Privacy statement

The high standards you expect from us with respect to our products and services are the benchmark for us on how to handle your data, including your personal data.

We set great store by the confidentiality and integrity of your personal data. It is for this reason that we will carefully process and only use your data for specific purposes, and in accordance with the legal provisions related to the protection of data.

In this Privacy Statement we provide a detailed description of how we handle your personal data.

Access to your data is restricted to authorised persons within Alphabet who need this information to perform their job.

In addition, where necessary or appropriate, we can share your personal data with:

- Our branches / other entities of the Alphabet and BMW Group

- Our business partners

- Public services (including judicial and police services)

- Banks and insurers

- Our professional advisers (e.g. law firms and consultancy firms)

- Suppliers of IT-related services

- Other service providers we appoint as a data processor

We will impose appropriate contractual, confidentiality, security and other obligations on these third parties. The obligations imposed correspond to the nature of the services they provide to us. We will only allow them to process your personal data in accordance with the law and our instructions. We do not allow them to use your personal data for their own purposes and when our relationship ends we will ensure that your personal data are securely returned and/or destroyed.

Some of these third parties are data controllers responsible for processing your personal data for their own purposes, such as insurers or authorities. In these cases, we are unable to impose any obligations or restrictions on these controllers as to how they can process your personal data.

Alphabet is part of the BMW Group. The personal data held by Alphabet can also be processed for and by other companies affiliated with BMW AG.

In principle, your data will not be transferred to a destination outside the European Economic Area (EEA). If this is nevertheless the case, Alphabet will ensure that an adequate level of protection is guaranteed.

The European Commission recognises that certain countries outside the EEA provide an appropriate level of data protection. For transfers from EEA countries to countries that are not considered adequate by the European Commission, we have taken appropriate measures such as the binding corporate rules of BMW or setting up standard contractual clauses to ensure an appropriate level of data protection.

In accordance with the Data Protection law, you have the right to:

- Request access and consultation: this allows you to view your personal data at any time;

- Ask to correct or, if necessary, delete your personal data, in particular when such data are no longer necessary for the purposes for which they were collected/processed;

- Withdraw your consent to the processing of personal data;

- Object to the processing of the data relating to you in certain specific cases, including processing for direct marketing purposes; in that case, we will no longer process your data, except for legitimate and compelling reasons that outweigh your interests, rights and freedoms or if the processing relates to the establishment, exercise or defence of a legal claim;

- Object to automated individual decision-making (not applicable to Alphabet);

- Request the restriction of processing, in particular where you contest the accuracy of the data, for a period allowing us to verify the accuracy of such data; and

- Recover your personal data, for example, to transfer them to another controller and, if technically possible, for the data to be transferred directly from one controller to another.

You can exercise the above rights by sending a written request by email to contact.privacy@alphabet.be

We will respond to your request as soon as possible, and in any case within one month of receiving your request. Depending on the complexity and number of requests, this period can be extended by another two months. We will inform you if this is the case.

You can exercise your rights free of charge unless your request is manifestly unfounded or excessive, in particular because of its repetitive nature. In such a case, we have the right and option to charge you a reasonable fee (taking into account the administrative costs of providing the requested information and the costs associated with taking the requested measures or refusing to comply with your request).

Complaints in case of violation of the applicable rules regarding the protection of personal data can be addressed to the Data Protection Authority at contact@apd-gba.be.

Alphabet treats all your personal data confidentially and takes appropriate technical and organisational measures to protect your data against loss or unlawful processing.

To protect your personal data, we take various security measures including secure servers, firewalls, encryption and authentication tools, as well as physical protection of the locations where personal data is stored.

Nevertheless, despite all the precautionary measures taken, should you establish a breach of our security, we request that you notify us of this as soon as possible via contact.privacy@alphabet.be

We do not use your personal data for any automated decision-making.

Alphabet can change this Privacy Statement from time to time without prior notice (last change June 2021). We recommend that you regularly consult this Privacy Statement, in any case when you provide (or once again provide) Alphabet with personal data.

