LEGAL INFORMATION ON DATA PROTECTION
The high standards that you require from our products and services are our guideline for handling your data. Our aim is to create and maintain the basis for a trusting business relationship with our customers and prospective clients. The confidentiality and integrity of your personal data is very important to us.
Who is responsible for data processing?
The Bayerische Motoren Werke Aktiengesellschaft (Bavarian Motor Works plc), Petuelring 130, 80788 Munich, headquarters and register court: Munich HRB 42243 (hereinafter “BMW” or “We”) provides customers of BMW Welt and the BMW Museum with certain services, for example:
- Ticket Purchase
- Event Services
And we are responsible for data processing in this context.
When does BMW collect and process personal data?
BMW collects and processes your personal data in the following cases (amongst others):
- If you contact us directly, for example, via our website or via BMW customer care and you are interested in our products or services or have any other concerns.
- If you buy services directly from us (e.g. admission tickets).
- If you request information about our products and services (e.g. newsletters or booklets).
- If you respond to our direct marketing activities, such as filling out a response card during events or if you enter your details online using one of our websites.
- If your personal details are transferred to us by BMW partners or third parties, if and insofar as the necessary data protection requirements are met, e.g. you have given your consent or you have not objected to the disclosure of your data to BMW for the purpose of customer service (e.g. to identify you in the case of contacting BMW customer service) and written discourse (e.g. sending newsletter/information) in the knowledge of a right of objection.
- If other BMW Group companies and our business partners provide us with data about you
Please help us to keep your information up-to-date by informing us about changes in your personal data – your contact details, in particular.
Which data can be collected?
The following categories of personal information may be collected through the many services and contact channels described in this data protection notice:
- Contact details ► Name, Address, Telephone Number, Email Address.
- Interests ► Information provided by you about your areas of interest, such as vehicles you are interested in, your preferred BMW partner or branch, hobbies, and other personal preferences.
- Contract data ► Contract number.
- Online Account Data ► Account information for ordering and purchasing tickets
- Transaction and interaction data ► Information on purchases of products and services, interactions with BMW Customer Care (your inquiries and complaints).
For what purpose we process your data?
Data collected in connection with the conclusion of the contract or the provision of services will be processed for the following purposes:
A. Fulfilment of the contractual obligation to provide Event Services (Art 6 Para. 1 lit. b) of GDPR)
For the purpose of fulfilling the contract for Event Services concluded between you and BMW, BMW provides various services such as Event tickets, BMW Lounge access
For the provision of these services, the following personal information is processed by BMW and commissioned service providers:
Contact details (surname, first name, address, email address etc.)
Business contact information (surname, first name, company, company address, business email address, etc.).
B. Customer care (Art. 6 Para. 1 lit. b, g, f) of GDPR)
BMW, BMW branches and BMW partners use your personal data to address the contract settlement (e.g. postponement of pick-up day or pick-up time) or handling of a request you have made (e.g. inquiries and complaints to BMW Customer Service). For all aspects of the contract or the settlement of a concern, we will speak to you without separate consent either in writing, by telephone, via messenger services, or by email, depending on the contact media you have specified.
C. Advertising communication and market research based on consent (Art. 6 Para. 1 lit. a) of GDPR)
If you have separately given your consent to further use of your personal data, your personal data may be used in accordance with the scope described in the consent, for example for advertising purposes and/or market research, and may be passed on to third parties. Details on this can be found in the respective declaration of consent, which is revocable at any time.
D. Fulfilment of legal obligations to which BMW is subject (Art. 13 Para. 1 lit. c, 6 Para. 1 lit. c) of GDPR)
BMW will also process personal data if there is a legal obligation to do so. This may be the case if we need to contact you because your vehicle is affected by a recall or a technical action.
Collected data is also processed in the course of securing IT systems operations. Securing is understood as the following activities:
- Back-up and recovery of data processed in IT systems
- Logging and monitoring of transactions to verify proper functioning of IT systems
- Detection and prevention of unauthorised access to personal data
- Incident and problem management for troubleshooting IT systems
- Collected data is also processed in the context of internal compliance management, in which we check, for example, whether you have been sufficiently advised in the context of a contract and that the dealer has complied with all legal obligations.
BMW is subject to a variety of other legal obligations. To comply with these obligations, we process your data to the required extent and, if necessary, pass these on to the responsible authorities as part of legal reporting requirements.
E. Data sharing with selected third parties
Data is forwarded to the following companies, amongst others, if and insofar as the necessary data protection requirements are met:
- To BMW Partners (e.g. to fulfill your request for a test drive or a service and make specific offers). Your requests will be prioritized to your chosen BMW partner - the one at which you have sourced products or services, the partner with whom you are in contact. If you do not have any known contact with a BMW partner, we will forward your request to a BMW partner in your region.
- To BMW Partners for data to be updated e.g. your contact information. The data for this update will be forwarded to all BMW partners who have you on their address list.
- To carefully selected and audited service providers and business partners with whom we work together to provide you with products and services. BMW plc only does this within the strict data protection requirements on behalf of, or on the basis of, your express consent.
- On the sale of one or more business areas of BMW plc to a company to which we transfer our rights, in compliance with any agreements existing with you.
To other third parties (e.g. public bodies) insofar as we are legally obliged to.
How is your personal data secured?
We secure your data according to the state of the technology. For example, the following safeguards are used to protect your personal information from misuse or other unauthorized processing:
- Access to personal data is restricted to a limited number of beneficiaries for the stated purposes.
