The party responsible for processing your data is
Berliner Ring 2
You can reach our data protection officer by mail at the aforementioned address, adding “Data Protection Officer” or by email to:
Please note that when you use the email address, persons other than the data protection officer might gain knowledge of your inquiry. If you want to contact the data protection officer confidentially, please send another mail upfront.
2. Data Processing on our Website
2.1. Web server Logging
When you access our website, our web servers automatically capture information that is of a general nature. This includes:
- The type of web browser and operating system used
- The domain name of the Internet service provider
- The IP address of the computer being used
- The website from which you were directed to us
- The pages on our website that you visit as well as the date and duration of the visit.
The legal basis for processing this data is Article 6(1) lit. f GDPR. Our legitimate interest is the technical necessity of processing this data in order to be able to provide a functional website. The aforementioned data will also be stored in internal logfiles to improve the technical quality of our website. This data is only being processed as long as you access our website.
When you contact us (e.g. via email), we will use the included information such as contact information (e.g. name, email address) to
- help you with your inquiry
- if necessary, forward the included information to the relevant bodies and
- document a proper handling of your inquiry.
The legal basis for this is provided by Art. 6(1) lit. f GDPR. Our legitimate interest is providing effective support to persons approaching us with an inquiry.
When you use our Recruiting Chatbot, we process the data you provided in the chat, including your IT usage information. This website uses the chatbot to provide answers to users' questions regarding their career at CARIAD. The provider of the chatbot is e-bot7 GmbH, Perusastraße 7, 80333 Munich, Germany. E-bot7 does not collect or process personal data for behavioral analysis. Usage data such as chat duration, timestamps of messages, number of dialogs and approximate location of users are only stored anonymously for statistical purposes. In addition, customer questions are stored and processed for a maximum of 7 days to process your request and for internal purposes, e.g. to control and improve our business and service processes (Art. 6 para. 1 lit. b, Art. 6 para. 1 lit. f GDPR).
A cookie is a small data file that is stored on your device and contains data such as your personal site settings and log-in information. This data file is generated and transmitted to you by the web server to which you have connected using your web browser. Comparable technologies include, in particular, web storage (local / session storage), fingerprints, tags or pixels. Most browsers accept such tools by default but can be set not to accept them. If your browser does not accept tools, not all functions of our website may work for you.
In the following, we will give you information about the categories of cookies used on our website.
If that information contradicts the information given in our cookie banner, the information below prevails.
A comprehensive list of the cookies used on our website can be found in the cookie-list.
2.4.1. Legal base
Cookies necessary for the functioning of this website are based on § 25(2) Nr. 2 TTDSG and our legitimate interest as in Art. 6(1) lit. f GDPR to offer you a comfortable and individual use of our website. If in certain cases a tool is necessary for the performance of a contract, the legal base for the processing is § 25(2) Nr. 2 TTDSG in conjunction with Art. 6(1) lit. b GDPR.
All other tools, especially tools for marketing purposes, will be used based on your prior informed consent according to § 25(1) TTDSG and Art. 6(1) lit. a GDPR.
2.4.2. Your consent
To obtain and manage your consent, we use the tool “OneTrust” by OneTrust Technology Ltd, 82 St John St, Farringdon, London EC1M 4JN, United Kingdom. OneTrust creates the cookie banner to inform you about the data processing on our website and gives you the opportunity to agree or disagree to certain data processing by optional tools. The cookie banner will appear on your first visit to our website and if you choose to change your settings. The cookie banner will also appear on your future visits to our website if you have deactivated the storage of the OneTrust cookie or the cookie was deleted.
OneTrust will obtain your consents or withdrawals, your IP address, information about your browser, your device and the time of your visit. OneTrust will also place the OneTrust cookie to remember your consent and/or withdrawal.
The data processing by OneTrust is necessary to offer you the required consent management and to comply with our documentation duties. The legal basis for the use of OneTrust is § 25(2) Nr. 2 TTDSG in conjunction with Art. 6(1) lit. f GDPR, namely our legitimate interest in complying with the legal requirements for cookie consent management.