If you have any questions about this privacy policy, are not satisfied with the way we handle your personal data or wish to exercise one of your rights, please contact us at contact.privacy@alphabet.be

If you are not satisfied with our response to a complaint or if you believe that our processing of your personal data does not comply with data protection legislation, you can contact the Data Protection Authority at contact@apd-gba.be

Controller

Alphabet Long Term Rental with company number 0438.973.597, based at Ingberthoeveweg 6, 2630 Aartselaar (hereinafter referred to as Alphabet and/or we and/or us) is responsible for processing your personal data.

Alphabet International is the parent company of Alphabet and is part of the BMW Group (as is Alphabet itself). Due to this relationship there is a possibility that we may share information with both parties.

 

Data subjects

Below, we detail for each category of data subject which personal data we collect, for what purposes and on what legal basis, as well as information on retention periods:

When you visit our website, a certain amount of data is collected for analytical purposes (necessary cookies). These data are necessary to improve your user experience.

In addition, further data can only be collected via other cookies if you accept this. Please consult our cookie statement for more information on this matter and to activate these settings if you wish.

If you fill in our contact form on the website, we request data such as your name, email address, company, position and telephone number. We collect these data based on your consent and only use these data to respond to your question and/or request.

These data will be kept for as long as necessary to fulfil your request.

1. Which personal data do we process?

If you are a customer, we collect and process information about persons in your organisation. We can include the following personal data in our file:

Of contacts:

- Contact information such as name, position, telephone number, email address, company, department

- Transaction data such as orders, billing data, service and warranty can also contain personal data

- Electronic identification data (e.g. IP number, online login data)

- Financial data can contain personal data: IBAN data, mandate ID in case of direct debit

We can also request the identity card of drivers and/or authorised signatories.

2. Why do we process your personal data?

We process your personal data in order to execute our agreement. For example, we process your personal data with a view to:

- Managing our customer relationships

- Conducting effective and efficient communication

- Verifying signature authority in case of contract signature

- Managing our contractual obligations: service provision, invoicing, etc.

- Customer support

- Product support and guarantees

- Organising events

- Surveys or other forms of communication (including marketing communication)

Alphabet also strives to protect its own assets and interests. In this context, we can process personal data where we consider it appropriate and necessary, for example (non-exhaustive):

- Implementing our acceptance policy

- In the context of assessing creditworthiness

- In the context of managing legal disputes

- To ensure payment of our invoices

Finally, Alphabet can also process your personal data to comply with legal obligations. Examples include the Sanctions Legislation that obliges us to assess customer relationships with regard to sanctions lists, as well as to correctly identify the UBO (ultimate beneficial owners).

3. Legal basis for processing

We process your personal data:

- if it is necessary for the execution of the agreement we have with you;

- if it is necessary to comply with a legal obligation applicable to us;

- if it is necessary to pursue our legitimate interests, to the extent that your fundamental rights and freedoms do not override those interests (e.g. if we need your data for internal administrative purposes, to ensure the security of the network and the data or to prevent fraud);

- when you have agreed to it, for example when you subscribe to our newsletters

4. How long do we store your data?

In accordance with Article 17 of the GDPR, we store your data for the time needed to reach the objectives for which we process your data. Alphabet has developed internal procedures for the deletion of data to ensure that all your data are deleted in accordance with the principle of data minimisation and Article 17 of the GDPR.

The fundamental principles by which your personal data are deleted are described below.

- Use for contract compliance

To meet contractual obligations, data collected from you can be retained for as long as the contract is in force and - depending on the nature and scope of the contract - for 7 to 10 years thereafter in order to comply with legal retention requirements and to be able to answer any questions or resolve any complaints following the contract’s expiry.

Moreover, there are contracts for the delivery of products and services requiring longer storage periods; see also “Use for claims assessment” below.

- Use for claims assessment

Data that we find essential to the assessment and prevention of claims against us or employed to institute criminal proceedings or to prevent claims against you, us or third parties can be retained by us as long as the relevant proceedings could be invoked.

- Use for customer service and marketing purposes

The data collected from you for customer service and marketing purposes can be stored for 3 to 10 years.

