Volvo vehicle Privacy Notice

2.1. Processing of Personal Data While You Drive

2.1.1. Vehicle data analytics (VDA)

We automatically collect and process vehicle data (listed below) in order to obtain statistical information about our vehicles and how they are used. We use this information for product research and development purposes: in particular, to improve and monitor the quality of vehicles and their safety features. This also serves to manage Volvo Cars' warranty commitments and to comply with our legal requirements relating to emissions monitoring.

Data categories used:

Volvo cars also automatically collects the following information on the vehicle's high-voltage battery (where applicable):

For the purposes of GDPR, the legal basis for the processing of the data mentioned above is your consent (Art. 6(1)(a) GDPR).

The Vehicle Identification Number (VIN), identifiers of the vehicle's hardware and software versions, and Diagnostic Trouble Codes (DTC), are retained for 2 years, while the information on the vehicle's high-voltage battery is retained for the lifetime of the battery.

In the case of hybrid or electric vehicles, Volvo Cars and Polestar Performance AB (a Swedish company headquartered in Gothenburg, Assar Gabrielssons Väg 9, SE-405 31, Sweden, hereinafter referred to as "Polestar") share the analytical data listed above from their respective vehicles. The analysis data exchanged between Volvo Cars and Polestar is of a purely technical nature and does not involve actual customer data. The analytical data collected via the Volvo Cars and Polestar platforms are exchanged between the two companies for the purposes of improving and monitoring the quality of the vehicle, the performance of the electric and hybrid features, and the safety features.

As joint controllers under GDPR, Volvo Cars and Polestar are jointly responsible for this processing of analysis data. Volvo Cars and Polestar have agreed that Volvo Cars is responsible for providing information to its customers and that the respective rights under the applicable privacy law may be exercised by Volvo customers in relation to Volvo Cars. You can read about this in section 3 below (What rights you have in relation to the data processing we perform).

2.1.2. Over-the-air Software Updates

In order to be able to maintain the vehicle software and provide necessary software updates directly, we automatically collect and process the following data:

We process the data mentioned above if you consent to this (Art. 6(1)(a) GDPR). If you refuse over-the-air software updates, this will prevent you from being able to use our updated services, or you will not be able to use them fully. Failure to update may also increase the risk of cybersecurity incidents, much like in the case of all other smart devices. Note that you can also opt to have the updates installed in one of our workshops.

We will retain records of the software updates made to the car for the entire lifetime of the vehicle.

2.1.3. Connected Safety

If your vehicle has the Connected Safety feature activated, we automatically collect the following vehicle information from your car:

We use this information to provide you with the Connected Safety feature to you (Art. 6(1)(b) GDPR). You can turn the service on and off at any time.

This information, without the VIN number or driver's identity information, is shared with other vehicles (Volvo cars and trucks) that have the Connected Safety feature activated in order to inform you and them about current traffic situations on the route and provide alerts about upcoming hazards on the road (e.g., slippery road or hazard light alerts), allowing you and other drivers using Connected Safety to adapt driving style accordingly. If your own vehicle's hazard warning lights are activated or your vehicle detects reduced friction between your tires and the road (a.k.a. "slippery road alert"), information about this can be sent to vehicles approaching your own vehicle's position.

In addition, the aforementioned data is shared, in an anonymized manner, with traffic agencies (in order to avert and reduce dangers posed by road traffic).

We keep the data for 1 week before we delete or anonymize it.

2.1.4. Real-time Traffic Information

If your vehicle model is equipped with Real-Time Traffic Information service we collect from the car:

We process the data mentioned above in the course of performing a service for you (Art. 6(1)(b) GDPR). You can turn the service on and off at any time.

Car models equipped with sensors that can identify traffic signs in real time as you drive do this through local processing (in the car) only.

The data will be stored by Volvo Cars as long as the subscription is active. Once the subscription is inactive, VIN, speed, and position are stored for maximum of 90 days, unless a longer time is required under local applicable law.

2.1.5. Speech Messaging

Speech Messaging is part of a larger voice command system with which you can control features of your infotainment system and create and send SMS messages by giving verbal instructions.

