ACEA principles of data protection in relation to connected vehicles and services

ACEA PRINCIPLES OF DATA PROTECTION IN RELATION TO CONNECTED VEHICLES AND SERVICES September 2015 ACEA Principles of Data Protection in Relation to Connected Vehicles and Services – 11/09/2015 1 INTRODUCTION We, the member companies of ACEA, are committed to providing our customers with a high level of personal data protection. Therefore, we have adopted this statement which sets out the principles of data protection that we intend to respect in relation to the connected vehicles and services that we will put on the market in the European Union ourselves or through our affiliated companies. These principles are: 1. We are transparent; 2. We give customers choice; 3. We always take data protection into account; 4. We maintain data security; 5. We process personal data in a proportionate manner. These principles supplement existing laws and regulations governing personal data protection and privacy in the European Union, both at national and at EU level. Each of us may take additional measures to protect the personal data of our customers. Where we do not control personal data processed by unaffiliated third parties who provide applications or services through the communications platforms in our vehicles, we encourage these service providers to apply the same principles. ACEA Principles of Data Protection in Relation to Connected Vehicles and Services – 11/09/2015 2 DATA PROTECTION PRINCIPLES 1. WE ARE TRANSPARENT - We inform customers who use our connected vehicles and services (“customers”) about the personal data (ie information relating to an identified or identifiable natural person) or categories of personal data (including geolocation and driver behaviour data) that we process, the purposes we use them for, the third party or categories of third parties we may share them with, and the identity of the company or group of companies that governs the data processing (ie the data controller). - We make this information available in a clear, meaningful and easily accessible manner. This may be done in one or more of the following ways: o In a contract; o In a user manual; o With a special menu in the vehicle’s infotainment system; o With specific icons or pictures in the vehicle; o In our mobile apps; o On our websites and web portals; or o In any other appropriate manner. - We inform our customers in one or more of the ways mentioned above when we change the content of our privacy policies with respect to the categories of personal data we process, the purposes we use them for or the categories of third parties we may share them with, or in any other way that would impact the privacy of our customers. - We maintain one or more contact points where our customers can obtain information about the personal data we process about them and we enable them to exercise their legal rights regarding these data. 2. WE GIVE CUSTOMERS CHOICE - We aim to design our vehicles and services so that where possible our customers can choose whether to share personal data. - We share personal data of our customers with third parties who use these data for their own commercial purposes only on the basis of a contract, with the consent of our customers or to comply with our legal obligations. ACEA Principles of Data Protection in Relation to Connected Vehicles and Services – 11/09/2015 3 - We enable our customers to de-activate the geolocation functionality of their connected vehicles and in the connected services we offer, except where we need to process geolocation data to comply with our contractual or legal obligations (for example: emergency call). 3. WE ALWAYS TAKE DATA PROTECTION INTO ACCOUNT - We take data protection requirements into account when we design, develop and engineer new products, services and processes. - Where necessary to maintain a high level of data protection, we carry out a data protection impact assessment before putting new products on the market, product features or services with new technologies and implement the measures that this impact assessment shows to be appropriate. 4. WE MAINTAIN DATA SECURITY - We implement appropriate technical, security and organisational measures to protect the personal data of customers against accidental or unlawful destruction, loss, alteration or disclosure. - Where we outsource data processing, we impose contractual safeguards to protect the personal data of our customers. 5. WE PROCESS PERSONAL DATA IN A PROPORTIONATE MANNER - We process only personal data that are adequate, relevant and not excessive in relation to the purpose they are used for. - We consider data anonymisation, pseudonymisation and de-identification important mechanisms for protecting personal data and we apply them where appropriate. - Where we combine personal data with other inform