5. What happens if you do not provide the data we requested or if you request that we stop processing your data?

Our ability to comply with our obligations under our agreement with you or our applicable legal obligations sometimes depends on the ability to access and use certain personal data about you. Consequently, the fact that you do not provide us with certain personal data can cause us to breach one or more applicable legal or contractual obligations or prevent us from performing our agreement.

1. Which personal data do we process?

The following categories of personal data can be collected via your employer, you or our Sales/Service Partners.

- Contact details: Surname, first name, address, telephone number, email address, employer

- Contract data: Contract number, quotation number, lease amount, VIN number, number plate, lease elements

- Biological data: Date of birth, sex

- Transaction data: Data on maintenance, fuel consumption, damages, interaction with the Driver’s Desk and/or Sales Support (your requests and complaints), participation in market research

- Details regarding your online account: Login information regarding Fleet Agent

- Data relating to the use of Alphabet App and services: Data about your use of the Alphabet apps (on your mobile phone)

- Vehicle location data: Details of the location of your vehicle or mobile device. Where applicable, Alphabet can receive and use these data in accordance with the detailed descriptions of the respective services and the security measures for location data.

Alphabet has no access to the vehicle’s operational data, data relating to comfort and infotainment. If you wish to access these details, you can contact your car’s make; the contact details can be found in the respective privacy statements of the relevant makes. 

2. Why do we process your personal data?

We only process your personal data within the scope of our service provision. Depending on the contract your employer has with us, this can include:

- Repairs and maintenance

- Roadside assistance

- Claims management/insurance policies

- Management information

- Tyre management

- Fuel management

- Fines management

- Driver’s Desk / Customer Care

3. Legal basis for processing

We process your personal data:

- if it is necessary for the execution of the agreement we have with your employer

- if it is necessary to comply with a legal obligation that applies to us, e.g. in the context of fines management

- if it is necessary to pursue our legitimate interests, to the extent that your fundamental rights and freedoms do not override those interests (e.g. if we need your data for internal administrative purposes, to ensure the security of the network and the data or to prevent fraud);

- when you have agreed to it, for example when you have subscribed to our newsletters

4. How long do we store your data?

We keep your personal data for as long as necessary in the context of the execution of our agreement, unless:

- We need your personal data in the context of a current or potential dispute (for example, we need these data to assert or defend legal claims), in which case we will retain your personal data until the end of such dispute; and/or

- We must retain your personal data in order to comply with any legal or regulatory obligation (for example, for tax purposes), in which case we will retain your personal data for as long as required by that obligation.

5. What happens if you do not provide the data we requested or if you request that we stop processing your data?

Our ability to comply with our obligations under our agreement with your employer or our applicable legal obligations sometimes depends on the ability to access and use certain personal data about you. Consequently, the fact that you do not provide us with certain personal data can cause us to breach one or more applicable legal or contractual obligations or prevent us from performing our contract.

1. Which personal data do we process?

Within the scope of our agreement, we can collect and process the following personal data about you:

- Contact information such as name, position, telephone number, email address, company, department

- Transaction data such as orders, billing data, service and warranty can also contain personal data

- Financial data (bank account number)

- Electronic identification data (e.g. IP number, online login data)

- Compliance information such as fraud prevention and criminal law data (only in the case of a legal obligation)

2. Why do we process your personal data?

We process your personal data in order to execute our agreement. For example, we process your personal data with a view to:

- Managing our supplier relationships;

- Conducting effective and efficient communication;

- Managing our contractual obligations: order processing, service provision, guarantees, invoice payment;

- Performance evaluation;

- Financial control: processing accounts and accounting, conducting reviews and due diligence including risk analyses and credit ratings;

- Customer support;

- Product support and guarantees;

- Organising events;

- Managing disputes (including legal disputes).

3. Legal basis for processing

We process your personal data:

- if it is necessary for the execution of the agreement we have with you;

- if it is necessary to comply with a legal obligation applicable to us;

- if it is necessary to pursue our legitimate interests, to the extent that your fundamental rights and freedoms do not override those interests (e.g. if we need your data for internal administrative purposes, to ensure the security of the network and the data or to prevent fraud);

- when you have agreed to it, for example when you have agreed to participate voluntarily in a survey.