If you have activated "Speech Messaging" in your vehicle, we automatically collect and process the following data when you use the voice control system:

Voice control will remain activated until you deliberately stop it or until you have not responded to three prompts from the system.

The processing of your data is necessary to provide the voice control system and associated services and therefore to perform the contract entered into with you (Art. 6(1)(b) GDPR). If you do not provide your data, it will not be possible to use the voice control system.

We will share the recorded voice data with the third-party service provider in order to provide the service to you. The resulting text message is shared by the third-party service provider with us and then passed to your vehicle. The third-party service provider is a separate controller for this data.

Speech Messaging is not available in newer car models that are equipped with Android Automotive, which allows you to activate Google Assistant. If activated, Google Assistant is provided by a third-party service provider, which will provide a relevant privacy notice for that service.

2.2. Processing in the Event of an Incident

In the event of an incident or (near) accident, personal data will be processed for the following purposes for a certain period of time.

2.2.1. Active Safety Data Recorder (ASDR)

The "Active Safety Data Recorder" (ASDR) service records data related to traffic accidents or collision-like situations. This data is automatically collected by your car the car when traffic accidents or collision-like situations occur. The following information is collected:

If you enable sharing of this information with us, we use this information to help us better understand the circumstances in which traffic accidents, injuries, and damage occur to address active safety-related complaints and for future development purposes.

The ASDR does not record any data during normal driving conditions but rather only when a non-trivial collision situation occurs.

We collect the data mentioned above based on your consent (Art. 6(1)(a) GDPR), and we keep it for 10 years before we delete or anonymize it.

2.2.2. Event Data Recorder (EDR)

The vehicle is equipped with an Event Data Recorder (EDR) – also known as the car's "black box" – which stores safety-related information relating to crash or near-crash situations. To operate the EDR we automatically collect the following vehicle information from the car and process it:

The period recorded is usually up to 30 seconds. Recording only takes place if a non-trivial collision situation occurs. No data is recorded under normal driving conditions. Furthermore, the recording does not include who is driving the vehicle or the geographical location of the (near) crash.

The data recorded is also needed to allow Volvo Cars to comply with its legal requirements specified in laws and by government authorities applicable to Volvo Cars (Art. 6(1)(c) GDPR). The provision of personal data is thus required by such laws.

2.2.3. Emergency Call (eCall)

The Emergency Call (eCall) is a feature which automatically makes a call to a call center in the event that one or more sensors within the vehicle detect a severe accident. This function can also be triggered manually by pushing and holding the SOS button for at least 2 seconds. Please be mindful that this is not recommended unless you are experiencing an emergency, and abuse of emergency response systems may sanctioned under applicable laws.

When an emergency call is made, we automatically collect the following vehicle data from the car and process it:

The data is only collected when the eCall is made. We process this data for the purpose of protecting the vital interests of the driver and of other occupants in the car (Art. 6(1)(d) GDPR), as well as under a legal obligation (Art. 6(1)(c) GDPR) to equip all modern cars sold In the European Economic Area with eCall.

By default, the "eCall" service in Volvo vehicles is routed to a third-party service provider (this is called a eCall or TPS eCall third-party service); this provider varies by region, and you can get more information by contacting us. You can choose to have the call routed to the public emergency service at any time by modifying your car settings accordingly.

The service provider or the emergency service may forward the information data to specialized emergency services (for example ambulance), if necessary.

The personal data will be retained for a period of 90 days, and the processing is limited to the emergency situations referred to above.

2.2.4. Roadside Assistance

Our optional roadside assistance service helps you in the event of a flat tire, breakdown or accident. By activating the black On Call button in the car or using the contact feature in the Volvo Cars app (previously Volvo On Call app), the car makes a call to the roadside assistance service. If you are subscribed to this service, roadside assistance support may be able to send suitable help to the driver of the vehicle whenever the driver may need assistance, such as sending out a tow truck, in accordance with the terms of the service.

