Privacy Statement
The high standards you expect from us with respect to our products and services are the guideline for us on how to handle your data, including your personal data. We aim to lay a solid foundation for confidential business relationships with our customers and potential customers, partners and mobility users, and to maintain this as well. We set great store by the confidentiality and integrity of your personal data. It is for this reason that we will carefully process and use your data for specific purposes that are consistent with your consent and in accordance with the legal provisions related to the protection of data.
Alphabet Luxembourg SA Privacy Statement
Alphabet Luxembourg SA is a service provider active in the business mobility sector, and it is in this capacity that we process personal data. Most of the data we process is related to offering our mobility solutions to customers, to include, for example, the possibility of leasing a car or LCV along with related services. However, this also consists of mobility card provision and car rentals. For all of these services we receive and process personal data. For example, these include customer data, and data from their employees and drivers or representatives of business partners or potential business partners. This statement applies to personal data that we receive from and about these individuals
Processing your data starts with the mobility solution application process, namely with drawing up a quotation and any resulting subsequent order. To this end we receive data from your employer or from you. After the initial processing, there will still be other times at which your data is processed, for example if your vehicle is involved in an accident, if there is damage that requires repair, or if we receive traffic fines for your vehicle.
We also process your data for our additional services, such as providing a fuel card, roadside assistance and rental car.
We understand that use of your data requires your confidence. We will therefore apply the highest possible data protection standards and use your data solely for clearly defined purposes and in accordance with your data protection rights.
In the following sections, this privacy statement describes how Alphabet Luxembourg SA and Belgium Long Term Rental NV collect, process and use the personal data of its customers or potential customers, business partners and mobility users.
Who is responsible for processing personal data?
As defined in the generally applicable law on privacy, Alphabet Luxembourg SA, with its registered office at 2-4 Rue du Château d’Eau, L3364 Leudelange, jointly with Alphabet Belgium Long Term Rental NV, with its registered office at Ingberthoeveweg 6, 2630 Aartselaar (hereinafter Alphabet and/or we and/or us), are responsible for processing your personal data.
Alphabet International is the parent company of Alphabet and comprises part of the BMW Group, just as Alphabet does. Due to this relationship there is a possibility that we may share data with both parties.
Alphabet is liable for all your data that are processed via the websites www.alphabet.lu , www.alphabet-used-cars.lu , our customer portal www.fleetagent.lu , and our Alphabet Guide app. If your data have been provided by Sales or Service Partners, Alphabet also processes these to the extent that the applicable requirements regarding compliance with the GDPR (General Data Protection Regulations) are satisfied.
Service partners such as garages, roadside assistance, dealer sites, etc. are responsible for processing personal data that you make available to them for the purpose of service provision. Service partners also process your data if they have been transferred by Alphabet, and insofar as the requirements regarding compliance with the legislation on the protection of personal data applicable thereto are satisfied.
These data protection policy guidelines also describe how your data are processed by Service Partners. However, these Service Partners may collect other personal data and have their own data protection policy guidelines. In this instance, you can deduce how your data is used based on the respective service partner’s data protection policy guidelines.
When does Alphabet collect and process your personal data?
Alphabet collects and processes your personal data under the following circumstances:
• If your employer uses Alphabet as a business mobility service provider and has transmitted your data to us in order to purchase mobility solutions;
• If you contact us directly, for example via our website, Fleet Agent or one of our employees because you are interested in our mobility solutions or if you have any questions;
• If you use the Alphabet Guide app;
• If you request information about our products and services (e.g. for a price enquiry);
• If you respond to our marketing campaigns, for example in the event of online data provision on one of our websites;
• If your personal data are forwarded to us by Sales Partners or third parties, and if and to the extent that the requirements for compliance with the GDPR have been met; for example, if you have consented to the processing, and if you have raised no objection to the transmission of your data;
• If we receive personal data relating to maintenance and repair work, roadside assistance, claims management, insurance information, mobility or fuel consumption from our service partners within the context of service provision;
• If we receive traffic and parking fines related to your person.
We kindly request that you help us keep your data up to date by keeping us informed of changes to your data (including contact data) or preferences. As a customer or mobility user, you can do this via your personal page on our Fleet Agent customer portal.
If you provide data on behalf of another person, you must ensure that the data subject has received this privacy statement in advance.
What data relating to your person can be collected?
The following categories of personal data may be collected by your employer, you or our Sales/Service Partners. Under “For what purposes do we process your data?” you can find a detailed overview of the data processed per mobility solution.
- Contact data Surname, first name, address, telephone number, email address, employer.
- Contract data Contract number, quotation number, lease amount, VIN number, number plate, lease elements.
