SEAT & CUPRA CONNECT PRIVACY POLICY

1. General information about the data processing

With this data protection statement, we hereby inform you of the collection, processing and use of your personal data when using SEAT / CUPRA CONNECT's online mobile services, (hereinafter "SEAT CONNECT / CUPRA CONNECT") via your user account, in accordance with the provisions of regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regards to the processing of personal data and on the free movement of such data (hereinafter "GDPR") as well as Organic Law 3/2018, Spanish Data Protection Act (LOPDGDD), and other local regulations that complement it.

SEAT, S.A.U. (hereinafter "SEAT") manufactures vehicles with connectivity that generate information. It also offers services related to the vehicle through the SEAT CONNECT / CUPRA CONNECT Application. The aforementioned systems have their own privacy policies as they offer specific services and functionalities in addition to those of the vehicle. To register in SEAT Systems, a SEAT/CUPRA ID must be created, therefore the data (email token and password) are transferred to your vehicle and related applications. This means that the services available for your vehicle, licence durations and other kinds of information are associated with your SEAT / CUPRA ID. Your vehicle also transfers data to SEAT / CUPRA CONNECT backends to provide consistent information among systems: the vehicle and the SEAT / CUPRA CONNECT Application. More details about this are contained in this Privacy Policy.

2. Who is the data controller of your personal data?

Identity:SEAT, S.A.U with Tax Identification Number A-28 049 161
Address:Autovía A-2, Km. 585, Martorell (Barcelona)
Email:SEAT: customercare@seat.es CUPRA: customercare@cupraofficial.es

3. What data do we process, for what purposes and what is the legal basis?

3.1. Data processing for SEAT CONNECT / CUPRA CONNECT Services

In the context of functionalities offered by SEAT CONNECT / CUPRA CONNECT, and subject to the following purposes, SEAT / CUPRA will subsequently process the following data categories for the purposes described below:

These data will be processed for the specific purposes of:

For SEAT CONNECT / CUPRA CONNECT App registration and access to the connected functions in the vehicle, a SEAT / CUPRA ID is required.

Therefore, the use of CONNECT services is only possible after logging in with the SEAT/CUPRA ID and successful enrolment of the car.

The data provided during the SEAT/CUPRA ID registration are processed during the use of CONNECT functions and services. You can read more about the SEAT/CUPRA ID conditions and privacy policy here.

To provide some of these services and assistance during your trips, it will be necessary to geolocate your position and vehicle. You have the option to select the privacy mode in your vehicle menu, which will enable or disable SEAT CONNECT / CUPRA CONNECT functionalities using this technology.

SEAT will process your personal and vehicle data for the aforementioned purposes, considering that the legal basis for this processing is the performance of the contract, i.e., the Terms and Conditions of SEAT CONNECT / CUPRA CONNECT (see SEAT CONNECT / CUPRA CONNECT Apps for this) according to article 6.1. letter b of the GDPR.

3.2. Anonymised data for automated driving

Depending on the vehicle model and, if the functionality is activated, SEAT will anonymise the vehicle data for automated driving research and development. These data will be pulled by vehicle sensors and sent to a server where it is immediately anonymised and used by SEAT and its partners, such as Volkswagen Group companies**, to research and develop automated driving. On the basis of these data, a simulation environment is created that enables future automated driving functions to be tested in realistic conditions and can be compared in the outcome with the actual driver’s preferred behaviour.

The legal basis for data collection by extracting data from the vehicle is legitimate interest (article 6.1. letter f of the GDPR). The aims stated above for the research, development and safeguarding of automated driving functions can only be achieved by means of a large database with information from the widest possible variety of traffic scenarios based on real journeys. Classic endurance testing is no longer sufficient at this point because the data must consist of as many different driving scenarios as possible, whose environmental and traffic situations can only be recorded in algorithms in real road traffic. On these grounds, SEAT has a legitimate interest in processing the data and creating an anonymous database. You can learn more here. You may object to this processing at any time by disabling the function yourself in your car's privacy settings.

3.3. Marketing & Profiling activities

Additionally, and only if you have provided your explicit consent, SEAT will also process your personal data for the following purposes:

The lawful basis for processing your personal data for these purposes is your consent, according to article 6.1.a) of the GDPR. You can manage or revoke your consent at any time in the SEAT ID Portal: seatid.vwgroup.io/account or by sending an email to customercare@seat.es / customercare@cupraofficial.com, depending on the brand of your car. Your withdrawal of consent will not affect the lawfulness of the processing based on consent prior to withdrawal.

3.4. Data disclosure to the SEAT Importer or the SEAT/CUPRA Service Partner

The lawful basis for processing your personal data for these purposes is your consent, according to article 6.1.a) of the GDPR. If you have given your consent to the disclosure of your data to the SEAT Importer or the SEAT/CUPRA Service Partner and you wish to withdraw it, you should contact the Importer or SEAT/CUPRA Service Partner as the data controller of these communications. You can also revoke this consent through the SEAT CONNECT / CUPRA CONNECT App by disabling the Favourite Service Partner option. Your withdrawal of consent will not affect the lawfulness of the processing based on consent prior to withdrawal.

