Which entity is responsible for data processing?
BMW Car IT GmbH, Petuelring 130, 80788 Munich, Germany (registered office and register court: Munich, HRB 134810), is responsible for the processing of your personal data according to the EU General Data Protection Regulation ("GDPR"). BMW Car IT is based in Munich; it is a subsidiary of BMW AG.
Which data provided by you do we process and what do we use it for?
Unless stated otherwise in detail in the relevant sections of the website, personal data generated from the use of our website www.bmw-carit.de is processed as follows:
B. Compliance with legal obligations to which BMW is subject (Art. 6 (1) lit. c) GDPR)
In addition, we also process personal data wherever there is a legal obligation to do so – for example, where necessary to enable operation of IT systems, including the following activities:
- backup and recovery of data processed in IT systems,
- detection and prevention of unauthorised access to personal data,
- incident and problem management for troubleshooting IT systems.
BMW Car IT GmbH is subject to a wide range of additional legal obligations. To comply with these obligations, we process your data to the required extent and, if necessary, submit it to the responsible authorities in accordance with legal reporting requirements.
How long do we store your data?
We store your personal data only as long as required for the intended purpose. If data is processed for multiple purposes, it will be deleted, or only stored in a form that cannot be directly traced back to you, as soon as it is no longer needed for the final specified purpose.
How do we store your data?
We utilise state-of-the-art technology to store your data. The following safeguards are used, for example, to protect your personal data from misuse or any form of unauthorised processing:
- Access to personal data is restricted to a limited number of authorised persons for the stated purposes.
- The data collected is only transmitted in encrypted form.
- Sensitive data is also only stored in encrypted form.
- The IT systems used for processing data are technically isolated from other systems to prevent unauthorised access and hacking.
- Access to these IT systems is constantly monitored to detect and prevent misuse in the early stages.
Whom do we share data with and how do we protect you?
BMW is a global company. If necessary to process your request, your information will be forwarded to the national sales company in your home country, for example. We also use contracted service providers who prefer to process data within the European Union.
If data is processed in countries outside the European Union, BMW uses EU Standard Contracts, with appropriate technical and organisational measures, to ensure that your personal data is processed in accordance with European data protection standards. If you wish to view the specific safeguards for the transfer of data to other countries, please contact us through one of the communication channels listed below.
The European Union has already established a comparable level of data protection for certain countries outside the EU, such as Canada and Switzerland. Since the level of data protection is comparable, data transmission to these countries does not require special approval or agreement.
Contact details, rights of the data subject and your right to complain to a supervisory authority.
If you have any questions relating to our use of your personal data, we recommend that you contact the company’s Data Privacy Protection Officer:
BMW Car IT GmbH
Data Privacy Protection Officer
Rights of the data subject.
As the party affected by the processing of your data, you may claim certain rights under the GDPR and other relevant data protection regulations. Under the GDPR, you are entitled to claim the following specific rights vis-à-vis BMW as the data subject:
Right of access by the data subject (Art. 15 GDPR): You have the right to request information on the data we hold about you from us at any time. This information includes, but is not limited to, the categories of data we process, the purposes for which it is processed, the source of the data if not collected directly from you, and, if applicable, the recipients with whom we have shared your data. You can obtain a copy of your data from us free of charge. If you require additional copies, we reserve the right to charge you for these copies.
Right to rectification (Art. 16 GDPR): You have the right to request that we rectify inaccurate data relating to you. We will take appropriate steps to keep the data we store and process on an ongoing basis accurate, complete and current, based on the most up-to-date information available.
Right to erasure (Art. 17 GDPR): You have the right to request that we erase your data, as long as the legal requirements for this are satisfied. This may be the case under Art. 17 GDPR if
- data is no longer required for the purposes for which it was collected or otherwise processed;
- you withdraw the consent on which data processing is based, and there is no other legal basis for processing;
- you lodge an objection to the processing of your data and there are no legitimate reasons for processing, or you object to data processing for direct marketing purposes;
- the data was processed unlawfully,
and provided that processing is not required
- to ensure compliance with a legal obligation that requires us to process your data, especially with regard to statutory retention periods;
- to establish, exercise or defend legal claims.
Right to restriction of processing (Art. 18 GDPR): You have the right to request that we restrict processing of your data if
- you dispute the accuracy of the data – in which case processing may be restricted during the time it takes to verify the accuracy of the data;
- processing is unlawful, and you reject erasure of your data, requesting that its usage be restricted instead;
- we no longer need your data, but you need it to establish, exercise or defend your rights;
- you have lodged an objection to its processing, as long as it is not certain that our legitimate reasons outweigh yours.
Right to data portability (Art. 20 GDPR): You have the right to request that we transfer your data – if technically possible – to another responsible party. However, you may only enforce this right if data processing is based on your consent or is necessary for the performance of a contract. Rather than receiving a copy of your data, you may also ask us to submit the data directly to another responsible party specified by you.
Right to object (Art. 21 GDPR): You have the right to object to the processing of your data at any time for reasons that arise from your particular situation, as long as data processing is based on your consent, on our legitimate interests or those of a third party. In this case, we will cease to process your data. This does not apply if we can show that there are compelling legitimate grounds for processing that outweigh your interests, or if we need your data for the establishment, exercise or defence of legal claims.
Time limits for compliance with the rights of the data subject.
We make every effort to comply with all requests within 30 days. However, this period may be extended for reasons relating to the specific right or complexity of your request.
Restriction of information for compliance with the rights of the data subject.
In certain situations, we may be unable to provide you with information about all your data, due to legal requirements. If we are unable to fulfil your request for information in such a case, we will notify you of the reasons.
Complaint to supervisory authorities.
BMW Car IT GmbH takes your concerns and rights very seriously. However, if you believe that we have not responded in an appropriate manner to your complaints or concerns, you have the right to lodge a complaint with your local data protection authority.