- Financial data IBAN data, mandate ID in case of direct debit.
- Biological data Date of birth, sex.
- Biographical data Employment status.
- Transaction data Data on maintenance, fuel consumption, damages, interaction with the Driver Center / Customer Care and or Sales Support (for requests and complaints), participation in market research).
- Data relating to your online account Fleet Agent login data.
- Website use and communications Data on how you use the website and whether you open or forward messages from us, including data collected through cookies. You can find more information about Cookies here (link to Cookies, add paragraph or statement).
- Data related to testing your credit rating and identity Data to identify you (e.g., driving licence) with respect to your credit rating in the case of B2E data such as a payslip, information concerning fraud, criminal offences, suspicious transactions, PEPs and penalty lists on which your data is listed.
- Data relating to the use of Alphabet Apps and services Data concerning your Alphabet apps use (on your mobile phone), such as Alphabet Guide and AlphaCity.
- Data intended to locate the vehicle Data on the location of your vehicle or mobile device. Where applicable, Alphabet can receive and use these data in accordance with the detailed descriptions of the respective services and the security measures for location data.
Alphabet does not have access to the vehicle’s operational data, data relating to comfort and infotainment. If you wish to access these details, you can contact your car’s make; the contact details can be found in the respective privacy statements of the relevant makes.
For what purposes do we process your data?
Alphabet will only process your data if this is required for concluding an agreement with its corresponding provision of service. Based on the legal grounds that follow, we process your data under the following circumstances:
In response to mandatory requests from authorities or regulatory parties.
For mobility solution delivery, correct handling of maintenance and repairs; all in accordance with the agreement.
For the detection of fraud and criminal activities to protect our Company and society against crime and the consequences thereof.
For marketing - to send you news and offers.
For the research and development of our products and services to provide even better services through surveys (satisfaction surveys).
All uses for which we require your consent are described in your dashboard preferences on Fleet Agent, where you can modify your preferences at any time.
For each mobility solution, we indicate which data are processed and which third parties may be involved in this processing below:
This can involve the lease of a car, but also the lease of an LCV. To this end, the customer pays an agreed monthly amount (in which the lease period and the number of kilometres driven are established). Full operational leasing includes operational services such as maintenance, repair, insurance, tyre replacement/change, etc.
If you purchase any of these mobility solutions, we will process the data listed below:
Customer (employer) data: contact details, company telephone number, company email address, VAT number and bank account number, first name and surname, email address and telephone number of contact persons. Director and/or authorised signatory data: name, email address, telephone number and identity card, all of which are used to contact you about our cooperation and to verify signatory authority.
Vehicle driver data: driver’s first name and surname, sex, date of birth, address and place of residence, mobile phone number, email address (business and/or private), cost centre, employee number, as well as vehicle data such as the vehicle registration number and VIN number.
In addition, we also process the following contract data to process your lease contract: Employee number, lease category, data on which the lease scheme enters into force, and annual breakdown of kilometres driven.
Certain data such as name, employer, number plate and lease contract are shared with dealers/sellers for the delivery of your vehicle/LCV.
-> To this end, contract execution forms the grounds for data processing.
The following services may comprise part of an Operational Lease,, Sale & Leaseback, Motivational Lease, Fleet Management, Light Commercial Vehicles:
- Repairs and Maintenance
- Roadside assistance
- Claims management/insurance policies
- Tyre management
- Fuel management
- Fines management
- Management information
- Driver Center / Customer Care
- CO2 Compensation
Alphabet also offers the possibility of renting a short-term vehicle, whether or not in connection with other products.
If you purchase any of these mobility solutions, we will process the following data of yours:
Customer (employer) data: company contact details, company telephone number, company email address, VAT number and bank account number, first name and surname, email address and telephone number of contact persons, directors and/or authorised signatory: name, email address, telephone number and identity card, all of which are used to contact you regarding our agreement with you and to verify signatory authority.
Vehicle driver data: driver’s first name and surname, sex, date of birth, mobile phone number, email address (business and/or private), cost centre, employee number, as well as vehicle data such as the vehicle registration number and VIN number.
We may share certain data with external leasing companies that we work with such as company contact data and first name and surname.
-> To this end, contract execution forms the grounds for data processing.
The following services may form part of Alphabet Rent:
- Repairs and Maintenance
- Roadside assistance
- Claims management/insurance policies
- Fuel management
- Fines management
AlphaElectric is a full option eMobility solution. Alphabet analyses the profile of the customer’s fleet and provides recommendations on which electric vehicles and charging stations/infrastructure are the best match for the fleet in question. Alphabet also specifies the various options for implementing eMobility. Customers can opt for a flexible combination of additional mobility solutions, e.g., a charging card (for public charging stations), service workshop, tyre service, etc., a practical app for locating charging stations and a 24-hour eMobility hotline.
