The party responsible for processing your data is
Berliner Ring 2
You can reach our Data Protection Officer by mail at the aforementioned address, adding “Data Protection Officer” or by email to:
Please be informed, that when using the email-address, not only the Data Protection Officer might gain knowledge of your inquiry. If you want to contact the Data Protection Officer in confidentiality, please send another mail upfront.
2. Data Processing on our Website
2.1. Web server Logging
When you access our website, our web servers automatically capture information that is of a general nature. This includes:
- The type of web browser and operating system used
- The domain name of the Internet service provider
- The IP address of the computer being used
- The website from which you were directed to us
- The pages on our website that you visit as well as the date and duration of the visit.
The legal basis for processing this data is Article 6 (1) (f) GDPR. Our legitimate interest is the technical necessity of processing this data in order to be able to provide a functional website. The aforementioned data will also be stored in internal logfiles du improve the technical quality of our website. This data is only being processed as long as you access our website.
When you contact us (e.g. via email), we will use the included information such as contact information (e.g. name, email address) to
- help you with your inquiry
- if necessary, forward the included information to the relevant bodies and
- document a proper handling of your inquiry.
The legal basis for this is provided by Art. 6 (1) (f) GDPR. Our legitimate interest is providing effective support to persons approaching us with an inquiry.
If you would like apply for a job at CARIAD SE, you can find information about data protection with regard to your application directly on our application portal.
A cookie is a small data file that is stored on your device and contains data such as your personal site settings and log-in information. This data file is generated and transmitted to you by the web server to which you have connected using your web browser. Comparable technologies are especially Wb Storage (Local / Session Storage), Fingerprints, tags or Pixels. Most browser are accepting Tools on default thus can be set to not accepting tools. If your browser does not accept Tools, not all functions of our website might work for you.
In the following, we will give you information about the categories of Cookies used on our website.
If that information might contradict the information given in our Cookie-Banner, the information below does prevail.
A comprehensive list of the Cookies used on our Website can be found in the Cookie-list.
2.4.1. Legal base
Cookies necessary for the functioning of this website are based on our legitimate interest as in Art. 6 (1) f GDPR to offer you a comfortable and individual use of our website. If in certain cases a tool is necessary for the performance of a contract, the legal base for the processing ist Art. 6 (1) b GDPR.
All other tools, especially tool for marketing purposes will be used based on your previous consent as in Art. 6 (19 a GDPR and §W 15 (3) 1 TMG, as far as usage profiles are created.
2.4.2. Your consent
To obtain and manage your consent, we use the Tool “OneTrust” by OneTrust Technology Ltd, 82 St John St, Farringdon, London EC1M 4JN, United Kingdom. OneTrust creates the Cookie-Banner to inform you about the data processing on our website and gives you the opportunity to agree or disagree to certain data processing by optional tools. The Cookie-Banner will appear on your first visit to our website and if you choose to change your settings. The Cookie-Banner will also appear on your future visits on our website, if you have deactivated the storage of the OneTrust-Cookie was deleted.
OneTrust will obtain your consents or withdrawals, your IP-Address, information about your browser, your device and the time of your visit. Also OneTrust will place the OneTrust-Cookie to remember your consent and/or withdrawal.
The data processing by OneTrust is necessary to offer you the necessary Consent-Management and to comply with our documentation duties. Legal base for the use of OneTrust is Art. 6 (1) f GDPR, our legitimate interest to comply with the legal requires on the Cookie-Consent-Management.
2.4.3. Withdrawal of consent
You can withdraw your given consent to the use of a certain tool at any time. To do so, please click on the following button.
In the Cookie-Management, you can also change the selection of tools you consent to and also obtain further information, e.g. about the storage duration.
2.4.4. Necessary Tools
We use some tools, to offer fundamental functions of or website (“necessary tools”). Without those tools, we could not provide our Website. Therefore, necessary tools will be used without your consent based on our legitimate interest as in Art. 6 (1) f GDPR or for the conclusion of a contract as in Art. 6 (1) b GDPR.
