Data Protection Notice for our electric cars

We, SAIC Motor Europe BV, provide modern electric cars with a smart entertainment system which can be connected to your mobile phone via our app “ISMART”.

In connection with the provision of the smart entertainment system and the app, we process personal data.

The protection of personal data is important to us. We process personal data only in accordance with the applicable data protection requirements, in particular the General Data Protection Regulation (GDPR).

In Section A of this Data Protection Notice we provide you with information about the controller responsible for the processing of your personal data and the controller’s data protection officer.

In Section B you will find information about the processing of your personal data.

In Section C you will also find information on your rights regarding the processing of your personal data.

The technical terms relating to data protection used in this Data Protection Notice have the meaning used in the General Data Protection Regulation. You will find more detailed information about this in Section D.

TABLE OF CONTENTS

  A. Information on the controller
    I. Identity and contact details of the controller
    II. Contact details of the controller’s data protection officer
  B. Information on the processing of personal data
    I. Use of the ISMART account on the mobile phone and on the Audio Visual Navigation (AVN), including use of remote control functions of the car via ISMART
    II. Use of the Navigation System on the Audio Visual and Navigation System (AVN)
    III. Use of Voice Recognition
    IV. Use of third-party apps on our Audio Visual and Navigation (AVN) System
  C. Information on the rights of data subjects
    I. Right of access
    II. Right to rectification
    III. Right to erasure (“right to be forgotten”)
    IV. Right to restriction of processing
    V. Right to data portability
    VI. Right to object
    VII. Right to withdraw consent
    VIII. Right to lodge a complaint with a supervisory authority
  D. Information about the technical terms of the General Data Protection Regulation used in this Data Protection Notice
  E. Effective date of and changes to this Data Protection Notice



A. Information on the controller

  I. Identity and contact details of the controller

    SAIC Motor Europe BV

    Oval Tower, 15th floor

    De Entree 159

    1101 HE Amsterdam

    dpo@mgmotor.eu

    Tel.: +31 (0) 202255401

  II. Contact details of the controller’s data protection officer

    SAIC Motor Europe BV

    Oval Tower, 15th floor

    De Entree 159

    1101 HE Amsterdam

    dpo@mgmotor.eu


B. Information on the processing of personal data

We wish to provide you with the best experience when you use our cars. Therefore, we offer you the ISMART app and have equipped the cars with a well-designed system. In our cars there are two devices which communicate with and can be controlled by the ISMART app: the Audio Visual Navigation (“AVN”) and the Telematic Box (“TBOX”). All communication between the devices and the app runs via our Telematics Service Platform (“TSP Backend”). The AVN provides you with infotainment applications, such as the navigation or the message centre. The TBOX is responsible for providing network access for the vehicle and uploading data to the TSP Backend. For certain functions the AVN communicates directly with and transfers personal data to third parties (e.g. Amazon). For the provision of the functions outlined in this Data Privacy Information we process your personal data and want to inform you of the details of the processing. However, you can use our cars without using the online functionalities of the ISMART system that require the processing of personal data. When you use the AVN for the first time and when you download the app, we will ask you if you want to enable all functionalities of the ISMART system, including those that require the processing of personal data. You can turn on and off individual functionalities of the AVN that require the processing of personal data.

  I. Use of the ISMART account on the mobile phone and on the Audio Visual Navigation (AVN), including use of remote control functions of the car via ISMART

    In connection with our electric cars we provide our app “ISMART” to view and remote control certain functions of the car and to send information, such as navigation destinations or Points of Interest (POIs), to the car. In order to use these functions, the car needs to be bound to the ISMART account. In this context, we process personal data for the following purposes:

    • Creation and provision of an ISMART account in order to remote control your vehicle and view the vehicle status remotely
    • Provision of the function to bind and unbind your vehicle to your account
    • Provision of the function to check and control the vehicle state
    • Provision of the Find My Car function
    • Provision of the Charging Management function
    • Provision of the Rescue Call function
    • Provision of the message centre
    • Provision of the Feedback function
    • Processing your feedback
    • Provision of the My Calendar function
    • Provision of energy consumption function
    • Provision of digital key function

    You receive more detailed information on this below:

1. Details on personal data which are processed

Categories of personal data processed

Personal data included in the categories

Sources of the data

Obligation of the data subject to provide the data

Storage duration

Protocol Data

Protocol data which accrue for technical reasons when using our app to access content from our server:

The data which accrues during such access is defined by the network protocol for the transmission of information between your device and the server of our app.