If you purchase any of these mobility solutions, we will process the following data of yours:
Customer (employer) data: contact details, company telephone number, company email address, VAT number and bank account number, first name and surname, email address and telephone number of contact persons. Director and/or authorised signatory data: name, email address, telephone number and identity card, all of which are used to contact you about our cooperation and to verify signatory authority.
Vehicle driver data: first name and surname, sex, date of birth, address and place of residence, mobile phone number, email address (business and/or private), cost centre, employee number, as well as vehicle data such as the vehicle registration number and VIN number.
During the fleet analysis, part of the fleet is provided with a tracer for one month that keeps track of the routes travelled. These tracers are then read out and analysed. The analysis is made anonymously.
We may share certain details such as first name and surname and email address with the external supplier which, where necessary, installs a charging station at your location. We have concluded an agreement with them to this end.
-> To this end, contract execution forms the grounds for data processing.
The following services may form part of the contract:
- Repairs and Maintenance
- Roadside assistance
- Claims management/insurance policies
- Management information
- Tyre management
- Fuel management
- Fines management
- Management information
- Driver Center / Customer Care
Fleet Agent is the Customer Relation Management (CRM) system in which the customer, fleet managers and drivers can find their data. It also contains declaration forms and claims forms for reporting damages. System access can be obtained by means of an authorisation login code assigned to you.
If you purchase any of these mobility solutions, we will process the following data of yours:
Customer (employer) data: contact details, company telephone number, company email address, first name and surname, email address and telephone number of contact persons.
Vehicle driver data: first name and surname, date of birth, address and place of residence, mobile phone number, email address (business and/or private), cost centre, and employee number.
You can also find all vehicle-related data such as vehicle registration number and VIN number, make and model on Fleet Agent. Furthermore, data arising during the course of a lease contract, such as maintenance, damages, refuelling data are also located here.
Fleet Agent is managed by Alphabet, this website complies with the requirements of the privacy legislation.
-> To this end, contract execution forms the grounds for data processing.
Alphabet Guide is a mobile phone app that provides users with a number of convenient services related to their mobility. The app also allows you to view contract data, search for service partners and electrical charging stations, submit declarations and file a claim. Via the app, it is also possible to contact Alphabet Assistance and get reminders for scheduled appointments based on travel time.
If you purchase any of these mobility solutions, we will process the following data of yours:
Vehicle driver data: first name and surname, mobile phone number, app identification number, vehicle registration number, and in case of SOS alerts, data related to these.
Alphabet Guide is a personal application. Neither Alphabet nor your employer has access to the data you use in this app. Data, such as fuel card statements and damage claims sent to Alphabet via the app are however indeed processed by Alphabet.
Fleet Agent is managed by Alphabet, this website complies with the requirements of the privacy legislation.
-> To this end, contract execution forms the grounds for data processing.
The following services comprise part of the above-mentioned mobility solutions.
We use your data to maintain our cars within the framework of this agreement’s implementation. After repair and/or maintenance, we provide the customer with information on the repairs carried out.
If you purchase any of these mobility solutions, we will process the following data of yours:
Vehicle driver data: first name and surname, mobile phone number, address, email, customer number, and vehicle registration number.
We share the registration number of your lease vehicle with the service partner handling your vehicle. During your visit, you may provide the service partner (garage/repairer) with additional information. Alphabet has no access or control of these data.
Technical data on the vehicle are processed in the context of maintenance and/or repairs. These data are processed by the service partner and are used by technicians trained in the diagnosis and repair of any malfunctions. These technical data relating to the vehicle consist mainly of:
- Basic vehicle data (such as the vehicle identification number, type of vehicle, year of construction, and vehicle options);
- Information on the condition of the vehicle (measured values such as kilometre reading); and
- Maintenance and workplace data (such as maintenance requirements, work carried out, installed parts, guarantee issues, and workplace reports).
-> To this end, contract execution and legitimate interest form the grounds for data processing.
In the event of a breakdown while travelling with your leased vehicle, including a flat tyre or other (possibly technical) problem, you can contact us via Alphabet Assistance for assistance.
If you purchase any of these mobility solutions, we will process the following data of yours:
Vehicle driver data: first name and surname, mobile phone number, registration number of your leased vehicle, location where this breakdown took place and where assistance was provided, which repairs were carried out or where the car was towed to. Depending on the circumstances, your account number or other data may also be requested, for example in the context of a reimbursement of costs advanced to you.
