In this Privacy Notice according to Art. 13, 14 EU-GDPR we are informing you about the automated, electronic processing of your personal data by AUDI AG, Auto-Union-Straße 1, 85057 Ingolstadt, Deutschland / Germany (”we”) in the context of the fulfillment of your contract with an Audi Service Partner or a service company (e.g. for the performance of repairs, services, inspections).

We will inform you about data processing in connection with the use of other products and services, e.g. myAudi and the Audi connect services, in separate data protection information. Your Audi partner will also inform you separately about data processing by them.

Personal data means any information relating to an identified or identifiable natural or, if provided under local law, legal person, including, as the case may be, sensitive personal data as defined under the laws of the country where you are located at the relevant time (‘data subject’); a data subject is one that can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.             Who is the controller for the processing?

The controller for the processing of your personal data is:

AUDI AG, Auto-Union-Straße 1, 85057 Ingolstadt, Germany.

Tax identification number / Registration number: DE811115368 / HRB Nr./Commercial Register No.: 1

2.             Who can I contact?

If you wish to assert your data protection rights, please use the contact options at

https://data-subject-rights.audi.com/

There, you will find further information regarding how you can assert your data protection rights. You may also send your request via mail: AUDI AG, DSGVO-Betroffenenrechte, 85045 Ingolstadt, Germany.

3.             Contact details of the data protection officer

For matters concerning data protection, you can also consult our company data protection officer, using your own language:

AUDI AG, Data Protection Officer, 85045 Ingolstadt, Germany

·       Email: datenschutz@audi.de

·       Telephone number: +49841 890

·       Office address of the company data protection officer: AUDI AG, Data Protection Officer, Auto-Union-Straße 1, 85057 Ingolstadt, Germany

4.             Which data do we process for which purposes and from which sources does it originate?

We process personal data which we receive from you within the scope of our business relationship, i.e. during the initiation, execution and management of your business relationship with us or the provision of services (including the processing of possible warranty and guarantee cases) or your enquiries if you contact us directly.

The personal data include:

·       Private contact and master data

We collect your data every time you contact us.

Secondly, we process personal data that we have lawfully obtained and are permitted to process from publicly accessible sources (e.g. the National Motor Transport Authority).

4.1.         Data provided by Audi Partners or service companies

We process - to the extent necessary in connection with your enquiry - personal data which we lawfully receive from Audi Service Partners or independent service companies in the course of carrying out repairs, services or processing your enquiries (e.g. for the execution of orders, for the performance of contracts or on the basis of your consent).

The personal data include: Private contact and master data, Professional work and organizational data, Vehicle master data and identification, Data on vehicle history and workshop visits, Vehicle usage data (vehicle usage and operating data),                  Legal transactions / contract data, Financial data, Particularly sensitive personal data

The vehicle identification number of your vehicle serves as a unique identifier for your vehicle in the event of possible warranty or guarantee cases, repair, maintenance and support services, our internal quality monitoring and in the event of theft of your vehicle.

4.2.         Data from your vehicle

If you use the services (e.g. repair services, maintenance work), data stored in the vehicle (software status, vehicle operation data, technical data and other vehicle status data) can be extracted and processed together with the VIN and other vehicle master data (e.g. vehicle model, vehicle equipment).

The collection of data from the vehicle can be achieved by extracting it using a so-called diagnostic device or specific extraction devices (analysis tools) by employees of the Audi service network (Audi Service Partner) or third parties (e.g. roadside assistance and towing services, independent service companies), or by an employee of Audi, either directly or via remote access to the diagnostic device of the service company.

Vehicle-related data (e.g. event memory, operating data, vehicle identification number, model, software version) are always extracted by the diagnostic device for analysis of the request and transferred to a diagnostic protocol. The service company transmits the diagnostic protocol to us for the purposes specified in Section 3.

Further data can be extracted on an individual basis depending on your request.

This may also include data from the infotainment module, e.g. address book entries for requests regarding the access to the address book, or profile settings that you have stored locally in the vehicle.

The service company processes the data extracted in order to analyze and resolve your complaint. As a principle, we generally only process such data relating to you or to your vehicle which is necessary for the efficient processing of your request and to support the service company or us in processing it.

In the following, we explain to you which data your vehicle processes and which data can be extracted and processed by us in connection to a request.

4.3.         Electronic control units - General information

Electronic control units are installed in your vehicle. Control units process data that they for example receive from vehicle sensors, generate themselves or exchange with each other. Some control units are necessary for the safe operation of your vehicle, others support you while driving (driver assistance systems), others enable comfort or infotainment functions. Specific information on data processing in your vehicle can be found in the respective operating manual, which is available online and, depending on the vehicle equipment, also in digital form in the vehicle, in direct connection with the data protection notices on the relevant features.

4.4.         Operational data in the vehicle

Control units process data to operate the vehicle. These include, for example:

·       Vehicle status information (e.g. speed, deceleration, lateral acceleration, number of wheel rotations, seat belt indicator system),

·       Environmental conditions (e.g. temperature, rain sensor, distance sensor).

Generally, such data is volatile and is not stored beyond the operating time and only processed within the vehicle itself. Control units often contain event logs (including the vehicle key). These are used to temporarily or permanently document technical incidents as well as information about the vehicle condition (e.g. component stress, maintenance information).

