Who is responsible for data processing operations?
As defined by the basic EU data protection regulations, BMW AG (hereinafter referred to as "BMW" and/or "we" and/or "us"), Petuelring 130, 80788 Munich, is responsible for the processing of your personal data. The headquarters of BMW AG are in Munich.
The contact data for BMW Customer Care and the group data protection of BMW AG can be viewed here.
When does BMW acquire and process personal data?
BMW acquires and processes your personal data in the following cases, including:
- when you contact us directly, for example via our website, via BMW Customer Care or the BMW dealerships, and you are interested for example in our products or services or have any other concerns.
Please help us to keep your details up to date by notifying us regarding changes to your personal data – in particular your contact data.
Which data about you can be collected?
The following categories of personal data can be collected via the numerous services and contact channels described in this data protection information:
- Contact data: Name, telephone number, e-mail address.
- Other personal data: IP-address, VIN number, browser language version, browser version.
What is the purpose of processing your data?
The data acquired in the context of concluding contracts or providing services are processed for the purposes stated below. An explanation of the area of application of the available legal basis can be found here.
A. Customer care
(Article 6 Paragraph 1 b, g, f) of basic EU data protection regulations)
BMW uses your personal data to handle any request you have submitted (for example queries and complaints to BMW Customer Care). Regarding all aspects of dealing with a concern, we will contact you without separate consent, for example in writing, by telephone, by messenger service or by e-mail, depending on which contact data you have specified.
BMW also processes your personal data on this basis to optimize your experience with BMW Customer Care, e.g. to identify you correctly if you make contact with us.
B. Compliance with legal obligations to which BMW is subject
(Article 6, Paragraph 1 c, f) of basic EU data protection regulations)
BMW will also process personal data if there is a legal obligation to do so.
Collected data are also processed within the framework of ensuring the operation of IT systems. Ensuring operation involves the following activities:
- Backup and restoring of data processed in IT systems
- Detection and defense against unauthorised access to personal data
- Incident and problem management to remedy malfunctions in IT systems.
BMW is subject to a large number of other legal obligations. In order to fulfill these obligations, we process your data to the required extent and, if necessary, pass them on to the authorities responsible within the framework of legal obligations of notification.
We also process your data in the event of legal conflicts if the legal conflict makes processing the data necessary.
C. Data transfer within the BMW Group
BMW AG is a company of the BMW Group. In some cases, after a careful check, we send your data to other companies belonging to the BMW Group, who are then responsible for further processing.
D. Data transfer to selected third parties
Data are forwarded to the following companies, among others, if and to the extent that the requirements in compliance with data protection legislation necessary for this are met:
- to carefully selected and verified service providers and business partners with whom we cooperate to be able to offer you products and services. We do this for BMW AG only within the framework of the strict conditions of data processing on your behalf or on the basis of your express consent (for example transfer to the insurance provider of BMW accident and breakdown coverage, if you so wish).
- to other third parties (for example public authorities) to the extent that we are legally obliged to do so.
How do we protect your personal data?
We employ various security measures such as encryption and authentication tools in line with the current state of the art to protect and maintain the security, integrity, and availability of your data.
100% protection against unauthorized access in the case of data transfers across the Internet or a website cannot be guaranteed, but we and our service providers and business partners do our utmost to protect your personal data in line with the prevailing data protection regulations by means of physical, electronic, and process-oriented security precautions in line with the current state of the art. Among other things, we use the following measures:
- Strict criteria for authorization to access your data according to the "need-to-know principle" (restriction to as few people as possible) and exclusively for the specified purpose
- Transfer of acquired data exclusively in encrypted form
- Storage of confidential data, exclusively in encrypted form
- Firewall safeguarding of IT systems to provide protection against unauthorized access, for example by hackers
- Permanent monitoring of accesses to IT systems to detect and prevent the misuse of personal data
How long do we keep your data?
In line with article 17 of the basic EU data protection regulations, we will keep your data only as long as necessary for the respective purposes for which we process your data. If we process data for a number of purposes, they are automatically deleted or stored in a format that does not permit conclusions to be drawn directly as regards your person as soon as the last specific task has been performed. To ensure that all of your data are deleted in line with the principle of data minimisation and article 17 of the basic EU data protection regulations, BMW has created an internal deletion concept. The fundamental principles by which this deletion concept envisages the deletion of your personal data are described below.