To perform this service, we use third parties (such as towing services or roadside assistance services); these third parties will process and forward the necessary data with regard to your situation to Alphabet for settlement at a later time.
-> To this end, contract execution and legitimate interest form the grounds for data processing.
In order to ensure that the lease vehicle is properly insured and that you can be provided with the necessary insurance certificates, we process the following in regard of your data:
Customer (employer) data: contact details, company telephone number, company email address, first name and surname, email address and telephone number of contact persons.
Vehicle driver data: first name and surname, date of birth, address and place of residence, employee number, period during which you were driving the lease vehicle, as well as vehicle-related data such as vehicle registration and VIN numbers, and the make and model.
Depending on the customer, Alphabet shares these data with the relevant insurance broker or agent or companies for the specific agreements made.
In case of damage to your vehicle as a result of an accident or when reporting an accident in which your lease vehicle is involved, you can approach us (or we will approach you) to repair this damage or arrange any replacement transport and the insurance or repair-related settlements thereto. In addition to the above-mentioned data, we also process information about the accident, any photos of the damage/accident, the number of passengers (where relevant), any evidence supplied by witnesses (where applicable), and any other information we receive from you regarding the damage and/or accident (e.g., information about injured parties).
Depending on the circumstances of the accident, you may also be asked for any medical and/or financial details.
We can also process data from third parties who were involved in the damage or accident, such as the identity of these third parties. We can also process information on witnesses, passengers involved, police data (such as police reports and witness statements) and insurance data related to the damage and/or accident, including information from and claims by third parties.
We share these data with our customer (your employer) in reports. We also share these data with damage repair companies, insurance companies (both our own insurance company and those of third parties) and, where necessary, with damage and other assessors, police or judicial authorities involved in the settlement of the damage and/or accident.
-> To this end, the grounds for processing are a legal obligation deriving from the execution of the contract and legitimate interest.
If tyre management comprises a part your contract, we will assist you in the changing of your summer and winter tyres.
If you purchase any of these mobility solutions, we will process the following data of yours:
Vehicle driver data: first name and surname, mobile phone number, email address (business and/or private).
We share this information with the tyre service centres responsible. We have entered into contractual agreements with these tyre service centres to provide the proper level of protection for your data.
-> To this end, contract execution forms the grounds for data processing.
If you conclude a lease contract with Alphabet including fuel management, you will receive a fuel card. We use brand-linked cards and non-brand-linked cards in this regard.
If you purchase any of these mobility solutions, we will process the following data of yours:
Customer (employer) data: company contact details.
Vehicle driver data: first name and surname, email address (business), contract number, employee number, and fuel type.
While using the card the following data are also processed: fuel type, refuelling date, kilometre reading, and associated costs.
We share this information with the fuel card suppliers. We may also share this information with our customer (your employer) via our customer portal / Fleet Agent CRM system. Reports will be made available to your employer including information on the use of these services (except for location data) on Fleet Agent; you can also personally view your refuelling data on Fleet Agent.
-> To this end, contract execution forms the grounds for data processing.
In the case of operational leasing, Alphabet is registered as the vehicle’s owner.
Alphabet processes parking fees and fines from abroad. For this purpose, we process the following data to process and manage the payment of these fines and, where necessary, to additionally have our customer (your employer) provide reimbursement: the data we receive from the municipality or its representative or a foreign institution, such as the vehicle registration, the nature of the violation, the place in and time at which the violation occurred and the amount of the fine imposed.
In the invoice and statements to the customer (your employer), we will not report privacy-sensitive data (such as the nature, place and time of the violation).
However, we will be obliged to share this information with our customer (your employer) in certain situations, namely in the case of car sharing/carpooling (multiple drivers per lease car), or should we not know the identity of the driver at the time of the violation.
--> To this end, the grounds for processing are a legal obligation based on legitimate interest.
To produce management reports we can also process your personal data for the purposes of statistical and scientific objectives or to improve the quality of our products and services. This processing is done anonymously and cannot be traced back to any individual person.
In addition, we provide our customer with basic reports to provide them with insight into the fleet and possibly to generate management information therefrom; in these reports we shall treat privacy-sensitive data such as location data and the nature of violations in accordance with that which is laid down in the “How do we protect your personal data?” section.
-> To this end, contract execution forms the grounds for data processing.
We use your personal data for contract management or to handle a request you have submitted (such as a request for quotations and for questions or complaints).
With respect to all aspects of contract management or problem-solving, we may contact you without permission, for example in writing, by telephone, or by email.
We also contact you if your vehicle is affected by a so-called technical campaign or recall (usually crucial measures to prevent, for example, danger to passengers or to the vehicle) so that we can comply with our legal obligation regarding the provision of information.
