CAR PRIVACY NOTICE

Last updated: December 12, 2022

This privacy notice explains how Volvo Cars (as defined below) processes car generated data, when customers use a Volvo vehicle and associated connected services provided by Volvo Cars. 

This document only explains the processing of personal data associated with the features of the newest Volvo car models, but you will not find here the explanation of the features themselves – for this, please check the owner’s manual for the relevant model. If you did not elect a car equipped with these features or if there are features which you did not choose the activate – the descriptions of those features may not apply to your car. Also, if you have an older model car, or if a new model is not equipped with a certain feature, the data processing associated with that feature will not happen.

Please note that if there is any discrepancy between this notice and the owner’s manual in what concerns the processing of personal data, this notice takes precedence. In addition, the manual may include descriptions of data being processed which are not included below. This is because the manual includes the full universe of data being processed, whereas this notice does not include: (i) local processing (instances where data processed does not leave the car) because this does not constitute the processing of personal data by Volvo Cars or (ii) processing of personal data by third parties as separate controllers (for example Google in the case of Android Automotive infotainment system).

This privacy notice does not apply to:

• Special vehicles (e.g. police cars);
• Processing of personal data that does not leave the car (local processing);
• Processing of personal data when you interact with one of our retailers (such as when you buy your car);
• Your use of software and third-party apps/services in the car (such as Google Automotive and any apps in the car’s infotainment system);
• Your use of mobile apps provided by Volvo Cars, such as Volvo on Call/Volvo Cars App (please see our Volvo Cars App privacy notice for more information);
• Your use of third-party value-added services based on car data (such as pay-as-you-drive insurance); or
• The provision of the internet service in your car, which is supplied by a mobile network operator independently from Volvo Cars.

You can find below:

1 Who is responsible for the processing of your personal data

2 What personal data we collect and what happens with it

2.1 Processing of personal data while you drive

2.1.1 Vehicle data analytics

2.1.2 Over the air software updates

2.1.3 Connected safety

2.1.4 Real-time traffic information

2.1.5 Speech messaging

2.2 Processing in the event of an incident

2.2.1 Active Safety Data Recorder (ASDR)

2.2.2 Event Data Recorder (EDR)

2.2.3 Emergency call (eCall)

2.2.4 Roadside Assistance

2.3 Processing of daaa related to maintenance and repairs

2.3.1 Service planning

2.3.2 Diagnostic read-out in workshops

2.3.3 Emissions reporting

2.3.4 Bug reporting

2.4 Third party apps and services

2.5 Law enforcement requests

3 Your rights in relation to the processing of personal data

3.1 Your rights under the EU General Data Protection Regulation

3.2 Your rights under US state laws

4 Children’s privacy

5 Information Security

6 Do not track

7 Contact information

8 Changes to this notice

 

1. Who is responsible for the processing of your personal data

The entity responsible for the processing of personal data referred to below is Volvo Car Corporation, having its registered office at Assar Gabrielssons Väg, SE-405 31 Gothenburg, Sweden, company registration number 556074-3089, hereinafter referred to as “Volvo Cars”, “we”, or “us”. For the purposes of European data protection legislation, Volvo Car Corporation is the data controller of this personal data. In some situations, the processing of personal data has joint controllers, which are identified in the respective sections. However, in all situations the joint controllers have agreed that the information is provided to you by Volvo Cars, and that you can exercise your rights (see section 3 below). All processing of personal data is subject to the limitations and requirements of applicable data protection laws, including the European General Data Protection Regulation (EU “GDPR”) and US state privacy laws.

2. What personal data we collect and what happens with it

2.1 Processing of personal data while you drive

2.1.1. Vehicle data analytics (VDA)

If you provide your consent when enabling VDA, we will collect and we process vehicle data (listed below) in order to obtain statistical information about our vehicles and how they are used. We use this information for product research and development purposes, in particular to improve and monitor the quality of vehicles and their safety features. This also serves to manage Volvo Cars’ warranty commitments and to comply with our legal requirements relating to emissions monitoring. 