When the car makes the call to Roadside Assistance, we automatically collect and process the following vehicle information:

The Roadside Assistance service is offered in association with insurance companies that vary by country; you can get more information by contacting us. These insurance companies operate the call center that takes your call. The third-party service provider will forward some of this data to the specialized services you request (for example tow services).

We process this data in the course of providing the roadside assistance service to you (Art. 6(1)(b) GDPR).

We will process the data for a period of 8 years, except for geolocation data, which is deleted after 90 days.

2.3. Processing of Data Related to Maintenance and Repairs

2.3.1. Service Planning

If you activate the service planning feature, we automatically, and continuously collect and analyze certain vehicle diagnostic-related information. Using this feature, we collect and process the following vehicle information:

We process the data mentioned above in the course of performing a service for you (Art. 6(1)(b) GDPR). You can turn the service on and off at any time. As part of the service, the car provides you with information that helps you keep your car in good condition by predicting early signs of vehicle issues and then helping you to set up a maintenance program before you visit a workshop. For example, we use the information collected to: prompt you to change certain filters earlier or later than at the recommended fixed period of time if their actual wear and tear requires this, or to schedule production and delivery of spare parts, which is an important component in our sustainability goals and also in our endeavor to provide you with a premium service and repair experience by optimizing content, logistics and workshop utilization.

We share the data with Volvo Car Canada Limited in order to administer deliveries and bookings and, if you have opted in to this, to tailor special offers for you. Service planning will not directly perform bookings, and thus the data is not shared with workshops.

We will store data connected to the car high-voltage battery and VIN for 10 years in order follow up on the battery state of health. The other data will be kept for three years. Data connected to the car high-voltage battery will be kept in relation to the VIN for 10 years in order follow up on the battery state of health.

2.3.2. Connected Service Booking

If you activate the Connected Service Booking, when you send a booking request from the vehicle to your workshop to make an appointment to have your vehicle serviced or repaired, we automatically collect and process the following vehicle information:

To activate the service, you will need to create a Volvo ID and register it for your vehicle, and also connect your vehicle to the internet. You can read more about how your data is processed when you create a Volvo ID here.

We use this data to book the service, organize performance, contact you in matters regarding the service booked or that are a direct consequence of using the service, such as sending confirmations and notifications. (In other words for the purposes of GDPR, our legal basis for this processing is your contract with us (Art. 6.1. b) GDPR).

We share this data with Volvo Canada Limited and the retailer selected (which might be a service/repair workshop, body paint workshop, car reconditioning specialist, or car logistics service).

We will store your data for a period of 15 months; however please note that the Volvo service partner retailer providing the service may subject to various retention and documentation obligations and may also be required by law to disclose personal data to the authorities under the applicable law. This information may be found in the privacy policy of the service partner.

2.3.3. Diagnostic Read-out in Workshops

If servicing or repairs are carried out on your vehicle by one of our authorized service centers or partners, your vehicle is connected to the Vehicle Information Diagnostic for Aftersales system ("VIDA") for this purpose, and we will receive the following vehicle information and other information about the problem from such authorized service centers or partners:

This data is of purely technical nature, and we process it in order to follow up on the quality of our cars and manage our product manufacturer obligations, for product development as well as safety follow-up purposes (if necessary). This data is kept for the lifetime of the vehicle.

For the purpose of GDPR, we process this data in our legitimate interests mentioned previously (Art. 6(1)(f) GDPR) and, where applicable, also to fulfill legal and other official requirements, such as safety-related recalls under applicable law (e.g. Art. 6(1)(c) GDPR).

2.3.4. Bug Reporting

When you enable the bug reporting function, when you visit an authorized Volvo workshop or service partner, we automatically collect and process the vehicle data below:

We process the data mentioned above if you consent to this (Art. 6(1)(a) GDPR) and use it to collect software bugs reports, understand the impact of the bugs, generate a fix for these bugs and maintain our software in good health.

After we have processed the data above, we will delete or anonymize your data on our server after 90 days.

2.4. Third-Party Apps

The infotainment system for new car models runs on the Google Android Automotive operating system. In this regard, Google is an independent controller for the purpose of GDPR and an independent organization for the purpose of the Personal Information Protection and Electronic Documents Act (PIPEDA) and other privacy laws when it comes to processing your personal data.