These include IP address, type and version of the mobile operating system used, the content accessed and date and time of access.

User of the app

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, our App cannot access content from our server.

Data are stored in server log files in a form allowing the identification of the data subject for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.

Registration Data

Data that you provide when registering your account for our app:

These include the following mandatory information: name, address, email address, password.

Additionally, these include the following optional information: gender, date of birth

User of the app

Provision of the information marked as mandatory during the registration process is a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the mandatory information is not provided, a registration and the creation of a user account is not possible.

We process your data no longer than is necessary for the purposes for which the personal data are processed. At the most, the data is stored until the user deletes the ISMART account.

Login Data

Data that you provide when logging into your account:

This includes: mobile phone number, email address and password. When logging into your account with your vehicle, this also includes a unique identifier stored in a QR code.

User of the app

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, you cannot log into your account.

We process your data no longer than is necessary for the purposes for which the personal data are processed. At the most, the data is stored until the user deletes the ISMART account.

Additional Account Data

Data that you can add to your account, e.g. security code, alarm settings, emergency contact, favourite places and radio stations and records of travel plans.

User of the app

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, certain functions may not work properly such as searching from the favourites list on the AVN.

We process your data no longer than is necessary for the purposes for which the personal data are processed. At the most, the data is stored until the user deletes the ISMART account.

Basic Vehicle Data

Basic information on your vehicle that is automatically obtained from your vehicle and viewable in the app:

This includes VIN number, engine number, brand name, model name, gearbox model, colour, TBOX serial number, AVN serial number.

User of the vehicle

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, the data cannot be viewed via the app.

We process your data no longer than is necessary for the purposes for which the personal data are processed. At the most, the data is stored until the user deletes the ISMART account.

Vehicle Status Data

Information on the current status of your vehicle that is automatically obtained from your vehicle and viewable and, where possible, changeable in the app:

This includes data on remaining gas/power, remaining mileage, tire pressure, battery voltage, engine status, EPS Status, handbrake status, temperature, window/ skylight status, door status, engine status, clutch status, illegal unlock status, impact sensor status.

User of the vehicle

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, the data cannot be viewed via the app and remote control functions via the app are not available.

We process your data no longer than is necessary for the purposes for which the personal data are processed. At the most, the data is stored until the user deletes the ISMART account.

Location Data

Data on the location of your vehicle as well as your mobile phone:

This includes vehicle GPS location and mobile phone GPS location.

User of the vehicle/app

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, certain functions, such as the Find My Car function, are not available.

We process the location data of your phone only temporarily when you use the check and control the vehicle state or Find my car function.

Battery Data

Data on the status of the battery of your vehicle:

This includes remaining power, remaining charging time, charging current, charging voltage, remaining mileage

User of the vehicle

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, the data cannot be viewed via the app.

We process your data no longer than is necessary for the purposes for which the personal data are processed. At the most, the data is stored until the user deletes the ISMART account.

Message Data

Data in messages which we deliver to the inbox in your vehicle and the app:

This includes important messages such as alarms, operation information and news.

Generated by us

-

We process your data no longer than is necessary for the purposes for which the personal data are processed. At the most, the data is stored until the user deletes the ISMART account.

Feedback Data

Data that you provide to us when using the feedback function:

This includes the content of your feedback.

User of the app

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot respond to your feedback.

We process your data no longer than is necessary for the purposes for which the personal data are processed. At the most, the data is stored until the user deletes the ISMART account.

Calendar Data

Data that you provide to us when enabling the synchronisation of your calendar with our app:

This includes date and time of appointment, anniversary or commemoration day.

This also includes information that you provide in our app, such as theme, remarks, remind time and remind date.

User of the app

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot send you a reminder when the anniversary day arrives.

We process your data no longer than is necessary for the purposes for which the personal data are processed. At the most, the data is stored until the user deletes the ISMART account.

Bluetooth mac address

Data to activate the digital key function and generate the digital key control ID.

