1. Controller and data protection officer
Responsible for the data processing as controller in terms of data protection law is:
Dr. Ing. h.c. F. Porsche AG
Phone: +49 (0) 711 911-0
If you have any questions or suggestions regarding data protection, please feel free to contact us. You can reach our data protection officer as follows:
Dr. Ing. h.c. F. Porsche AG
Data Protection Officer
2. Subject of data protection
The subject of data protection is the protection of personal data. This is all information relating to an identified or identifiable natural person (so-called data subject). This includes information such as name, postal address, email address or telephone number, but also other information that may be generated when using the Online Service, in particular information about the beginning, end and extent of use as well as the transmission of your IP address.
3. Purposes and legal basis of data processing
In the following, you will find an overview of the purposes and legal basis of data processing in connection with the Online Service. In any case, we process personal data in accordance with the legal requirements, even if in individual cases a different legal basis should be relevant than that stated below.
The provision of personal data by you may be required by law or contract or may be necessary for the conclusion of a contract. We will point it out separately if you are obliged to provide personal data and what possible consequences the non-supply would then have (e.g. a loss of claims or our position not to provide the requested service without providing certain information). The use of the Online Service is generally possible without registration. The use of individual functions may require prior registration. Even if you use the Online Service without registration, personal data may still be processed.
3.1 Performance of a contract and pre-contractual measures
In particular, these are the following functions:
- Registration process and creation of a user profile
In particular, the following services and functions within the scope of our Online Service require registration and creation of a user profile: Car Configurator, Pre-Owned Car Locator (including e.g. Search Agent), Web-shop and Webspecials.
Registration is not possible without the mandatory data. The mandatory data required for the registration and creation of a user profile are marked with an “*” in the respective input field: salutation, first and last name, address and email address. When creating a user profile, you have the option of voluntarily providing additional information, such as company contact data, profession, date of birth, etc. Please note that these details are not required for registration and that you alone decide whether you wish to provide us with these details. If you do not provide us with this information, we may not be able to fully comply with your wishes when using this function. The data you provide will be used by us to create your user profile and to identify you later on each login. Depending on the function for which you are registering, further data, e.g. a vehicle configuration selected by you, may be collected and then linked to your profile data. When using the functions described in detail below, further personal data may also be collected and processed (e.g. payment data when placing orders) and, if necessary, transmitted to third parties (e.g. Porsche Centers) in order to provide you with these functions.
- Magazine Orders and Subscriptions
To order a magazine or subscription, e.g. Christophorus magazine, the following data is requested: title, first name, last name, address, e-mail address and, if applicable, payment data. In the case of a credit card payment, the card number, validity date of the card, holder name and card verification number are also collected. On a voluntary basis, you can also provide additional information; however, this information is not required for the execution of the order. The personal data you provide in the context of the order will be used by us for the execution and processing of orders placed and payment transactions.
- Live Chat
In certain areas of the Online Service, we offer contact and advice via live chat. With the help of the live chat, you can communicate with one of our consultants via text messages. When you access and use the live chat, your browser automatically transmits the following data at the beginning of use for technical reasons, which we store separately from other data that you may transmit to us: date and time of access, duration of the visit to our online offer, type of browser including version, operating system used, amount of data sent, type of event, IP address (shortened/altered). If you also provide us with additional personal data via the live chat, this is done on a voluntary basis.
- Marketing Materials Orders
In certain areas of the Online Service, we offer marketing materials such as stickers etc. that you can order. In order to send out the materials, we collect the data as required to deliver these materials to you. The personal data you provide in the context of the order will be used by us for the execution and processing of orders placed. If you also provide us with additional personal data in context of the order, this is done on a voluntary basis.