4. How long do we store your data?

We keep your personal data for as long as necessary in the context of the execution of our agreement, unless:

- We need your personal data in the context of a current or potential dispute (for example, we need these data to assert or defend legal claims), in which case we will retain your personal data until the end of such dispute; and/or

- We must retain your personal data in order to comply with any legal or regulatory obligation (for example, for tax purposes), in which case we will retain your personal data for as long as required by that obligation.

5. What happens if you do not provide the data we requested or if you request that we stop processing your data?

Our ability to comply with our obligations under our agreement with you or our applicable legal obligations sometimes depends on the ability to access and use certain personal data about you. Consequently, the fact that you do not provide us with certain personal data can cause us to breach one or more applicable legal or contractual obligations or prevent us from performing our agreement.

Introduction

This Privacy Notice is intended to describe the recruitment practices of Alphabet Belgium with respect to the privacy of applicants.

In the search for the right candidates for our vacancies, Alphabet Belgium uses a cloud-based candidate portal, i.e. CV Warehouse. When you wish to apply for a vacancy at Alphabet Belgium, you will be directed to CV Warehouse in order to fill out a candidate profile and upload your resume.

If you are merely a visitor to our careers site, Alphabet Belgium does not collect any personal information about you, except to a limited extent through the use of cookies as described in our cookie statement. However, if you are applying for an advertised position at Alphabet Belgium, we collect information about you when you create a Candidate Profile in CV Warehouse.

The provision of your personal information is optional at any time. However, please be aware that your refusal to provide us with your personal information or to process it in CV Warehouse may result in Alphabet Belgium not being able to carry out any activity related to your recruitment.

This notice provides comprehensive information about how we will use your personal information and informs you about your rights in this regard. If you have any questions regarding the processing of your personal information, please contact us via: contact.privacy@alphabet.be

1. What personal data do we process?

To be able to apply for our career opportunities, you need to create an account in CV Warehouse. This “Candidate Profile” requires a valid e-mail address, along with other information, some of which is mandatory.

Mandatory information is marked accordingly. Your e-mail address allows us to communicate with you if your qualifications and/or preferences match our job opportunities. Your Candidate Profile also makes it possible for you to access CV Warehouse to monitor the progress of your application or to amend your personal details should you wish to do so.

During the different stages of the recruitment and selection process, Alphabet Belgium may process – to the extent necessary and permitted by law - the following personal data:

- Personal identification information such as your name, home address;

- E-mail address and phone number;

- Work-related information such as current job title and responsibilities, previous positions and professional experience, reason for leaving;

- Position(s) previously applied for (at Alphabet Belgium) and job preferences, how you heard about the position;

- Compensation and benefits information such as (gross) salary and salary package expectations;

- Educational and training information such as educational awards, certificates and licenses, in house training attendance;

- Performance related data such as objectives, ratings, comments, feedback results, career and succession planning, skills and competences and other work-related qualifications;

- Information needed for compliance and risk management such as disciplinary records, background check reports and security data;

- Data relating to mobility (driving license, transport options);

- Your willingness to travel if the applied position so requires;

- Immigration, right to work and residence status;

- Government-issued identification numbers such as national ID, social security number;

- Family and emergency contact details;

- Payment related information, including identification and bank account numbers;

- Data resulting from professional competence and skills assessments;

- Data obtained from a personality test.

In addition, we may need to collect special categories of personal information from you at a later stage in the recruitment process if employment laws or regulations require us to do so, such as:

- Criminal convictions and prosecutions;

- Biometric data such as photographs for the purpose of uniquely identifying a person.

2. Purposes of processing

Alphabet Belgium will only collect and process your personal data to the extent necessary for the purposes of recruitment and selection.

Your personal information is processed in order to allow Alphabet’s recruitment team to consider and manage your application for the advertised position and to contact you.

Alphabet Belgium does not collect or compile personal information obtained for dissemination or sale to outside parties for consumer marketing purposes or host mailings on behalf of third parties.