Data categories used:   

• Vehicle identification number (VIN);
• Identifiers of the vehicle’s hardware and software versions; and
• Diagnostic trouble codes (DTC).

Volvo Cars will also collect the following information regarding the operational status of the vehicle systems (where applicable):

• State of health; and
• Basic statistics relating to the operation of the onboard systems.

Volvo Cars also automatically collects the following information on the vehicle’s high-voltage battery (where applicable): 

• High voltage battery ID, capacity, and health status; 
• Vehicle market information; 
• Charging station information (e.g. availability status, the power type, pole ID, etc.); and
• Diagnostic data during charging (e.g. duration, state of charge, current fluctuation, etc.). 

The information above is retained for 2 years, other than the information on the vehicle’s high-voltage battery, which is retained for the lifetime of the battery. We will either delete this data or, should we identify a need to maintain data to aid in our assessment and development of our products, will anonymize it at the conclusion of this time period.

In the case of hybrid or electric vehicles, Volvo Cars and Polestar AB (a Swedish company headquartered in Göteborg, Assar Gabrielssons Väg 9, SE-405 31, Sweden, hereinafter referred to as “Polestar”) share analysis data from their respective vehicles. The analysis data exchanged between Volvo Cars and Polestar, as listed above, is of a purely technical nature and does not involve actual customer data. The analysis data collected via the Volvo Cars and Polestar platforms is exchanged between the two companies for the purposes of improving and monitoring the quality of the vehicle, the performance of the electric and hybrid features, and the safety features.

As so-called joint controllers under GDPR, Volvo Cars and Polestar are jointly responsible for this processing of analysis data. Volvo Cars and Polestar have agreed that Volvo Cars is responsible for providing information to its customers, and that the respective rights afforded by GDPR and applicable US state privacy laws, will be exercised by Volvo customers in relation to Volvo Cars. You can read about this in section 3 below (What rights you have in relation to the data processing we perform).

2.1.2. Over the air software updates

If you provide consent when enabling this functionality in your vehicle, we will collect the following information as part of our efforts to maintain the vehicle software and provide necessary software updates: 

• Vehicle identification number (VIN); 
• Vehicle software version;
• Diagnostic trouble codes; and
• Vehicle manufacturing date.

If you refuse over the air software updates, this will prevent you from being able to use our updated services, or you will not be able to use them fully. Failure to update may also increase the risk of cybersecurity incidents, much like in the case of all other smart devices. Note that you can also opt to have the updates installed in one of our workshops.  

We will retain records of the software updates made to the car for the entire lifetime of the vehicle.

2.1.3. Connected safety

If you provide consent when enabling Connected Safety feature from within your vehicle, we collect from your car the following vehicle information:

• Your car’s current location in order to collect and send road hazards close to your location to your vehicle;
• Vehicle identification number (VIN); 
• Information about the internet connection (Wi-Fi/PSIM/Bluetooth) ;
• Road hazard alerts sent by the vehicle when it detects a slippery road condition activation of the vehicle’s hazard light, time stamp of the alert, or location of the alert; and
• 3D road mapping.

You can switch the service on and off at any time.

This information, without the VIN number or driver’s identity information, is shared with other vehicles (Volvo cars and trucks) that have the Connected Safety feature activated in order to inform you about current traffic situations on your route and provide you with alerts about upcoming hazards on the road (e.g. slippery road, hazard light alerts) allowing you to adapt your driving style accordingly. If your own vehicle’s hazard warning lights are activated or your vehicle detects reduced friction between your tires and the road (aka “siippery road alert), information about this can be sent to vehicles approaching your own vehicle’s position.

In addition, the aforementioned data is shared, in an anonymized manner, with traffic agencies (in order to avert and reduce dangers posed by road traffic).

We keep the data for one week before we delete or anonymize it.

2.1.4. Real-time traffic information

If your vehicle model is equipped with Real Time Traffic Information service, and you provide your consent by enabling this service from within the vehicle, we collect from the car:

• Vehicle information (vehicle position and speed) which is shared in an anonymous form with the 3^rd party real time traffic information service provider to allow them to calculate traffic congestion and to inform you and other drivers where risks for congestion exist; and
• Vehicle identifier (Vehicle Identity Number (VIN)) which we use this to verify that your vehicle has a subscription for this service.

