You will find below:
This is not a privacy notice in the meaning of article 13 GDPR, but rather a general statement of practices which is supplemented by privacy notices under GDPR, such as:
- The car privacy notice: explains the processing of your data when you drive a Volvo car;
- Volvo ID: provides information on processing related to using the Volvo ID;
- Volvo Cars App: informs you about the processing of data as part of the Volvo Cars app;
- Customer service and support: describes our processing of data when you contact our customer care centers;
- Handling of Data Subject Rights under GDPR: describes our processing of data when you submit a data subject request under GDPR.
- our national sales companies outside of the European Economic Area;
- authorized Volvo Car retailers, unless they are part of the Volvo Car Group;
- authorized Volvo Car importers;
- third parties to whom you directly provide your information (such as subscription services, insurance companies, third party app providers and so on);
These entities are independent controllers from Volvo Cars and responsible for their own collection of information. Please refer directly to those entities and their particular privacy notices for more information.
1. What Personal Data We Generally Process
Processing your personal data is crucial for us to be able to provide you with our products and services. We appreciate the trust you place in us when giving us your personal data, and consider your privacy an essential part of the services we offer. When you use our vehicles or apps, we need to process personal data – i.e., information involving an identified or identifiable natural person. When we process your data, we do so with your consent, in order to perform a contract, to meet our legal obligations, or to pursue our own legitimate interests. The legal basis always depends on the specific personal data and processing activities in the individual case, and is indicated in the relevant privacy notice for the product or service in question.
In general, the data we process may include the following categories, which are further detailed in each relevant privacy notice for the product or service in question:
- Identification data such as your name, address, telephone number, email address, etc.
- Technical data about your vehicle, such as the vehicle identification number (VIN), model, purchase information, maintenance history, vehicle usage statistics, etc.
- Driving analysis data such as sensor readings, error codes, mileage, start/stop times, safety data, emission data, search queries, navigation services, vehicle position, etc.
- Contract data such as information about the purchase and use of our products and services as well as customer preferences/settings, order history, Volvo ID, etc.
- Other data that is generated when processing your request, e.g. data from our Volvo On Call or Pick-up & Delivery Service, credit history and bank details, etc.
In some cases, we do not collect your personal data from you directly, but instead receive it from third parties – but only if the law allows. One example when we obtain your personal data from elsewhere is when conducting credit checks – in this case we receive information about your creditworthiness from credit agencies in order to protect our own legitimate interests. If we do collect your personal data from a third party, we point this out separately in our individual privacy notices.
When Volvo Cars processes personal data about you, this occurs in the following circumstances which are further detailed in each relevant privacy notice for the product or service in question:
- We need the data to perform a contract with you: when you order a car or car parts, as well as various services provided by us, we need to process your data in order to deliver the product or service to you.
- We have legal obligations to process your data: there are situations when various laws require us to process data about you. This could be the case for certain car features, such as eCall (which, when activated, must send specific types of data to the emergency service), our product guarantees (which we can provide only if we know when and which car you purchased, as well as other conditions surrounding the guaranteed event), when we receive a mandatory order for disclosure of data from law enforcement agencies or courts, as well as our legal and regulatory obligations – for example under commercial, tax, money laundering, criminal and financial law – and ensuring our compliance with official requirements.
- We have a compelling interest: We will process your personal data in order to provide you with features of the car, guarantee services or recall information; to continuously enhance the performance, quality and safety of our vehicles, products and services; and to pursue legal rights or defend litigation. Volvo Car entities that provide services paid in arrears may perform credit checks in order to authorise the performance of the service to you (for example Care by Volvo).
- You accept the processing of your data: In other situations we will ask for your permission to process personal data.
2. How We Approach Customer Choice and Control
We ask for your consent wherever such consent is required for us to process your personal data. We see customer choice as a key enabler, but we are also aware that consent for processing of personal data is not always the right solution – due to this (and unless the applicable law requires another approach), we don’t request consent for personal data processing when, for example: this occurs as part of a contract with you, when we’re following a legal obligation, or when the processing of personal data is necessary for legitimate interests pursued by us or by a third party (unless your interests or fundamental rights and freedoms outweigh our interests). Processing of personal data for our legitimate interests would include, for example, the processing that occurs as part of the safety features of our cars, providing connected services to our customers, and researching future developments of our products and applications.