User of the app

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, you cannot use the digital key function.

We process your data no longer than is necessary for the purposes for which the personal data are processed. At the most, the data is stored until the user deletes the ISMART account.

Digital key control ID

Data to identify you when you request the unlocking of your vehicle.

Generated by us

-

We process your data no longer than is necessary for the purposes for which the personal data are processed. At the most, the data is stored until the user deletes the ISMART account.

Advertising Management Data

Information regarding consents you gave for advertisement purposes as well as information regarding your potential objections to advertisements:

These include date and time of the consent, the IP address of the device used to give consent, date and time of any withdrawal of consent or of an objection against the processing of personal data for advertisement purposes.

User of the vehicle/app

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot process your consents to and/or objections regarding advertisements.

We process your data no longer than is necessary for the purposes for which the personal data are processed. At the most, the data is stored until the user deletes the ISMART account.

Additionally this includes documentation on the information we provided to you on a consent and/or on advertisement we carry out without your consent.

Generated by us

-

2. Details on the processing of personal data

Purpose of the processing of personal data

Categories of personal data processed

Automated decision-making

Legal basis and, where applicable, legitimate interests

Recipient

Creation and provision of an ISMART account in order to remote control your vehicle and view the vehicle status remotely:

After the initial registration of your account, you may store additional data in your account. This includes the optional storage of contact information, addresses and settings, such as language settings.

This also includes the function to login and logout from the app.

Registration Data

Login Data

Additional Account Data

No automated decision-making takes place

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract).

Developer

Provision of the function to bind and unbind your vehicle to your account:

In order to remote control your vehicle and view the vehicle status remotely via our app, it is necessary to bind your vehicle to your account. To bind your vehicle to your account, you need to scan the QR code displayed on the AVN with the app.

This also includes the binding relationship management, which enables you to view information on your vehicle that is automatically obtained from your vehicle:

This includes VIN number, engine number, brand name, model name, gearbox model, colour, TBOX serial number, AVN serial number.

Registration Data

Login Data

Basic Vehicle Data

No automated decision-making takes place

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract).

Developer

Provision of the function to check and control the vehicle state:

With our app you can check the vehicle status. This enables you to ensure that the vehicle is secure to drive or securely locked when in a parking position.

This function also enables you to control the vehicle state remotely, such as locking or unlocking the vehicle or changing the temperature of the AC or the seat heating.

In particular, it also allows you to check the energy consumption on your phone by reviewing the mileage, cumulative power consumption, average speed and travel time.

In order to provide these functions remotely (i.e. without a connection between your mobile phone and your car), the relevant Vehicle Status Data are exchanged between your mobile phone and our servers as well as between your car and our servers via the internet.

This function also enables you to set vehicle alarms and receive alerts in our app. This includes low battery alerts, security alerts, geo-fence alerts, speed alerts, engine start alerts or alerts when there is anything abnormal about your vehicle.

Protocol Data

Registration Data

Login Data

Vehicle Status Data

Location Data

No automated decision-making takes place

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract).

Developer

Map SDK provider

Provision of the Find My Car function:

When using the Find My Car function we will use your mobile phone GPS location as well as your vehicle's GPS location in order to show you the shortest way on foot to your car. These GPS locations are only retrieved from your mobile phone and your vehicle once you access the Find My Car function in the app.

After providing the security code the honking/lighting function will be unlocked to help you find your car in the dark.

Protocol Data

Registration Data

Login Data

Location Data

Additional Account Data

Vehicle Status Data

No automated decision-making takes place

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract).

Developer

Map SDK provider

Provision of the Charging Management function:

This function enables you to see the current battery and charging status. You may also schedule the charging times by connecting the charging connector via Bluetooth. Moreover, you may set a charging target.

Protocol Data

Registration Data

Login Data

Battery Data

Location Data

No automated decision-making takes place

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract).

Developer

Maps SDK

Provision of the Rescue Call function:

This function enables you to quickly set off a rescue call to the number saved on your account. We determine the relevant rescue number for you according to the country selected when you first bound your vehicle to the app.

Protocol Data

Registration Data

Login Data

Additional Account Data

No automated decision-making takes place

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract).

