DATA-PRIVACY

BMW Privacy Notice

For us, the high standards you place on the characteristics of our products and services are the guideline for handling your data. Our aim is to create and maintain the basis for a trusting business relationship with our customers and prospects. The confidentiality and integrity of your personal data is of particular concern to us. We will therefore process and use your data carefully, for the intended purpose or in accordance with your consent and in accordance with the statutory provisions on data protection.

Who is the controller for data processing operations?

Bayerische Motoren Werke Aktiengesellschaft, Petuelring 130, 80788 Munich, Germany, registered office and court of registration: Munich HRB 42243 (hereinafter “BMW”), is the controller within the meaning of the EU General Data Protection Regulation (“GDPR”) for the processing of your personal data.
BMW AG is the parent company of the BMW Group and operates the website https://aos.bmwgroup.com, through which BMW business customers can access certain technical information, in particular information and applications for the professional service and repair of vehicles and motorcycles manufactured by BMW and/or sold under BMW brands.
BMW is the data controller for your data processed via the website https://aos.bmwgroup.com.
BMW also processes your data insofar as it is transmitted by BMW National Sales Companies or BMW partners (BMW authorised dealers and BMW authorised workshops) if and insofar as the data protection requirements necessary for this are met.
BMW partners and BMW National Sales Companies are responsible for processing the personal data that you yourself provide to them regarding your concerns and customer support. BMW partners and BMW National Sales Companies also process your data where it is provided to them by BMW, if and to the extent that the necessary data protection requirements are met.

When does BMW collect and process personal data?

BMW collects and processes your personal data in the following cases (among others):

  • When you contact us directly, e.g. via our website, BMW customer support or BMW branches, and you are, for example, interested in our products or services or have other concerns.
  • When you purchase services directly from us.
  • When you respond to our direct marketing activities, e.g. if you are interested in our products or services or have other concerns.
  • When you purchase services directly from us.
  • When you respond to our direct marketing activities, e.g. when you submit your data online on one of our websites.
  • When your personal data is transferred to us by BMW National Sales Companies, BMW partners or third parties, if and to the extent that the necessary data protection requirements are met, e.g. your consent has been given or you have not objected to the transfer of your data to BMW for the purpose of customer support (e.g. to identify you if you contact BMW customer support) and written communication, knowing that you have the right to object.
  • If other BMW Group companies as well as our business partners provide us with data about you in a permissible manner, and
  • if third parties (e.g. certified address providers) provide us with personal data about you in a permissible manner.
Please help us to keep your details up to date by informing us of any changes to your personal data - in particular your contact details.

What information may be collected about you?

The following categories of personal information may be collected through the numerous services and contact channels described in this Privacy Notice:

  • Contact information (name, address, phone number, email address)
  • Contractual information (AOS customer number)
  • Website usage and communication (information about how you use the website and whether you open or forward messages from us, including information collected through cookies and other tracking technologies. For more information, please see here in our BMW Cookie Policy.)
  • Transaction and interaction data (information on purchases of products and services, interactions with BMW customer support (your requests and complaints) and BMW National Sales Companies, BMW partners or BMW branches, and participation in market research studies.)
  • Credit rating and identity data (data to establish your identity; also information on transactions, any payments not made to us; plus information on cases of fraud, criminal offences, suspicious transactions, politically exposed persons and sanctions lists on which your data is included)

For what purposes is your data processed?

The data collected in connection with the conclusion of the contract or the provision of the services is processed for the purposes listed below. An explanation of the scope of the available legal bases is available here.

A. Fulfilment of contractual obligations (Article 6(1)(b)) GDPR)

BMW collects, processes and uses personal data in the context of steps taken prior to entering into and processing of the contract.
In the context of steps taken prior to entering into a contract, personal data are used to carry out the approval check (authorisation check, sanction list check, etc.).
In the course of this activity, the following categories of data are processed:

  • Contact data (name, address, email address, etc.)
For the purpose of the performance of the contract entered into between you and BMW, BMW provides various services, such as organisation data change requests, Technical Help Desk requests, etc. In addition, BMW offers various Aftersales applications such as Aftersales Information Research (AIR), Electronic Parts Catalogue, etc.
For the provision of these services or use of the applications, the following information, which may be personal, is processed and in individual cases stored by BMW and mandated service providers for the provision of these services:
  • Vehicle identification number (VIN)
  • Contact data (name, address, email address, etc.)
We collect the personal data mentioned in this section directly from you by you providing the personal data yourself or by the system extracting it. The provision of this data is not necessary for entering into the contract. However, BMW cannot provide the service or the relevant app for you without the provision of the data and its processing.
The processed personal data will be automatically deleted unless it is required to provide the service for a longer period.