2.4.5. Functional Tools
We also use tools to enhance the user-experience and on our website and to offer you more functionality (“functional tools”). Those tools are not needed for the basic functions of our website but can create substantial advantages for users especially in terms of usability.
2.4.6. Analytical Tools
To improve our website, thee use tools to gain and analyze the usage based on usage data (“analytical tools”). Also we use analytical tools to gain knowledge about the marketing tools we use.
2.4.7. Google Analytics
We use Google Analytics on our website. This is a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Contact point for all data privacy enquiries is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
To increase the level of data privacy, we chose the following setting for Google Analytics:
- Automatic deletion of Logs / limited duration period
- Deactivated marketing functions
- Deactivated personalized ads
- Deactivated measurement protocol
- Deactivated cross-page tracking
- Deactivated data transfer to other Google Products and Services
Google will process the following data:
- Anonymized IP-Address
- Page Visits (Date, Time, URL, Title, Duration of Visit)
- Downloaded Data
- Used Links to other websites
- If applicable, Conversions
- Technical Information: OS, Browsertype, Browserversion, Language, Deviceinformation
More Information about the Cookies set by Google Analytics can be found in our Cookie List.
We have concluded a Data Processing Agreement with Google and also, if data is transferred to the US, the EU Standard Contract Clauses (SCC).
3. Social Media
We have presences on Social Media, to communicate with our customers and to inform about our products and services.
User data i soften used for analytical and marketing purposes by the Social Networks. Based on that, Usage profiles can be created and used to show user’s specific ads in the social network or on other websites. For this purpose, Cookies and other identifiers could be stored on the user’s devices.
By our use of Social media presence, there is a chance, that we can gain access to user statistics offered by the social network. Those statistics are aggregated. Details and links to the data we can obtain by the Social network, please the list below.
Legal base for the data processing is our legitimate interest in an effective communication with our customers as in Art. 6 (1) f GDPR as well as Art. 6 (1) b GDPR as far as the communications with are meant to stay in contact with our customers and for the conclusion of contracts.
Please be informed, that data privacy requests can be most efficiently filed directly with the Social Network itself. In the following, please find a list with information to the Social networks we have presences in:
- Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland)
- Google/ YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland)
- Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Irland)
- LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Irland)
- Joint-Controller-Agreement for Company Profiles: https://legal.linkedin.com/pages-joint-controller-addendum
- Information on processed data and contact details: https://legal.linkedin.com/pages-joint-controller-addendum
- Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
- Xing (XING SE, Dammtorstraße 30, 20354 Hamburg)
4. Data Transfer
In principle, we will only pass on the data we collect if:
- you have given your explicit consent pursuant to Art. 6(1) Sentence 1(a) GDPR;
- disclosure is necessary pursuant to Art. 6(1) Sentence 1(f) GDPR in order to establish, exercise or defend legal claims and there is no reason to assume that you have an overriding legitimate interest in your data not being disclosed;
- we are legally obliged to do so under Art. 6(1) Sentence 1(c) GDPR; or
- this is permitted by law and is required under Art. 6(1) Sentence 1(b) GDPR for the processing of contractual relationships with you or for taking steps at your request prior to entering into a contract.
In addition, data may be disclosed in connection with official requests, court orders and legal proceedings if this is necessary to pursue or enforce rights.
5. Data transfer to third countries
Where this is not possible, we base the transfer of data on exceptions of Art. 49 GDPR, in particular your explicit consent or the necessity of the transfer for the fulfilment of the contract.
If a transfer to a third country is intended and no adequacy decision or appropriate safeguards are in place, it is possible and there is a risk that authorities in the respective third country (e.g. intelligence agencies) may be able to gain access to the transferred data in order to record and analyze it, and that the enforceability of your data subject rights cannot be guaranteed. You will also be informed of this when you give your consent via the cookie banner.