The following data is stored, depending on the technical equipment:

·       Operating states of system components (e.g. fill levels, tire pressure, battery status),

·       Malfunctions in important system components (e.g. lights, brakes),

·       System reactions to special driving situations (driver assistance systems),

·       Information about events affecting the condition of the vehicle (e.g. charging status of the high-voltage battery in electric vehicles, estimated range).

In special cases (e.g. if the vehicle has detected a malfunction) it may be necessary to store data which would otherwise only be volatile.

If you make use of services, the stored operational data can be extracted together with the VIN if necessary. The extracted operating data documents the technical status of the vehicle or individual components and supports diagnosis, quality improvement and compliance with warranty or guarantee obligations.

The data is generally extracted via defined interfaces, e.g. the legally required connection for OBD ("on-board diagnosis") or the service key. These data, in particular information on component stress, technical events (event log entries), operation errors and malfunctions, are transmitted to us, together with the VIN, if necessary as part of the diagnostic protocol.

Event logs in the vehicle can be reset by a service company as part of repair or service work or at your request.

4.5.         Technical data (IUMPR)

Regular functionality checks of components involved in exhaust gas cleaning are legally required.

To prove regular checks (diagnosis) have been conducted, the In-Use Monitor Performance Ratio (IUMPR) is determined in the control unit (data verifying the diagnostic function) and stored there as technical data.

4.6.         Comfort and infotainment functions

You can save comfort settings and customizations in the vehicle and change or reset them at any time. Depending on the respective equipment, these include, for example

·       Settings for seat and steering wheel positions,

·       Chassis and air conditioning settings,

·       Customizations such as interior lighting.

Within the scope of the selected equipment, you can introduce your own data into the infotainment-functions of the vehicle. Depending on the respective equipment, these include, for example:

·       Multimedia data, such as music, films or photos for playback and reproduction in an integrated multimedia system,

·       Address book data used in combination with an integrated hands-free system or navigation system,

·       Navigation destinations entered,

·       Data on the use of Internet services.

Generally, such data will only be transferred from the vehicle at your request, especially regarding the use of online services according to the settings you have selected.

Data from comfort and infotainment functions, e.g. individual settings or customizations, cannot be extracted using the diagnostic device and are therefore not a standard part of the diagnostic protocol. Such data is extracted only in individual cases and upon request of the customer. In connection to a complaint regarding the area of comfort and infotainment functions, it may be necessary for this data to be extracted and transmitted to us for the purpose of repair support.

Depending on the respective equipment, the following data in particular can be extracted from the comfort functions and processed, if required:

·       Settings for seat and steering wheel positions,

·       Chassis and air conditioning settings,

·       Volumes of the parking aid,

·       Customizations such as interior lighting

Depending on the respective equipment, the following data in particular can be extracted from the infotainment functions and processed, if required:

·       Multimedia data, such as music, films or photos for playback and reproduction in an integrated multimedia system,

·       Address book data used in combination with an integrated hands-free system or navigation system,

·       Navigation destinations entered,

·       Data on the use of Internet services.

·       Information about connected devices, such as mobile phones (in this case primarily device name, manufacturer, software version).

In this context for example, the last recognized voice command can also be extracted.

Such data regarding comfort and infotainment functions can be stored locally in the vehicle or on a device you have connected to the vehicle (e.g. smartphone, USB stick or MP3 player). If you have entered data yourself, you can delete it at any time.

If a control unit is replaced as part of a repair, this data is usually extracted from the old control unit and transferred to the new control unit.

4.7.         Online services

If your vehicle has a wireless network connection, this enables the exchange of data between your vehicle and other systems (data servers of Audi or data servers of service providers). In certain countries, the wireless network connection is made possible by an onboard transmitter and receiver unit (built-in by us) or by a mobile device (e.g. smartphone) installed by you.

Online functions (information and control services for your vehicle) can be used via this network connection. This includes online services and applications/apps provided to you by us or other providers ("Audi connect services").

Regarding the Audi online services, a description of the respective functions and the associated data protection information are provided at a suitable location (e.g. MMI, Audi website). Personal data may be processed for the purpose of providing online services.

If this is necessary for processing your service request, we can also access the data stored in our IT systems from the online services as well as information on the status of the Audi connect services, i.e. license periods, connection status, contract status.

4.8.         Video, image and sound recording

In some individual cases it may be necessary to make video, image or sound recordings of individual components from your vehicle and to transmit these to Audi, e.g. in the event of complaints, to be able to carry out a targeted analysis and the resolution of complaints (repair support). This may be possible, for example, in the case of acoustic complaints in order to find the cause of the noise emission and to be able to resolve the complaint.

5.             Which data do we process for which purposes and which legal bases apply?

We process your personal data in accordance with the provisions of the General Data Protection Regulation (“GDPR”) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”) and other local law for various purposes..

The processing of your personal data must be based on one of the following legal bases:

·       You have given your consent (Art. 6(1)(a) GDPR);

·       Processing is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract (Art. 6(1)(b) GDPR);

·       Processing is necessary for compliance with a legal obligation under EU law or the law of an EU member state to which we are subject (Art. 6(1)(c) GDPR);

·       Processing is necessary in order to protect your vital interests or those of another person (Art. 6(1)(d) GDPR);

·       processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (Art. 6(1)(e) GDPR)

·       Processing is necessary for the purposes of the legitimate interests pursued by AUDI AG or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child (Article 6(1)(f) GDPR).

