DATA PROTECTION.

Legal information on data protection

The high demands you make on the quality of our products and services form our guideline for the handling of your data. Our aim is to create and maintain the basis for a trusting business relationship with our customers and interested parties. The confidentiality and integrity of your personal data is of particular importance to us.

Who is responsible for data processing?

Bayerische Motoren Werke Aktiengesellschaft, Petuelring 130, 80788 Munich, registered office and register court: Munich HRB 42243 (hereinafter “BMW”) provides the customer with certain services under the name “BMW i Pure Impulse Experience Programme” (sending a Welcome Pack, registration option on the website bmw-i-pure-impulse.com, registration for BMW i Pure Impulse Experience Events, receipt of regular information on the program content by mail and/or email, use of BMW i Pure Impulse Experience privileges) and is responsible for data processing in this context.

Which data do we process about you and for what purpose?

 The data collected in connection with the conclusion of the contract or the provision of the services will be processed for the following purposes:

A.  Conclusion of contract (Art. 6 para. 1 lit. b) GDPR)

The following data categories are processed within the framework of the conclusion of the contract:

  • Contact details (surname, first name, address, telephone number, email address)
  • Account data (BMW i Pure Impulse Experience Programme login account)
  • Contract data (customer number)

The contract data is automatically deleted 1 year after contract expiry, financial transactions are deleted after 10 years in accordance with legal regulations.

B.  Fulfillment of the contractual obligation to provide the BMW i Pure Impulse Experience Programme contract (Art. 6 para. 1 lit. b) GDPR)

For the purpose of fulfilling the BMW i Pure Impulse Experience Programme contract concluded between you and BMW, BMW provides various services such as sending a Welcome Pack, registration option on the website bmw-i-pure-impulse.com, registration for BMW i Pure Impulse Experience Events, receipt of regular information on the program content by mail and/or email, use of BMW i Pure Impulse Experience privileges.

For the provision of these services, the following, possibly personal, information from the vehicle is processed by BMW as well as by commissioned service providers:

  • Event participation data (surname, first name of accompanying persons, arrival and departure times, personal preferences, etc.)
  • Interests (information you provide about your areas of interest – e.g., vehicles of interest to you, hobbies, and other personal preferences.)
  • Other personal data (information you provide about your date of birth, education, and professional situation.)
  • Use of websites and communication (information about how you use the website and whether you open or forward communications from us, including information collected through cookies and other tracking technologies. For further information, please refer to our BMW Cookie Policy.)
  • Transaction and interaction data (interactions with BMW customer service, such as your inquiries and complaints, and participation in BMW i Pure Impulse Experience Programme surveys.)
  • Vehicle-specific data (vehicle type, VIN number)

This data is not required for the finalization of the BMW i Pure Impulse Experience Programme contract. However, BMW will not be able to provide the relevant service for you unless you provide the data and grant your consent to process it.

The processed personal data will be automatically deleted 4 weeks after termination of the contract provided that they are no longer needed for the provision of the specific service.

BMW i Pure Impulse login

To make full use of the BMW i Pure Impulse Experience Programme services, you must register in the BMW i Pure Impulse Experience Programme portal. You will receive an online customer account when registering.

C.  Assurance of product quality and development of new products (Art. 6 para. 1 lit. f) GDPR) 

In addition to the mere provision of services, the data collected in accordance with section B. is also processed for quality assurance purposes of the products and services offered by the BMW Group and for the development of new products and services by BMW. This processing serves the legitimate interest of BMW to meet the high customer requirements on the existing products and services and to be in a position to meet the future wishes of our customers with new products and services still to be developed. For the protection of our customers’ privacy, the data is processed exclusively in a manner that cannot be directly traced back to the customer or the vehicle.

D.  Fulfillment of the sales, service, and administrative processes of BMW AG, national sales companies, and authorized dealers (Art. 6 para. 1 lit. f) GDPR) 

In order to continuously optimize the customer experience and the cooperation with authorized BMW dealers, we prepare evaluations and reports based on contract information, which we share with the responsible BMW dealer.