6. Storage Period
In principle, we only store personal data for as long as necessary to fulfill contractual or legal obligations for which we have collected the data. We then delete the data without delay, unless we still require the data until the end of the statutory limitation period for evidence purposes for claims under civil law or due to statutory retention obligations.
For evidence purposes, we must keep contract data for another three years after the end of the year in which the business relationship with you ends. After the standard statutory period of limitation, any claims become statute-barred at this point in time at the earliest.
Even after that, we are still required to store some of your data for accounting reasons. We are obliged to do so due to statutory documentation obligations, which may arise on the basis of the German Commercial Code, the Fiscal Code, the Banking Act and the Money Laundering Act. The periods specified there for retaining documents range from two to ten years.
CARIAD SE, Berliner Ring 2, 38440 Wolfsburg,
entered in the register of companies at Braunschweig District Court under the register no. HRB 208203.
B. Collection, processing and use of your personal data
Context of data processing and description of processing measures
For the development and refinement of driver assist and information systems as well as automated driving functions for active and passive safety and for comfort functions, our test vehicles record data from the surroundings using various sensors and video cameras in the vehicle. The recording mainly takes place on public roads. The recorded ambient information is then stored in a secure database and used for the development, refinement and maintenance of driver assist and information systems as well as automated driving functions and comfort functions. These systems are intended to improve comfort and safety in road traffic and to safeguard the functionality of the vehicle by means of the recorded video data. Information on the existing traffic infrastructure and the detection of road users including their direction of travel has to be processed in order to determine the correct response by the vehicle.
CARIAD never identifies individuals in the data records.
Relevant data categories and processing purposes
For the purposes of developing and refining driver assist and information systems as well as automated driving functions and comfort functions, video recordings of the surroundings are made and saved. Data including the following is collected for these purposes:
- Video recordings of other road users (vehicles and persons)
- Number plates and lettering on vehicles
- Lettering on shops and street signs
- Other information in the immediate surroundings of the test vehicles which is captured using cameras.
CARIAD collaborates with service providers and/or cooperation partners in refining and developing driver assist and information systems as well as automated driving functions and comfort functions. Insofar as CARIAD shares the aforementioned data with service providers and/or cooperation partners, this is done in compliance with the applicable data protection law on the basis of data processing agreements within the meaning of Article 28 GDPR.
Service providers used by CARIAD (known as data processing contractors) which receive data include:
- VW Group companies that provide services (e.g. development services) for CARIAD
- Development service providers
- Suppliers of driver assist system safety components
- Hosting service providers
- IT service providers
These companies are involved in product development and analysis of trials. CARIAD will be happy to provide you with further information on recipients for specific trials. Please use the contact details below.
If recipients are located in countries outside the European Union or the European Economic Area (known as third countries), the data may be transferred to a country where there is not an appropriate level of data protection, i.e. one comparable to that of the EU.
Please note that the level of data protection in some third countries is not in line with what the European Commission considers appropriate. For transmission of data to third countries which do not have an appropriate level of data protection, CARIAD has taken suitable precautions to protect your personal data, for example by agreeing standard data protection clauses.
Legal basis for the processing of data by CARIAD
Your personal data is collected, processed and used on the basis of a consideration of interests in accordance with Article 6(1) sentence 1, lit. f GDPR. CARIAD has a legitimate interest in processing your data for the refinement and development of driver assist and information systems as well as automated driving functions and comfort functions. Information on your rights, including the right to object to the processing of your personal data, can be found in section C of this policy.
Duration of processing and deletion of data
The data is only stored for as long as is necessary for the purpose of refinement or development. Refinement of the systems may also include quality improvement and fault elimination after they are released. In certain cases, CARIAD is legally obliged to correct these faults for reasons of product liability.
C. Your rights
You may exercise the following rights vis-a-vis CARIAD at any time free of charge. The contact details for exercising your rights can be found in section D.