You can switch the service on and off at any time.

Car models equipped with sensors that can identify traffic signs in real time as you drive do this through local processing (in the car) only.

The data will be stored by Volvo Cars as long as the service is active. If the service is turned off, VIN, speed and position will be stored for maximum of 90 days, unless a longer time is required under local applicable law.

2.1.5. Speech messaging

Speech Messaging is part of a larger voice command system with which you can control features of your infotainment system and lets you create and send SMS messages by giving verbal instructions.

If you have activated “Speech Messaging” in your vehicle, we collect and we process the following data when you use the voice control system:

• Recorded voice data or commands;
• Vehicle identification number (VIN) which is used to verify that your car has a subscription for this service;
• Phone number; and
• Text messages created by the third-party service provider are stored in the cloud and sent back and saved in your vehicle. Text messages can be sent as SMS.

Voice control will remain activated until you deliberately stop it or until you have not responded to three prompts from the system.

The processing of your data is necessary to provide the voice control system and associated services, and therefore to perform the contract concluded with you. If you do not provide your data, it will not be possible to use the voice control system.

We will share the recorded voice data with the third-party service provider in order to provide the service to you. The resulting text message is shared by the third-party service provider with us, and then passed to your vehicle. The third-party service provider is a separate controller for this data.

Speech Messaging is not available in newer car models that are equipped with Android Automotive which allows you to activate Google Assistant. If activated, Google Assistant is provided by a third-party service provider which will provide a relevant privacy notice for that service.

2.2 Processing in the event of an incident

In the event of an incident or (near) accident, personal data will be processed for the following purposes for a certain period of time.

2.2.1 Active Safety Data Recorder (ASDR)

The “Active Safety Data Recorder” (ASDR) records data related to traffic accidents or collision-like situations. This data is collected by your car the car when traffic accidents or collision-like situations occur. The following information is collected:

• Vehicle Identity Number (VIN);
• Type of safety event triggered and its occurrences;
• Front-facing camera images are captured during 4 seconds before and after collision-like situations; and
• Vehicle location at time of incident.

If you consent to the sharing of this information with us by enabling ASDR from within the vehicle, we will use this information to help us better understand the circumstances in which traffic accidents, injuries, and damage occur, to address active safety-related complaints, and for future development purposes.

The ASDR does not record any data during normal driving conditions but rather only when a non-trivial collision situation occurs or is about to happen.

We keep this information for 10 years before we delete or anonymise it.

2.2.2 Event Data Recorder (EDR)

The vehicle is equipped with an Event Data Recorder (EDR) – also known as the car’s “black box” which stores safety-related information relating to crash or near-crash situations. To operate the EDR we collect and process the following vehicle information:

• How various systems in your vehicle were operating;
• Whether or not the driver and passenger safety belts were buckled/fastened;
• How far (if at all) the driver was depressing the accelerator and/or brake pedal; and
• How fast the vehicle was traveling.

The period recorded is usually up to 30 seconds. Recording only takes place if a non-trivial collision situation occurs. No data is recorded under normal driving conditions. Furthermore, the recording does not include who is driving the vehicle or the geographical location of the (near) crash.

The data recorded is also needed to allow Volvo Cars to comply with its legal requirements specified in laws and by government authorities.

2.2.3 Emergency call (eCall)

The Emergency Call (eCall) is a feature required by law to be available in all vehicles, which automatically makes a call to a call center in the event one or more sensors within the vehicle detect a severe accident. This function can also be triggered manually by pushing and holding the SOS button for at least 2 seconds; please be mindful that this is not recommended unless you are experiencing an emergency, and abuse is sanctioned under applicable laws.

When an emergency event triggers the eCall feature, we collect and process the following vehicle data:

• Vehicle Identification Number (VIN);
• Vehicle propulsion or engine specification;
• Vehicle model specification;
• Time of the incident;
• Location of the incident; and
• Direction of the vehicle travel.