- Saving a configuration as a Pass in the Wallet app
Once you have configured your desired Porsche model in the Car Configurator, you can use a QR code or link to save the selected configuration as a Pass in the Wallet app of your end device (available on Apple’s iOS and Android). A Porschecode is stored in the Pass, which can be used to display your configuration directly in the Car Configurator or to communicate it to your Porsche Centre. No registration or login with a user profile is required to use this function. The process can be repeated for further configurations. In the settings on the back of the Pass, you can decide whether the Pass should be updated if necessary and whether push notifications relating to the Pass can be sent to you. Such push notifications will generally contain information about updates and news related to your saved configuration. Per configuration, a separate Pass will be offered for you to save. Please note that the required Wallet app is not offered by Porsche AG and may need to be installed separately. The Pass is saved within the functionalities of iOS or Android via a device-related ID. It is generally not possible for us to determine your identity via the Pass. For statistical purposes, we record how often Passes with certain configurations are saved and deleted. We process your personal data in order to provide you with the desired functions. Insofar as you have given us your consent to also use the push notifications for other Porsche offers when saving the Pass, the data processing is carried out on the basis of Article 6 paragraph 1 letter a) GDPR. You can revoke your consent at any time with effect for the future by selecting the corresponding unsubscribe link on the back of the Pass. Insofar as we record how often Passes with certain configurations are saved and deleted or insofar as we align the sending of other Porsche offers with your configuration in order to safeguard our interests in the further development of products and services as well as in customer segmentation, e.g. by calculation and evaluation of affinities, preferences and customer potential, the data processing is based on Article 6 paragraph 1 letter f) GDPR.
3.2. Compliance with legal obligations
We process your personal data to comply with legal obligations to which we are subject. The data processing is based on Article 6 paragraph 1 letter c) GDPR. These obligations may arise, for example, from commercial, tax, money laundering, financial or criminal law. The purposes of the processing result from the respective legal obligation; as a rule, the processing serves the purpose of complying with state control and information
3.3 Safeguarding of legitimate interests
We also process your personal data to pursue the legitimate interests of ourselves or third parties, unless your rights, which require the protection of your personal data, outweigh these interests. The data processing is based on Article 6 paragraph 1 letter f) GDPR. The processing to safeguard legitimate interests is carried out for the following purposes or to safeguard the following interests:
- Further development of products, services and support offers as well as other measures to control business transactions and processes;
- Improvement of product quality, elimination of errors and malfunctions, among other things by means of analysis of vehicle data and customer feedback;
- Processing of data in a central prospective customer and customer care platform as well as upstream and downstream systems for customer retention and sales purposes;
- Needs analysis and customer segmentation, e.g. calculation and evaluation of affinities, preferences and customer potential;
- Handling of non-contractual inquiries and concerns;
- Handling of warranty and goodwill cases;
- Risk management and coordination of recall actions;
- Credit assessment through data exchange with credit agencies (e.g. SCHUFA);
- Ensuring legally compliant actions, prevention of and protection against legal violations (especially criminal offences), assertion of and defense against legal claims, internal and external compliance measures;
- Ensuring availability, operation and security of technical systems as well as technical data management;
- Answering and evaluation of contact requests and feedback.
3.3.1 Retrieval of the online offer
When you call up the Online Service, data relating to your end device and your use of the online offer are processed and stored in a so-called log file. This concerns in particular technical data such as date and time of access, duration of the visit, type of terminal device, operating system used, functions used, amount of data sent, IP address and referrer URL. We process this data to ensure technical operation and to determine and eliminate faults. In doing so, we pursue the interest of permanently ensuring technical operability. We do not use this data for the purpose of drawing conclusions about your person.
When we send emails for customer and prospect management, we may use commercially available technologies such as tracking pixels or click-through links. This enables us to analyse which or how many emails are delivered and/or rejected and/or opened. The latter is done in particular using tracking pixels. It will not be possible to fully measure the opening rate of our emails using tracking pixels if you have deactivated the display of images in your email program. In this case, the email will not be displayed completely. However, we are still able to track whether an email has been opened if you click on text or graphic links in the email. By using click-through links, we can analyse which links in our emails are clicked and derive what interest there is in certain topics. When you click on the corresponding link, you are guided through our separate analysis server before the target page is called up. Based on the results of the analysis, we can make emails more relevant, send them in a more targeted manner or stop them from being sent. If you do not want such data to be collected and tracked, do not click on text or graphic links in emails.
3.3.3 Studies and surveys
We process your personal data on the basis of corresponding consent. The data processing is based on Article 6 paragraph 1 letter a) GDPR. If you give your consent, it is always for a specific purpose; the purposes of processing are determined by the content of your declaration of consent. You may revoke any consent you have given at any time, without affecting the legality of the processing that has taken place on the basis of the consent until revocation.