Use for compliance with a contract
To comply with contractual obligations, data acquired from you can be kept for as long as the contract is in force and - depending on the nature and scope of the contract - for 6 or 10 years beyond this point in order to comply with legal requirements for record keeping and to ensure clarification of any queries or claims after the end of the contract.
Use for the assessment of claims
Data that in our opinion will be necessary to assess and avert claims against us or to initiate criminal proceedings or assert claims against you, us or third parties can be kept by us for as long as corresponding proceedings could be initiated.
Use for customer care
For customer care, the data acquired from you can be kept for 3 to 10 years, unless you wish to have these data deleted and there are no contractual or legal requirements for preservation that prevent this request for deletion.
To whom do we grant international access to your data and how do we ensure protection?
BMW is a company that operates globally. Personal data are processed by BMW employees, and by service providers we have commissioned, preferably within the EU.
If data are processed in countries outside of the EU, BMW uses EU standard contracts, including suitable technical and organisational measures in order to ensure that your personal data are processed according to the same standards as European data protection.
In some countries outside the EU, for example Canada and Switzerland, the EU has already determined a level of data protection comparable with that in Europe. The comparable level of data protection means that data transfer into these countries does not require any special permission or agreement.
Contact us here if you wish to see the specific security precautions for the transfer of your data to other countries.
To support the provision of the services and intended purposes listed above, BMW uses a number of service providers that are commissioned by BMW AG within the framework of the strict conditions of data processing in compliance with data protection legislation.
Contact with us, your data privacy protection rights, and your right to file complaints with data privacy protection authorities
If you have any questions regarding the use of your personal data by us, it is best to use the contact form.
Over and above this, you can contact the data protection officer responsible. A list of data protection officers can be found here.
As the person affected by the processing of your data, the basic EU data protection regulations and other relevant data privacy protection regulations enable you to assert certain rights in relation to us. The following section contains explanations of your rights as defined by the basic EU data protection regulations. Depending on the type and scope of your inquiry, we ask you to put the inquiry in writing.
Rights of persons affected
In line with the basic EU data protection regulations, as the person affected you have the following rights in particular vis-à-vis BMW:
Right to information (Article 15 of basic EU data protection regulations):
You can ask us for information regarding any data of yours that we keep at any time. This information concerns, among other things, the data categories we process, for which purposes we process them, the origin of the data if we did not acquire them directly from you and, if applicable, the recipients to whom we have sent your data. You can obtain a copy of your data from us free of charge. If you are interested in additional copies, we reserve the right to charge for the additional copies.
Right to correction (Article 16 of basic EU data protection regulations):
You can request that we correct your data. We will initiate appropriate measures to keep the data of yours that we continuously process correct, complete, and up to date, based on the latest information available to us.
Right to deletion (Article 17 of basic EU data protection regulations):
You can request that we delete your data provided the legal requirements have been met. In accordance with Article 17 of basic EU data protection regulations, this can be the case if
- the data are no longer required for the purposes for which they were acquired or otherwise processed
- you revoke your consent, which is the basis of the data processing, and there is no other legal basis for the processing
- you object to the processing of your data and there are no legitimate reasons for the processing or you object to data processing for the purposes of direct advertising
- the data have been processed illegally
Wherever the processing is not necessary
- to ensure adherence to a legal obligation that requires us to process your data
- In particular with regard to legal retention periods
- to assert, exercise or defend against legal claims
Right to restriction of processing (Article 18 of basic EU data protection regulations):
You can request that we restrict the processing of your data if
- you dispute the correctness of the data - for the period of time we need to check the correctness of the data
- the processing is illegal but you do not wish to have your data deleted and request a restriction of use instead
- we no longer need your data, but you need them to assert, exercise or defend against legal claims
- you have filed an objection to the processing, though it has not yet been decided whether our legitimate grounds outweigh yours.
Right to data transferability (Article 20 of basic EU data protection regulations):
At your request, we will transfer your data – where technically possible – to another responsible entity. However, this right only applies if the data processing is based on your consent or is required to fulfill a contract. Instead of receiving a copy of your data, you can ask us to send the data directly to another responsible entity that you specify.
Right to objection (Article 21 of basic EU data protection regulations):
You can object to the processing of your data at any time for reasons that arise from your special situation provided the data processing is based on your consent or our legitimate interest or that of a third party. In this case, we will no longer process your data. The latter does not apply if we are able to prove there are compelling, defensible reasons for the processing that outweigh your interests or we require your data to assert, exercise or defend against legal claims.