Developer

Provision of the message centre:

We provide you with important messages such as alerts, operation information and news (including advertisements about MG service). These messages are accessible via the inbox functions in the app and in the AVN.

Protocol Data

Message Data

Login Data

Additional Account Data

Vehicle Status Data

Advertising Management Data

No automated decision-making takes place

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract).

Developer

Provision of the Feedback function:

With the Feedback function in the app you can provide feedback to us, such as on errors or suggestions for further improvements.

Protocol Data

Registration Data

Login Data

Feedback Data

No automated decision-making takes place

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is to obtain feedback on our service in order to improve our services.

Developer

Processing your feedback:

We will process your feedback to improve our services.

Feedback Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is to process your feedback in order to improve our services.

Developer

Provision of My Calendar function:

Subject to your consent, this function allows us to synchronize your calendar on your mobile phone with our app, so we can send you reminders for appointments, anniversaries or commemoration days.

This function allows you to set a theme, remind date, remind time and make a remark for your anniversary.

Protocol Data

Registration Data

Login Data

Calendar Data

No automated decision-making takes place

Art. 6 (1) (a) GDPR (consent) and Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract).

Developer

Provision of energy consumption function:

This function allows the user to see the energy consumption statistics, including mileage, cumulative power consumption, average speed and travel time.

Protocol Data

Registration Data

Login Data

No automated decision-making takes place

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract).

Developer

Provision of digital key function:

This function allows you to unlock and start the vehicle with your app instead of the key.

Bluetooth mac address

Digital key control ID

No automated decision-making takes place

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract).

Developer

3. Details on the recipients of personal data and the transfer of personal data to third countries and/or international organisations

Recipient: Developer (SAIC overseas intelligent mobility technology CO. Ltd, 7th Floor, Intelligent Connected New Energy Vehicle Innovation Incubator, No.36 South YuTian Rd. JiaDing District, Shanghai, P.R.China)

Recipient’s role: Processor

Transfer to third countries and/or international organisations: China

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations: There is no adequacy decision of the European Commission for the third country concerned. Transfers to the third country concerned take place on the basis of standard contractual clauses of the European Commission for the transfer of personal data to processors in third countries. The European Commission's decision on standard contractual clauses can be obtained here: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32004D0915. A copy of the standard contractual clauses can be obtained from our Data Protection Officer (Section A.II.).

Recipient: Map SDK provider (HERE Europe B.V., Kennedyplein 222, 5611 ZT Eindhoven, Netherlands)

Recipient’s role: Controller

Transfer to third countries and/or international organisations: -

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations: -

II. Use of the Navigation System on the Audio Visual and Navigation System (AVN)

Through our audio visual and navigation system (AVN) you have the possibility to use a navigation system. The basic functions are available without an internet connection and without us or our service providers processing any of your personal data when you use these functions. This includes, in particular, the search for a specific location or points of interest in the area, calculation of routes, the navigation function and the battery range function. Certain other functions, such as considering real time traffic data for finding the best route, require an internet connection. When you use the online navigation system, we process your personal data for the following purposes:

  • Provision of information on real time traffic
  • Provision of online search function

If you are using our navigation system via voice recognition, please also view the chapter on voice recognition (-> Section B.III).

You receive more detailed information on this below:

1. Details on personal data which are processed

Categories of personal data processed

Personal data included in the categories

Sources of the data

Obligation of the data subject to provide the data

Storage duration

Protocol Data

Protocol data which accrue for technical reasons when an internet connection is established between your vehicle and our servers:

The data which accrues during such access is defined by the network protocol for the transmission of information between your vehicle and our servers.

These include IP address, HTTPS protocol (to secure Telenav Cloud) and API-key (to make sure only SAIC vehicles can connect to Telenav cloud).

User of navigation system

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, cloud-based navigation functions cannot be provided.

Data are stored in server log files in a form allowing the identification of the data subject for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.

Location Data

GPS location of your vehicle

Navigation data sent to the Map SDK provider when the user uses the functions for searching a location, online navigation and real-time traffic.

User of navigation system

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, cloud-based navigation functions cannot be provided.

We process your data no longer than is necessary for the purposes for which the personal data are processed. At the most, the data is stored for one year.