Right of access: You have the right to obtain information from us about our processing of your personal data.
Right to rectification: You are entitled to request us to rectify any of your personal data that may be incorrect or incomplete.
Right to erasure: You have the right to have your data erased if the conditions set out in Article 17 of the GDPR are met. For example, you may ask for your data to be erased if it is no longer necessary for the purposes for which is was collected. You may also ask for your data to be erased if we process your data based on your consent and you withdraw that consent.
Right to restriction of processing: You have the right to ask for a restriction of the processing of your data if the conditions set out in Article 18 of the GDPR are met. That is the case, for example, if you dispute the accuracy of your data. You can then demand a restriction of processing for the period it takes to verify the accuracy of the data.
Right to object: You have the right to object to the processing of your data if processing is based on an overriding interest or your data is used for the purposes of direct advertising. An objection is permitted if processing is conducted in either the public interest or for the exercise of official authority, or if it is conducted for a legitimate interest of CARIAD or of a third party. If you object to the processing of your data, please notify us of the grounds for your objection. You also have the right to object to data processing for the purpose of direct marketing. The same applies to profiling, insofar as it is related to direct marketing.
Right of complaint: You also have the right to lodge a complaint about our processing of your data with a supervisory authority (such as the Data Protection Commissioner for the State of Lower Saxony [Landesbeauftragte für den Datenschutz Niedersachsen]).
If you have any data protection concerns, contact our Data Protection Officer:
Data Protection Officer CARIAD SE, Berliner Ring 2, Brieffach 1080/2, 38440 Wolfsburg
Version dated: March 2021
1. General information on data processing by CARIAD in cooperation with project partners
The protection of your personal data is an important concern for the companies of CARIAD SE and its affiliated companies within the meaning of §§ 15 ff. AktG („CARIAD“). We process personal data about our project partners (e.g. owners, managers, employees, etc.) in accordance with the provisions of the European General Data Protection Regulation (GDPR) and in accordance with the legal provisions of the country in which the entity responsible for data processing is based.
In addition, the companies of CARIAD have committed themselves to a comprehensive and uniform protection of personal data through a binding Group policy on data protection.
Furthermore, the employees of CARIAD are obliged to maintain confidentiality with regard to the handling of personal data.
b) Controller under the GDPR and contact persons
The controller according to the GDPR is the company of CARIAD which processes personal data of data subjects of a project partner (e.g. executives, employees, owners, etc.) in the context of an existing or upcoming contractual or cooperation relationship with the project partner. CARIAD as part of the Volkswagen Group currently consists of the following companies (Data Protection Officers).
If you have any data protection-related questions, please contact the data protection officer/data protection coordinator at CARIAD company with which a contractual or cooperation relationship with the specific project partner exists or is in the process of being established.
The responsible data protection officers/data protection coordinators of CARIAD can be found here (Data Protection Officers).
2. Collection and processing of personal data
a) Purpose limitation and legal basis
The CARIAD company which acts as controller under the GDPR processes your personal data in order to carry out and manage the contractual relationship existing or in the process of being established with the respective project partner. In this context, your personal data is processed within the scope of various processing activities for different purposes and on different applicable legal basis.
b) Data sources
As a rule, your personal data will be collected directly from you as a manager or employee or owner of one of our project partner companies within the framework of the existing or developing contractual or cooperation relationship with this project partner company.
c) Obligation to provide data
As a manager, employee or owner of one of our project partners, the personal data required to carry out the cooperation must be provided. Without this provision, no proper cooperation between the relevant CARIAD company and the project partner company can take place. The personal data that you, as a manager, employee or owner of a project partner company make available to a CARIAD company depends on the necessity in connection with the specific activity or the role of the project partner company to successfully perform with CARIAD.