If you have given your consent, the companies listed in the declaration of consent can use the data on this basis, e.g. for individual customer and prospective customer support and contact you for these purposes via the communication channels you have requested. Your data will be used in this context to offer you an inspiring brand and customer care experience with Porsche and to make communication and interaction with you as personal and relevant as possible. Which of your data is actually used for individual customer and prospective customer support depends in particular on which data has been collected on the basis of orders and consultations (e.g. when buying or servicing Porsche products) and which data you have provided (e.g. your personal interests) at the respective contact points (e.g. at the Porsche Center).
We send out newsletters after respective registration, i.e. with your consent. If the contents of the newsletter are specifically described in the context of a registration, these are decisive for the scope of the consent. Furthermore, our newsletters contain information about our products, offers, promotions and our company. The entity named in the registration process is responsible for processing your data. The registration is carried out by means of the so-called double opt-in procedure, i.e. after your registration you will receive an email asking you to confirm your registration in order to prevent the misuse of your email address. The registrations for the newsletter are logged by us in order to be able to prove the registration process and the consent contained therein in accordance with the legal requirements. The logging of the registration and the necessary processing of the data entered by you during the registration process is accordingly based on our legitimate interests in accordance with Article 6 paragraph 1 letter f) GDPR. You can revoke your consent to receive our newsletter at any time, e.g. by unsubscribing from the newsletter. You will find an unsubscribe link to exercise this right at the end of each newsletter.
3.5 Change of purpose
If we process your personal data for a purpose other than that for which the data was collected, beyond the scope of a corresponding consent or a mandatory legal basis, we will take into account, in accordance with Article 6 paragraph 4 GDPR, the compatibility of the original and the now pursued purpose, the nature of the personal data, the possible consequences of further processing for you and the guarantees for the protection of the personal data.
We do not carry out automated decision making or profiling in accordance with Article 22 GDPR. Profiling is only carried out to protect our legitimate interests as described above.
4. Access authorizations in the end device
To the extent functions of the Online Service require the granting of authorization to access your end device (e.g. access to location data or photos), the granting of these authorizations is voluntary. However, if you wish to use the corresponding functions, you must grant the appropriate authorizations, otherwise you will not be able to use these functions. The permissions remain active as long as you have not reset them in your device by deactivating the respective setting.
5. Cookies and comparable technologies
6. Integrated third-party services
Services of other providers which we integrate or to which we refer are provided by the respective third parties. We have no influence on the content and function of the third-party services and are generally not responsible for the processing of your personal data by their providers, unless the third-party services are completely designed on our behalf and then integrated by us on our own responsibility. Insofar as the integration of a third-party service results in us establishing joint processes with its provider, we will define with this provider in an agreement on joint controllership pursuant to Article 26 GDPR how the respective tasks and responsibilities in the processing of personal data are structured and who fulfils which data protection obligations. Insofar as Cookies are to be set on the basis of your consent, you will receive further information on the responsibility for setting these Cookies and any associated third-party services in the corresponding area of the consent management.
Unless otherwise stated, profiles on social media are generally only included in the Online Service as a link to the corresponding third-party services. After clicking on the integrated text/image link, you will be redirected to the offer of the respective social media provider. After the redirection, personal data may be collected directly by the third-party provider. If you are logged in to your user account of the respective social media provider, the provider may be able to assign the collected information of the specific visit to your personal user account. If you interact via a “share” button of the respective social media provider, this information can be stored in the personal user account and published if necessary. If you want to prevent the collected information from being assigned directly to your user account, you must log out before clicking the included text/image link.
7. Sources and categories of data in case of third party collection
We also process personal data that we receive from third parties or from publicly accessible sources. Below you will find an overview of the corresponding sources and the categories of data obtained from these sources.
- Group companies, Porsche dealers and service companies: information on the products you use and on your interests.
8. Recipients of personal data
Within our company, only those persons who need your personal data for the respective purposes mentioned have access to it. Your personal data will only be passed on to external recipients if we have legal permission to do so or have your consent. Below you will find an overview of the corresponding recipients:
- Commissioned processors: Group companies or external service providers, for example in the areas of technical infrastructure and maintenance, which are carefully selected and reviewed. The processors may only use the data in accordance with our instructions.