Alphabet also processes your personal data on this basis to optimise our customer service, for example to correctly identify you when you contact us.
-> To this end, contract execution forms the grounds for data processing.
Other times at which Alphabet is permitted to process personal data:
If you visit any of our facilities, we may use your personal data to provide you with an access badge, to ensure controls related to this access and to ensure the security of our locations.
We are able to process the following of your personal data: your name, your contact details and the name of the person at Alphabet you are visiting.
Alphabet also uses camera surveillance. These cameras are only installed for the security of the locations concerned; data shall also be used only for this purpose and shall not be stored longer than is strictly necessary.
-> To this end, legitimate interest forms the grounds for processing.
Data submitted by persons on the alphabet.be website are passed on to the competent services within Alphabet.
-> To this end, consent forms the grounds for processing.
We are happy to personally provide you with information at such time that it becomes relevant to you. This information may include newsletters, offers or any other materials. These may entail advantages for you, which is why we would like to draw your attention to these advantages. We also process your data for this, however, not without having requested your permission to this end.
We request your permission for the provision of information concerning the following activities:
- Alphabet events;
- updates on advice, news and promotional campaigns;
- Alphabet customer satisfaction surveys
You can use Fleet Agent to provide this permission by selecting the information you wish to receive from us. In addition to this, you can just as simply revoke this authorisation.
-> To this end, consent forms the grounds for processing.
How do we protect your personal data?
To protect your personal data, we take various security measures such as the use of encryption and authentication tools in conformity with state-of-the-art technology for the protection and maintenance of your data’s security, integrity and accessibility.
We cannot guarantee 100% protection against unauthorised access in the event of data transmission across the internet or a website; however, we and our service providers and business partners do our utmost to protect your personal data in accordance with the applicable data protection regulations (GDPR) by means of physical, electronic and process-oriented security measures based on current, state-of-the-art technology. Among other things, we use the following principles and means:
- Strict consent criteria for accessing your data in accordance with the “need to know” principle (limitation to as few people as possible) and solely for the purposes specified
- Collected data is only transmitted in encrypted form
- Firewall protection of IT systems to protect against unauthorised access, for example by hackers
- Permanent monitoring of IT system access to detect and prevent misuse of personal data
If you have received a password from us or have created a password yourself to access certain sections of our website or other portals, apps or services we operate, you are responsible for maintaining the confidentiality of this password and complying with all other security procedures indicated to you by us. In particular, please do not share your password with or tell it to anyone else.
Certain services can only be offered if you provide your location or announce the location of your vehicle. We take the confidentiality of these location data very seriously.
Your location data (including data viewed as part of vehicle maintenance) are therefore protected by the following security measures:
- They are only stored in a form capable of being traced back to you or your vehicle to the extent that this is required to meet the intended purpose for which you provided your consent.
- Data will only be collected and opened in this form if they are required to provide the requested services.
- Data for the location of the vehicle and data for the location of a mobile device/your mobile device are only linked if this is necessary for providing the services requested.
- Any other use of location data with regard to analysis takes place by using pre-anonymised data files.
If it does not have any significant bearing in relation to the execution of our agreement with your employer, we will not share your location data with your employer.
How long do we store your data?
In accordance with Article 17 of the GDPR, we store your data for the time needed to reach the objectives for which we process your data. Alphabet has developed internal procedures for the deletion of data to ensure that all your data is deleted in accordance with the principle of data minimisation and Article 17 of the GDPR. The fundamental principles by which your personal data are deleted are described below.
To meet contractual obligations, data collected from you may be retained for as long as the contract is in force and - depending on the nature and scope of the contract - for 7 to 10 years thereafter in order to comply with legal retention requirements and to be able to answer any questions or resolve any complaints following the contract’s expiry.
Moreover, there are contracts for the delivery of products and services requiring longer storage periods; see also “Use for claims assessment” below.
Data that we find essential to the assessment and prevention of claims against us or employed to institute criminal proceedings or to prevent claims against you, us or third parties may be retained by us as long as the relevant proceedings could be invoked.
The data collected from you for customer service and marketing purposes may be retained for 3 to 10 years, unless you wish such data to be deleted and there is no contractual or legal obligation hindering such request for deletion.
To whom do we give international access to your data and how do we ensure that these data are protected?
Alphabet is part of the BMW Group. The personal data of Alphabet customers and mobility users can also be processed for and by other companies affiliated with BMW AG. The preferred option is for personal data processed by us and/or the BMW group to be processed within the EU.