3. Legal bases for processing

Alphabet Belgium processes the above-stated personal data on the following legal bases:

- You have expressly given your consent, e.g. by providing us with your resume (via CV Warehouse), certificates, etc. or during an interview;

- The processing is necessary for the performance of the contract, e.g. drawing up employment contract;

- The processing of your data is necessary to protect the legitimate interests of Alphabet Belgium with a view to a proper assessment of your application - provided that the interests or fundamental rights and freedoms of the applicant do not outweigh the legitimate interests of Alphabet Belgium - e.g. forwarding your contact details to assessment centers for conducting additional tests, forwarding your data to other Alphabet entities that may be interested in your profile.

4. Referees

If you provide any information in relation to third parties or referees, you are responsible for obtaining their consent and ensuring they are aware that their details will be forwarded to and used by Alphabet Belgium.

5. Retention

Alphabet will retain your personal information as long as necessary to achieve the purposes for which it was collected.

If you are given and accept an offer of employment by Alphabet, personal data collected during your pre-employment period will become part of your Alphabet personnel records, to be retained throughout and for a period after your employment. You will be further informed of the processing of your personal data by Alphabet within the framework of personnel management and payroll administration at the time of employment.

If Alphabet does not employ you, Alphabet may nevertheless continue to retain and use personal data collected during the recruitment process (in general: 6 months) in order to consider you for new positions, and, if appropriate, to refer back to an earlier application if you submit a resume or other information to Alphabet again in the future, as well as for system administration and to perform research and analysis.

Alphabet determines the retention period of your information based on the following retention criteria:

- Alphabet retains your personal data as long as it has an ongoing relationship with you;

- Alphabet retains your personal data where it is required to do so by a legal obligation to which it is subject;

- Alphabet retains your personal data where this is advisable to safeguard our legal position (for instance in relation to statutes of limitations, litigation, or regulatory investigations).

1. Which personal data do we process?

1.1 Visitor register

Alphabet keeps a visitor register of visitors, suppliers, customers, etc. who visit our buildings. For this register, we collect and store personal data such as name, company, position and optional telephone number and email address.

The data we collect about you are stored, used and protected by us in accordance with applicable data protection laws.

1.2 Camera surveillance

Alphabet has installed surveillance cameras in a number of locations in its buildings with the aim of guaranteeing the safety of its customers, visitors and employees, preventing, establishing or detecting crimes against people or property and/or preventing nuisance.

The purpose of the cameras is to provide a general overview of a particular location. The purpose is not to identify individuals unless a security incident has occurred.

The cameras are installed at the entrance to buildings, in car parks and within the Alphabet buildings and are positioned in such a way that only persons entering the building or car parks are filmed. No audio (sound or voices) is recorded.

The processing of personal data via camera surveillance takes place in accordance with the Belgian Camera Law of 21 March 2007 on the regulation, installation and use of CCTV and all other applicable legislation relating to privacy and data protection.

The use of cameras is clearly indicated by means of the legally required pictograms with Alphabet contact information.

2. Why do we process your personal data?

The purpose of processing your personal data is to protect and secure our buildings and people working in the building.

When registering at reception in the building, you will receive a visitor pass, which must be worn visibly and which - depending on your profile - grants authorised access to our rooms.

You will be signed out upon return of the visitor pass. However, your data will still be temporarily stored in our visitor register.

3. Legal basis for processing

The processing of the personal data mentioned in this Privacy Statement is based on our legitimate interest to protect our buildings and the people who work there.

4. How long do we store your data?

The data we hold about you are stored in a manner consistent with applicable data protection laws. Under no circumstances will your data be stored longer than necessary to achieve the purposes stated in this Privacy Statement.

Camera images are retained for a maximum of one month, unless the images are to be used as evidence in the context of an investigation or for the establishment, exercise or defence of a legal claim.

Access to the visitor register and the images is very limited, to a few authorised persons at Alphabet, and is subject to strict security with a password. Images can only be transmitted via the police.

5. What happens if you do not provide the data we requested or if you request that we stop processing your data?

In order to provide you with access to our buildings and to comply with the legal obligations applicable to us, it is necessary to process certain personal data.

