INFORMATION ON DATA PROCESSING IN THE USE OF THE CAR2X FUNCTION

A. General information

With this Privacy Policy, we would like to inform you about the processing of your data for the use of the Car2X function, provided your vehicle is equipped with Car2X and Car2X is active.

You can also find information on data processing in your vehicle outside of Car2X use in the Privacy Policy for the use of mobile online services (CUPRA Connect).

The entity responsible for data processing linked to the Car2X function built into your vehicle is:

B. How do we use your personal data and what is the lawful basis for processing it?

CUPRA will process your personal data for the purposes of providing Car2X functions and promoting traffic safety in your interests and the interests of other road users.

The legal basis for data processing is the safeguarding of legitimate interests (Article 6, paragraph 1, letter f of the General Data Protection Regulation, hereinafter “GDPR”).

To protect your privacy, in the provision of Car2X, data is only processed to the most limited extent possible and transmitted to CUPRA exclusively for the purposes of issuing certificates for your Car2X system.

C. Data recipients

The disclosure of your personal and vehicle data to third parties will only take place in compliance with the corresponding legal obligations.

On the other hand, CUPRA will give access to data to third parties acting as data processors in order to be able to offer this functionality. For instance, CUPRA contracts its data servers and the development and management of the Car2X function to Volkswagen AG and Audi AG, both located in Germany and belonging to the same business group as CUPRA, which will be considered our data processors. These third parties will always process the personal data on our behalf.

Additionally, Volkswagen AG has contracted the Amazon Web Services Inc. (AWS) cloud for data storage. AWS processes the data in accordance with Volkswagen’s instructions as a sub-processor. At AWS, the data is encrypted according to agreements made with Volkswagen and processed exclusively on data servers in the European Union. A corresponding EU standard data protection agreement (appropriate guarantee for data processing in non-European countries) was concluded accordingly to ensure sufficient protection of your personal data.

D. How long do we retain your personal data?

CUPRA will retain your personal data as long as necessary to provide you with the mentioned functionality and, in any event, until you ask for its erasure or object to its processing. In any case, we will retain your data to comply with any legal requirements corresponding to each category of data.

E. What are your rights as an affected individual?

You can exercise the following rights before CUPRA in your capacity as a data subject:

You can exercise these rights (i) by sending a written request to CUPRA Customer Service department, Autovía A-2, Km. 585 (08760) Martorell, Barcelona (Spain) or (ii) by sending an email message to the email address customercare@cupraofficial.com. The exercise of these rights is free of charge at any time, except in the case of manifestly unfounded or excessive requests.

If you consider that CUPRA has not processed your personal data in accordance with the applicable regulations, you also have the right to lodge a complaint with a supervisory personal data authority (e.g. with the Spanish Data Protection Authority through www.aepd.es) regarding our processing of your data.

F. Additional information about the function

Car2X communications

I. Principles

Your vehicle is equipped with a Car2X function. If you activate this function, your vehicle is capable of exchanging important traffic information, e.g. regarding accidents or traffic jams, with other road users or infrastructure, as long as they also support Car2X functionality. This makes it even safer for you to use the road.

Communication takes place directly between your vehicle and other road users or infrastructure in a surrounding area of around 200 to 800 metres. This range may vary depending on the surrounding environment, e.g. in tunnels or towns.

II. Technical availability and security

To provide the Car2X function, your vehicle uses certain basic functions which also process personal data.

1. Technical availability

To guarantee secure communication with your vehicle and ensure that you can use all services and functions acquired with your vehicle or booked additionally, your vehicle’s VIN and IP address and the time stored in your vehicle are compared with our database. To protect your identity and data, the VIN is pseudonymised as far as possible. We consider our legitimate interests in being able to provide you with services and functions while preventing unauthorised use of our services and functions.

2. IT support service providers

We also use various IT service providers who assist us with maintenance and technical support services. If they obtain access to your personal data, they process this exclusively on our behalf and at our instruction. Contracts for data processing are concluded with them in accordance with Article 28 of the GDPR, ensuring that your data is also subject to our high level of protection with data processors.

III. Data transfer

When you activate the Car2X system, this sends general traffic information to other Car2X users (e.g. other vehicles, infrastructure) on an ongoing basis and allows them to assess the current traffic situation. The following data is transmitted for these purposes: Information on the Car2X sender (temporary ID, type, direction of travel, speed), vehicle information (vehicle dimensions), journey-specific information (acceleration, geographic location), information from vehicle sensors (yaw rate, bend progression, light status, pedal status and steering angle) and route (waypoints, i.e. positioning data on the last 200 to 500 metres of the journey).

The activated Car2X system also transmits additional data to other Car2X users when certain events occur. The events include, in particular, a vehicle stopping, breakdowns, accidents, initiation of an active safety system and the end of traffic jams. Transmission only takes place when an event occurs. The following data is also transmitted: Event information (event type, event time and message time, geographic location, event area, direction of travel) and route (waypoints, i.e. positioning data on the last 600 to 1,000 metres of the journey).

Data sent to other Car2X users is pseudonymised, which means that you are not shown as the sender of the information to other Car2X users. CUPRA has no access to this data and does not store it.

IV. Certificates

To prevent misuse in Car2X communications, Car2X information is signed with a pseudonymised certificate before being sent out. Based on the signatures, the receiving Car2X system can check whether a Car2X message is authentic, i.e. sent by a legitimate Car2X sender and not manipulated. The vehicle identification number (VIN) of your vehicle is used and transmitted to a Car2X server in order to be able to assign a unique certificate to your Car2X system. This allows the pseudonymised certificates for Car2X communications to be provided. The Car2X server in question is operated on behalf of CUPRA by NEXUS Technology GmbH, Carl-Zeiss-Strasse 2, 76275 Ettlingen, Germany. To continue improving the security of your data, new certificates are issued to your Car2X system at regular intervals.

Data transmitted during access to the Car2X server is stored for five years following expiry of the relevant certificate’s validity, along with the control unit certificate, the VIN and the initial certificate generation parameters in accordance with the Certificate Policy for Deployment and Operation of European Cooperative Intelligent Transport Systems (C-ITS). It is then deleted automatically.