Third-party apps you download in the car from the PlayStore are also offered by independent controllers/independent organizations, similar to how they operate on a smartphone. For further information, please refer to the individual service providers' own terms and conditions, as well as their privacy notices.

2.5. Law Enforcement Requests

Occasionally, we receive requests from law enforcement or regulatory agencies (police, customs authorities, etc.) to provide various types of data related to our cars. As a general approach, we only provide personal data when legally required (Art. 6(1)(c) GDPR). We do provide data that is technical in nature and which does not in itself reveal a link with an individual (e.g., serial number of a car part connected to a VIN number, service history for a VIN number, etc.).

When we are presented with a request from a law enforcement authority that includes personal data, but we are not under a legal obligation to provide the data, we make an assessment of necessity and proportionality of the requested information and we may decide to provide all or part of the requested information (Art. 6(1)(f) GDPR).

We keep records of the requests received and responses provided, without the actual data provided (where applicable); however this is not an additional processing of personal data.

3.1. Your rights under the EU General Data Protection Regulation

As a data subject, you have specific legal rights granted by the General Data Protection Regulation relating to the personal data we process about you. These are briefly explained below, and you can exercise them by filling out the dedicated form indicated below.

You can exercise your rights in relation to us by filling out this form, which will help us to deal with your request properly. The online form contains the information that we need to verify your identity and review your request. For requests submitted by telephone or email, you will need to provide us with sufficient information that allows us to reasonably verify that you are the person whose personal data we collected and describe your request in sufficient detail to allow us to properly evaluate and respond to it. If we are not able to verify your identity for access and deletion requests with the information provided, we may ask you for additional pieces of information.

You can exercise these rights in relation to all of the joint controllers mentioned in this notice.

3.2. Your rights under Canadian Law

If our processing of your personal data is subject to Canadian law, the following section applies to you:

Accessing and correcting your personal data: For residents of Canada, you have a right to request access to your personal data and to request a correction to it if you believe it is inaccurate. If you would like to have access to the personal data we have about you, or if you would like to have it corrected, please fill out this form, which will help us to deal with your request properly. In some cases, we may not be able to allow you to access certain personal data in certain circumstances: for example, if it contains personal data of other persons, or for legal reasons.

To help protect against fraudulent requests for access to your personal data, we may ask you for information to allow us to confirm that the person making the request is you or is authorized to access your information before granting access. You will need to provide us with sufficient information that allows us to reasonably verify that you are the person whose personal data we collected, and you must describe your request in sufficient detail to allow us to properly evaluate and respond to it. If we are not able to verify your identity for access and correction requests using the information provided, we may ask you for additional pieces of information.

3.2.1. Right to withdraw consent: If you have given consent for the processing of your personal data, you may withdraw your consent with effect for the future. Please note that if you withdraw consent that is necessary for us to provide you with products or services, we may no longer be able to provide those products or services to you. You may withdraw any consent you have provided to our use of personal data to market to you without withdrawing consent needed to provide our goods and services. Your withdrawal of consent does not have retroactive effect, and there may be cases where we are permitted under the applicable law to process certain personal data without consent.

3.2.2. Security: In order to help prevent unauthorized access to or disclosure of personal data, we have put in place physical, electronic, and organizational procedures to help safeguard and secure the personal data we collect. Personal data may be accessed by persons within our organization or our third-party service providers who require such access to carry out the purposes described in this Privacy Notice or are otherwise permitted or required by applicable law. Personal data we collect are managed from our offices in Canada and European Union.

Even though we have taken steps to help protect the personal data in our control, you should know that we cannot fully eliminate security risks associated with personal data. No security measures can provide absolute protection. We cannot ensure or warrant the security of any information you provide to us.

3.2.3. International Data Transfers: Personal data that we collect may be stored and processed in Canada and the European Union. Personal data processed and stored in another country may be subject to disclosure or access requests by the governments, courts, or law enforcement or regulatory agencies in that country, according to its laws. By providing us with personal data, you consent to any such transfer of information outside of your country.