DATA PROTECTION POLICY
Last updated: 01/02/2020
Information collected as part of your use of the app
When you first use the app, a unique random identification number is stored on your mobile device. This unique ID is used to assign information that is collected and stored in connection with your use of the app.
You can connect the app to your car's display via Bluetooth. Communication between the app and the vehicle is secured according to industry-standard encryption protocols.
Use of your location
You can authorise the app to record your location as long as you are actively using the app or it is open in the background. This information is only stored locally on the app. To use the app, you do not have to agree to record your location but certain features of the app depend on the location information about your mobile device and your vehicle being recorded. If you authorise the app to use your location, navigation via the app is possible (guiding, POI search and position display on the navigation maps). If you allow us to record your location, your journeys will also be recorded in the "activities" section. The "activities" function must be activated manually before the routes can be recorded. All data on the route can be viewed and deleted by the user in the app at any time. Deleting the vehicle profile also removes all associated activities. Please note, in this context, that the continued activation of GPS running in the background can significantly reduce the battery life of your mobile device.
If you have agreed to the recording of your location information, the app will store your location data indefinitely. If you decide not to release the information on your location for the app or the “activities” function is not switched on, the app will no longer record it.
Localisation via last-mile function
The app shows you the location of your parked vehicle on the map. The app requires the release of your location for its function.
The vehicle status displayed in the app (e.g. maintenance interval and check control messages) is only saved/displayed locally in the cache in the app and deleted as soon as the vehicle profile is removed in the app.
Finding a petrol station
Using the "petrol station search" function on the start page, the app determines the nearest petrol station for you. For this purpose, the app sends your current location to the servers of TOMTOM International BV. The server then determines the nearest petrol station and transmits this information to the app.
The app contains a search function to search for an address or a point of interest in the app as well as in the vehicle. To do this, the app sends the search term and your current location to an external service provider in order to display a list of locations or addresses that match the search criteria. The determined destination is transferred to the navigation and can be called up again via "recent destinations" or "favourites". The list can be deleted at any time using the corresponding menu entry at the bottom of the page.
The app also collects information about the use of the app. The information is anonymised at our partner MIXPANEL (Mixpanel, Inc., Attn: DPO, 405 Howard St., 2nd Floor, San Francisco, CA 94105). This information is also transmitted together with the app ID that is created when you first use the app. The app ID is created in a way that does not allow the user behind the app ID to be identified. We analyse this anonymous information to understand how each feature is used and which features are the most popular. This allows us to assess how the app can be further improved.
If you wish to object to this usage analysis, you can separate the unique app ID from the transmitted usage information. To do this, unselect "allow use of data analysis" in the app settings. There you have the possibility to use the app without collecting anonymous usage data.
In the unlikely event of a major malfunction and subsequent "crash" of the app, we offer you the option of sending technical details to us. This means that we can guarantee to continuously increase the stability and quality of the software. On the basis of your consent, this data will be transmitted to and processed by our designated service provider, APPCENTER (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399) in the USA, prior to it being reviewed by our support staff. The information cannot be traced back to you personally. More Information about APPCENTER can be found here: https://docs.microsoft.com/en-us/appcenter/gdpr/.
You have the option to send any inquiries or suggestions for improvement to us by e-mail. In order to be able to provide you with adequate support, the data required for technical support has already been automatically transferred to the e-mail template. This data can be deleted from the e-mail at any time if required. We reserve the right to contact you by e-mail in order to comprehensively process your request.
Rights of data subjects
According to the GDPR, you have specifically the following rights with respect to BMW as the data subject:
Right to information (Art. 15 GDPR)
You may request information from us at any time about the data which we hold concerning you. This information concerns, among other things, the categories of data processed by us, for what purposes we process them, the origin of the data, if we have not collected them directly from you, and, if applicable, the recipients to whom we have transmitted your data. You can receive a free copy of your data from us. If you are interested in further copies, we reserve the right to invoice you for the further copies.
Right to rectification (Article 16 GDPR)
You can ask us to correct your data. We will take reasonable measures to keep the information we hold and processing relating to yourself accurate, complete and current, based on the most current information available to us.