2.4.3. Withdrawal of consent
You can withdraw your given consent to the use of a certain tool at any time. To do so, please click on the following button.
In the Cookie-Management, you can also change the selection of tools you consent to and also obtain further information, e.g. about the storage duration.
2.4.4. Necessary Tools
We use some tools to offer fundamental functions of our website (“necessary tools”). Without those tools, we could not provide our website. Therefore, necessary tools will be used without your consent based on § 25(2) Nr. 2 TTDSG and our legitimate interests according to Art. 6(1) lit. f GDPR or for the conclusion of a contract according to Art. 6(1) lit. b GDPR.
2.4.5. Functional Tools
We also use tools to enhance the user experience on our website and to offer you more functionality (“functional tools”). Those tools are not needed for the basic functions of our website but can create substantial advantages for users, especially in terms of usability.
2.4.6. Analytical Tools
To improve our website, we use tools to capture and analyze the usage of our website based on usage data (“analytical tools”). We also use analytical tools to gain knowledge about the marketing tools we use.
2.4.7. Google Analytics
We use Google Analytics on our website. This is a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Contact point for all data privacy enquiries is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
To increase the level of data privacy, we chose the following settings for Google Analytics:
- Automatic deletion of Logs / limited duration period
- Deactivated marketing functions
- Deactivated personalized ads
- Deactivated measurement protocol
- Deactivated cross-page tracking
- Deactivated data transfer to other Google Products and Services
Google will process the following data:
- Anonymized IP-Address
- Page Visits (Date, Time, URL, Title, Duration of Visit)
- Downloaded Data
- Used Links to other websites
- If applicable, Conversions
- Technical information: OS, browser type, browser version, language, device information
More Information about the cookies set by Google Analytics can be found in our cookie list.
We have concluded a data processing agreement with Google and also, if data is transferred to the US, the EU standard contractual clauses (SCC).
3. Social Media
We maintain a presence on social media to communicate with our customers and to provide information about our products and services.
User data are often used for analytical and marketing purposes by the social networks. Based on that, usage profiles can be created and used to show user-specific ads in the social networks or on other websites. For this purpose, cookies and other identifiers could be stored on the user’s devices.
Through our social media presences, we may gain access to user statistics offered by the social network. Those statistics are aggregated. For details and links regarding the data we can obtain from the social networks, please see the list below.
The legal basis for the data processing is our legitimate interest in effective communication with our customers under Art. 6(1) lit. f GDPR, as well as Art. 6(1) lit. b GDPR insofar as the communications are meant to stay in contact with our customers and for the conclusion of contracts.
Please note that data privacy requests can be filed most efficiently directly with the social network itself. Below is a list with information on the social networks on which we have a presence:
- Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
- Google/YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
- Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland)
- LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)
  - Joint-Controller-Agreement for Company Profiles: https://legal.linkedin.com/pages-joint-controller-addendum
  - Information on processed data and contact details: https://legal.linkedin.com/pages-joint-controller-addendum
  - Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
- Xing (XING SE, Dammtorstraße 30, 20354 Hamburg)
4. Data Transfer
In principle, we will only pass on the data we collect if:
- you have given your explicit consent pursuant to Art. 6(1) lit. a GDPR;
- disclosure is necessary according to Art. 6(1) lit. f GDPR in order to establish, exercise or defend legal claims and there is no reason to assume that you have an overriding legitimate interest in your data not being disclosed;
- we are legally obliged to do so under Art. 6(1) lit. c GDPR; or
- this is permitted by law and is required under Art. 6(1) lit. b GDPR for the processing of contractual relationships with you or for taking steps at your request prior to entering into a contract.
In addition, data may be disclosed in connection with official requests, court orders and legal proceedings if this is necessary to pursue or enforce rights.
5. Data transfer to third countries
Where this is not possible, we transfer personal data under Art. 49 GDPR, in particular with your explicit consent or the necessity of the transfer for the fulfilment of the contract.