If data are processed in countries outside the EU, Alphabet uses standard EU contracts, which include the appropriate technological and organisational measures to ensure that your personal data are processed at the same level of security applicable under the European GDPR.
In some countries outside the EU, such as Canada and Switzerland, the EU has already established a level of data protection analogous to that of Europe. An analogous level of data protection means data transmission to these countries does not require any special permissions or agreements.
How can you see which personal data we have about you and how can you change your privacy preferences?
Via Fleet Agent, our online CRM portal, you have access to the personal data relating to you that we store. If permitted, it is also possible to modify your data here.
You can also view and possibly modify the Marketing Communication and Customer Satisfaction Survey permissions you have activated here.
However, settings related to data usage by service partners cannot be modified on your online account. To enact these changes, or if you have any questions about the use of your data, you must therefore contact the respective service partners directly.
Contacting us, your privacy rights and your right to submit a complaint at the national data protection authority
If you have any questions about the use of your data and our processing methods or about this privacy statement, you can contact the Data Privacy Protection Officer (DPPO) directly via the following mailbox: contact.privacy@alphabet.be
In accordance with the GDPR, you as an individual have the following rights which you are entitled to invoke in regard to your relation to us. The following section explains your rights as defined in the GDPR. Depending on the type and size of your request, we may request that you submit this in writing.
In accordance with the GDPR, you as the data subject have the following rights vis-a-vis Alphabet:
You are at all times at liberty to request which of your data are processed by us. This information includes the categories of data we process, the processing purposes, the data’s origin (should we have not have received it directly from you) and, where applicable, the recipients to whom or which we have transmitted your data.
Should you wish to inspect the data belonging to you that are processed by Alphabet, we refer you in the first instance to the Fleet Agent portal. Here you can view the personal data that we have received from you along with the data received by you with regard to your vehicle (such as refuelling, damage, etc.).
Inspection of decisions made (consent):
We provide you with the opportunity to personally indicate whether we may or may not use or process your personal data for commercial offers or analysis purposes. An overview of decisions registered by us that you have made may also be found on the Fleet Agent portal, where we also offer the option of easily modifying previous decisions at any time.
You are at all times at liberty to request which of your data are processed by us. This information includes the categories of data we process, the processing purposes, the data’s origin (should we have not have received it directly from you) and, where applicable, the recipients to whom or which we have transmitted your data.
Should you wish to inspect the data belonging to you that are processed by Alphabet, we refer you in the first instance to the Fleet Agent portal. Here you can view the personal data that we have received from you along with the data received by you with regard to your vehicle (such as refuelling, damage, etc.).
Inspection of decisions made (consent):
We provide you with the opportunity to personally indicate whether we may or may not use or process your personal data for commercial offers or analysis purposes. An overview of decisions registered by us that you have made may also be found on the Fleet Agent portal, where we also offer the option of easily modifying previous decisions at any time.
If you are unable to find the information you are looking for, you can submit a request for inspection. This information is provided free of charge. If you are interested in additional summary reports, we reserve the right to request compensation for these additional copies.
To receive a summary report, please send a letter to:
Alphabet Luxembourg SA
Attn. DPO
2-4 Rue du Château d’Eau
3364 Leudelange
Luxembourg
Or send an email to: contact.privacy@alphabet.be
We request that you clearly formulate your request, send a copy of a valid legal proof of identity and state a contract number or number plate.
You may submit a request for your data to be deleted. We can only meet this request if certain legal requirements are met. In accordance with Article 17 of the GDPR, this may be the case if:
- Your data are no longer necessary for the purpose for which they were obtained or processed;
- You revoke your consent, which formed the grounds for processing the personal data and there is no other legal basis for the processing thereof
- You object to the processing of your data and there is no other legitimate reason to process these, or if you object to the processing of your data for direct marketing purposes;
- The data have been processed unlawfully,
Or if the processing is unnecessary
- To ensure compliance with a legal obligation that requires us to process your data;
- In particular in connection with legal retention periods
- To facilitate assertion/exercise of legal claims or defence against legal claims.
You may submit a request for your data to be deleted. We can only meet this request if certain legal requirements are met. In accordance with Article 17 of the GDPR, this may be the case if:
- Your data are no longer necessary for the purpose for which they were obtained or processed;
- You revoke your consent, which formed the grounds for processing the personal data and there is no other legal basis for the processing thereof
- You object to the processing of your data and there is no other legitimate reason to process these, or if you object to the processing of your data for direct marketing purposes;
- The data have been processed unlawfully,
Or if the processing is unnecessary
- To ensure compliance with a legal obligation that requires us to process your data;
- In particular in connection with legal retention periods
- To facilitate assertion/exercise of legal claims or defence against legal claims.