If, in exceptional cases, we process special categories of personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health or data concerning a person's sex life or sexual orientation) about you, one of the following legal bases must also apply:

·       You have given your explicit consent (Art. 9(2)(a) GDPR);

·       The processing is necessary to protect your vital interests or those of another person and the data subject is physically or legally incapable of giving consent (Art. 9(2)(c) GDPR);

·       the processing relates to personal data which you have manifestly made public (Art. 9(2)(e) GDPR)

·       processing is necessary for the establishment, exercise or defense of legal claims (Art. 9(2)(f) GDPR)

·       processing is necessary for reasons of substantial public interest on the basis of EU law or the law of an EU Member State which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard your fundamental rights and interests (Art. 9(2)(g) GDPR).

Following on from the above, we process your personal data on the basis of the following legal bases for the following purposes:

Purpose

Legal grounds

Legitimate interest

Categories of data

Personal identity checks and checking of licenses and permits/authorizations

Consent, balancing of interests, implementation of pre-contractual measures, performance of a contract

Review of conflicts of interest, prevention of industrial espionage, maintenance and improvement of product quality, assertion, exercise or defense of legal claims of AUDI AG or the respective AUDI dealer

See section 4

Review and optimization of systems, facilities, workflows and processes 

Balancing of interests

Control of product quality and prevention of product damage, preventive complaint management

See section 4

Review and optimization of products and services

Compliance with a legal obligation, balancing of interests

Control of product quality and prevention of product damage, preventive complaint management

See section 4

Customer order processing, including vehicle production and provision of digital services

Contract fulfillment (e.g. service contract, vehicle purchase contract or contract for special equipment), balancing of interest, consent

- efficient identification and analysis of events and conclusion regarding modifications to the vehicle (tuning, modifications, etc.) in order to remedy customer complaints
- Support for the AUDI dealer in fulfilling its legal obligations towards you

See section 4

Prevention of legal violations (especially criminal offences) and abuse

Fulfillment of legal obligations, balancing of interests

- Compliance with legal and regulatory requirements
- Verification of compliance with legal provisions, internal company guidelines, rules and standards of AUDI AG, Group companies, employees, business partners and other third parties

See section 4

Contract management (other contracts), in particular business partner management

Balancing of interests, fulfillment of contract, consent

Fulfillment of legal requirements of AUDI dealers, professionalization of the AUDI brand image and improvement of the experience for customers through qualification of the employees of our trade and business partners; improvement of cooperation with trade and business partners

See section 4

Data trading and management

Contract fulfillment, consent

See section 4

Development and testing of components, products and services

Contract fulfillment (e.g. service contract, vehicle purchase contract or contract for special equipment) and consent, balancing of interests

Improvement of road safety and own products, promotion of science

See section 4

Operational safety and emergency management, owner's or tenant's right to undisturbed possession of premises and to keep out trespassers

Fulfillment of legal obligations, balancing of interests, consent

Maintaining plant safety, access control, accident prevention

See section 4

Internal administration

Contract fulfillment, balancing of interests, fulfillment of legal obligations, consent if necessary

- Analysis of sales and order data according to sales channel model, order status
- Analysis of requested variants and equipment
- Reporting on business parameters using the VIN
 if necessary - Implementation of evaluations to manage our business processes and cost control based on the analysis of sales and order data according to sales channel model, order status, analysis of requested variants and equipment, reporting on business parameters, using vehicle identification number if necessary using the vehicle identification number
- Maintaining operations
- Compliance with legal and regulatory requirements
- Providing benefits and support for employees
- Maintaining product quality
- Preventing recourse claims
- Preparation and follow-up of events, improving the organization for the future,

See section 4

Legal affairs and compliance

Compliance with a legal obligation, public interest, fulfillment of legal obligations, balancing of interests, fulfillment of contract

- Compliance with legal and regulatory requirements
- Verification of compliance with legal provisions, internal company guidelines, rules and standards of AUDI AG, Group companies, employees, business partners and other third parties,
- Compliance with legal and regulatory requirements, assertion, exercise or defense of legal claims of or against AUDI AG or the respective Audi dealer
- Verification of compliance with contractual and legal obligations by AUDI AG, its employees and its sales partners, suppliers, etc., if necessary using the vehicle identification number

See section 4

Customer and prospective customer care, advertising 

Consent, balancing of interests, fulfillment of contract (contract to which your request relates, e.g. vehicle purchase contract, delivery, etc.).

Representing AUDI AG and providing information about its activities and products, adapting online services to the changing needs of users, maintaining and improving product quality
-

See section 4

Customer analysis and customer evaluation

Consent, balancing of interests

Analyzing sales and order data according to sales channel model, order status
- Analyzing requested variants and equipment
- Reporting on business parameters, using FIN if necessary using the FIN
- carrying out analyses to manage our business processes and cost control based on the analysis of sales and order data according to the sales channel model, order status, analysis of requested variants and equipment, reporting on business parameters, if necessary using the vehicle identification number, maintaining and improving product quality, representing AUDI AG and providing information about its activities and products, adapting online services to changing user needs

See section 4

Customer enquiries and customer complaints 

Contract fulfillment (e.g. service contract, vehicle purchase contract or contract for special equipment) and consent, balancing of interests

Control of product quality and prevention of product damage, preventive complaint management

See section 4

Warranty and goodwill

Contract fulfillment, consent

See section 4

Warranty management including product recalls

Contract fulfillment (service contract), balancing of interests, contract fulfillment

- Effective and efficient detection and analysis of events and conclusion regarding modifications to the vehicle (tuning, modifications, etc.) in order to remedy customer complaints
- Effective event detection and analysis in order to be able to rectify events and complaints;
- Support for the AUDI dealer in fulfilling its legal obligations towards you;

See section 4

Please note: If the applicable local law of the country where you are located at the relevant time foresees additional requirements regarding the legal bases, we will comply with such additional requirements and will inform you accordingly. This in particular applies, where such local law requires (express) consent for the processing of your personal data.