If a transfer to a third country is intended and no adequacy decision or appropriate safeguards are in place, there is a risk that authorities in the respective third country (e.g. intelligence agencies) may be able to gain access to the transferred data in order to record and analyze it, and that the enforceability of your data subject rights cannot be guaranteed. You will also be informed of this when you give your consent via the cookie banner.
6. Storage Period
In principle, we only store personal data for as long as necessary to fulfill contractual or legal obligations for which we have collected the data. We then delete the data without delay, unless we still require the data until the end of the statutory limitation period for evidence purposes for claims under civil law or due to statutory retention obligations.
For evidence purposes, we must keep contract data for another three years after the end of the year in which the business relationship with you ends. After the standard statutory period of limitation, any claims become statute-barred at this point in time at the earliest.
Even after that, we are still required to store some of your data for accounting reasons. We are obliged to do so due to statutory documentation obligations, which may arise on the basis of the German Commercial Code, the Fiscal Code, the Banking Act and the Money Laundering Act. The periods specified there for retaining documents range from two to ten years.
CARIAD SE, Berliner Ring 2, 38440 Wolfsburg,
registered in the commercial register of the district court of Braunschweig under the registration number HRB 208203.
2. Collection, processing and use of your personal data
Context of data processing and description of processing measures
For the development and refinement of driver assistance and information systems as well as automated driving functions for active and passive safety and comfort functions, our test vehicles record data from the environment using various sensors and video cameras in the vehicle. The recording mainly takes place on public roads. The recorded environmental information is then stored in a secure database and used for the development, refinement and maintenance of driver assistance and information systems as well as automated driving functions and comfort functions. These systems will use the recorded video data to improve comfort and safety on the road and ensure vehicle functionality. Information about the existing traffic infrastructure and the detection of road users, including their direction of travel, must be processed to determine the correct response of the vehicle.
CARIAD never identifies individuals in the data records.
Relevant data categories and processing purposes
The following data is processed for the development and further development of driver assistance and information systems as well as automated driving functions and comfort functions:
- Video recordings of the vehicle environment (images of other road users, vehicles, people, license plates and lettering on vehicles, lettering on stores and street signs, and other information that may be contained in the immediate vicinity of the vehicles),
- Additional data from other vehicle systems (such as radar, LIDAR) as well as GPS position and timestamp of data collection.
There is a joint controllership with other Volkswagen Group Companies for some specific automotive research projects, working together for the development and refinement of driver-assist systems and automated driving functions. The legally required joint controller arrangement for these specific data processing activities has been concluded (Art 26 Par 1 GDPR). Further information can be found here.
Furthermore, CARIAD collaborates with service providers and/or cooperation partners in refining and developing driver assist and information systems as well as automated driving functions and comfort functions. Insofar as CARIAD shares the aforementioned data with service providers and/or cooperation partners, this is done in compliance with the applicable data protection law on the basis of data processing agreements within the meaning of Art. 28 GDPR if necessary.
Service providers and/or cooperation partners that receive data may include:
- VW Group companies that provide services (e.g. development services) for CARIAD
- Development service providers
- Suppliers of safety components for driver assistance systems
- Hosting service providers
- IT service providers
These companies are each involved in product development and the evaluation of tests. CARIAD will be happy to provide you with further information on recipients upon request. Please use the contact details below.
If recipients are located in countries outside the European Union or the European Economic Area (known as third countries), the data may be transferred to a country where there is not an appropriate level of data protection, i.e. one comparable to that of the EU.
Please note that the level of data protection in some third countries is not in line with what the European Commission considers appropriate. For transmission of data to third countries which do not have an appropriate level of data protection, CARIAD has taken suitable precautions to protect your personal data, for example by agreeing standard data protection clauses.
Legal basis for the processing of data by CARIAD
Your personal data is collected, processed and used on the basis of a consideration of interests in accordance with Art. 6(1), lit. f GDPR. CARIAD has a legitimate interest in processing your data for the refinement and development of driver assist and information systems as well as automated driving functions and comfort functions. Information on your rights, including the right to object to the processing of your personal data, can be found in section 3 of this policy.
