessed in other jurisdictions may be subject to the laws of those jurisdictions and may be disclosed in response to valid demands or requests from government authorities, courts, or law enforcement in such other countries.
Under Canadian law, you have the right to
· opt out of information handling practices that are not reasonably necessary to provide the services you’ve requested. You can exercise this right by contacting using the contact details set out in Sec. B. II.
· be informed of the use by us of technology allowing us to profile, locate or identify you and of the means available to you to activate the functions that allow us to identify, locate or profile you.
While Audi AG takes the security of personal data seriously and uses industry standard security risks associated with transferring and processing personal data contemplated herein. However, no security or processes are fool proof. If personal data is accessed by third parties, it may lead to phishing attempts to get more information from you and/or identify theft.
Colombia
Pursuant to the provisions of art. 8 of Law 1581 of 2012, you have the right to
· know, update and rectify your Personal Data from the Controller or the Processor. This right can be exercised, among other, regarding partial data as well as in respect to data that is incomplete or fractioned, that induces error, or those whose Processing is expressly forbidden or has not been authorized;
· request evidence of the authorization granted to the Controller unless when it is expressly excepted as a requirement for the Processing, pursuant to the provisions of article 10 of law 1581 of 2012;
· be informed by the Controller or the Processor upon request, in respect to the use that has been made of your Personal Data;
· file to the Superintendence of Industry and Commerce complaints for infractions to the provisions of Law 1581 of 2012 as amended, added to or supplemented from time to time;
· revoke the authorization and/or to request the deletion of the specific data, provided that there is no legal or contractual obligation that imposes on you the duty to remain in the database;
· have access, free of charge, to your Personal Data that has been the subject of Processing, at least once per calendar month and whenever there are substantial amendments to the Processing policies.
Procedures you have to follow to exercise your personal data rights
A. Complaints: You may file complaints regarding the Personal Data kept in AUDI AG's databases, according to the following rules:
· The complaint will be analyzed to verify your identification. If the complaint is made by a person other than you and the capacity of such person is not accredited according to the laws in force, the complaint will be rejected.
· All the complaints will be resolved in a maximum term of ten (10) business days as from the date in which the same are received. If it is not possible to answer the complaint within said term, you will be informed, expressing the reasons for the delay and informing a date in which the inquiry will be answered, which cannot exceed, in any case, five (5) business days after the expiration of the original term.
B. Requests: If you consider that the data contained in AUDI AG's databases must be subject to corrections, updates or deletion, or when they notice the alleged breach of any of the duties, you may file a request according to the following rules:
· The requests will be analyzed to verify your identification. If the request is made by a person other than you and the representation thereof is not accredited according to the regulations in force, the request will be rejected.
· The request must contain the following information: (i) your identification; (ii) contact data (physical and/or electronic address and contact phone numbers); (iii) the documents that accredit your identity, or your representation; (iv) The clear and precise description of the Personal Data regarding which you seek to exercise any of the rights; (v) The description of the facts that lead to the request; (vi) The documents that they intend to enforce; (vii) signature and identification number.
· If the request is incomplete, AUDI AG shall make a requirement to you, within a term of five (5) days after the receipt of the request, to remedy the defects. If two (2) months lapse from the date of the requirement and you have not given the information required, it shall be construed that you have desisted the request.
· If the area that receives the request is not competent to answer it, it shall pass it to the relevant area or person within a term of two (2) business days and will inform this situation to the interested party.
· Once the complete request has been received, a note saying “request being processed” shall be included in the database with the reason thereof, in a term of no more than two (2) business days. Said note must be left in place until the moment in which the claim is decided.
· The maximum term to answer the request will be fifteen (15) business days as from the day after the date in which it is received. When it is not possible to answer the request within that term, the reasons of the delay shall be informed to the interested party together with the date in which the request will be answered, which under no circumstances can exceed eight (8) business days after the expiration of the first term.