Please note your rights to object to the processing of data for the purpose of direct marketing or for personal reasons and your right to withdraw consent (see section "Which rights do you have?" and the section "Information on your right to object").

5.1.         Is there an obligation to provide personal data?

As part of the execution of your contract with an Audi Service Partner or a service company, you only need to provide the personal data that is required for the execution of your contract, or that we are required or permitted to collect by law. Without this data, we will generally have to refuse to enter into the contract or to execute the order, or will be unable to perform an existing contract and possibly have to terminate it.

1.2           Who receives my data?

Within AUDI AG, those entities receive your data that need your data for the performance of our contractual and statutory obligations and to pursue legitimate interests (e.g. quality control).

Service providers employed by us and working on our behalf (so-called processors), who support data processing on our behalf, also receive data for these purposes. We only use processors in Germany. For example, your email address may be passed on to a service provider so that they can deliver a newsletter you have ordered. Service providers may also be commissioned to provide server capacity. This includes:

Category of Processor

Name of Processor

Processing purpose

Group companies

Volkswagen AG

IT security, hosting and support service provider, IT operation

We will generally share your personal data with third parties only if this is necessary for the performance of the contract, if we or the third party have a legitimate interest in the disclosure, or if you have given your consent, subject to applicable local laws. In addition, data may be shared with third parties (including investigative or security authorities) to the extent we should be required to do so by law or by enforceable regulatory or judicial orders. Third parties to whom we disclose your personal data and who act as data controllers under data protection law include

·       Service providers / suppliers

·       Public authorities

·       Legal, economic and financial representatives

·       Trading partners

·       Group companies

These third parties include:

Third Party Name

Items of transmitted personal data

Purpose of transfer

Local importers in the country of service

See section 4

Quality/performance assurance, product/field observation, warranty and guarantee, customer order processing

6.             Is data transferred to a third country?

A transfer of data to third countries (i.e. countries that are neither members of the European Union nor of the European Economic Area) may take place, to the extent this is required for the provision of services to you, is required by law, or you have given us your consent (in the absence of any other appropriate safeguarding mechanism under applicable law). Please note: Under the applicable local laws of the jurisdiction where you are located at, a transfer to a third country might be defined as a transfer outside of the territory or country where you are located at the relevant time.

Please note that not all third countries have a level of data protection recognized as adequate by the competent body of the country where you are located at the relevant time (e.g. the European Commission). AUDI AG will only transfer your personal data to third countries to the extent permitted by applicable law. Insofar as AUDI AG relies on appropriate safeguards in accordance with applicable law (e.g. Standard Contractual Clauses or Binding Corporate Rules pursuant to Art. 46(2) GDPR for third country transfers), AUDI AG will take such additional technical and/or organizational measures to the extent necessary to maintain an adequate level of protection of your personal data, as required under applicable laws.

You can obtain a copy from us of the specific applicable or agreed rules to ensure the adequate level of data protection. Please use the information in the Contact section for this purpose.

Your data will be transferred to the following recipients in a third country:

Name of recipient

Name of third country

Purpose of third-country transfer

Recipient of onward transfer

n.a.

7.             How long will my data be stored?

We store your data as long as it is necessary for the provision of our services to you or we have a legitimate interest in the further storage.

In addition, we are subject to various retention and documentation obligations, which result, inter alia, from the German Commercial Code (Handelsgesetzbuch, “HGB”) and the German Tax Code (Abgabenordnung, “AO”). The periods specified therein for retention and documentation are up to ten years. Finally, the storage period is also assessed according to the statutory limitation periods, which can be up to thirty years, for example, according to Sections 195 et seqq. of the German Civil Code (Bürgerliches Gesetzbuch, “BGB”), with the regular period of limitation being three years.

Under certain circumstances, your data may also need to be retained for a longer period of time, such as when a so-called legal hold or litigation hold (i.e. a prohibition of data deletion for the duration of the proceedings) is ordered in connection with administrative or judicial proceedings.

We may also be subject to retention and documentation obligations in line with the local legislation of your country.

8.     Which rights do I have?

All the below described rights concerning the personal data and the processing thereof may be subject to limitations, according to the applicable EU and/ or national laws. Depending on your jurisdiction, as the data subject, you may be entitled to the following data protection rights. Please note: Your data protection rights under the local laws of the country where you are located at the relevant time may differ from the rights described below. Please see Annex 1 for additional, country-specific information, in particular on rights that you might have under local laws. Such rights apply, to the extent the legal requirements are met, in addition to your rights provided under the GDPR.

As a data subject, you are generally entitled to the following data protection rights:                

Access:

You have the right to request information about the data stored about you at AUDI AG and the scope of the data processing and disclosure carried out by AUDI AG and to receive a copy of the personal data stored about you.

Rectification:

You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you as well as the completion of incomplete personal data stored concerning you at AUDI AG.