Duration of processing and deletion of data
The data is only stored for as long as is necessary for the purpose of refinement or development. Refinement of the systems may also include quality improvement and fault elimination after they are released. In certain cases, CARIAD is legally obliged to correct these faults for reasons of product liability.
3. Your rights
You may exercise the following rights vis-a-vis CARIAD at any time free of charge. The contact details for exercising your rights can be found in section D.
Right of access: You have the right to obtain information from us about our processing of your personal data.
Right to rectification: You are entitled to request us to rectify any of your personal data that may be incorrect or incomplete.
Right to erasure: You have the right to have your data erased if the conditions set out in Art. 17 of the GDPR are met. For example, you may ask for your data to be erased if it is no longer necessary for the purposes for which it was collected. You may also ask for your data to be erased if we process your data based on your consent and you withdraw that consent.
Right to restriction of processing: You have the right to ask for a restriction of the processing of your data if the conditions set out in Article 18 of the GDPR are met. That is the case, for example, if you dispute the accuracy of your data. You can then demand a restriction of processing for the period it takes to verify the accuracy of the data.
Right to object: You have the right to object to the processing of your data if processing is based on an overriding interest or your data is used for the purposes of direct advertising. An objection is permitted if processing is conducted in either the public interest or for the exercise of official authority, or if it is conducted for a legitimate interest of CARIAD or of a third party. If you object to the processing of your data, please notify us of the grounds for your objection. You also have the right to object to data processing for the purpose of direct marketing. The same applies to profiling, insofar as it is related to direct marketing.
Right of complaint: You also have the right to lodge a complaint about our processing of your data with a supervisory authority. The competent supervisory authority for CARIAD is:
Die Landesbeauftragte für den Datenschutz Niedersachsen, Prinzenstrasse 5, 30159 Hannover, email@example.com.
4. Contact details of our Data Protection Officer
If you have any data protection concerns, contact our Data Protection Officer:
Data Protection Officer CARIAD SE, Berliner Ring 2, Brieffach 1080/2, 38440 Wolfsburg
Version dated: April 2023
1. General information on data processing by CARIAD in cooperation with project partners
The protection of your personal data is an important concern for the companies of CARIAD SE and its affiliated companies within the meaning of §§ 15 ff. AktG (“CARIAD”) listed here. We process personal data about our project partners (e.g. owners, managers, employees, etc.) in accordance with the provisions of the European General Data Protection Regulation (GDPR) and in accordance with the legal provisions of the country in which the entity responsible for data processing is based.
In addition, the companies of CARIAD have committed themselves to a comprehensive and uniform protection of personal data through a binding Group policy on data protection.
Furthermore, the employees of CARIAD are obliged to maintain confidentiality with regard to the handling of personal data.
b) Controller under the GDPR and contact persons
The controller according to the GDPR is the company of CARIAD which processes personal data of data subjects of a project partner (e.g. executives, employees, owners, etc.) in the context of an existing or upcoming contractual or cooperation relationship with the project partner. CARIAD as part of the Volkswagen Group currently consists of the following companies (Contacts).
If you have any data protection-related questions, please contact the data protection officer/data protection coordinator at the CARIAD company with which a contractual or cooperation relationship with the specific project partner exists or is in the process of being established.
The responsible data protection officers/data protection coordinators of CARIAD can be found here (Contacts).
2. Collection and processing of personal data
a) Purpose limitation and legal basis
The CARIAD company which acts as controller under the GDPR processes your personal data in order to carry out and manage the contractual relationship existing or in the process of being established with the respective project partner. In this context, your personal data are processed within the scope of various processing activities for different purposes and on different applicable legal bases.
b) Data sources
As a rule, your personal data will be collected directly from you as a manager or an employee or an owner of one of our project partner companies within the framework of the existing or developing contractual or cooperation relationship with this project partner company.
c) Obligation to provide data
As a manager, an employee or an owner of one of our project partners, the personal data required to carry out the cooperation must be provided. Without this provision, no proper cooperation between the relevant CARIAD company and the project partner company can take place. The personal data that you, as a manager, an employee or an owner of a project partner company make available to a CARIAD company depends on the necessity in connection with the specific activity or the role of the project partner company to successfully perform with CARIAD.
d) Purpose of the processing activities
Below we provide you with an overview of the purposes of our processing activities:
Tendering of services and materials
Sending out enquiries, requesting outstanding offers, commercial review and completeness check of offers, conducting negotiations.