Consequently, the fact that you do not provide us with certain personal data can lead us to refuse you access to our premises.

Alphabet has installed surveillance cameras in its buildings for the purpose of ensuring security and safety of its customers, visitors and employees, preventing crimes and detecting unauthorized access or threats to the safety of the building.

The cameras are intended to give a general overview of what's happening in certain places, but the purpose is not to recognise people unless a security or data protection incident is involved.

The cameras are installed at the building entrances, at the parking entrance and parking lots and inside the buildings and are placed and focused in a way that only people who enter the building or car parks are filmed. No audio (sound or voices) is recorded.

The processing of personal data via camera surveillance takes place in accordance with the Belgian Camera Act of March 21, 2007 regulating installing and using surveillance cameras and all other applicable privacy and data protection legislation.

The legal basis for processing is the legitimate interest of Alphabet to ensure the safety of its buildings and people. The use of cameras is clearly indicated by the legally required pictograms with the contact information from Alphabet.

Camera images are kept for a maximum of 1 month, except if the images must be used as evidence in the context of an investigation or for the establishment, exercise or substantiation of a legal claim.

Access to the images is limited to authorized persons at Alphabet and password protected. Images can only be transferred via the police.

For further questions about our camera surveillance, contact us via mail: contact.privacy@alphabet.be

Privacy notice information for informants

The protection of your privacy rights during the processing of personal data is a top priority for Bayerische Motoren Werke Aktiengesellschaft (“BMW AG”). We process personal data in compliance with the provisions of the EU General Data Protection Regulation (“GDPR”) and in accordance with national statutory provisions.

The following provides information on how your personal data as an informant is processed.
You can find further information on processing of personal data at BMW Group at: https://www.bmwgroup.com/en/general/data_privacy.html

Bayerische Motoren Werke Aktiengesellschaft, Petuelring 130, 80788 Munich, Germany, domicile and court of registry: Munich HRB 42243, is responsible for accepting, reviewing, and investigating reports of compliance concerns and jointly responsible with other BMW Group affiliated companies for clarifying violations of rules within the meaning of Article 26 GDPR.

You can contact our Data Protection Officer at the above address or at: datenschutz@bmw.de

BMW AG processes your data for the following purposes:
Reviewing and processing your report and conducting any necessary investigations into the person(s) accused; where applicable, communicating with the authorities and courts in connection with your report; communicating with international attorneys and auditors or other investigators engaged by the company; communicating with other BMW Group companies and their affiliated companies.

No obligation to provide your personal data
You may report compliance concerns without sharing your personal data (anonymous report) and are under no obligation to provide your personal data.

Types of data
When you submit a report, we collect the following personal data and information:

  • your name and/or private contact and identification data, should you choose to disclose your identity (non-anonymous report),
  • your work contact and (work) organization data, if disclosed by you (non-anonymous report), and,
  • where applicable, the names and other personal data of the persons named in your report.

Legal basis
Case-specific processing of your personal data is justified by the following legal basis:

  • Collection of your personal data in connection with a non-anonymous report: consent to the processing of personal data for the purposes referred to above. If you voluntarily provide your personal data by submitting a non-anonymous report, we will process your information solely for the purpose of processing your report under Article 6 (1) LIT. C), F) of the GDPR.
  • Collection, processing, and disclosure of the personal data of the persons mentioned in your report: to safeguard the legitimate interests of the person concerned or of a third party (Article 6 (1) LIT. C) GDPR), to fulfil a legal obligation (Article 6 (1) LIT. C) GDPR). BMW AG has a legitimate interest to identify, process, rectify, and sanction violations of the law and severe breaches of duty by employees company-wide. This must be done in an effective manner with a high level of confidentiality to avert damage and liability risks for the BMW Group pursuant to sections 30 and 130 of the German Act on Regulatory Offenses (OWiG). BMW AG is also required to establish a complaints procedure in accordance with section 8 of the German Supply Chain Due Diligence Act (LkSG). Point 4.1.3. of the German Corporate Governance Code also requires that a system for reporting compliance concerns be established to give employees and third parties the opportunity to submit reports of infringements within the company safely and in an adequate manner.
  • Disclosure of your personal data from a non-anonymous report to other recipients, such as to authorities during the course of official proceedings: Your data is shared where there is a legal obligation to do so (Article 6 (1) LIT. C), F) GDPR).