B. Ensuring product quality, research and development of new products (Article 6(1)(f) GDPR)

BMW uses the data obtained through the provision of services by BMW in a de-personalised form to ensure the quality of products and services and for research and development purposes. “De-personalised” means that the data can no longer be directly traced back to you or the vehicle.
This processing is based on the legitimate interest of BMW AG in meeting the high expectations of our customers with regard to high-quality products and services and in meeting the customer request for newly developed, innovative solutions. To protect your interests – in addition to de-personalisation – additional safety precautions and controls are implemented as required, e.g. strict data access restrictions, data use restrictions, security measures, storage times as well as data minimisation principles, such as the exclusive collection of relevant data.

C. Fulfilment of the sales, service and administrative processes of BMW AG and BMW National Sales Companies (Article 6(1)(f)) GDPR)

In order to optimise the customer experience and cooperation with the BMW National Sales Companies, we create evaluations and reports based on contractual information which we share with the relevant National Sales Company. These evaluations are primarily used to initiate appropriate measures (such as training for sales and service personnel) to improve sales processes. We will create the reports described above solely in aggregated and anonymised form, i.e. the recipients of the reports will not be able to make any inference about you as a person from the data contained therein.
Some of the vehicle-specific data collected will also be processed – insofar as necessary – to fulfil the service processes (e.g. repair, warranty, goodwill) of BMW, BMW partners and BMW National Sales Companies (including their branches) in the European Economic Area and other countries specified in the BMW Quality Letter. This processing is in the legitimate interest of BMW in providing our customers with the best possible service process. Occasionally, processing is also carried out in connection with legal requirements (e.g. repair and service information due to competition law requirements). In order to protect the privacy of our customers, the processing of technical data is done on a vehicle-related basis, without a direct connection to the customer.
The following data categories are used for this purpose:

  • Vehicle master data (e.g. vehicle identification number, vehicle type, production date, colour, vehicle equipment),
  • Vehicle status data (values such as odometer reading, battery voltage, door and flap status),
  • Vehicle service data (e.g. due date of next service, oil level, brake wear),
  • Fault memory entries (e.g. malfunction of turn indicator,
  • Vehicle maintenance data (e.g. due date of next service, oil level, brake wear). due date of next service, oil level, brake wear),
  • error memory entries (e.g. malfunction of direction indicator),
  • load duty cycles,
  • software statuses, as well as
  • service and workshop data (e.g. service requirements, work carried out, replacement parts installed, warranty cases, workshop logs)
The technical vehicle data is deleted at the end of the vehicle life cycle.
BMW AG is a company in the BMW Group. We partially process your data in order to make the administration of the various companies within the BMW Group as efficient and successful as possible. This applies, for example, to joint group accounting in accordance with international accounting standards for companies (such as the International Financial Reporting Standards – IFRS).

D. Customer support (Article 6(1)(b), (g), (f)) of the General Data Protection Regulation)

BMW uses your personal data to contact you when processing the contract, see above (e.g. processing your registration) or to deal with a concern expressed by you (e.g. requests and complaints to support or queries to the Technical Help Desk). We will contact you without a separate consent, e.g. in writing, by telephone, by email, depending on the methods of contact specified by you, for all aspects of the processing of the contract or to deal with a request.
We will also contact you in carefully considered cases with promotional communication (e.g. selected communication on product innovations or a customer survey) if and insofar as the data protection requirements necessary for this are met and you have not objected to the use of your data for the purpose of addressing you in writing, knowing that you have a right to object.
BMW also processes your personal data on this basis in order to further optimise your experience with BMW customer support, for example to clearly identify you when you contact us.
We collect the personal data specified in this section directly from you by you providing the personal data yourself or by the system extracting it.