Erasure:

You have the right to obtain the erasure of the personal data concerning you stored at AUDI AG without undue delay if the statutory requirements are met.

This may be the case, in particular, if

·       Your personal data are no longer necessary in relation to the purposes for which they were collected;

·       The sole legal ground for the processing was your consent and you have withdrawn it;

·       You have objected to the processing based on the legal ground of balancing of interests on grounds relating to your particular situation and we cannot prove that there are overriding legitimate grounds for the processing;

·       Your personal data have been unlawfully processed; or

·       Your personal data have to be erased for compliance with a legal obligation.

If we have shared your data with third parties, we will inform them about the erasure, insofar as required by law.

Please note that your right to erasure is subject to restrictions. For example, we are not required or allowed to delete data that we are still obligated to retain due to statutory retention periods. Similarly, data that we need for the establishment, exercise or defense of legal claims are excluded from your right of erasure.

Restriction of processing:

You have the right to obtain, under certain conditions, restriction of processing (i.e. the marking of stored personal data in order to restrict their future processing). The requirements are, in particular:

·       The accuracy of your personal data is contested by you and AUDI AG must verify the accuracy of your personal data;

·       The processing is unlawful, but you oppose the erasure of the personal data and instead request the restriction of the use of the personal data;

·       AUDI AG no longer needs your personal data for the purposes of processing, but you require the data for the establishment, exercise or defense of legal claims;

·       You have objected to the processing and the verification is pending whether the legitimate grounds of AUDI AG override yours.

In the event of a restriction of the processing, the data will be marked accordingly and will be – except for their storage – only processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of a EU Member State or of the country where you are located at the relevant time, in each case only to the extent permitted under applicable data protection laws.

Please note that the restriction of the processing of your personal data may be also employed as an alternative to the erasure of your personal data, where permitted by applicable law.

Data portability:

To the extent that we automatically process your personal data provided to us based on your consent or a contract with you (including your employment contract), you have the right to receive the data in a structured, commonly used and machine-readable format and to transfer those data to another controller without hindrance from AUDI AG. You also have the right to have the personal data transferred directly from AUDI AG to another controller where technically feasible and provided that this does not adversely affect the rights and freedoms of others.

Objection:

If we process your personal data on the basis of legitimate interests or in the public interest, you have the right to object to the processing of your data on personal grounds. In addition, you have an unrestricted right to object if we process your data for our direct marketing. Please see our separate note in the "Information on your right to object" section.

Withdrawal of consent:

If you have given consent to the processing of your personal data, you may withdraw it at any time. Please note that the withdrawal shall only be effective for the future. Processing that occurred before the withdrawal shall not be affected.

Complaint:

In addition, you have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data is unlawful. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy. The address of the data protection supervisory authority responsible for AUDI AG is:

Bayerisches Landesamt für Datenschutzaufsicht

Promenade 18

91522 Ansbach

Deutschland / Germany

See Appendix 1 "Additional rights of data subjects and further country-specific information" for contact details of national supervisory authorities and further country-specific information.

8.1.         Information on your right to object

Right to object on grounds relating to your particular situation

You have the right to object to the processing of your personal data on grounds relating to your particular situation. The prerequisite for this is that the data processing takes place in the public interest or on the basis of balancing of interests. This also applies for any profiling.

Insofar as we base the processing of your personal data on balancing of interests, we generally assume that we can demonstrate compelling legitimate grounds, but we will, of course, examine each individual case.

In the event of an objection, we will no longer process your personal data, unless,

·       we can demonstrate compelling legitimate grounds for the processing of such data which override your inter-ests, rights and freedoms or

·       your personal data are used for the establishment, exercise or defense of legal claims.

Objection to the processing of your data for our direct marketing purposes

Where we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing. If you object to the processing for direct marketing purposes, we will no longer process your personal data for such purposes, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

Objection to the processing of your data for product improvement and general customer analysis

As part of the legitimate interests, we grant you a separate right of objection with regard to the processing of your personal data for product improvement and general customer analysis.

If you object to the processing for the purpose of product improvement and/or general customer analysis, we will no longer process your personal data for these purposes. Purely statistical evaluations of aggregated or otherwise anonymous data remain unaffected by this.

Exercise of the right to object

The objection can be exercised in any form and should preferably be addressed to the contact details listed in this privacy notice.

Annex 1 – Additional data subject rights and further country-specific information

Argentina

In deviation to the legal bases set out in the table in Sec. 3, for Argentina we process your personal data on the basis of the following legal bases for the following purposes:

Purpose

Legal grounds

Categories of data

Personal identity checks and checking of licenses and permits/authorizations

Consent, implementation of pre-contractual measures, performance of a contract

See section 4

Review and optimization of systems, facilities, workflows and processes 

Consent

See section 4

Review and optimization of products and services

Compliance with a legal obligation, consent.