Search Function Data

Data that you enter in the search function of our navigation system:

These include all data entered as search terms, selected from the recent destination list, from the favourites list, from labels provided by you, such as home or work addresses or from Point of Interest categories, or via voice command. If you are using voice command please also view the chapter on voice recognition (-> Section B.III).

User of navigation system

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, cloud-based search cannot be provided.

We process your data no longer than is necessary for the purposes for which the personal data are processed. Your home address is stored until you delete it in the AVN. All other data is stored for a maximum period of one year.

Recent Locations

Data selected in the search function as destination.

User of navigation system

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, cloud-based navigation cannot be provided.

We process your data no longer than is necessary for the purposes for which the personal data are processed. At the most, the data is stored for one year.

2. Details on the processing of personal data

Purpose of the processing of personal data

Categories of personal data processed

Automated decision-making

Legal basis and, where applicable, legitimate interests

Recipient

Provision of our navigation function with real time traffic data:

A basic navigation function is available without an internet connection.

For an enhanced navigation, the route is calculated on our server, considering real time traffic data. For this purpose, data on your location and your destination are temporarily processed on our server. We process information on your location regularly to provide convenient navigation services (e.g. calculate in the background if better routes are available, check traffic events nearby, etc.).

Protocol Data

Location Data

Recent Locations

No automated decision-making takes place.

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract).

Map SDK provider

Developer

Provision of our online search function:

For this purpose, data that you enter into our search functions is temporarily processed on our server.

When logged into your ISMART account in your car, you can also view and select addresses, Points of Interest (e.g. gas stations, food and beverage stores and hotels) etc. which you added to your account via the app.

Moreover, you can search for nearby charging stations and check their availability.

Protocol Data

Search Function Data

Location Data

For viewing and selecting data stored in your ISMART account:

Registration Data ( Section B.I.1)

Login Data ( Section B.I.1)

Additional Account Data ( Section B.I.1)

No automated decision-making takes place.

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract).

Map SDK provider

Developer

3. Details on the recipients of personal data and the transfer of personal data to third countries and/or international organisations

Recipient: Developer (SAIC overseas intelligent mobility technology CO. Ltd, 7th Floor, Intelligent Connected New Energy Vehicle Innovation Incubator, No.36 South YuTian Rd. JiaDing District, Shanghai, P.R.China)

Recipient’s role: Processor

Transfer to third countries and/or international organisations: China

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations: There is no adequacy decision of the European Commission for the third country concerned. Transfers to the third country concerned take place on the basis of standard contractual clauses of the European Commission for the transfer of personal data to processors in third countries. The European Commission's decision on standard contractual clauses can be obtained here: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32004D0915. A copy of the standard contractual clauses can be obtained from our Data Protection Officer (Section A.II.).

Recipient: Map SDK provider (HERE Europe B.V., Kennedyplein 222, 5611 ZT Eindhoven, Netherlands)

Recipient’s role: Controller

Transfer to third countries and/or international organisations: -

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations: -

III. Use of Voice Recognition

It is possible to navigate through our audio visual and navigation (AVN) system by using voice recognition. The voice recognition function enables you to operate certain functions on the AVN using only your voice. It can be used for several different functions, such as navigation: setting a new destination, zooming in or out of the map or cancelling the route are only some examples of voice commands. Voice recognition may also be used for switching to the next song in the music app. When using the voice recognition function, your voice commands are converted into machine-readable commands by our voice recognition provider.

You receive more detailed information on this below:

1. Details on personal data which are processed

Categories of personal data processed: Protocol Data

Personal data included in the categories:

Protocol data which accrue for technical reasons when an internet connection is established between your vehicle and our servers:

The data which accrues during such access is defined by the network protocol for the transmission of information between your vehicle and our servers.

Sources of the data: User of voice recognition

Obligation of the data subject to provide the data:

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot provide the voice recognition function.

Storage duration:

Data are stored in server log files in a form allowing the identification of the data subject for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.

Categories of personal data processed: Voice Command Data

Personal data included in the categories:

Data that you provide via voice command:

This includes the content of your voice commands, i.e. your voice, which is recorded after activating the voice recognition function (by saying “Hello MG” or by pressing the Voice Recognition button on the steering wheel) until the voice recognition function is deactivated.