E. Fulfilment of legal obligations to which BMW is subject (Article 13(1)(c), 6(1)(c) GDPR)

BMW will also process personal data if there is a legal obligation to do so.
Data collected will also be processed in the course of safeguarding the operation of IT systems. Safeguarding includes the following activities:

  • Backing up and restoring data processed in IT systems
  • Logging and monitoring transactions to check IT systems are functioning correctly
  • Detecting and defending against unauthorised access to personal data
  • Incident and problem management to rectify faults in IT systems
BMW is subject to a range of other legal obligations. In order to fulfil these obligations, we process your data to the required extent and pass it on if necessary to the responsible authorities as part of our statutory reporting obligations.
We also process your data in the event of a legal dispute, if the legal dispute makes it necessary to process your data.

F. Data transmission within the BMW Group

BMW AG is part of the BMW Group. Sometimes, after careful review, we send your data to other companies in the BMW Group, which process it further as their own data controller. Data transfer of this kind may occur, for example, in the following circumstances and for the following purposes:
Please note that this is not a complete or exhaustive list of data transfer processes within the BMW Group, just examples intended to make the data transfers more transparent.

  • For the fulfilment of the sales, service and administrative processes of BMW AG, cf. point C.

G. Data transfer to selected third parties

Data will be transferred to the following companies, among others, if and to the extent that the necessary data protection requirements are met:

  • To carefully selected and screened service providers and business partners with whom we work in order to offer you products and services. We do this for BMW AG solely in the context of the strict conditions on data processing on its behalf, for the fulfilment of a contractual obligation (e.g. forwarding to a payment service provider) or on the basis of your express consent.
  • In the event of the sale of one or more of the business areas of BMW AG, to a company to which we are transferring our rights in compliance with any existing agreements with you.
  • To other third parties (e.g. public bodies/authorities) where we are legally obliged to do so.

H. Storage of and access to information in your terminal equipment (section 25 of the German Telecommunications Telemedia Data Protection Act)

In certain situations we write or read information to or from your terminal equipment. This occurs for example in the form of cookies when using websites. This storage or access is based on your consent in accordance with section 25(1) of the German Telecommunications Telemedia Data Protection Act, or, where absolutely necessary in accordance with section 25(1) of the German Telecommunications Telemedia Data Protection Act in order to provide you with a service specifically requested by you, without your consent. Subsequent processing is based on the GDPR in accordance with the purposes set out above.

How do we protect your personal data?

We use a range of state-of-the-art security measures, such as encryption and authentication tools, to protect and maintain the security, integrity and availability of your data.
It is not possible to guarantee 100% protection against unauthorised access when transferring data over the Internet or a website, but we and our service providers and business partners use our best efforts to protect your personal data in accordance with the applicable data protection regulations using state-of-the-art physical, electronic and procedural security measures. The measures we use include the following:

  • Strict criteria for authorisation to access your data in line with the “need-to-know principle” (restriction to as few persons as possible) and solely for the specified purpose,
  • Transmission of collected data exclusively in encrypted form,
  • Storage of confidential data exclusively in encrypted form,
  • Firewall protection of IT systems to protect agains unauthorised access, e.g. by hackers and
  • permanent monitoring of access to IT systems to detect and prevent the misuse of personal data.
If you receive a password from us, this will be used to protect your data. by hackers and
  • permanent monitoring of access to IT systems to detect and prevent misuse of personal data.
  • If you receive a password from us or have assigned one yourself that gives you access to certain areas of our website or to other portals, apps or services operated by us, you are responsible for keeping this password secret and for complying with all other security procedures we inform you of. In particular, we ask that you do not share your password with anyone.

    How long do we retain your data?

    We will only retain your data for as long as is necessary for the respective relevant purposes for which we process your data. If we process data for multiple purposes, it is either automatically deleted or stored in a format that does not permit any direct inferences to be made about you as soon as the last specific purpose has been fulfilled. To ensure that all your data is deleted again in accordance with the principle of data minimisation, BMW has designed an internal deletion concept. The basic principles according to which this deletion concept provides for the deletion of your personal data are set out below.

    Use for the performance of a contract

    For the performance of contractual obligations, data collected from you may be retained for as long as the contract is in force and, depending on the nature and scope of the contract, 6 or 10 years beyond that in order to comply with legal retention obligations and to clarify any enquiries or claims after the contract has expired.
    There are also contracts for the supply of products and services that require longer storage times, see also “Use for the investigation of claims”.

    Use for the investigation of claims

    Data which, in our view, will be necessary to investigate or defend claims against us or to bring a criminal prosecution or claim against you, us or a third party, may be retained by us for as long as such proceedings may be brought.