Upon your request, where technically possible, we shall forward the data we collect to another responsible entity, or you may acquire certain data from us on a portable data carrier. This right only applies if the data processing is based on your consent or is required to execute a contract.
You may object to the processing of your personal data at any time, for reasons arising from a situation particular to you, provided that the data processing is based on your consent or our legitimate interest or that of a third party. Under these circumstances, we will no longer process your data. The latter does not apply if we are able to demonstrate that there are compelling, defensible reasons for processing which outweigh your interests. Or if we require your data to assert or exercise legal claims or to defend against legal claims.
In general, we will do our best to meet your request within 30 days. However, this period may be extended by a maximum of two months for reasons related to the specific rights of the data subject / depending on the reason underlying a specific individual right or due to the complexity of your request.
If you make a request of us regarding the exercise of your rights, we will quickly notify you as to whether and to what extent we are able to comply with your request. In some cases we may namely refuse this request, for example if you request that we delete data that we still need for fiscal reasons or other legal requirements. If this is the case, we will explain why we cannot fully comply with your request.
Complaints to the National Commission for Data Protection
Alphabet takes your qualified comments and reserved rights regarding personal data processing seriously. However, if you are of the opinion that we have not properly addressed your comment or objection, you have the right to lodge a complaint with the National Commission for Data Protection.
National Commission for Data Protection
1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette
(+352) 26 10 60-1
Or through following link: https://cnpd.public.lu/en/particuliers/faire-valoir/formulaire-plainte.html
Alphabet may amend this Privacy Statement (last amended on 25 May 2018). We recommend that you regularly consult this Privacy Statement, at the very least for cases in which you provide (or once again provide) Alphabet with personal data.
Privacy notice information for informants
This privacy notice applies to informants who contact us to report compliance concerns (i.e., “whistleblowing”).
The protection of your privacy rights during the processing of personal data is a top priority for BMW Group. We process personal data in compliance with the provisions of the EU General Data Protection Regulation (“GDPR”) and in accordance with national statutory provisions.
The following provides information on how your personal data as an informant is processed. You can find further information on processing of personal data at BMW AG at: https://www.bmwgroup.com/en/general/data_privacy.html If you are an employee of BMW AG, please refer to the “Information on the processing of your employee data” on the Intranet page of Group Data Privacy Protection at: https://contenthub-de.bmwgroup.net/en/web/konzerndatenschutz/bmw-ag-documents
1. Who is responsible for data processing and how can the Data Protection Officer be contacted?
Bayerische Motoren Werke Aktiengesellschaft (”BMW AG”), Petuelring 130, 80788 Munich, Germany, domicile and court of registry: Munich HRB 42243, is responsible for accepting, reviewing, and investigating reports of compliance concerns and jointly responsible with other BMW Group affiliated companies for clarifying violations of rules within the meaning of Article 26 GDPR. You can contact our Data Protection Officer via the contact information under title “7. Contact for your data subject rights” below.
2. Which data from you do we process and for what purpose?
BMW AG processes your data for the following purposes:
Reviewing and processing your report and conducting any necessary investigations into the person(s) accused; where applicable, communicating with the authorities and courts in connection with your report; communicating with international attorneys and auditors or other investigators engaged by the company; communicating with other BMW Group companies and their affiliated companies.
Anonymity
You may report compliance concerns without sharing your personal data (“anonymous report”) and are under no obligation to provide your personal data. You may also choose to provide your personal data as part of your report (“non-anonymous report”).
Types of data
When you submit a report, we collect the following personal data and information:
- your name and/or private contact and identification data, should you choose to disclose your identity
- your work contact and (work) organization data, if disclosed by you, and,
- where applicable, the names and other personal data of the persons named in your report.
Legal basis
Case-specific processing of your personal data is justified by the following legal basis:
- Collection of your personal data in connection with a non-anonymous report: consent to the processing of personal data for the purposes referred to above. If you voluntarily provide your personal data by submitting a non-anonymous report, we will process your information solely for the purpose of processing your report under Article 6 (1) LIT. C), F) of the GDPR.
- Collection, processing, and disclosure of the personal data of the persons mentioned in your report: to safeguard the legitimate interests of the person concerned or of a third party (Article 6 (1) LIT. C) GDPR), to fulfil a legal obligation (Article 6 (1) LIT. C) GDPR). BMW AG has a legitimate interest to identify, process, rectify, and sanction violations of the law and severe breaches of duty by employees’ company wide. This must be done in an effective manner with a high level of confidentiality to avert damage and liability risks for the BMW Group pursuant to sections 30 and 130 of the German Act on Regulatory Offenses (OWiG).
