Privacy Notice
Who is responsible for data processing?

Within the meaning of the EU General Data Protection Regulation ("DGSVO") BMW AG, Petuelring 130, 80788 Munich, Germany (hereinafter "BMW") is responsible ("Controller") for the processing of your personal data. BMW is registered in Munich.

BMW is Controller related to your personal data processed via the webpage b2b.bmw.com and b2b.bmwgroup.net

 

Definitions
The client of a contractual service is BMW, the contractor is a BMW Group Partner, hereinafter referred to as the employer.

 

Contact details of BMW Partner Management, BMW and BMW Group Data Privacy Protection:
BMW Group Partner Portal                                           BMW AG Group Data Privacy Protection

PartnerPortal@bmw.de                                                 Datenschutz@bmw.de

 

When does BMW collect and process personal data?

BMW collects and processes your personal data, amongst others, in the following cases:

  • As part of the registration of the BMW Group Partner Portal
  • As part of the use of the BMW Group Partner Portal

 

Which category of data can be collected?

The following categories of personal data are collected:

  • Contact details
    Company name, postal address and supplier number of your employer
    Name, job title, organizational unit, telephone number and e-mail address
    Online identification (user name) and password
  • Application-related personal configuration settings and preferences.

Please help us to keep your information up to date by informing us about changes to your personal data - in particular to your contact details - or by changing this yourself in the portal.

 

For what purposes is your personal data processed?

The personal data is collected in connection with the conclusion of the contract or the performance of the commissioned service. Collected personal data is processed for the following purposes.

 

A. Fulfillment of the contractual obligation in the context of commissioning (Article 6 (1) (b) (f) GDPR)

When using services provided via the BMW Group Partner Portal, the above-listed personal data are collected, processed and used primarily for the purposes of authentication, authorization, process control and establishing contact within the framework of the provisions of applicable data protection laws.

 

The master data of a sub-supplier is processed on the basis of Article 6 EU GDPR (1) lit f), provided that this collection, processing and storage serves to fulfill the contract between BMW Group and BMW's direct contractor. 
The sub-supplier registers and applies for a BMW Group supplier number on behalf of BMW's immediate contractor.
BMW's legitimate interest results from BMW's TISAX certification and the associated information security requirements, which state that BMW must be able to identify all people and companies that use BMW Group IT systems. 
 

B. Performance of legal obligations of BMW (Article 6 (1) (c) (f) GDPR)

Collected personal data is also processed to ensure the operation of IT systems. To ensure the operating of IT systems means e.g.:

  • the backup and recovery of personal data processed in IT systems,
  • the logging and monitoring of transactions to check the functioning of IT systems,
  • the detection and prevention of unauthorized access to personal data
  • Incident and problem management for troubleshooting on IT systems.

BMW is subject to a variety of other legal obligations. In order to comply with these obligations, BMW process your data to the required extent and, if necessary, pass these on to the responsible authorities as part of legal reporting requirements.

If required, BMW will process your data in the event of a legal dispute only if the legal dispute requires the processing of your personal data.

 

C. Data transfer within the BMW Group

BMW is part of the BMW Group. If it is necessary for the use of the B2B portal BMW will, after a careful review and only to the extent necessary, transfer your personal data to other BMW Group companies. If so, the respective BMW Group Company handles this personal data as personal responsible Processor.

 

D. How does BMW protect your personal data?

BMW uses various security measures, including state-of-the-art encryption and authentication tools, to protect and maintain the security, integrity, and availability of your personal data. It is protected by state-of-the-art physical, electronic and procedural safeguards in accordance with applicable privacy laws. BMW has implemented (among others) the following measures:

  • Strict eligibility criteria for accessing your personal data on a need-to-know basis and for the sole purpose,
  • Transfer of personal data only in encrypted form,
  • Storage of confidential data only in encrypted form,
  • Firewall protection of IT systems for protection against unauthorized access, e.g. by hackers and
  • Permanent monitoring of access to IT systems to detect and prevent the misuse of personal data.

 

How long does BMW store your personal data?