(This does not include your voice before activating voice recognition or when activating voice recognition by saying “Hello MG”: Recognizing the phrase “Hello MG” is performed offline by your vehicle.)

Sources of the data: User of voice recognition

Obligation of the data subject to provide the data:

Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot provide the voice recognition function.

Storage duration:

We process your data no longer than is necessary for the purposes for which the personal data are processed. At the most, the data is stored for three years.

Personal data included in the categories:

Machine-readable data generated from your voice commands:

This includes all commands which our voice recognition provider was able to identify from the recorded voice, such as destination addresses for the navigation system or commands for the music player.

Sources of the data: Generated by us

Obligation of the data subject to provide the data: -

2. Details on the processing of personal data

Purpose of the processing of personal data:

Provision of the Voice Recognition function:

After activating the voice recognition function (by saying “Hello MG” or by pressing the Voice Recognition button on the steering wheel), your vehicle records your voice until the voice recognition function is deactivated. The record of your voice is then transmitted to our voice recognition provider in order to generate machine-readable commands from your voice commands.

These machine-readable commands can then be used by the audio visual and navigation (AVN) system in your vehicle for various functions, such as setting a destination address for the navigation system or adjusting the music player.

Voice records are not transmitted to us or our voice recognition provider before or for activating voice recognition. Activating voice recognition by saying “Hello MG” (i.e. recognizing the phrase “Hello MG” as an activation command) is performed offline by your vehicle.

Categories of personal data processed:

Protocol Data

Voice Command Data

Automated decision-making: No automated decision-making takes place.

Legal basis and, where applicable, legitimate interests: Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract).

Recipient:

Voice Recognition Provider

Developer

3. Details on the recipients of personal data and the transfer of personal data to third countries and/or international organisations

Recipient: Developer

SAIC overseas intelligent mobility technology CO. Ltd

7th Floor, Intelligent Connected New Energy Vehicle Innovation Incubator, No.36 South YuTian Rd. JiaDing District, Shanghai, P.R.China

Recipient’s role: Processor

Transfer to third countries and/or international organisations: China

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations:

There is no adequacy decision of the European Commission for the third country concerned.

Transfers to the third country concerned take place on the basis of standard contractual clauses of the European Commission for the transfer of personal data to processors in third countries.

The European Commission's decision on standard contractual clauses can be obtained here: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32004D0915.

A copy of the standard contractual clauses can be obtained from our Data Protection Officer (Section A.II.).

IV. Use of third-party apps on our Audio Visual and Navigation (AVN) System

The audio visual and navigation (AVN) system provides the possibility to use third-party apps, such as Amazon Music. With these apps you can use functions offered by third-party providers under their own responsibility. The relevant app is not activated by default but first needs to be activated by you in the relevant settings. Once the respective app is activated, the provider of the respective app may receive personal data from you. We do not have any knowledge about the personal data the provider actually obtains. We also do not have any knowledge about specific purposes of the processing of data collected by the provider of the relevant third-party app or about any further details of the data processing of the relevant provider. In particular, we also do not know whether the relevant provider only processes the data collected to provide the function of the relevant plug-in (e.g. to stream music) or, beyond this, for any other purposes (e.g. to create usage profiles or to personalise advertising).

If you are using our AVN via voice recognition, please also view the chapter on voice recognition (Section B.III).

You receive more detailed information on this below:

1. Third-party provider apps embedded in the AVN

The following third-party provider apps are embedded in our AVN:

App: Amazon Music App

Third-party provider: It depends on your country of residence which entity provides the Amazon Music App to you: Amazon.com Services LLC, Amazon.com.ca, Inc., Amazon Digital UK Ltd, Amazon Digital Germany GmbH, Amazon.com Sales, Inc., Amazon Seller Services Private Limited, Amazon Australia Services Inc., Amazon Commercial Services Pty Ltd, Servicios Comerciales Amazon México, S. de R.L. de C.V., Amazon Serviços de Varejo do Brasil Ltda., or one of their affiliates.

Further information of the provider of the app: https://www.amazon.de/-/en/gp/...

App: Weather App

Third-party provider: AccuWeather, Inc.