Right to deletion (Art. 17 GDPR);
You may ask us to delete your data, provided that the legal requirements are met. According to Art. 17 GDPR, this may be the case if
- the data are no longer necessary for the purposes for which they were collected or otherwise processed;
- you revoke your consent, which is the basis of the data processing and there is no other legal basis for the processing;
- you object to the processing of your data and there are no overriding legitimate reasons for the processing or you object to the processing of your data for direct marketing purposes;
- the data have been processed unlawfully unless processing is necessary,
- to ensure compliance with a legal obligation that requires us to process your data;· to ensure compliance with a legal obligation that requires us to process your data;
- especially with regard to legal retention periods;
- to assert, exercise or defend legal claims.
Right to restriction of processing (Art. 18 GDPR)
You may request us to restrict the processing of your data if
- you dispute the accuracy of the data for the period of time we need to verify the accuracy of the data;
- the processing is unlawful and you refuse the deletion of your data and instead request the restriction of use;
- we no longer need your data but you need it to assert, exercise or defend legal claims;
- you have filed an objection to the processing of your data, as long as it is not yet clear whether our justifiable grounds outweigh yours.
Right to data portability (Article 20 GDPR)
Upon your request, we will transfer your data - as far as technically possible - to another data controller. However, you are only entitled to this right if the data processing is based on your consent or is necessary to execute a contract. Instead of receiving a copy of your data, you can also ask us to transmit the data directly to another person in charge who is specified by yourselves.
Right to objection (Article 21 GDPR)
You can object to the processing of your data at any time for reasons arising from your particular situation, provided that the data processing is based on your consent or on our legitimate interests or those of a third party. In this case we will no longer process your data. The latter does not apply if we can prove compelling reasons for the processing, which are worthy of protection and outweigh your interests or if we need your data to assert, exercise or defend legal claims.
Time limits for the fulfilment of rights of the data subjects
As a matter of principle, we endeavour to comply with all enquiries within 30 days. However, this period may be extended for reasons relating to the specific right of the data subject or the complexity of your request.
Restrictions on the provision of information in the fulfilment of rights of the persons concerned
In certain situations, we may not be able to provide you with information about all of your data due to legal requirements. If we have to reject your request for information in such a case, we will also inform you of the reasons for the rejection.
Complaint to supervisory authorities
BMW takes your concerns and rights very seriously. However, if you believe that we have not adequately addressed your complaints or concerns, you have the right to file a complaint with a competent data protection authority.
Further information on data protection
De-activation of data processing and deletion of your data
At any time, you can object to the collection of your location data and, if necessary, access to location and contacts and change your notification settings by changing the settings for use in the system settings of your mobile device.
Data transmission to selected third parties
In order to be able to offer you all services of the app, it is possible that information in connection with your use of the app will be passed on to service providers commissioned by us.
How long do we store your data for?
We store your personal data exclusively for as long as the respective purpose lasts. If data are processed for several purposes, the data are automatically deleted or saved in a form that cannot be directly traced back to you, as soon as the last specified purpose has been fulfilled.
How are your data backed up?
We secure your data according to the state of the technology. For example, the following security measures are used to protect your personal data from misuse or other unauthorised processing:
- Access to personal data is restricted to a limited number of authorised persons for the stated purposes only.
- Collected data are only transmitted in encrypted form.
- Furthermore, sensitive data are only stored in encrypted form.
- The IT systems for processing the data are technically isolated from other systems in order to prevent unauthorised access, e.g. by hacking.
- In addition, access to these IT systems is permanently monitored in order to detect and prevent misuse at an early stage.
With whom do we share information and how do we protect this information?
BMW is a globally-operating company. Personal data are processed by BMW employees, national sales companies, authorised dealers and service providers commissioned by us, preferably within the EU.
Should data be processed in countries outside the EU, BMW uses EU standard contracts including appropriate technical and organisational measures to ensure that your personal data are processed in accordance with the European data protection level. If you would like to have an insight into the specific protection measures for the transfer of data to other countries, please contact us using the communication channels listed below.
For some countries outside the EU, such as Canada and Switzerland, the EU has already established a comparable level of data protection. Due to the comparable level of data protection, the transfer of data to these countries does not require special approval or agreement.
Contact details, your rights as a data subject and your right to complain to a regulatory authority.
If you have any questions about our use of your personal data, please contact BMW Customer Service first - either by e-mail at firstname.lastname@example.org or by phone at +49 89 1250 16200 (Mon.- Fri from 8:00 am to 5:00 pm)
You can also contact the responsible data protection officer:
As persons concerned by the processing of your data, you may assert certain rights against us in accordance with the GDPR and other relevant data protection regulations. The following section contains explanations of your rights under the GDPR.