See section 4

Customer order processing, including vehicle production and provision of digital services

Contract fulfillment (e.g. service contract, vehicle purchase contract or contract for special equipment), consent

See section 4

Prevention of legal violations (especially criminal offences) and abuse

Fulfillment of legal obligations, consent

See section 4

Contract management (other contracts), in particular business partner management

Fulfillment of contract, consent

See section 4

Data trading and management

Contract fulfillment, consent

See section 4

Development and testing of components, products and services

Contract fulfillment (e.g. service contract, vehicle purchase contract or contract for special equipment) and consent

See section 4

Operational safety and emergency management, owner's or tenant's right to undisturbed possession of premises and to keep out trespassers

Fulfillment of legal obligations, consent

See section 4

Internal administration

Contract fulfillment, fulfillment of legal obligations, consent if necessary

See section 4

Legal affairs and compliance

Compliance with a legal obligation, fulfillment of legal obligations, consent, fulfillment of contract

See section 4

Customer and prospective customer care, advertising 

Consent, fulfillment of contract (contract to which your request relates, e.g. vehicle purchase contract, delivery, etc.).

See section 4

Customer analysis and customer evaluation

Consent

See section 4

Customer enquiries and customer complaints 

Contract fulfillment (e.g. service contract, vehicle purchase contract or contract for special equipment) and consent

See section 4

Warranty and goodwill

Contract fulfillment, consent

See section 4

Warranty management including product recalls

Contract fulfillment (service contract), consent, contract fulfillment

See section 4

You have the right to

·       access;

·       rectification;

·       erasure;

·       file a complaint regarding the processing of your personal data to THE PUBLIC INFORMATION ACCESS AGENCY, which, depending on the facts of the individual case, in its capacity as the Control Entity of Law No. 25,326, has the power to attend complaints and claims filed by those whose rights are affected due to breaches with applicable regulations on personal data protection.

Australia

You have the right to

·       access;

·       rectification;

·       lodge a complaint with both AUDI AG and the Office of the Australian Information Commissioner (“OAIC”) or any other dispute recognition scheme recognized by the OAIC which can be found on the OAIC website www.oaic.gov.au.

If you are concerned with the way we have handled your personal data, you may lodge a privacy complaint with the Office of the Australian Information Commissioner (“OAIC”). However, it is a requirement of the OAIC that prior to lodging a complaint, you have raised your complaint with us. If you are not satisfied with our response or we fail to provide a response within 30 days of receipt, you can lodge a complaint with the OAIC. The contact details for the OAIC are set out below:

Phone

1300 363 992

Fax

(02) 9284 9666

Website

https://www.oaic.gov.au/

Post

GPO Box 5288, Sydney NSW 2001

Brazil

You have the right to

·       to be informed about the collection and use of your personal data, by us, in a readily accessible manner, and in plain and clear language. You also have the right to be informed about any public or private entity with whom your data has eventually been shared. We are implementing your right to be informed, also through this notice, the content of which may be updated from time to time.

·       information access;

·       obtain a copy when the legal basis for processing is consent or performance of a contract;

·       erasure when consent is the legal basis for processing: please note that exceptions to this right might apply, namely, when the data is needed for (i) compliance with legal obligations; (ii) study by a research organization; (iii) transfer to third parties; (iv) use solely by the controller, as long as the data is anonymized;

·       rectification;

·       object to the processing (e.g. if the data is being unlawfully processed);

·       data portability;

·       withdraw consent at any time;

·       anonymize, block or delete unnecessary or excessive personal data or data processed in noncompliance with data protection law;

·       review decisions made solely on the basis of automated processing;

·       lodge a complaint before ANPD (Autoridade Nacional de Proteção de Dados) against the data controller;

·       be informed of the possibility of not providing consent and the consequences thereof;

·       be informed about the public and private entities with whom the data has been shared.

Canada

Please note

Personal data may be processed or stored outside of Canada for purposes consistent with this Data Protection Notice. You acknowledge and agree that, as a result, the personal data that is processed or stored or accessed in other jurisdictions may be subject to the laws of those jurisdictions and may be disclosed in response to valid demands or requests from government authorities, courts, or law enforcement in such other countries.

Under Canadian law, you have the right to

·       opt out of information handling practices that are not reasonably necessary to provide the services you’ve requested. You can exercise this right by contacting using the contact details set out in Section 2.

·       be informed of the use by us of technology allowing us to profile, locate or identify you and of the means available to you to activate the functions that allow us to identify, locate or profile you.

While Audi AG takes the security of personal data seriously and uses industry standard security risks associated with transferring and processing personal data contemplated herein. However, no security or processes are fool proof. If personal data is accessed by third parties, it may lead to phishing attempts to get more information from you and/or identify theft.

Colombia

Pursuant to the provisions of art. 8 of Law 1581 of 2012, you have the right to

·       know, update and rectify your Personal Data from the Controller or the Processor. This right can be exercised, among other, regarding partial data as well as in respect to data that is incomplete or fractioned, that induces error, or those whose Processing is expressly forbidden or has not been authorized;

·       request evidence of the authorization granted to the Controller unless when it is expressly excepted as a requirement for the Processing, pursuant to the provisions of article 10 of law 1581 of 2012;

·       be informed by the Controller or the Processor upon request, in respect to the use that has been made of your Personal Data;

·       file to the Superintendence of Industry and Commerce complaints for infractions to the provisions of Law 1581 of 2012 as amended, added to or supplemented from time to time;

·       revoke the authorization and/or to request the deletion of the specific data, provided that there is no legal or contractual obligation that imposes on you the duty to remain in the database;

·       have access, free of charge, to your Personal Data that has been the subject of Processing, at least once per calendar month and whenever there are substantial amendments to the Processing policies.

Procedures you have to follow to exercise your personal data rights

A.     Complaints: You may file complaints regarding the Personal Data kept in AUDI AG's databases, according to the following rules:

·       The complaint will be analyzed to verify your identification. If the complaint is made by a person other than you and the capacity of such person is not accredited according to the laws in force, the complaint will be rejected.