BMW does store your personal data only as long as the relevant purpose requires it. If personal data is processed for multiple purposes, the personal data will be automatically deleted or stored in a form that cannot directly be traced back to you, as soon as the last specified purpose has been fulfilled. To ensure that all your personal data is deleted, BMW has developed an internal deletion concept. The basic principles are shown below.

 

Use to fulfill a contract

In order to comply with contractual obligations, data collected from you may be kept as long as the contract is in force and, depending on the nature and scope of the contract, for additional 6 or 10 years to assure compliance with legally required retention periods and to clarify any inquiries or claims after the expiry of the contract.

In addition, there are contracts for the development, production or supply of products and services that require longer retention periods. Please see section "Use for consideration of claims" below.

 

Use for consideration of claims

Any information BMW deems necessary to investigate, defend, or prosecute you, us, or any third party, or make any claims, may be retained by us for as long as any such action could be brought.

 

To whom does BMW give international access to your personal data and how does BMW protect it?

BMW is a company with an international presence. Personal data is preferably processed within the EU by BMW employees, national sales companies, authorized dealers, and service providers commissioned by us.

BMW will transfer your personal data to countries outside the EU only if it is necessary to fulfill the contractual obligations. BMW uses appropriate technical and organizational measures to ensure that your personal data is processed within the portal in accordance with the European data protection standard.

For certain countries outside the EU, such as Canada and Switzerland, the EU has already determined a comparable level of data protection. Given the comparable level of data protection, data transmission to these countries does not require any special approval or agreement.

BMW relies on a number of service providers which are processing personal data on behalf of BMW AG to assist in the provision of the listed services and use cases. The service providers are commissioned under the strict requirements of applicable data protection laws.

 

How can you view and revoke your registration online?

You can see your registration here . To revoke or delete your registration go to "My Account" and "Personal Data". There you can "Apply for deletion".

 

Contact us, your privacy rights and your right to complain to the Data Protection Authority

If you have any questions regarding the use of your personal data by BMW, please contact the BMW Hotline - by e-mail at PartnerPortal@bmw.de.

In addition, you can contact the responsible data protection officer. Address see above.

As an individual whose data is subject to processing, you may assert certain rights against us in accordance with the GDPR and other relevant data protection regulations. The following section contains explanations of your rights under the GDPR.

 

Rights of affected persons

In accordance with the GDPR, you, as an affected person, are entitled to the following rights in particular:

 

Right of access by the data subject (Art. 15 GDPR):

You may request information about the data we hold about you at any time. This information includes, but is not limited to, the categories of data we have processed, the purposes for which we have processed this data, the origin of the data if we did not collect it from you directly, and, if applicable, the recipients to whom we have transferred your data. You can request a copy of your data free of charge. If you are interested in obtaining additional copies, we reserve the right to charge you accordingly.

 

Right to rectification (Art. 16 GDPR):

You can ask us to rectify your data. We will take reasonable measures to keep the information we hold and process about you accurate, complete, and up to date, based on the most current information available to us.

 

Right to erasure (Art. 17 GDPR):

You can request the deletion of your data, provided there are legal requirements in place to support this. This may be the case under Art. 17 GDPR.

 

Right of limitation of processing (Art. 18 GDPR):

You can request a limitation of processing of your data.

  •  you deny the accuracy of the personal data for the period BMW needs to verify the accuracy of the personal data;
  • the processing is unlawful and you refuse the deletion of your personal data and instead demand the restriction of use;
  • BMW no longer needs your personal data, but you do need it to enforce, exercise or defend your rights;
  • You have objected to the processing, as long as it is not certain that BMW legitimate reasons outweigh yours

 

Right to data portability (Art. 20 GDPR):

At your request, BMW can transfer your personal data to another person in charge as far as technically possible. However, you are entitled to this right only if the data processing is based on your consent or is necessary to execute a contract. Rather than receive a copy of your personal data, you may also ask BMW to transfer the personal data directly to another person in charge specified by you

 

Right to object (Art. 21 GDPR):

You may object to the processing of your personal data at any time for reasons that arise from your particular situation, if the personal data processing is based on your consent or on our legitimate interests or those of a third party. In this case, BMW will no longer process your personal data. The latter does not apply if BMW can provide compelling legitimate reasons for the processing that outweigh your interests or BMW needs your personal data to enforce, exercise, or defend legal claims.