Further information of the provider of the app: https://www.accuweather.com/de/privacy

2. Potential data transfers to third countries without an appropriate level of protection

It is possible that when you use a third-party app, personal data may be transferred to third countries for which there is no so-called adequacy decision of the European Commission and for which no suitable guarantees are provided. In this respect, there is a risk that there is no adequate level of protection for the personal data transferred. This means that your personal data processed by the third-party provider may not be subject to a level of protection comparable to the GDPR. In particular, this means that the principles for the processing of personal data set out in Art. 5 GDPR may not be complied with. In addition, you may not have enforceable rights and effective remedies with respect to the processing of personal data. By activating the respective third-party app, you accept these possible risks on your own responsibility.

C. Information on the rights of data subjects

As a data subject, you have the following rights with regard to the processing of your personal data:

  • Right of access (Article 15 of the General Data Protection Regulation)
  • Right to rectification (Article 16 of the General Data Protection Regulation)
  • Right to erasure (“right to be forgotten”) (Article 17 of the General Data Protection Regulation)
  • Right to restriction of processing (Article 18 of the General Data Protection Regulation)
  • Right to data portability (Article 20 of the General Data Protection Regulation)
  • Right to object (Article 21 of the General Data Protection Regulation)
  • Right to withdraw consent (Article 7 paragraph 3 of the General Data Protection Regulation)
  • Right to lodge a complaint with a supervisory authority (Article 77 of the General Data Protection Regulation)

You may contact us for the purpose of exercising your rights using the contact information in Section A.

Where applicable, you find information on any specific modalities and mechanisms which facilitate the exercise of your rights, in particular the exercise of your rights to data portability and to object, in the information on the processing of personal data in Section B of this Data Protection Notice.

Below you find more detailed information on your rights with regard to the processing of your personal data:

I. Right of access

As a data subject, you have a right to obtain access and information under the conditions provided in Article 15 of the General Data Protection Regulation.

This means in particular that you have the right to obtain confirmation from us as to whether we are processing your personal data. If so, you also have the right to obtain access to the personal data and the information listed in Article 15 paragraph 1 of the General Data Protection Regulation. This includes information regarding the purposes of the processing, the categories of personal data that are being processed and the recipients or categories of recipients to whom the personal data have been or will be disclosed (Article 15 paragraph 1 points (a), (b) and (c) of the General Data Protection Regulation).

You can find the full extent of your right to access and information in Article 15 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

II. Right to rectification

As a data subject, you have the right to rectification under the conditions provided in Article 16 of the General Data Protection Regulation.

This means in particular that you have the right to receive from us without undue delay the rectification of inaccuracies in your personal data and completion of incomplete personal data.

You can find the full extent of your right to rectification in Article 16 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

III. Right to erasure (“right to be forgotten”)

As a data subject, you have a right to erasure (“right to be forgotten”) under the conditions provided in Article 17 of the General Data Protection Regulation.

This means that you have the right to obtain from us the erasure of your personal data and we are obliged to erase your personal data without undue delay when one of the reasons listed in Article 17 paragraph 1 of the General Data Protection Regulation applies. This can be the case, for example, if personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (Article 17 paragraph 1 point (a) of the General Data Protection Regulation).

If we have made the personal data public and are obliged to erase it, we are also obliged, taking account of available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of those personal data (Article 17 paragraph 2 of the General Data Protection Regulation).

The right to erasure (“right to be forgotten”) does not apply if the processing is necessary for one of the reasons listed in Article 17 paragraph 3 of the General Data Protection Regulation. This can be the case, for example, if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims (Article 17 paragraph 3 points (b) and (e) of the General Data Protection Regulation).

You can find the full extent of your right to erasure (“right to be forgotten”) in Article 17 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

IV. Right to restriction of processing

As a data subject, you have a right to restriction of processing under the conditions provided in Article 18 of the General Data Protection Regulation.

This means that you have the right to obtain from us the restriction of processing if one of the conditions provided in Article 18 paragraph 1 of the General Data Protection Regulation applies. This can be the case, for example, if you contest the accuracy of the personal data. In such a case, the restriction of processing lasts for a period that enables us to verify the accuracy of the personal data (Article 18 paragraph 1 point (a) of the General Data Protection Regulation).