Time limits for compliance with the rights of the persons affected
As a general principle, we make every effort to comply with all requests within 30 days. This time limit, however, can be extended for reasons related to the specific rights of persons affected or the complexity of your request.
Restriction in the provision of information regarding the rights of persons affected
In certain situations, legal specifications might require us not to provide information regarding all of your data. If we have to refuse your request for information in such a case, we will inform you of the reasons for refusal at the same time.
Complaints to supervisory authorities
BMW AG takes your reservations and rights very seriously. However, if you are of the opinion that we have not dealt with your complaints or reservations adequately, you have the right to submit a complaint to the data privacy protection authorities responsible.
Contact data for BMW AG and BMW AG group data protection
If you have any questions regarding the use of your personal data, it is best to use the contact form or use the following contact data:
Legal basis for the processing of personal data
We only process your data if this is permitted by an applicable legal regulation. We will process your data in particular on the basis of Article 6 and Article 9 of the basic EU data protection regulations as well as on the basis of consent in line with Article 7 of the basic EU data protection regulations. Here, we will base the processing of your data on, among others, the following legal principles. Please bear in mind that this is not a complete or conclusive list of the legal principles, rather only examples intended to make the legal principles more transparent.
- Consent (Article 6 Paragraph 1 Page 1 a), Article 7 of the basic EU data protection regulation, or Article 9 Paragraph 2 a), Article 7 of the basic EU data protection regulations): We will process certain data only on the basis of the consent you have given expressly and voluntarily. You have the right to revoke your consent at any time with effect for the future.
- Fulfillment of a contract / pre-contractual measures (Article 6 Paragraph 1 Page 1 b) of the basic EU data protection regulations): For initiation and/or execution of your contract with BMW, BMW dealerships, and BMW partners, we require access to certain data.
- Fulfillment of a legal obligation (Article 6 Paragraph 1 Page 1 c) of the basic EU data protection regulations): BMW is subject to a number of legal specifications. We must process certain data to comply with these specifications.
- Protection of legitimate interests (Article 6 Paragraph 1 Page 1 f) of the basic EU data protection regulations): BMW will process certain data in order to protect their legitimate interests or the interests of third parties. However, this only applies if your interests do not outweigh ours in individual cases.
What is a cookie?
A cookie is a small file that stores Internet settings. Almost every website uses cookie technology. It is downloaded by your Internet browser on the first visit to a website. The next time this website is opened with the same user device, the cookie and the information stored in it are either sent back to the website that created it (first-party cookie) or sent to another website it belongs to (third-party cookie). This enables the website to detect that you have opened it previously with this browser and in some cases to vary the displayed content.
Some cookies are extremely useful, as they can improve the user experience on opening a website that you have already visited a number of times. Provided you use the same user device and the same browser as before, cookies remember for example your preferences, how you use a site, and adapt the displayed offerings to be more relevant to your personal interest and needs.
You can find more information about cookies and their use on this website here.
3. Use of social plug-ins on www.bmw.com
Within the framework of the BMW AG Internet site at the domain www.bmw.com, so-called social plug-ins of the social networks Facebook Inc., Twitter Inc., Instagram LLC and WhatsApp Inc. are used. Web page elements are e.g. buttons (so-called “social plug-ins”) or integrated content from the providers.
The operator of Facebook is Facebook Inc., 1601 Willow Road, Menlo Park, CA 94025, USA (“Facebook”). These plug-ins are marked with a Facebook logo. For an overview of Facebook web page elements and their look go to https://developers.facebook.com/docs/plugins.
The operator of Twitter is Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA (“Twitter”). These plug-ins are marked with a Twitter logo. For an overview of Twitter webpage elements and their look go to: https://dev.twitter.com/web/overview.
The operator of Instagram is Instagram LLC, 1601 Willow Road, Menlo Park, CA 94025, USA (“Instagram”). These plug-ins are marked with an Instagram logo. Website elements of Instagram are recognizable by the Instagram logo and lettering on the website element itself.
The operator of WhatsApp is WhatsApp Inc., 1601 Willow Road, Menlo Park, CA 94025, USA (“WhatsApp”). These plug-ins are marked with a WhatsApp logo. Website elements of WhatsApp are recognizable by the WhatsApp logo and lettering on the website element itself.