We store your personal data only as long as it is required for the purposes of the investigation and subsequent assessment, and, also, for as long as we are obliged to store it under country-specific legal, contractual, or statutory retention periods.

Once the report has been processed, the data will be deleted or anonymized in accordance with country-specific legal requirements. In the case of anonymization, the reference to your identity as an informant is permanently and irreversibly removed.

We utilise state-of-the-art technology to store your data. The following safeguards are used, for example, to protect your personal data from misuse or any other form of unauthorized processing:

  • Access to personal data is restricted to a limited number of authorized persons for the stated purpose.
  • The data collected is only transmitted in encrypted form.
  • Sensitive data is also only stored in encrypted form.
  • The IT systems used for processing data are technically isolated from other systems, to prevent unauthorized access and hacking.
  • Access to these IT systems is constantly monitored to detect and prevent misuse in the early stages.

The BMW Group is a global organization. Personal data is stored and processed by employees, National Sales and Financial Service Companies, the BMW Group partners and service providers engaged by us, preferably within the European Union. In certain cases, your personal data may also be transmitted to other recipients: In substantiated individual cases, it may be necessary, for the purpose of processing a report or as part of an internal investigation, to share information with other employees of BMW AG or other companies affiliated with BMW AG, e.g. if the report relates to incidents at BMW AG subsidiaries. If required by the investigation, information may be shared with BMW AG subsidiaries in a country outside the European Union or the European Economic Area, based on appropriate data privacy guarantees designed to protect data subjects (e.g. EU standard data protection clauses, for employee data Binding Corporate Rules under Article 47 GDPR or exceptions under Article 49 GDPR). We always ensure compliance with the relevant data protection provisions relating to the disclosure of information.

If there is a corresponding legal obligation or if BMW AG or a third party has a legitimate interest in investigating the report, further recipients may include law enforcement agencies, antitrust authorities, other administrative authorities and courts, as well as international attorneys and auditors engaged by BMW AG or any other company affiliated with BMW AG.

In certain cases, BMW AG is obliged by data protection legislation to inform the accused of the allegations made against them. This is a statutory requirement in cases where it can be objectively established that the disclosure of information to the accused can no longer have an adverse effect on the investigation in question. If you provided us with your name or other personal data (by making a non-anonymous report), your identity as an informant will not be disclosed, as far as legally possible, and steps will also be taken to ensure your identity as an informant cannot be traced.

As the party affected by the processing of your data, you may claim certain rights under the GDPR and other relevant data protection regulations. Under the GDPR, you are entitled as the data subject to claim the following rights vis-à-vis BMW AG:

  • Right of access by the data subject (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)

Right to object (Art. 21 GDPR): You have the right to object to the processing of your data at any time for reasons that arise from your particular situation, provided data processing is on the basis of your consent, on our legitimate interests or those of a third party. In this case, we will cease to process your data. This does not apply if we can show that there are compelling legitimate grounds for processing that outweigh your interests, or if we need your data for the establishment, exercise, or defense of legal claims.

In the event of a data privacy violation, you have the right as a data subject to lodge a complaint with your local supervisory authority.

To revoke your consent (in the case of a non-anonymous report) or to exercise your rights regarding your personal data, please contact notifications@bmwgroup.com.

You can find more detailed information on your data protection rights at: https://www.bmwgroup.com/en/general/data_privacy.html.

For questions relating to the use of your personal data as informant, please contact notifications@bmwgroup.com.

You can also contact the BMW AG Data Protection Officer: Data Protection Officer, BMW AG, Petuelring 130, 80788 Munich, Germany, datenschutz@bmw.de.

BMW AG takes your concerns and rights very seriously. However, if you believe that we have not responded in an appropriate manner to your complaints or concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

Updated: December 2022