Restriction means that stored personal data are marked with the goal of restricting their future processing (Article 4 paragraph 3 of the General Data Protection Regulation).

You can find the full extent of your right to restriction of processing in Article 18 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

V. Right to data portability

As a data subject, you have a right to data portability under the conditions provided in Article 20 of the General Data Protection Regulation.

This means that you generally have the right to receive the personal data which you have provided to us in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from us if the processing is based on consent pursuant to Article 6 paragraph 1 point (a) or Article 9 paragraph 2 point (a) of the General Data Protection Regulation or on a contract pursuant to Article 6 paragraph 1 point (b) of the General Data Protection Regulation and the processing is carried out by automated means (Article 20 paragraph 1 of the General Data Protection Regulation).

You can find information as to whether an instance of processing is based on consent pursuant to Article 6 paragraph 1 point (a) or Article 9 paragraph 2 point (a) of the General Data Protection Regulation or on a contract pursuant to Article 6 paragraph 1 point (b) of the General Data Protection Regulation in the information regarding the legal basis of processing in Section B of this Data Protection Notice.

In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller if technically feasible (Article 20 paragraph 2 of the General Data Protection Regulation).

You can find the full extent of your right to data portability in Article 20 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

VI. Right to object

As a data subject, you have a right to object under the conditions provided in Article 21 of the General Data Protection Regulation.

At the latest in our first communication with you, we expressly inform you of your right, as a data subject, to object.

More detailed information on this is given below:

1. Right to object on grounds relating to the particular situation of the data subject

As a data subject, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Article 6 paragraph 1 point (e) or (f), including profiling based on those provisions.

You can find information as to whether an instance of processing is based on Article 6 paragraph 1 point (e) or (f) of the General Data Protection Regulation in the information regarding the legal basis of processing in Section B of this Data Protection Notice.

In the event of an objection relating to your particular situation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

You can find the full extent of your right to objection in Article 21 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

2. Right to object to direct marketing

Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

You can find information as to whether and to what extent personal data are processed for direct marketing purposes in the information regarding the legal basis of processing in Section B of this Data Protection Notice.

If you object to processing for direct marketing purposes, we no longer process your personal data for these purposes.

You can find the full extent of your right to objection in Article 21 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

VII. Right to withdraw consent

Where an instance of processing is based on consent pursuant to Article 6 paragraph 1 point (a) or Article 9 paragraph 2 point (a) of the General Data Protection Regulation, as a data subject, you have the right, pursuant to Article 7 paragraph 3 of the General Data Protection Regulation, to withdraw your consent at any time. The withdrawal of your consent does not affect the legitimacy of the processing that occurred based on your consent until the withdrawal. We inform you of this before you grant your consent.

You can find information as to whether an instance of processing is based on Article 6 paragraph 1 point (a) or Article 9 paragraph 2 point (a) of the General Data Protection Regulation in the information regarding the legal basis of processing in Section B of this Data Protection Notice.

VIII. Right to lodge a complaint with a supervisory authority

As a data subject, you have a right to lodge a complaint with a supervisory authority under the conditions provided in Article 77 of the General Data Protection Regulation.

D. Information about the technical terms of the General Data Protection Regulation used in this Data Protection Notice

The technical terms relating to data protection used in this Data Protection Notice have the meaning used in the General Data Protection Regulation.

The full scope of the definitions of the General Data Protection Regulation can be found in Article 4 of the General Data Protection Regulation, which can be downloaded from the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

You will find more detailed information on the most important technical terms of the General Data Protection Regulation used in this Data Protection Notice below:

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Data Subject” means the respective identified or identifiable natural person to whom the personal data refer;

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

“International organisation” means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;

“Third country” means a country which is not a member state of the European Union (“EU”) or the European Economic Area (“EEA”);

“Special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

E. Effective date of and changes to this Data Protection Notice

The effective date of this Data Protection Notice is 12th October 2021.

It may be necessary to modify this Data Protection Notice due to technical developments and/or amendment of statutory or official requirements.

An up-to-date version of this Data Protection Notice can be retrieved at any time at https://www.mgmotor.eu/fi-FI/privacy-notice/ismart