- BMW AG is also required to establish a complaints procedure in accordance with section 8 of the German Supply Chain Due Diligence Act (LkSG). Point 4.1.3. of the German Corporate Governance Code also requires that a system for reporting compliance concerns be established to give employees and third parties the opportunity to submit reports of infringements within the company safely and in an adequate manner (Article 6 (1) LIT. C), F) GDPR).
- Disclosure of your personal data from a non-anonymous report to other recipients, such as to authorities during the course of official proceedings: Your data is shared where there is a legal obligation to do so (Article 6 (1) LIT. C), F) GDPR).
3. How long do we store your data?
We store your personal data only as long as it is required for the purposes of the investigation and subsequent assessment, and, also, for as long as we are obliged to store it under country-specific legal, contractual, or statutory retention periods. Once the report has been processed, the data will be deleted or anonymized in accordance with country-specific legal requirements. In the case of anonymization, the reference to your identity as an informant is permanently and irreversibly removed.
4. How do we store your data?
We utilize state-of-the-art technology to store your data. The following safeguards are used, for example, to protect your personal data from misuse or any other form of unauthorized processing:
- Access to personal data is restricted to a limited number of authorized persons for the stated purpose.
- The data collected is only transmitted in encrypted form.
- Sensitive data is also only stored in encrypted form.
- The IT systems used for processing data are technically isolated from other systems, to prevent unauthorized access and hacking.
- Access to these IT systems is constantly monitored to detect and prevent misuse in the early stages.
5. Whom do we share data with?
The BMW Group is a global organization. Personal data is stored and processed by employees, National Sales and Financial Service Companies, the BMW Group partners and service providers engaged by us, preferably within the European Union. In certain cases, your personal data may also be transmitted to other recipients: In substantiated individual cases, it may be necessary, for the purpose of processing a report or as part of an internal investigation, to share information with other employees of BMW AG or other companies affiliated with BMW AG, e.g. if the report relates to incidents at BMW AG subsidiaries. If required by the investigation, information may be shared with BMW AG subsidiaries in a country outside the European Union or the European Economic Area, based on appropriate data privacy guarantees designed to protect data subjects (e.g. EU standard data protection clauses, for employee data Binding Corporate Rules under Article 47 GDPR or exceptions under Article 49 GDPR). We always ensure compliance with the relevant data protection provisions relating to the disclosure of information.
If there is a corresponding legal obligation or if BMW AG or a third party has a legitimate interest in investigating the report, further recipients may include law enforcement agencies, antitrust authorities, other administrative authorities and courts, as well as international attorneys and auditors engaged by BMW AG or any other company affiliated with BMW AG.
In certain cases, BMW AG is obliged by data protection legislation to inform the accused of the allegations made against them. This is a statutory requirement in cases where it can be objectively established that the disclosure of information to the accused can no longer have an adverse effect on the investigation in question. If you provided us with your name or other personal data (by making a non-anonymous report), your identity as an informant will not be disclosed, as far as legally possible, and steps will also be taken to ensure your identity as an informant cannot be traced.
6. Rights of the data subject
As the party affected by the processing of your data, you may claim certain rights under the GDPR and other relevant data protection regulations. Under the GDPR, you are entitled as the data subject to claim the following rights vis-à-vis BMW AG:
- Right of access by the data subject (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
Right to object (Art. 21 GDPR): You have the right to object to the processing of your data at any time for reasons that arise from your particular situation, provided data processing is on the basis of our legitimate interests or those of a third party. In this case, we will cease to process your data. However, this does not apply if we can show that there are compelling legitimate grounds for processing that outweigh your interests, or if we need your data for the establishment, exercise, or defense of legal claims.
In the event of data privacy violation, you have the right as a data subject to lodge a complaint with your local supervisory authority.
To exercise your rights regarding your personal data, please refer to the contact information under “7. Contact for your data subject rights” below.
You can find more detailed information on your data protection rights at: https://www.bmwgroup.com/en/general/data_privacy.html.
If you are an employee of BMW AG, please refer to the “Information on the processing of your employee data” on the Intranet page of Group Data Privacy Protection at: https://contenthub-de.bmwgroup.net/en/web/konzerndatenschutz/bmw-ag-documents
7. Contact for your data subject rights
For questions relating to the use of your personal data as informant, please contact: notifications@bmwgroup.com.
You can also contact the BMW AG Data Protection Officer:
- Data Protection Officer, BMW AG, Petuelring 130, 80788 Munich, Germany
or - datenschutz@bmw.de
BMW AG takes your concerns and rights very seriously. However, if you believe that we have not responded in an appropriate manner to your complaints or concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
Updated: July 2024