    Use for customer support and marketing purposes

    For the purposes of customer support and marketing, the data we collect from you may be retained for 3 to 10 years after collection, unless you request that we delete this data and there are no contractual or legal retention obligations that prevent this deletion request.

    Who do we give access to your data internationally and how do we protect it while doing so?

    Your data is stored by us or by service providers mandated by us exclusively in the EU.
    BMW is a company that operates globally. Personal data is processed preferably within the EU by BMW employees, BMW National Sales Companies and service providers commissioned by us.
    In the context of IT services, particularly for support purposes, it may also be necessary for commissioned service providers based outside the EU to access personal data. We select these service providers carefully and ensure an appropriate level of data protection by means of contractual as well as technical and organisational measures. We generally agree the EU standard contractual clauses, where necessary with supplementary contractual regulations.
    For some countries outside the EU, such as Israel and Switzerland, the EU has already established a comparable level of data protection. Due to the comparable level of data protection, data transfer to these countries does not require any special approval or agreement.

    Contacting us, your data protection rights and your right to complain to a data protection authority.

    For questions about the use of your personal data by us, it is best to first contact AOS Support - either by email at aos@bmwgroup.com or via the contact form AOS Support.
    In addition, you can contact the responsible data protection officer:

    As a data subject affected by the processing of your data, you may assert certain rights with us under the GDPR as well as under other relevant data protection provisions. The following section explains about your rights as a data subject under the GDPR. Depending on the nature and scope of your request, we will ask you to send it to us in writing.

    Rights of data subjects

    Pursuant to the GDPR, as a data subject you have to the following rights in particular in respect of BMW:

    Right of access (Article 15 GDPR)

    You can request information from us at any time about the data we hold on you. This information includes, but is not limited to, the categories of data we process, the purpose for which we process them, the source of the data if we have not collected it directly from you, and, if applicable, the recipients to whom we have submitted your data. You can get a free copy of your data from us. If you are interested in additional copies, we reserve the right to charge you for these additional copies.

    Right to rectification (Article 16 GDPR):

    You can request that we correct your data. We will take reasonable steps to keep the information we hold and continually process about you accurate, complete and up-to-date, based on the most up-to-date information available.

    Right to erasure (Article 17 GDPR)

    You may request that we erase your data, once the legal requirements for this are met. Pursuant to Article 17 GDPR, for example, this may include the following cases

    • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
    • you withdraw your consent which is the basis for the data processing and there is no other legal basis for the processing;
    • you object to the processing of your data and there are no overriding legitimate grounds for the processing, or you object to the data processing for direct marketing purposes;
    • the data has been processed unlawfully;
    • the processing is not necessary to ensure compliance with a legal obligation requiring us to process your data; in particular with regard to legal storage periods; to assert, exercise or defend legal claims.

    Right to restriction of processing (Article 18 GDPR)

    You may request that we restrict the processing of your data if:

    • you contest the accuracy of the data, for a period enabling us to verify the accuracy of the data;
    • the processing is unlawful and you oppose the erasure of your data and request the restriction of its use instead;
    • we no longer need your data, but you need it to establish, exercise or defend legal claims;
    • you have objected to the processing pending the verification whether our legitimate grounds override yours.

    Right to data portability (Article 20 GDPR)

    At your request, we will transfer your data - insofar as this is technically possible - to another controller. However, you are only entitled to this right if the data processing is based on your consent or is required to carry out a contract. Instead of receiving a copy of your data, you can also ask us to transfer the data directly to another controller specified by you.

    Right to object (Article 21 GDPR)

    You can object to the processing of your data at any time on grounds relating to your particular situation, provided that the data processing is based on your consent or on our legitimate interests or those of a third party. In this case, we will no longer process your data. The latter does not apply if we can demonstrate compelling legitimate grounds for the processing that outweigh your interests or if we need your data to establish, exercise or defend legal claims.

    Deadlines for the fulfilment of data subject rights

    We will make every effort to comply with all requests within 30 days. However, this deadline may be extended for reasons relating to the specific right or complexity of your request.

    Restriction of information when fulfilling data subject rights

    In certain situations, we may be unable to provide you with information about all of your data due for legal reasons. If we have to decline your request for information in such a case, we will inform you at the same time about the reasons for the refusal.

    Complaints to supervisory authorities

    BMW takes your concerns and rights very seriously. However, if you believe that we have not adequately dealt with your complaints or concerns, you have the right to lodge a complaint with a competent data protection authority.