These evaluations are primarily used to initiate appropriate measures (e.g., training for sales personnel) to improve the application and sales process. We will produce the reports described above exclusively in an aggregated and anonymous form so that the recipients of the reports cannot draw any conclusions about you as a person from the data contained therein.

Some of the vehicle-specific data collected in accordance with section B. is also processed to enable the service processes (e.g., repair, warranty, goodwill) of BMW AG, national sales companies, and authorized dealers. This processing is in the legitimate interest of BMW so that we may offer our customers the best possible service process. Sometimes the processing also takes place in connection with legal requirements (e.g., repair and maintenance information due to the provisions of competition law). To protect the privacy of our customers, the processing of technical data is always vehicle-related and without direct connection to the customer.

The following data categories are used for this:

  • Vehicle master data (vehicle type, color, equipment, etc.)

The technical vehicle data is deleted at the end of the life cycle of the vehicle.

BMW AG is a company of the BMW Group. We process some of your data in order to make the administration of the various companies within the BMW Group as efficient and successful as possible. This applies, for example, to joint group accounting in accordance with international accounting standards for companies (such as the International Financial Reporting Standards – IFRS).

E.  Customer service (Art. 6 para. 1 lit. b), f) GDPR)

BMW, BMW branches, and BMW partners use your personal data for the purpose of processing contracts as defined above (e.g., booking BMW ConnectedDrive services) or of processing a request formulated by you (e.g., inquiries and complaints to BMW customer service). For all purposes of contract processing or the processing of a request, we will contact you, without prior specific consent, via the contact media which you have specified: in writing, by telephone, email, or by messenger service.

F.  Advertising communication and market research based on consent (Art. 6 para. 1 lit. a) GDPR)

If you have given your separate consent to further use of your personal data, your personal data may be used to the extent described in the consent, e.g., for advertising purposes and/or market research, and, if necessary, is passed on to third parties. Details can be found in the respective declaration of consent, which can be revoked at any time.

G.  Fulfillment of legal obligations to which BMW is subject to (Art. 6 para. 1 lit. c) GDPR)

BMW will also process personal data if there is a legal obligation to do so. This may be the case, for instance, if we need to contact you because your vehicle is affected by a recall or a technical action.

Collected data is also processed in the context of ensuring the operation of IT systems. This includes, among other things, the following activities:

  • Backup and recovery of data processed by IT systems,
  • Logging and monitoring of transactions to check the correct functioning of IT systems,
  • Detection and prevention of unauthorized access to personal data,
  • Incident and problem management for troubleshooting in IT systems.

Collected data is also processed within the framework of internal compliance management, in which we check, for instance, whether you have received sufficient advice within the framework of concluding a contract and that the dealer has complied with all legal obligations.

BMW is subject to numerous other legal obligations. In order to meet these obligations, we process your data to the required extent and, if necessary, pass them on to the responsible authorities within the framework of statutory reporting obligations.

H.  Data transmission to selected third parties

BMW makes data collected in accordance with sections A. and B. available to third parties (partner companies subcontracted by BMW) for the purpose of providing services (e.g., organizational planning for event participation, etc.) of the BMW i Pure Impulse Experience Programme.

How long do we store your data? 

We store your personal data only for as long as the respective purpose requires. If data is processed for several purposes, the data is automatically deleted or stored in a form that cannot be directly traced back to you as soon as the last stated purpose has been fulfilled.

How is your data backed up?

 We secure your data using state-of-the-art technology. The following security measures, for instance, are used to protect your personal data from misuse or other unauthorized processing:

  • Access to personal data is restricted to a limited number of authorized persons and only to the stated purposes.
  • Collected data is only transmitted in encrypted form.
  • Furthermore, sensitive data is only stored in encrypted form.
  • The IT systems for processing the data are technically isolated from other systems in order to prevent unauthorized access, such as by hacking.
  • In addition, access to these IT systems is permanently monitored in order to detect and prevent misuse at an early stage.

Who do we share information with and how do we protect it? 

BMW is a globally active company. Personal data is processed by BMW employees, national sales companies, authorized dealers, and service providers commissioned by us, preferably within the EU.