· You have the right, at all times, to request the deletion of your Personal Data. The deletion implies the total or partial removal of the Personal Data from the Data Bases, according to your request. The deletion right is not absolute and AUDI AG may refuse the exercise thereof in the following events: (i) If you have a legal or contractual duty to remain in the Database or if the Controller has a legal or contractual obligation that means that it has to keep the Personal Data; (ii) The deletion of the Personal Data would thwart judicial or administrative activities related to fiscal obligations, the investigation and persecution of crimes or the update of administrative sanctions; (iii) The Personal Data is necessary to protect your interests protected by the laws, to perform an action pursuant to the public interest, or to comply with an obligation legally acquired by you or by the Controller.
Authorization: As from the enactment of this Notice, at the time of the collection of Personal Data, AUDI AG shall request the prior authorization from you and you shall be duly informed about the specific purposes of the Processing for which such consent has been obtained, excepting in the case of any one of the exceptions provided in article 10 of Law 1581 of 2012 for such purposes.
AUDI AG may transmit and/or transfer your Personal Data to third parties located in Colombia or abroad, as long as AUDI AG has the prior and express authorization of you of the Personal Data.
Retention period: The information provided by you shall only be used for the purposes herein established. Once the need for the Processing of the Personal Data has ceased, the same shall be deleted from AUDI AG's databases.
Hong Kong
In addition to your rights set out in Sec. 7, you may withdraw your consent to the use of your personal data.
In addition to your rights set out in Sec. 7.1, you will be informed at the time of the first communication with you in direct marketing without charge to you.
India
You have the right to
· access;
· rectification;
· withdraw consent;
· contact the Grievance Officer. The Data Protection Officer is the Grievance Officer for AUDI AG. For the contact details please see Sec. 1.
Israel
You have the right, subject to Protection of Privacy Law, 5741-1981 and the regulations enacted therefrom, to
· be informed if you are under a legal duty to provide the data, the purpose of collection, and details of any third party that will receive the data and for what purpose;
· access;
· rectification: request correction of the inaccurate or missing data or request deletion or destruction of the data;
· object to the processing (e.g. if the data is being unlawfully processed).
Malaysia
You have the right to
· request access to your personal data;
· request correction of your personal data;
· prevent processing likely to cause damage or distress; and
· prevent processing for purposes of direct marketing.
Upon exercising your rights stated above in written form addressed to the contact details listed in section 1., if you are dissatisfied with our response or we fail to provide a response within 21 days of receipt, you have the right to submit an application to the Personal Data Commissioner to require us to comply with your request. The application to the Personal Data Commissioner can be made to the following address:
Commissioner of Personal Data Protection, 6 th Floor, KKMM Complex Lot 4G9, Persiaran Perdana, Presint 4 Federal Government Administrative Center 62100 Putrajaya.
In the event of any inconsistencies between the English version and the Bahasa Malaysia version of this Privacy Notice, the English version shall prevail.
Mexico
You have the right to:
· access;
· rectify;
· cancel;
· oppose;
· file data protection measures with the Federal Institute for Access to Information and Data Protection;
· request a reconsideration of a decision made via automated decision making in case you are of the opinion that the data processed in this context is (partly) incomplete or incorrect.
The purposes disclosed in Section 3 of this Privacy Notice that rely on the performance of a contract or the need to comply with legal obligations are considered Primary Purposes. These purposes are necessary for the provision of our services and to fulfill our legal and contractual obligations. For these purposes, your consent is not required as they are essential to our relationship and the services we provide.
Any other purposes disclosed in this Privacy Notice that rely on our legitimate interest are considered Secondary Purposes. These purposes are not necessary for compliance with legal or contractual obligations. We will only process your personal data for these Secondary Purposes with your explicit consent.
You have the right to opt-out of the processing of your personal data for Secondary Purposes at any time. To exercise this right, please send a request to the following email address: datenschutz@audi.de.
New Zealand
You have the right to
· know what personal data is held;
· request for personal data held and access the personal data;
· rectification;
· a response to your request within 20 working days, if you make a request for access to or rectification of your personal information. In limited circumstances, AUDI AG may extend this 20 working day time limit, but we must tell you the period of the extension and the reasons for the extension.
· lodge a complaint with both AUDI AG and the Privacy Commissioner. However, it is a requirement that before you can complain to the Privacy Commissioner you must first raise your complaint with AUDI AG. If you are not satisfied with AUDI AG’s response or you do not receive a response, you can lodge a complaint to the Privacy Commissioner. In general, you should wait at least 30 working days for a response before contacting the Privacy Commissioner to lodge a complaint.
