Privacy Notice

Effective as of April 22, 2026

In the context of the provision of services to BMW AG or to another company within the BMW Group, your personal data, as well as the personal data of your employees (including temporary and agency workers) and other third parties acting on your behalf (e.g., subcontractors; collectively referred to as "Data Subjects"), will be processed.

Below, you will find relevant information regarding these data processing activities.

The contracting party for a contractual service may be either BMW AG or another company within the BMW Group (hereinafter referred to as "Client," "we," or "BMW"). The contractor is a partner of BMW AG or another company within the BMW Group (hereinafter referred to as "Contractor" or "Your Employer"); this also includes subcontractors acting on behalf of a direct contractor. 

 

Who is responsible for data processing?

Within the meaning of the EU General Data Protection Regulation ("GDPR"), BMW AG, Petuelring 130, 80788 Munich, Germany (hereinafter "BMW") is responsible ("Controller") for the processing of your personal data. BMW is registered in Munich.

In the event that your personal data is processed within the IT systems of BMW in the course of contract performance, the respective client shall be regarded as the data controller.

Contact details of BMW Partner Management, BMW and BMW Group Data Privacy Protection:

  • BMW Group Partner Portal: PartnerPortal@bmw.de
  • BMW AG Group Data Privacy Protection: Datenschutz@bmw.de

 

When does BMW collect and process personal data?

BMW collects and processes your personal data, amongst others, in the following cases:

  • As part of the registration of the BMW Group Partner Portal
  • As part of the use of the BMW Group Partner Portal
  • In the context of the provision of services by the contractor, wherein the utilization of BMW IT systems is anticipated.
  • In the course of executing the respective contract of the contractor, including the initiation, execution, and completion of the respective contract.

Use of AI Systems

We utilize various IT systems that are based on artificial intelligence (AI), such as Microsoft Copilot. We may process your data, as well as the data of your employees and other authorized individuals, using AI systems.

 

What personal data can be collected about the data subjects?

The following categories of personal data can be collected:

  • Company name, postal address and supplier number of the contractor
  • Name, job title, organizational unit, telephone number and e-mail address of employees of the contractor as well as of employees of subcontractors, where applicable.
  • Online identification (user name) and password.
  • Application-related personal configuration settings and preferences.

Please help us to keep your information up to date by informing us about changes to your personal data - in particular to your contact details - or by changing this data yourself in the portal.

 

For what purposes is personal data of data subjects processed?

The personal data collected in connection with the conclusion of the contract or the performance of the commissioned service will be processed for the following purposes.

 

A. Fulfillment of the contractual obligation in the context of commissioning (Article 6 (1) (b) (f) GDPR)

When using services provided via the BMW Group Partner Portal, the above-listed personal data are collected, processed and used primarily for the purposes of authentication, authorization, process control and establishing contact within the framework of the provisions of applicable data protection laws.

The processing of master data is carried out based on Art. 6 (1) lit. b) and f) of the GDPR, provided that such collection, processing, and storage are necessary for the fulfillment of the contract between you or your employer and BMW.

The legitimate interest of BMW arises not only from the contractual relationship between your employer and BMW AG but also from BMW's TISAX certification and the associated information security requirements, which stipulate that BMW must be able to identify all individuals and their employers who utilize BMW Group IT systems. Therefore, a personal account for the affected individuals is required for any use of BMW IT systems.

Additionally, we process personal data that you enter into an IT system (including IT systems that utilize artificial intelligence) if this is necessary for the provision of services to BMW. BMW ensures that personal data of individuals is not used for training purposes of future AI models. Personal data processed by an AI system remains under the control of BMW.

 

B. Performance of legal obligations of BMW (Article 6 (1) (c) (f) GDPR)

Collected personal data is also processed to ensure the operation of IT systems. Ensuring the operation of IT systems includes, for example:

  • the backup and recovery of personal data processed in IT systems,
  • the logging and monitoring of transactions to check the functioning of IT systems,
  • the detection and prevention of unauthorized access to personal data,
  • incident and problem management for troubleshooting on IT systems.

BMW is subject to a variety of other legal obligations. In order to comply with these obligations, BMW processes your data to the required extent and, if necessary, passes these on to the responsible authorities as part of legal reporting requirements.

If required, BMW will process your data in the event of a legal dispute only if the legal dispute requires the processing of your personal data.

 

How does BMW protect your personal data?

BMW uses various security measures, including state-of-the-art encryption and authentication tools, to protect and maintain the security, integrity, and availability of personal data. 

Your personal data and the personal data of your employees and other authorized persons will be protected by state-of-the-art physical, electronic and procedural safeguards in accordance with applicable data protection laws. BMW has implemented (among others) the following measures:

  • Strict eligibility criteria for accessing personal data on a need-to-know basis and solely for the agreed purpose,
  • Transfer of personal data only in encrypted form,
  • Storage of confidential data only in encrypted form,
  • Firewall protection of IT systems against unauthorized access, e.g. by hackers, and
  • Permanent monitoring of access to IT systems to detect and prevent the potential misuse of personal data.

     
How long does BMW store your personal data?