Should data be processed in countries outside the EU, BMW uses EU standard contracts including appropriate technical and organizational measures to ensure that your personal data is processed in accordance with the European data protection level standards. If you would like to have an insight into the specific protection measures for the transfer of data to other countries, please contact us using the communication channels listed below.

For some countries outside the EU, such as Canada and Switzerland, the EU has already established a comparable level of data protection. Due to the comparable level of data protection, the transfer of data to these countries does not require special approval or agreement.

How can you examine and change your data protection settings?

You can view and change privacy settings in your customer account at any time on the BMW i Pure Impulse website at My Profile.

Contact details, your rights as a data subject, and your right to file a complaint with a regulatory authority.

For questions about our use of your personal data, please contact BMW i Pure Impulse Experience Programme Customer Care first by email at service@pure-impulse.com

You can also contact the responsible data protection officer:

Data protection officer

BMW AG

Petuelring 130

80788 Munich

datenschutz@bmw.de

As the person concerned by the processing of your data, you may assert certain rights against us in accordance with the GDPR and other relevant data protection regulations.

The following section contains explanations of your rights under the GDPR.

Rights of persons concerned 

According to the GDPR, you have the following rights vis-à-vis BMW as the person concerned:

Right to information (Art. 15 GDPR): You may request information from us at any time about the data we hold about you. This information concerns, among other things, the categories of data processed by us, for what purposes we process them, the origin of the data if we have not collected it directly from you, and, if applicable, the recipients to whom we have transmitted your data. You can receive a free copy of your data from us. If you are interested in further copies, we reserve the right to invoice you for the further copies.

Right to correction (Art. 16 GDPR): You can ask us to correct your data. We will take reasonable measures to keep the information we hold and process about you accurate, complete, and current, based on the most current information available to us.

Right to deletion (Art. 17 GDPR): You may request us to delete your data, provided that the legal requirements are met. According to Art. 17 GDPR, this may be the case if

  • the data is no longer needed for the purposes for which they were collected or otherwise processed;
  • you revoke your consent, which is the basis of the data processing, and there is no other legal basis for the processing;
  • you object to the processing of your data and there are no overriding legitimate reasons for the processing, or you object to the processing of your data for direct marketing purposes;
  • the data has been processed unlawfully, unless processing is necessary,
  • we have to ensure compliance with a legal obligation that requires us to process your data;
  • especially with regard to legal retention periods;
  • to assert, exercise, or defend legal claims.

Right to limitation of processing (Art. 18 GDPR): You may request us to restrict the processing of your data if

  • you dispute the accuracy of the data for the period we need to verify the accuracy of the data;
  • the processing is unlawful, you reject the deletion of your data, and request the restriction of use instead;
  • we no longer need your data, but you do need it to assert, exercise, or defend legal claims;
  • you have filed an objection against the processing as long as it is not yet clear whether our justified reasons outweigh yours.

Right to data transferability (Art. 20 GDPR): If you so request, we will transfer your data – as far as technically possible – to another data controller.

However, you are only entitled to this right if the data processing is based on your consent or is necessary to execute a contract. Instead of receiving a copy of your data, you can also ask us to transmit the data directly to another data controller specified by you.

Right of objection (Art. 21 GDPR): You can object to the processing of your data at any time for reasons arising from your particular circumstances – provided that the data processing is based on your consent, on our legitimate interests, or those of a third party. In this case, we will no longer process your data. The latter does not apply if we can prove compelling reasons worthy of protection for the processing which outweigh your interests or if we need your data to assert, exercise, or defend legal claims.

Time limits for the fulfillment of rights of data subjects

As a matter of principle, we do our best to respond to all inquiries within 30 days. However, this period may be extended for reasons relating to the specific right of the person concerned or the complexity of your request.

Restrictions on the provision of information when fulfilling the rights of persons concerned

In certain situations, we may not be able to provide you with information about all of your data due to legal requirements. In such a case, if we have to reject your request for information, we will also inform you of the reasons for the rejection.

Complaint to supervisory authorities 

BMW takes your concerns and rights very seriously. However, if you believe that we have not adequately addressed your complaints or concerns, you have the right to file a complaint with a competent data protection authority.