The data is only collected when the eCall is made.

By default, the “eCall” service in Volvo vehicles is routed to a third-party services provider (this is called a third-party service eCall or TPS eCall); this supplier varies by region, and you can get more information by contacting us. You can at any time choose to have the call routed to public emergency services by modifying your car settings accordingly.

The service provider or the emergency service may forward the information data to specialised emergency services (for example ambulance) if necessary.

The personal data will be retained for a period of 90 days, and the processing is limited to the emergency situations referred to above.

2.2.4 Roadside assistance

Our optional roadside assistance service helps you in the event of a flat tire, breakdown, or accident. By activating the black On Call button in the car or using the contact feature in the Volvo Cars app (previously Volvo on Call app), the car makes a call to the roadside assistance service. If you are subscribed to this service, roadside assistance support will be able to send suitable help to the driver of the vehicle whenever the driver may need assistance, such as sending out a tow truck. 

When the car makes the call to Roadside Assistance, we collect automatically and process the following vehicle information:

• Vehicle identification number (VIN);
• Vehicle propulsion or engine specification;
• Vehicle model specification;
• Time of the call;
• Location at time of the call; and
• Direction of the vehicle travel.

The Roadside Assistance service is offered in partnership with insurance companies that vary by country - you can get more information by contacting us. These insurance companies operate the call center that takes your call. The third-party services provider will forward some of this data to the specialised services you request (for example tow services).

We process this data in the course of providing the roadside assistance service to you.

We will process the data for a period of 8 years, except for geolocation data that is deleted after 90 days.

2.3 Processing of data related to maintenance and repairs

2.3.1 Service planning

Service Planning is an optional service that helps you keep your car in good condition and observe the vehicle’s health prior to service visits. When your car has an internet connection, and you provide your consent by enabling the service from within the vehicle, service planning works by collecting and analyzing certain vehicle diagnostic-related information.

To provide you with the feature, the following data will be collected:

• Data about the car including vehicle identification number (VIN), hardware revisions and software versions;
• Status and statistics and fault codes from components (of the engine, high voltage batteries etc.); and
• Driving data (Milage, Engine hours, Driving conditions e.g. ambient temperature, etc.)

You can switch the service on and off at any time.

The data will be shared with our national sales company in your country to notify you of and coordinate service needs with your retailer, to administer deliveries and bookings, and with your separate consent, to provide you with special service offers. Service planning will not directly perform service bookings but depending on availability in your market, you may have the possibility to book a service.

We will store data connected to the car high voltage battery and VIN for 10 years in order to follow up on the battery state of health. The other data will be kept for 3 years.

2.3.2 Diagnostic read-out in workshops

If servicing or repairs are carried out on your vehicle by one of our authorised service centres or partners, your vehicle is connected to the Vehicle Information Diagnostic for Aftersales system (“VIDA”) for this purpose, and we will receive from such authorised service centres or partners the following vehicle information and other information about the problem:

• Diagnostic data;
• Fault codes; and
• Data about the vehicle (VIN, software version) and condition of the vehicle.

This data is of purely technical nature, and we process it in order to follow up on the quality of our cars and manage our product manufacturer obligations, for product development as well as safety follow-up purposes (if necessary). This data is kept for the lifetime of the vehicle.

For the purpose of GDPR, we process this data in our legitimate interests mentioned previously, and where applicable also to fulfil legal and other official requirements, such as safety-related recalls.

2.3.3 Emissions reporting

When you visit an authorised Volvo workshop or service partner, they will collect emissions data from your car, which will be sent to us in order to be reported pursuant to Regulation (EU) 2021/392. This collection of data occurs every time your car is serviced, unless you inform the service retailer that you object.

The data collected is:

• Emission data: mainly total fuel consumed (lifetime), total distance travelled (lifetime), total grid energy into the battery – with several breakdowns provided under Annex XXII of Regulation (EU) 2017/1151; and
• Data about the vehicle (VIN).

We store the emissions data until that data has been reported upon.