Sometimes simply driving a Volvo car can mean personal data needs to be processed by default. We aim to inform customers about this before they purchase the car, so that they can make an informed decision.
3. Who We Share Your Personal Data With
In order to provide our services, we also share your data with other recipients within the EEA, for example with our affiliates, data processors and other public and private entities, such as our services providers.
We share data with other recipients, to the greatest extent after pseudonymization, in a few justified reasons:
- in our regular business activities, we routinely utilize third-party entities that provide services to us, which requires access to data that we hold, or process data on our behalf - in the European Union these third party entities are called “processors”;
- we embed technology in our cars that involves the third party providers collecting data directly from the cars, for their own purposes (which, in the European Union, are called “separate controllers”);
- we share data with research institutes and universities as part of our research activities;
- we also share data with public authorities when we contribute to initiatives in the public interest (such as the monitoring of road conditions), and law enforcement agencies when they need information to perform their crime prevention and sanctioning activities; and
- In limited situations and as a rule only in anonymized form, we monetise data through licensing and other contractual arrangements with private entities.
This refers, of course, to voluntary sharing of data. We may also disclose your information to law enforcement agencies, courts, supervisory authorities, other governmental bodies or other third parties as necessary for Volvo Cars to comply with legal and regulatory obligations and to defend ourselves against legal claims or to enforce our own such claims. It may also be necessary to share your data in order to protect the rights of third parties, for example to ensure someone’s personal safety.
Voluntary sharing of personal data for a third party recipient’s own purposes will be made (subject to all applicable personal data protection laws) only:
- if the recipient can show that the need for this delivers a public benefit; or
- if it improves our products or services; or
- with the consent of the individual concerned.
Your personal data will be processed in accordance with European data protection law. If your personal data is shared with recipients in third countries, i.e., with recipients whose registered office or place of business is not in an EU or EEA member state, then this is done on the basis of adequacy decisions adopted by the European Commission pursuant to Art. 45 GDPR, or subject to appropriate and adequate safeguards for data transfer pursuant to Art. 46 f. GDPR, or on the basis of the derogations under Art. 49 GDPR. If you would like more information about how we protect your personal data when transferring it to countries outside the EEA in particular situations, please read the privacy notice applicable for the product or service you are interested in. If that is not sufficient, you can get in touch with us using the contact information provided below.
4. How Long We Keep Your Data
We process and store your personal data for various periods of time, which are further detailed in each relevant privacy notice for the product or service in question. How long we keep your data depends in particular on:
- The type of data processed;
- The purposes of the data processing;
- Your own settings and configurations, for example when using your vehicle;
- Whether you exercise your rights as a data subject under the GDPR, in particular your right to erasure (“right to be forgotten”), and
- Whether you withdraw your consent, for example in the context of email advertising.
As a rule, we only keep your personal data for as long as we need it to fulfil the purposes for which we collected it – or, in the case of consent, until you withdraw your consent (unless there is a different purpose for processing the same data and this is not based on your consent). Once the purposes have been achieved, we will either block the personal data so that it can’t be processed any more, or we will delete it, unless there are special reasons that entitle us to carry on processing it. Specifically, this may be the case if:
- You have consented to the further processing of your data, for example allowing us to process your email address so that we can email you advertising,
- A contractual agreement authorises us to carry on processing your data,
- Legal retention periods apply, which oblige us to keep certain data for a longer period of time (for example for tax reasons),
- We are legally authorised to carry on processing the data, or
- We need to keep the data for legal or legitimate business reasons, such as to defend ourselves against legal claims or to enforce our own such claims or to prevent fraud or abuse.
5. Your Rights in Relation to the Data Processing We Perform
As a data subject you have specific legal rights granted by the General Data Protection Regulation relating to the personal data we process about you. These are briefly explained below, and you can exercise them by filling out the dedicated form indicated below.