If you activate the inactive Facebook/Twitter/Instagram/WhatsApp Plug-in on the internet site of BMW AG under the domain www.bmw.com, your browser sets up a direct connection to the servers of Facebook/Twitter/Instagram/WhatsApp. The content of the plug-in is transferred by Facebook/Twitter/Instagram/WhatsApp directly to your browser and then integrated in the website.
The integration of the plug-ins means that Facebook/Twitter/Instagram/WhatsApp receive the information that you have opened the corresponding page of the BMW AG internet site. If you are logged in to Facebook/Twitter/Instagram/WhatsApp, they can assign the visit to your Facebook/Twitter/Instagram/WhatsApp account. As soon as you interact with the plug-ins, for example by clicking the "like" button, the corresponding information is sent from your browser directly to Facebook/Twitter/Instagram/WhatsApp and stored there. The purpose and scope of the data acquisition and other processing and use of the data by Facebook/Twitter/Instagram/WhatsApp as well as your rights and setting options in this respect to protect your private sphere can be found in the data protection information provided by the social media operators:
If you do not want Facebook/Twitter/Instagram/WhatsApp to use our Internet site to collect data about you, you should not activate the inactive Facebook/Twitter/Instagram/WhatsApp Plug-in when visiting the BMW AG Internet site at the domain www.bmw.com.
© Copyright BMW AG, Munich, Germany. All rights reserved. The text, images, graphics, sound files, animation files, video files, and their arrangement on the BMW Group websites are all subject to copyright and other intellectual property protection. These objects may not be copied for commercial use or distribution, nor may these objects be modified or reposted to other sites. Some BMW websites may contain images whose copyrights are attributable to third parties.
5. Warranty, liability
The information on this website is provided "as is" and without warranty of any kind, expressed or implied, including (but not limited to) any implied warranties of merchantability, fitness for any particular purpose, or non-infringement of third party rights. While the information provided is believed to be accurate, it may include errors or inaccuracies. In no event shall BMW AG be liable to any person for any special, indirect or consequential damages relating to this material, unless caused by gross negligence or intentional misconduct. BMW AG is not responsible for the contents of websites that are maintained by third parties and therefore waives its liability for any links from this website to other websites.
Unless otherwise indicated, all trademarks on this website are subject to trademark rights of BMW AG, including marks, model names, logos, and emblems.
The BMW Group has sought to create an innovative and informative website. However, you also need to understand that the BMW Group must protect its intellectual property, including its patents, trademarks, and copyrights. Accordingly, please appreciate that no license to use the intellectual property of BMW Group companies or the intellectual property of third parties has been granted by this website.
8. Guidelines on fuel consumption and CO2 Emissions
Further information on the official fuel consumption, the official specific CO2 emissions and the electric energy consumption of new passenger cars can be found in the guidelines on fuel consumption, CO2 emissions and electric energy consumption of new passenger cars which are available free of charge at all retail outlets and from DAT Deutsche Automobil Treuhand GmbH (DAT), Hellmuth-Hirth-Str. 1, 73760 Ostfildern-Scharnhausen, Germany and at http://www.dat.de/leitfaden/LeitfadenCO2.pdf.
9. Web push notifications
Our website offers you the chance to register to receive free and personalised push notifications from BMW AG. We use the Accengage tool from Accengage SAS, 31 rue du 4 Septembre, 75002 Paris, France, to create and send these push notifications. The push notifications let you know when there is new content on the BMW.com website.
In order to be able to provide you with push notifications, Accengage processes your browser ID, and your device ID for mobile devices, on our behalf. As part of this service and based on your consent, Accengage SAS stores and processes additional information (collectively referred to as “usage data”) regarding your topics of interest, whether you open push notifications, your type of end device, operating system, browser and, if applicable, other device settings that you use. The data is processed for the purpose of optimising the push notification service according to your consent in accordance with Art. 6 (1) lit a of the General Data Protection Regulation (GDPR).
To register, you only have to consent to receive push notifications in your browser.
You can revoke your consent to receive push notifications at any time, which will unsubscribe you from further push notifications. To do this, you can deactivate push notifications in your browser. Please open the following links for directions on how to do this for different browser types:
Google Chrome: https://support.google.com/chrome/answer/3220216
Mozilla Firefox: https://support.mozilla.org/de/kb/push-benachrichtigungen-firefox
Revoking your consent does not affect the legality of any processing carried out on the basis of your consent up until the revocation.