- Collected data will only be transferred in encrypted form.
- Sensitive data is stored only in encrypted form.
- The IT systems for processing the data are technically isolated from other systems to prevent unauthorised access, e.g. to prevent hacking.
- In addition, access to these IT systems is permanently monitored to detect and ward off misuse at an early stage.
How long do we keep your data?
In accordance with Art. 17 of the GDPR, we will only store your data for as long as necessary for the respective purposes for which we process your data. If we process data for multiple purposes, it will automatically be deleted or stored in a format that does not allow for direct conclusions about your person once the final specific purpose has been met. To ensure that all your data is deleted in accordance with the principle of data minimization and Art. 17 of the GDPR, BMW has developed an internal deletion concept. The basic principles according to which this deletion concept provides for the deletion of your personal data are shown below.
Use for the fulfilment of a contract
In order to comply with contractual obligations, data collected from you may be kept for as long as the contract is in force and, depending on the nature and scope of the contract, for 6 or 10 years beyond the statutory retention requirements and for any requests after the contract has ended.
In addition, there are contracts for the supply of products and services that require longer retention periods. See also below: "Use for consideration of claims".
Use for customer care and marketing purposes
For customer care and marketing purposes, the data collected from you may be kept 3 years after the last contact, unless you wish for this data to be deleted and there are no contractual or statutory retention requirements that conflict with this deletion request.
To whom do we share your data and how do we protect it?
BMW is a globally active company. Personal data is preferably processed by BMW employees, national sales companies, authorized dealers, and service providers commissioned by us within the EU.
If data is processed in countries outside the EU, BMW will ensure through EU Standard Contracts, including appropriate technical and organizational measures, that your personal data is processed in accordance with European data protection standards. If you would like to see the specific safeguards for the transfer of data to other countries, please contact us using the communication channels listed below.
For some countries outside the EU, such as Canada and Switzerland, the EU has already established a comparable level of data protection. Due to the comparable level of data protection, data transfer to these countries does not require any special approval or agreement.
Contact details, your data rights of persons affected, and your right to complain to a supervisory authority
If you have any questions about our use of your personal data, please contact firstname.lastname@example.org or BMW customer care – either by email at email@example.com or by phone on +49 89 1250-16000 (daily from 8am to 8pm).
You can also contact the responsible data protection officer: firstname.lastname@example.org
As persons affected by the processing of your data, you may claim certain rights under the GDPR and other relevant data protection regulations. The following section contains an explanation of your rights according to the GDPR.
Rights of persons affected
According to the GDPR, you are entitled to the following rights in particular as an affected person:
Right of access (Art. 15 of GDPR):
You may request information about the data we hold on you at any time. This information includes, but is not limited to, the categories of data we process and for which purposes we process them, the source of the data if we have not collected it directly from you, and, if applicable, the recipients to whom we have submitted your information. You can obtain a free copy of your data from us. If you are interested in further copies, we reserve the right to charge you for these.
Right to correction (Art. 16 of GDPR):
You can ask us to correct your data. We will then take reasonable steps to keep your information up-to-date, and process it in a timely, complete, and accurate manner based on the most up-to-date information available to us.
Right to deletion (Art. 17 of GDPR):
You can demand that we delete your data, provided that the legal prerequisites exist. This may be the case under Art. 17 GDPR if:
- The data is no longer required for the purposes for which it was collected or otherwise processed
- You revoke your consent, which is the basis of data processing, and lack any other legal basis for processing
- You object to the processing of your data and there are no legitimate reasons for processing, or you object to the processing of data for direct marketing purposes
- The data was processed unlawfully insofar as processing is not necessary
- To ensure compliance with a legal obligation that requires us to secure your data
- Especially regarding statutory retention periods
- To assert, exercise, or defend legal claims.
Right to restriction of processing (Art. 18 of GDPR): You may ask that we restrict the processing of your data if:
- You deny the accuracy of the data for the period which we need to check to verify the accuracy of the data
- The processing is unlawful, and you refuse the deletion of your data and instead demand the restriction of its use
- We no longer need your information, but you need it to enforce, exercise or defend your rights
- You have objected to the processing, so long as it is not certain that our legitimate reasons outweigh yours
Right to data portability (Art. 20 of GDPR): We will transfer your data upon your request - as far as this is technically possible - to another person in charge. However, you are only entitled to this right if the data processing is based on your consent or is required to carry out a contract. Instead of receiving a copy of your data, you may also ask us to submit the data directly to another person in charge who you specify.
Right to objection (Art. 21 of GDPR): You may object to the processing of your data at any time for reasons that arise from your particular situation if the data processing is based on your consent or on our legitimate interests or those of a third party. In this case, we will no longer process your data. The latter does not apply if we can prove compelling legitimate reasons for the processing that outweigh your interests, or we need your data to assert, exercise, or defend legal claims.
Time limits for the fulfilment of the rights of persons affected
We make every effort to comply with all requests within 30 days. However, this period may be extended for reasons relating to the specific right or complexity of your request.
Restriction of information in the fulfilment of the rights of persons affected
In certain situations, we may be unable to provide you with information about all of your data due to legal requirements. If we must decline your request for information in such a case, we will inform you at the same time about the reasons for the refusal.
Complaints to regulators
BMW takes your concerns and rights very seriously. However, if you believe that we have not adequately complied with your complaints or concerns, you have the right to lodge a complaint with a competent data protection authority.