·       All the complaints will be resolved in a maximum term of ten (10) business days as from the date in which the same are received. If it is not possible to answer the complaint within said term, you will be informed, expressing the reasons for the delay and informing a date in which the enquiry will be answered, which cannot exceed, in any case, five (5) business days after the expiration of the original term.

B.     Requests: If you consider that the data contained in AUDI AG's databases must be subject to corrections, updates or deletion, or when they notice the alleged breach of any of the duties, you may file a request according to the following rules:

·       The requests will be analyzed to verify your identification. If the request is made by a person other than you and the representation thereof is not accredited according to the regulations in force, the request will be rejected.

·       The request must contain the following information: (i) your identification; (ii) contact data (physical and/or electronic address and contact phone numbers); (iii) the documents that accredit your identity, or your representation; (iv) The clear and precise description of the Personal Data regarding which you seek to exercise any of the rights; (v) The description of the facts that lead to the request; (vi) The documents that they intend to enforce; (vii) signature and identification number.

·       If the request is incomplete, AUDI AG shall make a requirement to you, within a term of five (5) days after the receipt of the request, to remedy the defects. If two (2) months lapse from the date of the requirement and you have not given the information required, it shall be construed that you have desisted the request.

·       If the area that receives the request is not competent to answer it, it shall pass it to the relevant area or person within a term of two (2) business days and will inform this situation to the interested party.

·       Once the complete request has been received, a note saying “request being processed” shall be included in the database with the reason thereof, in a term of no more than two (2) business days. Said note must be left in place until the moment in which the claim is decided.

·       The maximum term to answer the request will be fifteen (15) business days as from the day after the date in which it is received. When it is not possible to answer the request within that term, the reasons of the delay shall be informed to the interested party together with the date in which the request will be answered, which under no circumstances can exceed eight (8) business days after the expiration of the first term.

·       You have the right, at all times, to request the deletion of you Personal Data. The deletion implies the total or partial removal of the Personal Data from the Data Bases, according to your request. The deletion right is not absolute and AUDI AG may refuse the exercise thereof in the following events: (i) If you have a legal or contractual duty to remain in the Database or if the Controller has a legal or contractual obligation that means that it has to keep the Personal Data; (ii) The deletion of the Personal Data would thwart judicial or administrative activities related to fiscal obligations, the investigation and persecution of crimes or the update of administrative sanctions; (iii) The Personal Data is necessary to protect your interests protected by the laws, to perform an action pursuant to the public interest, or to comply with an obligation legally acquired by you or by the Controller. 

Authorization: As from the enactment of this Notice, at the time of the collection of Personal Data, AUDI AG shall request the prior authorization from you and you shall be duly informed about the specific purposes of the Processing for which such consent has been obtained, excepting in the case of any one of the exceptions provided in article 10 of Law 1581 of 2012 for such purposes.

AUDI AG may transmit and/or transfer your Personal Data to third parties located in Colombia or abroad, as long as AUDI AG has the prior and express authorization of you of the Personal Data.

Retention period: The information provided by you shall only be used for the purposes herein established. Once the need for the Processing of the Personal Data has ceased, the same shall be deleted from AUDI AG's databases.

Hong Kong

In addition to your rights set out in Sec. 7, you may withdraw your consent to the use of your personal data.

In addition to your rights set out in Sec. 7.1, you will be informed at the time of the first communication with you in direct marketing without charge to you.

India

You have the right to

·       access;

·       rectification;

·       withdraw consent;

·       contact the Grievance Officer. The Data Protection Officer is the Grievance Officer for AUDI AG. For the contact details please see Sec. 1.

Israel

You have the right, subject to Protection of Privacy Law, 5741-1981 and the regulations enacted therefrom, to

·       be informed if you are under a legal duty to provide the data, the purpose of collection, and details of any third party that will receive the data and for what purpose;

·       access;

·       rectification: request correction of the inaccurate or missing data or request deletion or destruction of the data;

·       object to the processing (e.g. if the data is being unlawfully processed).

Malaysia

You have the right to

·       request access to your personal data;

·       request correction of your personal data;

·       prevent processing likely to cause damage or distress; and

·       prevent processing for purposes of direct marketing.

Upon exercising your rights stated above in written form addressed to the contact details listed in section 1., if you are dissatisfied with our response or we fail to provide a response within 21 days of receipt, you have the right to submit an application to the Personal Data Commissioner to require us to comply with your request. The application to the Personal Data Commissioner can be made to the following address:

Commissioner of Personal Data Protection, 6th Floor, KKMM Complex Lot 4G9, Persiaran Perdana, Presint 4 Federal Government Administrative Centre 62100 Putrajaya.

In the event of any inconsistencies between the English version and the Bahasa Malaysia version of this Privacy Notice, the English version shall prevail.

Mexico

You have the right to:

·       access;

·       rectify;

·       cancel;

·       oppose;

·       file data protection measures with the Federal Institute for Access to Information and Data Protection;

·       request a reconsideration of a decision made via automated decision making in case you are of the opinion that the data processed in this context is (partly) incomplete or incorrect.

The purposes disclosed in Section 3 of this Privacy Notice that rely on the performance of a contract or the need to comply with legal obligations are considered Primary Purposes. These purposes are necessary for the provision of our services and to fulfill our legal and contractual obligations. For these purposes, your consent is not required as they are essential to our relationship and the services we provide.