BMW stores personal data of you, your employees and other authorized persons only for as long as required by the purpose for which BMW obtained the data. If personal data is processed for multiple purposes, the personal data will be automatically deleted or stored in a form that cannot directly be traced back to you, as soon as the last specified purpose has been fulfilled. To ensure that all personal data is deleted, BMW has developed an internal deletion concept. The fundamental principles governing the deletion of your personal data as outlined in this deletion concept are presented below.

Use to fulfill a contract

In order to comply with contractual obligations, data collected from you may be kept as long as the contract is in force and, depending on the nature and scope of the contract, for an additional 6 or 10 years to assure compliance with legally required retention periods and to clarify any inquiries or claims after the expiry of the contract.

In addition, there are contracts for the development, production or supply of products and services that require longer retention periods. Please see section "Use for consideration of claims" below.

Use for consideration of claims

Data that BMW deems necessary to assess or defend against claims made against us, or to initiate criminal proceedings or assert claims against you, us, or third parties, may be retained for as long as such proceedings could be initiated.

 

How can you view and revoke your registration online?

You can see your registration here. To revoke or delete your registration go to "My Account" and "Personal Data". There you can "Apply for deletion".

 

To whom does BMW give international access to your personal data and how does BMW protect it?

BMW is a global company. Personal data is preferably processed within the EU by BMW and service providers commissioned by us.

To the extent necessary, we will transmit your data to other companies within the BMW Group after careful review, where they will be processed by these legal entities as independent controllers. In the case of data transfer to BMW Group companies located outside the EU/EEA, such transfers will be conducted in accordance with the provisions of the GDPR regarding international data transfers.

Should data be processed in countries outside the EU, this is necessary for the execution of the contract concluded with BMW. BMW ensures, through appropriate technical and organizational measures, that personal data is processed within the portal in accordance with the European data protection standards.

For certain countries outside the EU, such as Canada and Switzerland, the EU has determined that a comparable level of data protection exists. Due to this comparable level of data protection, the transfer of data to these countries does not require special authorization or agreement.

BMW relies on a number of service providers which are processing personal data on behalf of BMW to assist in the provision of the listed services and use cases. The service providers are commissioned under the strict requirements of applicable data protection laws.

 

Contact with us, your data protection rights and your right to complain to the Data Protection Supervisory Authority

If you have any questions regarding the use of your personal data by BMW, please contact the BMW Hotline by e-mail at PartnerPortal@bmw.de.

In addition, you can contact the BMW Data Protection Officer; see the contact information above.

As a data subject, you may assert certain rights under the GDPR and other applicable data protection regulations. Under the GDPR, you, your employees, and other authorized individuals are entitled to claim the following rights as data subjects in relation to BMW:

Right of access by the data subject (Art. 15 GDPR):

You may request information about the data we hold about you at any time. This information includes, but is not limited to, the categories of data we have processed, the purposes for which we have processed this data, the origin of the data if we did not collect it from you directly, and, if applicable, the recipients to whom we have transferred your data. In general, the personal data we hold has been provided by you or an authorized administrator of your employer in the portal. 

Right to rectification (Art. 16 GDPR):

You can ask us to rectify your data. We will take reasonable measures to keep the information we hold and process about you accurate, complete, and up to date, based on the most current information available to us. As the data subject, you or another employee of your employer may also modify the data directly. You are also responsible for any necessary corrections.

Right to erasure (Art. 17 GDPR):

You can request the deletion of your data, provided there are legal requirements in place to support this. The data in the portal can be deleted by you or an authorized administrator of your employer. 

Right of restriction of processing (Art. 18 GDPR):

You can request a restriction of processing of your data under the following circumstances: if

  • you dispute the accuracy of the personal data for the period BMW needs to verify the accuracy of the personal data;
  • processing is unlawful and you reject the deletion of your personal data and instead request the restriction of its use;
  • BMW no longer needs your personal data, but you need it to assert, exercise or defend legal claims;
  • you have objected to the processing, as long as it has not yet been determined that our legitimate interests outweigh yours.

Right to data portability (Art. 20 GDPR):

Upon request from a data subject, we will transfer the relevant data (to the extent technically feasible) to another controller. However, this right is granted to you or an employee or other authorized person only if the data processing is based on the relevant consent or is necessary for the performance of a contract. Instead of receiving a copy of the respective data, you or an employee or other authorized person may also request that we transmit the data directly to another controller specified by you or an employee or other authorized person. 

Right to object (Art. 21 GDPR):

You, or an employee or other authorized person on your behalf, may object to the processing of the relevant data at any time for reasons arising from your particular situation, provided that the data processing is based on your consent or on our legitimate interests or those of a third party. In such cases, we will no longer process your data. This does not apply if we can demonstrate compelling legitimate grounds for the processing that override your interests, or if we need your data for the establishment, exercise, or defense of legal claims. 

Restriction of Information in the Fulfillment of Data Subject Rights

In certain situations, we may be unable to provide you with information regarding all data due to legal requirements. If we must deny a request for information in such a case, we will inform you or an employee or other authorized person on your behalf of the reasons for the denial at the same time.

Complaint to Supervisory Authorities

BMW takes your concerns and rights very seriously. However, if you believe that we have not adequately addressed your complaints or concerns, you have the right to file a complaint with a relevant data protection authority. This also applies to an employee or other authorized person on your behalf.