Serbia
You have the right to be informed about appropriate safeguards in case of a data transfer to countries or international organizations outside Serbia that do not provide an adequate level of data protection recognized by a Serbian Government Decision. All EU / EEA Member states provide an adequate level of data protection recognized by a Serbian Government Decision.
Singapore
You have statutory rights as provided under Singapore's Personal Data Protection Act 2012, including the rights to
· request access to your personal data;
· request correction of your personal data; and
· withdraw consent to the collection, use or disclosure of your personal data (where applicable), subject to any grounds for the collection, use or disclosure without your consent that are required or authorized under the Personal Data Protection Act 2012 or any other written law of Singapore.
South Africa
You have the right to
· not have your personal data processed for the purposes of direct marketing by unsolicited electronic communication;
· initiate civil proceedings;
· be informed if your personal information has been compromised;
· be informed, free of charge and before the information is included in a directory, should you be a subscriber to a printed or electronic directory;
· lodge a complaint to the Information Regulator of South Africa by completing this form and sending it to POPIAComplaints@inforegulator.org.za.
For further information about your South African data privacy rights, please click here which will take you to the website of the Information Regulator.
South Korea
You (and your legal representative) have statutory rights under the Korean Personal Information Protection Act, in particular the right to
· access;
· rectification / erasure;
· suspension of processing; and
· withdrawal of consent.
You (or your legal representative) can exercise such rights by contacting us or our data protection officer using the contact details set out in Section B.II.
Certain personal data may be retained for compliance with local laws and regulations for certain periods, such as the following:
· All transaction records and relevant documentary evidence as prescribed by applicable tax laws: 5 years (as required under the Framework Act on National Taxes and the Corporate Tax Act)
· Records of logins: 3 months (as required under the Protection of Communications Secrets Act)
· Records on labels and advertisements: 6 months (as required under the Act on Consumer Protection in Electronic Commerce)
· Records on revocation of contracts or cancellation of orders/purchases, payments, provision of products and services: 5 years (as required under the Act on Consumer Protection in Electronic Commerce)
· Records on handling of customer complaints or disputes: 3 years (as required under the Act on Consumer Protection in Electronic Commerce
The process and method for destroying personal data are set forth below.
· Process of destruction: We select the relevant personal data to be destroyed and destroy it with the approval of our Data Protection Officer.
· Method of destruction: We destroy personal data recorded and stored in the form of electronic files by using a technical method (e.g., low level format) to ensure that the records cannot be reproduced, while personal data recorded and stored in the form of paper documents shall be shredded or incinerated
If it is necessary to retain personal data for a period longer than the legal retention periods described herein, to the extent required by the laws of the applicable country, we shall obtain the data subject’s consent for such longer retention of personal data.
Taiwan
You have the right to
· make an inquiry of and to review your personal data;
· request a copy of your personal data;
· supplement or correct your personal data;
· demand the cessation of the collection, processing or use of your personal data; and
· erase your personal data.
Thailand
Please note that your right to obtain a copy of the personal data is subject to law or pursuant to a court order, and must not adversely affect the rights and freedoms of others.
Turkey
You have statutory rights under Art. 11 of the Turkish Data Protection Law, in particular the right to
· request reporting of the operations carried out which are rectification of the incomplete or inaccurate data, if any and the erasure or destruction of your personal data) to third parties to whom your personal data have been transferred;
· claim compensation for the damage arising from the unlawful processing of your personal data;
· object to the occurrence of a result against yourself by analyzing the data processed solely through automated systems,
· lodge a complaint with the Turkish Data Protection Authority (Kişisel Verileri Koruma Kurumu) Nasuh Akar Mahallesi 1407. Sok. No:4, 06520 Çankaya/Ankara/Turkey.
The objection can be exercised in the forms stated in Article 5/1 of the Communiqué On The Principles and Procedures for the Request To Data Controller.
Local representative:
Doğuş Otomotiv Servis ve Ticaret A.Ş
Şekerpınar Mahallesi, Anadolu Cad. No:22 Çayırova/Kocaeli - Mersis No: 0-3090-1147-1300010
T: 0262 676 90 90