Any other purposes disclosed in this Privacy Notice that rely on our legitimate interest are considered Secondary Purposes. These purposes are not necessary for compliance with legal or contractual obligations. We will only process your personal data for these Secondary Purposes with your explicit consent.

You have the right to opt-out of the processing of your personal data for Secondary Purposes at any time. To exercise this right, please send a request to the following email address: datenschutz@audi.de.

New Zealand

You have the right to

·       know what personal data is held;

·       request for personal data held and access the personal data;

·       rectification;

·       a response to your request within 20 working days, if you make a request for access to or rectification of your personal information. In limited circumstances, AUDI AG may extend this 20 working day time limit, but we must tell you the period of the extension and the reasons for the extension.

·       lodge a complaint with both AUDI AG and the Privacy Commissioner. However, it is a requirement that before you can complain to the Privacy Commissioner you must first raise your complaint with AUDI AG. If you are not satisfied with AUDI AG’s response or you do not receive a response, you can lodge a complaint to the Privacy Commissioner. In general, you should wait at least 30 working days for a response before contacting the Privacy Commissioner to lodge a complaint.

Serbia

You have the right to be informed about appropriate safeguards in case of a data transfer to countries or international organizations outside Serbia that do not provide an adequate level of data protection recognized by a Serbian Government Decision. All EU / EEA Member states provide an adequate level of data protection recognized by a Serbian Government Decision.

Singapore

You have statutory rights as provided under Singapore's Personal Data Protection Act 2012, including the rights to

·       request access to your personal data;

·       request correction of your personal data; and

·       withdraw consent to the collection, use or disclosure of your personal data (where applicable), subject to any grounds for the collection, use or disclosure without your consent that are required or authorized under the Personal Data Protection Act 2012 or any other written law of Singapore.

South Africa

You have the right to

·       not have your personal data processed for the purposes of direct marketing by unsolicited electronic communication;

·       initiate civil proceedings;

·       be informed if your personal information has been compromised;

·       be informed, free of charge and before the information is included in a directory, should you be a subscriber to a printed or electronic directory;

·       lodge a complaint to the Information Regulator of South Africa by completing this form and sending it to POPIAComplaints@inforegulator.org.za.

For further information about your South African data privacy rights, please click here which will take you to the website of the Information Regulator.

South Korea

You (and your legal representative) have statutory rights under the Korean Personal Information Protection Act, in particular the right to

·       access;

·       rectification / erasure;

·       suspension of processing; and

·       withdrawal of consent.

You (or your legal representative) can exercise such rights by contacting us or our data protection officer using the contact details set out in Section B.II.

Certain personal data may be retained for compliance with local laws and regulations for certain periods, such as the following:

·       All transaction records and relevant documentary evidence as prescribed by applicable tax laws: 5 years (as required under the Framework Act on National Taxes and the Corporate Tax Act)

·       Records of logins: 3 months (as required under the Protection of Communications Secrets Act)

·       Records on labels and advertisements: 6 months (as required under the Act on Consumer Protection in Electronic Commerce)

·       Records on revocation of contracts or cancellation of orders/purchases, payments, provision of products and services: 5 years (as required under the Act on Consumer Protection in Electronic Commerce)

·       Records on handling of customer complaints or disputes: 3 years (as required under the Act on Consumer Protection in Electronic Commerce

The process and method for destroying personal data are set forth below.

·       Process of destruction: We select the relevant personal data to be destroyed and destroy it with the approval of our Data Protection Officer.

·       Method of destruction: We destroy personal data recorded and stored in the form of electronic files by using a technical method (e.g., low level format) to ensure that the records cannot be reproduced, while personal data recorded and stored in the form of paper documents shall be shredded or incinerated

If it is necessary to retain personal data for a period longer than the legal retention periods described herein, to the extent required by the laws of the applicable country, we shall obtain the data subject’s consent for such longer retention of personal data.

Taiwan

You have the right to

·       make an inquiry of and to review your personal data;

·       request a copy of your personal data;

·       supplement or correct your personal data;

·       demand the cessation of the collection, processing or use of your personal data; and

·       erase your personal data.

Thailand

Please note that your right to obtain a copy of the personal data is subject to law or pursuant to a court order, and must not adversely affect the rights and freedoms of others.

Turkey

You have statutory rights under Art. 11 of the Turkish Data Protection Law, in particular the right to

·       request reporting of the operations carried out which are rectification of the incomplete or inaccurate data, if any and the erasure or destruction of your personal data) to third parties to whom your personal data have been transferred;

·       claim compensation for the damage arising from the unlawful processing of your personal data;

·       object to the occurrence of a result against yourself by analyzing the data processed solely through automated systems,

·       lodge a complaint with the Turkish Data Protection Authority (Kişisel Verileri Koruma Kurumu) Nasuh Akar Mahallesi 1407. Sok. No:4, 06520 Çankaya/Ankara/Turkey.

The objection can be exercised in the forms stated in Article 5/1 of the Communique On The Principles and Procedures for the Request To Data Controller.

Local representative:

Doğuş Otomotiv Servis ve Ticaret A.Ş

Şekerpınar Mahallesi, Anadolu Cad. No:22 Çayırova/Kocaeli - Mersis No: 0-3090-1147-1300010

T: 0262 676 90 90