With this Privacy Policy, we would like to inform you about the processing of your data for the use of the Car2X function, provided your vehicle is equipped with Car2X and Car2X is active.
You can also find information on data processing in your vehicle outside of Car2X use in the Privacy Policy for the use of mobile online services (CUPRA Connect).
The entity responsible for data processing linked to the Car2X function built into your vehicle is:
CUPRA will process your personal data for the purposes of providing Car2X functions and promoting traffic safety in your interests and the interests of other road users.
The legal basis for data processing is the safeguarding of legitimate interests (Article 6, paragraph 1, letter f of the General Data Protection Regulation, hereinafter “GDPR”).
To protect your privacy, in the provision of Car2X, data is only processed to the most limited extent possible and transmitted to CUPRA exclusively for the purposes of issuing certificates for your Car2X system.
The disclosure of your personal and vehicle data to third parties only will take place in compliance with the corresponding legal obligations;
On the other hand, CUPRA will give access to data to third parties acting as data processors for the purpose to be able of offering this functionality. For instance, CUPRA contracts its data servers and the development and management of the Car2X function to Volkswagen AG and Audi AG, both located in Germany and belonging to the same business group of CUPRA, which will be considered our data processors. These third parties will process the personal data always on our behalf.
Additionally, Volkswagen AG has contract Amazon Web Services Inc. (AWS) cloud for storage data. AWS process the data in accordance with Volkswagen’s instructions as sub-processors. At AWS the data is encrypted according to agreements made with Volkswagen and exclusively processes on data servers in the European Union. A corresponding EU standard data protection agreement (appropriate guarantee for data processing in non-European countries) was concluded accordingly to ensure sufficient protection of your personal data.
CUPRA will retain your personal data as long as necessary to provide you with the mentioned functionality and, in any event, until you ask for their erasure or objection. In any case, we will retain your data to comply with any legal requirements corresponding to each category of data.
You can exercise the following rights before CUPRA in your condition of data subject:
Access: You can get information if CUPRA processes your personal data, as well as consult your personal data included in the CUPRA files.
Rectification: You can modify your personal data when it´s inaccurate as well as complete those that are incomplete.
Erasure: You have the right, in the event that the requirements specified in article 17 of the GDPR have been met, to demand the erasure of your personal data. Accordingly, you may request the deletion of your data, for instance, if it is no longer necessary for the purposes for which it was collected.
Objection: Insofar as the processing is predicated by an overriding legitimate interest on the part of CUPRA (article 6, paragraph 1, letter f, of the GDPR), you have the right to object to the processing of your personal data. It means that you may request that your personal information not be processed. CUPRA will stop processing the data, except for compelling legitimate reasons, or the exercise or defense of possible claims.
Restriction of the processing: If the requirements of article 18 of the GDPR are met, you can request the restriction of the processing of your personal data in the following cases:
Portability: You can receive, in electronic format, the personal data that you have given us and those that have been obtained from your contractual relationship with CUPRA, as well as to transmit them to another entity.
Right of revocation: Insofar as the data processing is undertaken based upon consent, you have the right to revoke your consent for the data processing, with future effect at any time, free of charge.
You can exercise these rights by sending (i) a written request to CUPRA Customer Service department, Autovía A-2, Km. 585 (08760) Martorell, Barcelona (Spain) or (ii) by sending an email message to the email address customercare@cupraofficial.com. The exercise of these rights is free of charge at any time unless of manifestly unfounded or excessive requests.
If you consider that CUPRA has not processed your personal data in accordance with the applicable regulations, you also have the right to lodge a complaint with a supervisory personal data authority (e.g. with the Spanish Data Protection Authority through www.aepd.es) regarding our processing of your data.
Your vehicle is equipped with a Car2X function. If you activate this function, your vehicle is capable of exchanging important traffic information, e.g. regarding accidents or traffic jams, with other road users or infrastructure, as long as they also support Car2X functionality. This makes it even safer for you to use the road.
Communication takes place directly between your vehicle and other road users or infrastructure in a surrounding area of around 200 to 800 metres. This range may vary depending on the surrounding environment, e.g. in tunnels or towns.
To provide the Car2X function, your vehicle uses certain basic functions which also process personal data.
1. Technical availability
To guarantee secure communication with your vehicle and ensure that you can use all services and functions acquired with your vehicle or booked additionally, your vehicle’s VIN and IP address and the time stored in your vehicle are compared with our database. To protect your identity and data, the VIN is pseudonymised as far as possible. We consider our legitimate interests in being able to provide you with services and functions while preventing unauthorised use of our services and functions.
2. IT support service providers
We also use various IT service providers who assist us with maintenance and technical support services. If they obtain access to your personal data, they process this exclusively on our behalf and at our instruction. Contracts for data processing are concluded with them in accordance with Article 28 of the GDPR, ensuring that your data is also subject to our high level of protection with data processors.
When you activate the Car2X system, this sends general traffic information to other Car2X users (e.g. other vehicles, infrastructure) on an ongoing basis and allows them to assess the current traffic situation. The following data is transmitted for these purposes: Information on the Car2X sender (temporary ID, type, direction of travel, speed), vehicle information (vehicle dimensions), journey-specific information (acceleration, geographic location), information from vehicle sensors (yaw rate, bend progression, light status, pedal status and steering angle) and route (waypoints, i.e. positioning data on the last 200 to 500 metres of the journey).
The activated Car2X system also transmits additional data to other Car2X users when certain events occur. The events include, in particular, a vehicle stopping, breakdowns, accidents, initiation of an active safety system and the end of traffic jams. Transmission only takes place when an event occurs. The following data is also transmitted: Event information (event type, event time and message time, geographic location, event area, direction of travel) and route (waypoints, i.e. positioning data on the last 600 to 1,000 metres of the journey).
Data sent to other Car2X users is pseudonymised, which means that you are not shown as the sender of the information to other Car2X users. CUPRA has no access to this data and does not store it.
To prevent misuse in Car2X communications, Car2X is information is signed with a pseudonymised certificate before being sent out. Based on the signatures, the receiving Car2X system can check whether a Car2X message is authentic, i.e. sent by a legitimate Car2X sender and not manipulated. The vehicle identification number (VIN) of your vehicle is used and transmitted to a Car2X server in order to be able to assign a unique certificate to your Car2X system. This allows the pseudonymised certificates for Car2X communications to be provided. The Car2X server in question is operated on behalf of CUPRA by NEXUS Technology GmbH, Carl-Zeiss-Strasse 2, 76275 Ettlingen, Germany. To continue improving the security of your data, new certificates are issued to your Car2X system at regular intervals. Data transmitted during access to the Car2X server is stored for five years following expiry of the relevant certificate’s validity, along with the control unit certificate, the VIN and the initial certificate generation parameters. It is then deleted automatically.
Data transmitted during access to the Car2X server is stored for five years following expiry of the relevant certificate’s validity, along with the control unit certificate, the VIN and the initial certificate generation parameters in accordance with the Certificate Policy for Deployment and Operation of European Cooperative Intelligent Transport Systems (C-ITS). It is then deleted automatically.