2.3.4 Bug Reporting

When you provide consent by enabling the bug reporting function from within the vehicle, or when you visit an authorised Volvo workshop or service partner, we collect and we process the vehicle databelow: 

• Vehicle identification number (VIN); 
• Start-up diagnostics;
• Vehicle configuration;
• Head unit local configuration;
• Android automotive diagnostics;
• Vehicle network diagnostics; 
• Software versions; and 
• Reports and logfiles targeted to developers. 

We use this data to collect software bugs reports, understand the impact of the bugs, generate a fix for theses bugs and maintain our software in good health. The report will then be processed internally by Volvo Cars, to understand the impact of the bugs. 

2.4 Third party apps and services

When you provide your consent, we will share specific data from the vehicle with third parties which provide applications that may be used in the vehicle or services offered by our business partners. This data will be provided on your request to support a subscription or program as indicated in the consent you provide. For example, you may ask us to share certain vehicle data with Sirius XM to facilitate your subscription to satellite radio services or with your insurance provider to facilitate insurance discount programs you have enrolled in.

The infotainment system of new car models runs on the Google Android Automotive operating system. In this regard, Google is an independent controller for the purpose of GDPR and an independent business for the purpose of the California Consumer Privacy Act (CCPA) when it comes to processing your personal data.

Third party apps you download in the car from the PlayStore are also offered by independent controllers / independent businesses, similarly with how they operate on a smartphone. For further information, please refer to the individual service providers’ own terms and conditions as well as their privacy notices.

2.5 Law enforcement requests

We occasionally receive requests from law enforcement or regulatory agencies (police, customs authorities, etc) to provide various types of data related to our cars. As a general approach, we only provide personal data when legally required. We do provide data that is technical in nature and which does not in itself reveal a link with an individual (e.g., serial number of a car part connected to a VIN number, service history for a VIN number, etc.).

When we are presented with a request from a law enforcement authority that includes personal data, but we are not under a legal obligation to provide the data, we make an assessment of necessity and proportionality of the requested information. We may decide to provide all or part of the requested information.

We keep records of the requests received and responses provided, without the actual data provided (where applicable), however this is not an additional processing of personal data.

3 Your rights in relation to the processing of personal data

3.1 Your rights under the EU General Data Protection Regulation

As a data subject you have specific legal rights granted by the EU-General Data Protection Regulation relating to the personal data we process about you. These are briefly explained below, and you can exercise them by filling out the dedicated form as indicated below. 

1. Right to withdraw consent: Where you have given consent for the processing of your personal data, you may withdraw your consent at any moment with effect for the future.
2. Right to access your personal data: You may ask from us information regarding personal data that we hold about you. We will provide you with a copy of your personal data upon request. If you request further copies of your personal data, then we can charge you with a reasonable fee that we base on the administrative costs. You have the right to the information about our safeguards for the transfer of your personal data to a country that is outside the EU and the EEA if you request that we confirm whether or not we process your personal data, and we transfer your personal data to a country that is outside the EU and the EEA.
3. Right to rectification: You may obtain from us rectification of incorrect or incomplete personal data concerning you. We make reasonable efforts to keep personal data in our possession or control which are used on an ongoing basis, accurate, complete, current and relevant, based on the most recent information available to us.
4. Right to restriction: You may obtain from us restriction of processing of your personal data, if:
   • You contest the accuracy of your personal data, for the period we need to verify the accuracy;
   • The processing is unlawful and you request the restriction of processing rather than erasure of your personal data;
   • We do no longer need your personal data for the processing purpose but you require them for the establishment, exercise or defense of legal claims; or
   • You object to the processing while we verify whether our legitimate grounds override yours.
5. Right to portability: You have the right to receive your personal data that you have provided to us, and, where technically feasible, request that we transmit your personal data (that you have provided to us) to another organization, if:
   • We process your personal data by automated means;
   • We base the processing of your personal data on your consent, or our processing of your personal data are necessary for the execution or performance of a contract to which you are a party;
   • Your personal data are provided to us by you; and
   • Your right to portability does not adversely affect the rights and the freedoms of other persons.