- Right to withdraw consent: Where you have given consent for the processing of your personal data, you may withdraw your consent at any moment with effect for the future.
- Right to access your personal data: You may ask from us information regarding personal data that we hold about you. We will provide you with a copy of your personal data upon request. If you request further copies of your personal data, then we can charge you with a reasonable fee that we base on the administrative costs. You have the right to the information about our safeguards for the transfer of your personal data to a country that is outside the EU and the EEA if you request that we confirm whether or not we process your personal data, and we transfer your personal data to a country that is outside the EU and the EEA.
- Right to rectification: You may obtain from us rectification of incorrect or incomplete personal data concerning you. We make reasonable efforts to keep personal data in our possession or control which are used on an ongoing basis, accurate, complete, current and relevant, based on the most recent information available to us.
- Right to restriction: You may obtain from us restriction of processing of your personal data, if:
- you contest the accuracy of your personal data, for the period we need to verify the accuracy,
- the processing is unlawful and you request the restriction of processing rather than erasure of your personal data,
- we do no longer need your personal data for the processing purpose but you require them for the establishment, exercise or defense of legal claims, or
- you object to the processing while we verify whether our legitimate grounds override yours.
- Right to portability: You have the right to receive your personal data that you have provided to us, and, where technically feasible, request that we transmit your personal data (that you have provided to us) to another organization, if:You have the right to receive your personal data in a structured, commonly used and machine-readable format. Your right to receive your personal data must not adversely affect the rights and the freedoms of other persons. Your right to have your personal data transmitted from us to another organization is a right you have if such transmission is technically feasible.
- we process your personal data by automated means;
- we base the processing of your personal data on your consent, or our processing of your personal data are necessary for the execution or performance of a contract to which you are a party;
- your personal data are provided to us by you; and
- your right to portability does not adversely affect the rights and the freedoms of other persons.
- Right to erasure: You have the right to request that we delete the personal data we process about you. We must comply with this request if we process your personal data, unless processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
- for the establishment, exercise or defense of legal claims.
- Right to object: You may object – at any time – to the processing of your personal data due to your particular situation, provided that the processing is not based on your consent but on our legitimate interests or those of a third party. In this event we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds and an overriding interest for the processing or for the establishment, exercise or defense of legal claims. If you object to the processing, please specify whether you also wish the erasure of your personal data, otherwise we will only restrict it. You also have the right to object at any time, regardless of any reason, to the processing of your personal data for direct marketing (which includes profiling to the extent that it is related to such direct marketing), if such processing was based on our legitimate interest. If the marketing was based on your consent, you can withdraw consent (see above).
- Right to lodge a complaint: You can lodge a complaint to your local data protection supervisory authority or with any other data protection authority in the EU. However, we will appreciate if you first contact us to try and solve your problem – you can find our contact details below.
You can exercise your rights in relation to us by filling out this form, which will help us to deal with your request properly. The online form contains the information that we need to verify your identity and review your request. For requests submitted by telephone or email, you will need to provide us with sufficient information that allows us to reasonably verify that you are the person whose personal data we collected and describe your request in sufficient detail to allow us to properly evaluate and respond to it. If we are not able to verify your identity for access and deletion requests with the information provided, we may ask you for additional pieces of information.
6. Information Security
To protect your personal information from loss, theft, and unauthorized access, use, or disclosure, we have implemented technical, administrative, and physical security measures including encryption, access controls, and secure development processes. We also pass on these standards to our external service providers. Unfortunately, no method of transmission over the Internet, or method of electronic storage, is 100% secure or impenetrable.
7. Contact Information
In order to exercise your rights, please use the applicable web form mentioned above. If you have any other questions regarding the subject matter of personal data protection, you can contact the Volvo Car entity that is indicated as controller in the applicable privacy notice, at the contact details mentioned therein. Ultimately, you can contact the Volvo Car Corporation data protection officer as follows:
Company: Volvo Car Corporation
Postal address: Volvo Car Corporation, Assar Gabrielssons Väg, SE-405 31 Gothenburg, Sweden