(d) the purpose of the processing activities
Below we provide you with an overview of the purposes of our processing activities:
Tendering of services and materials
Sending out enquiries, requesting outstanding offers, commercial review and completeness check of offers, conducting negotiations.
Order processing (material, services)
Write, place, send and track your order in the system.
Supplier and service provider support
Communication regarding the products or services, answering enquiries or requirements, bottleneck and risk management.
Turnover figures for suppliers or for item numbers.
e.g. preparation of market analyses, trade fair presence, internet presence, etc.
e.g. communication within the project team, creation and management of user accounts, assignment of delivery results
Fulfilment of statutory duties
Adherence to retention obligations, ensuring compliance requirements through audit activities (e.g. sanctions list audit, money laundering) , operation of an internal control system (ICS) and other monitoring systems to ensure the regularity of business processes
The personal data processed are classified under the following data categories:
- Professional contact and (work) organisation data
- IT usage data
- Data on personal/professional circumstances & characteristics
- Creditworthiness and bank data
- Contract data
The above-mentioned processing activities are legitimised by the following legal bases:
- Consent for one or more specific purposes (Art. 6 para. 1 lit. a DS-GVO)
- Fulfilment of the contract or initiation of the contract directly with you as the data subject, e.g. if you are a natural person as a project partner of CARIAD (Art. 6 para. 1 lit. b DS-GVO)
- Fulfilment of legal obligations (Art. 6 para. 1 lit. c DS-GVO)
- legitimate interests (Art. 6 para. 1 lit. f DS-GVO)
- existence of a relevant and appropriate relationship between a CARIAD company as controller under the GDPR and you as data subject
- fraud prevention
- direct marketing
- transfer of personal data within a group of companies for internal administrative purposes
3. Disclosure of personal data
In certain cases, your personal data may also be disclosed to other group companies as data controllers or processors:
If the transfer of your personal data is necessary for the implementation or initiation of the contractual relationship with our project partner as your employer or you are a natural person as our project partner, e.g. project management or project fulfilment.
We disclose personal data with data processors according to Art 28 GDPR (e.g. cloud providers, collaboration platforms).
If we are obliged to disclose your personal data to comply with national legislation, e.g. transfer to tax authorities, courts, auditors.
Data protection agreements have been concluded with all data-receiving companies of CARIAD and the Volkswagen Group to ensure a high level of data protection.
If we transfer personal data to affiliated companies or service providers outside the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the EU Commission to have an adequate level of data protection or if other appropriate and sufficient data protection guarantees (e.g. EU standard data protection clauses) are concluded.
4. Data storage and deletion
As a matter of principle, we delete your personal data as soon as they are no longer required for the above-mentioned purposes.
Your personal data will be stored as long as we are legally obliged to do so or as long as statutory limitation periods apply. This regularly results from legal obligations to provide proof and to retain data, which are regulated in Germany in the German Civil Code (BGB), the German Commercial Code (HGB), or in the German Fiscal Code (AO), among others.
In addition, storage takes place insofar as further legal or contractual storage obligations exist or CARIAD has a justified interest in storing the personal data, such as in connection with product liability.
5. Your rights
In addition to the right to information about the data concerning you and correction of your data, you also have the right to deletion as well as the right to object to the processing or the right to restrict the processing of your data, insofar as this does not conflict with any statutory regulations. Furthermore, you have the right to data portability.
If we collect and process your personal data based on your consent, you also have the right to revoke the consent you have given with effect for the future. Your revocation does not affect the lawfulness of the data processing carried out on the basis of the consent until the revocation.
Where necessary, we will need to verify your identity before we can process your applications.
If, despite our efforts to ensure that the data is correct and up to date, incorrect information is stored, we will correct this after being notified accordingly.
In the event of complaints, it is possible to contact a data protection supervisory authority. The relevant supervisory authority is listed with the respective CARIAD company (Data Protection Officers).
6. Automated decision making
There is no automated decision-making according to Art. 22 Para.1,4 DS-GVO.