You have the right to receive your personal data in a structured, commonly used and machine-readable format. Your right to receive your personal data must not adversely affect the rights and the freedoms of other persons. Your right to have your personal data transmitted from us to another organization is a right you have if such transmission is technically feasible.

6. Right to erasure: You have the right to request that we delete the personal data we process about you. We must comply with this request if we process your personal data, unless processing is necessary:
   • For exercising the right of freedom of expression and information;
   • For compliance with a legal obligation which requires processing by Union or Member State law to which we are subject;
   • For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
   • For the establishment, exercise or defense of legal claims.
7. Right to object: You may object – at any time – to the processing of your personal data due to your particular situation, provided that the processing is not based on your consent but on our legitimate interests or those of a third party. In this event we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds and an overriding interest for the processing or for the establishment, exercise or defense of legal claims. If you object to the processing, please specify whether you also wish the erasure of your personal data, otherwise we will only restrict it.

You also have the right to object at any time, regardless of any reason, to the processing of your personal data for direct marketing (which includes profiling to the extent that it is related to such direct marketing), if such processing was based on our legitimate interest. If the marketing was based on your consent, you can withdraw consent (see above).

8. Right to lodge a complaint: You can lodge a complaint to your local data protection supervisory authority or with any other data protection authority in the EU. However, we will appreciate if you first contact us to try and solve your problem – you can find our contact details below.

You can exercise your rights in relation to us by filling out this form (first, choose your country or region, then open and fill out the online form), which will help us to deal with your request properly. The online form contains the information that we need to verify your identity and review your request. For requests submitted by telephone or email, you will need to provide us with sufficient information that allows us to reasonably verify that you are the person whose personal data we collected and describe your request in sufficient detail to allow us to properly evaluate and respond to it. If we are not able to verify your identity for access and deletion requests with the information provided, we may ask you for additional pieces of information. You can exercise these rights in relation to all of the joint controllers mentioned in this notice.

3.2 Your rights under US State Laws

Laws in various states provide rights to you with respect to your personal information. Our General Privacy Statement outlines these rights and how you can exercise those rights in the US.

4. Children’s privacy

Our products and services are not intended to be used by children. We do not intentionally or knowingly solicit, collect or sell any personal data about children under the age of sixteen (16) nor intentionally or knowingly allow children to order our products, communicate with us, or use any of our online services or mobile applications. If a child has provided us with personal data, a parent or guardian of that child may contact us to have that data deleted from our records. If you believe that we might have any data from a child under the age of sixteen (16), please tell us using the contact information listed below. We will take all reasonable steps to delete the child’s data as soon as possible except where necessary to protect the safety of the child or others as required by law.

5 Information security

To protect your personal data from loss, theft, and unauthorized access, use, or disclosure, we have implemented technical, administrative, and physical security measures including, for certain data, 256-bit encryption, access controls, and secure development processes. Unfortunately, no method of transmission over the Internet, or method of electronic storage, is 100% secure or impenetrable.

6 Do not track

We respond to Do Not Track (DNT) signals. DNT is a preference you can set on your web browser to inform websites that you do not want to be tracked. You can enable or disable DNT by visiting the preferences or settings page of your web browser. For more information, visit: https://www.eff.org/issues/do-not-track.

7 Contact information

In order to exercise your rights, please see section 3 above. If you have any other questions regarding the subject matter of personal data protection, you can contact us at the following contact details:

Company: Volvo Car Corporation

Postal Address: Volvo Car Corporation, Assar Gabrielssons Väg, SE-405 31 Gothenburg, Sweden

Website: https://www.volvocars.com/intl/support/contact

Volvo Cars have appointed a Data Protection Officer under GDPR having the following contact details:

E-Mail

Postal Address: DPO, Volvo Car Corporation, Assar Gabrielssons Väg, SE-405 31 Gothenburg, Sweden

8 Changes to this notice

We reserve the right, at our discretion, to modify our privacy practices and update this privacy notice as needed. Whenever we make substantial changes to this notice, and in particular when this notice underlies your consent, we will inform you of the changes. This privacy notice is current as of the date which appears at the top of the document.