Order processing (material, services)
Write, place, send and track your order in the system.
Supplier and service provider support
Communication regarding the products or services, answering enquiries or requirements, bottleneck and risk management.
Turnover figures for suppliers or for item numbers.
e.g. preparation of market analyses, trade fair presence, internet presence, etc.
e.g. communication within the project team, creation and management of user accounts, assignment of delivery results
Fulfilment of statutory duties
Adherence to retention obligations, ensuring compliance requirements through audit activities (e.g. sanctions list audit, money laundering), operation of an internal control system (ICS) and other monitoring systems to ensure the regularity of business processes
The personal data processed are classified under the following data categories:
- Professional contact and (work) organisation data
- IT usage data
- Data on personal/professional circumstances & characteristics
- Creditworthiness and bank data
- Contract data
- If using CARIAD test vehicles: usage data with VIN, registration number, vehicle settings, driving behavior, navigation and position data.
The above-mentioned processing activities are legitimized by the following legal bases:
- Consent for one or more specific purposes (Art. 6(1) lit. a GDPR)
- Fulfilment of the contract or initiation of the contract directly with you as the data subject, e.g. if you are a natural person as a project partner of CARIAD (Article 6(1) lit. b GDPR)
- Fulfilment of legal obligations (Article 6(1) lit. c GDPR)
- Legitimate interests (Article 6(1) lit. f GDPR)
3. Disclosure of personal data
In certain cases, your personal data may also be disclosed to other group companies as data controllers or processors:
If the transfer of your personal data is necessary for the implementation or initiation of the contractual relationship with our project partner as your employer or you are a natural person as our project partner, e.g. project management or project fulfilment.
We disclose personal data to data processors according to Art. 28 GDPR (e.g. cloud providers, collaboration platforms).
If we are obliged to disclose your personal data to comply with national legislation, e.g. transfer to tax authorities, courts, auditors.
Data protection agreements have been concluded with all data-receiving companies of CARIAD and the Volkswagen Group to ensure a high level of data protection.
If we transfer personal data to affiliated companies or service providers outside the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the EU Commission to have an adequate level of data protection, if other appropriate and sufficient data protection guarantees (e.g. EU standard data protection clauses) are concluded or if Art 49 Par 1 GDPR allows us such a transfer.
4. Data storage and deletion
As a matter of principle, we delete your personal data as soon as they are no longer required for the above-mentioned purposes.
Your personal data will be stored as long as we are legally obliged to do so or as long as statutory limitation periods apply. This regularly results from legal obligations to provide proof and to retain data, which are regulated in Germany in the German Civil Code (BGB), the German Commercial Code (HGB), or in the German Fiscal Code (AO), among others.
In addition, storage takes place insofar as further legal or contractual storage obligations exist or CARIAD has a justified interest in storing the personal data, such as in connection with product liability.
5. Your rights
In addition to the right to information about the data concerning you and correction of your data, you also have the right to deletion as well as the right to object to the processing or the right to restrict the processing of your data, insofar as this does not conflict with any statutory regulations. Furthermore, you have the right to data portability.
If we collect and process your personal data based on your consent, you also have the right to withdraw the consent you have given with effect for the future. Your withdrawal of consent does not affect the lawfulness of the data processing carried out on the basis of the consent until the revocation.
Where necessary, we will need to verify your identity before we can process your applications.
If, despite our efforts to ensure that the data is correct and up to date, incorrect information is stored, we will correct this after being notified accordingly.
In the event of complaints, it is possible to contact a data protection supervisory authority. The relevant supervisory authority is listed with the respective CARIAD company (Contacts).
6. Automated decision making
There is no automated decision-making according to Art. 22 GDPR.