- Public bodies: Authorities and state institutions, such as tax authorities, public prosecutors’ offices or courts, to which we (must) transfer personal data, e.g. to fulfil legal obligations or to protect legitimate interests.
- Private bodies: Group companies, Porsche sales companies (incl. companies offering services in the area of Porsche Connect and Smart Mobility), dealer and service operations, cooperation partners, service providers (not bound by instructions) or commissioned persons such as Porsche Centres and Porsche Service Centres, financing banks, credit agencies or transport service providers.
9. Data processing in third countries
If a data transfer takes place to entities whose registered office or place of data processing is not located in a member state of the European Union, another state party to the Agreement on the European Economic Area or a state for which an adequate level of data protection has been determined by a decision of the European Commission, we will ensure prior to the transfer that either the data transfer is covered by a statutory permit, that guarantees for an adequate level of data protection with regard to the data transfer are in place (e.g., through the agreement of contractual warranties, officially recognized regulations or binding internal data protection regulations at the recipient), or that you have given your consent to the data transfer.
If the data is transferred on the basis of Articles 46, 47 or 49 paragraph 1, subparagraph 2 GDPR, you can obtain from us a copy or reference to the availability of the guarantees for an adequate level of data protection in relation to the data transfer. Please use the information provided under Section 1.
10. Storage duration, erasure of data
We store your personal data, if there is legal permission to do so, only as long as necessary to achieve the intended purposes or as long as you have not revoked your consent. In the event of an objection to processing, we will delete your personal data, unless further processing is still permitted by law. We will also delete your personal data if we are obliged to do so for other legal reasons. Applying these general principles, we will usually delete your personal data immediately
- after the legal permission has ceased to apply and provided that no other legal basis (e.g. commercial and tax law retention periods) intervenes. If the latter applies, we will delete the data after the other legal basis has ceased to apply;
- if your personal data is no longer required for the purposes we pursue and no other legal basis (e.g. commercial and tax law retention periods) intervenes. If the latter is the case, we will delete the data after the other legal basis has ceased to apply.
11. Rights of data subjects
Right to access: You have the right to receive information about your personal data stored by us.
Right to rectification and erasure: You can demand that we correct incorrect data and, if the legal requirements are met, delete your data.
Restriction of processing: You can demand that we restrict the processing of your data, provided that the legal requirements are met.
Data portability: If you have provided us with data on the basis of a contract or consent, you may, if the legal requirements are met, demand that the data you have provided us with are handed over in a structured, common and machine-readable format or that we transfer it to another controller.
Objection: You have the right to object at any time to data processing by us based on the safeguarding of legitimate interests for reasons arising from your particular situation. If you make use of your right to object, we will stop processing the data unless we can prove compelling reasons for further processing worthy of protection which outweigh your rights and interests.
Objection to direct marketing: If we process your personal data for the purpose of direct marketing, you have the right to object to our processing of your data for this purpose at any time. If you exercise your right to object, we will stop processing your data for this purpose.
Revocation of consent: If you have given us your consent to process your personal data, you can revoke it at any time with effect for the future. The legality of the processing of your data until revocation remains unaffected.
Right to lodge a complaint with a supervisory authority: You can also lodge a complaint with the competent supervisory authority if you believe that the processing of your data violates applicable law. You can contact the supervisory authority responsible for your place of residence or your country or the supervisory authority responsible for us.
Your contact with us and the exercise of your rights: Furthermore, you can contact us free of charge if you have questions regarding the processing of your personal data and your rights as a data subject. Please contact us https://www.porsche.com/international/privacy/contact/ or by letter mail to the address provided under Section 1. Please make sure that we can definitely identify you. If you revoke your consent, you can alternatively choose the contact method that you used when you gave your consent.
12. Links to Third-Party Services
The websites and services of other providers to which our Online Service links are designed and provided by third parties. We have no influence on the design, content and function of these third-party services. We dissociate ourselves expressly from all content of all linked services from third parties. Please note that the services of third parties linked on our Online Service may install their own cookies on your end device or collect personal data. We have no influence on this. In this respect, please refer to the providers of these linked third-party services. The services of third parties generally also include those of other Porsche Group Companies and Porsche Centers which are linked on our Online Services or which are otherwise integrated into our Online Services.
13. Effective date