3.5. Processing activities related to the safety and conformity of your connected vehicle

SEAT will monitor the status and alerts transmitted by your vehicle in order to ensure safety-related aspects, and also to detect possible errors, analyse them, then propose and implement improvements and solutions. Once collected, these data may be linked to technical production data and previous visits to the garage, in order to draw conclusions that are important for the safety and proper functioning of the vehicle. Appropriate security measures will be applied at all times to ensure the security of the data processed, including anonymisation, unless it is necessary for the Entity to process the VIN. The legal basis for this data processing is the Entity's legitimate interest (art. 6.1. f) of the GDPR) as the manufacturer of the vehicle and provider of the CONNECT service, in order to detect errors that affect the safety and quality of the product and service, thereby resulting in a direct benefit for the user. Without access to this information, SEAT would be unable to detect errors and improvements. With respect to this processing, the Entity has determined the existence of compelling legitimate grounds, which, as stipulated in article 21.1 of the GDPR, do not allow the data subject to exercise his or her right of objection.

3.6. Processing activities related to the optimisation and development of vehicle functions and the use of connected services

In order to optimise and improve your vehicle functions and adapt these to customer expectations and market developments in general, and in particular to achieve further and new developments of innovative functions, your vehicle generates various functional and technical data (for example, vehicle use, fuel consumption, status, control and infotainment data). This information will be associated with your VIN and vehicle IP. SEAT will not use these data to create profiles or evaluate them on the basis of individual vehicles. Furthermore, no data attributes will be used to create profiles or draw conclusions about your behaviour or behaviour patterns during the use of your vehicle. As soon as this information has been collected, appropriate security measures will be taken to ensure the security of the processed data, including anonymisation, unless it is strictly necessary for the Entity to process the VIN. SEAT will process the above data within the framework of time-limited activities in order to optimise the range of vehicle functions and adapt these to customer expectations, on the basis of safeguarding its legitimate interests or those of a third party, unless overridden by interests or fundamental rights and freedoms which require the protection of personal data (Art. 6.1.f) of the GDPR). You can deactivate data transmission via your vehicle privacy settings. If you wish to object definitively to the processing of your personal data, please contact our customer service department.

3.7. Third-party services and applications

You may be able to connect your smartphone to the vehicle in order to control it through the in-vehicle system (using apps such as Android Auto or Apple CarPlay). This integration allows the use of selected smartphone apps. The type of data processing performed is determined by the provider of the respective app used. You can obtain more information and set the selection via the respective app and your smartphone operating system. Additionally, under certain premises, you may be able to use apps for which third parties are responsible, for example, Google or Spotify, among others, in combination with the entertainment services offered by the Entity through the CONNECT services. The Entity will not be held liable at any time for such processing.

Extended Vehicle: Extended Vehicle allows you, as a Primary user, to enable other third parties (e.g. insurance companies, garages, petrol stations, charging station operators, etc.) to access the vehicle's telematics data (e.g. mileage, location, status of vehicle components, etc.) to obtain extra services. These data are generated by the vehicle as part of the activation and use of CONNECT services and are stored in SEAT backends. The prerequisite for this is that you have explicitly enabled the access to share the data with the applicable third party on the SEAT/CUPRA Extended Consents website. These third parties need to access these data to offer you specific services and fees (e.g. telematics tariffs). All the applicable use cases and associated data will be available on the SEAT Extended Consents website. The third party is independently responsible for the data processing. Please contact the third party directly and read the third party's terms of use and privacy policy before enabling the data access. You can grant or withdraw your authorisation for sharing simply by clicking here. Other users of the vehicle may request information regarding Extended Vehicle directly from you, as the Primary User. Every user of the vehicle is able to deactivate data collection in the vehicle via the privacy settings in the vehicle. If the Primary User changes the privacy setting to a mode that does not permit the gathering or sharing of information with third parties, no further data will be sent to the third party, and it will be possible to restrict the services and fees provided by them. The data are disclosed by SEAT to the applicable third party in the execution of a contract or in steps prior to entering into a contract, insofar as this is necessary (Article 6.1. b) of the GDPR) for you, as the Primary User. For Secondary and Guest Users, the transfer of data is necessary for the purposes of the legitimate interests pursued by SEAT/CUPRA or a third party. The purpose is to enable third parties to offer individual and personalised services to the Primary User, as the main user of the vehicle.

4. Who are the recipients of your personal data?

The disclosure of your personal and vehicle data to third parties will only occur in the following cases:

a) In compliance with the corresponding legal obligations. SEAT, as the vehicle's authorised manufacturer, will be required, at the request of the competent authorities, to process and report certain data stored in the vehicle related to the vehicle owner. Some of these obligations may arise from the investigation of criminal offences, traffic accidents, control of second-hand sales, etc. Thus, data may be disclosed concerning the vehicle's functioning, use, control, status and technical data associated with its VIN, such as mileage, speed, acceleration, navigation control, seat belt status, environmental conditions, battery, fluid and pressure statuses, etc. Data processing and notification of the Authorities is covered under SEAT’s compliance with a legal obligation (Art. 6 para. 1, Subs. 1 letter c) of the GDPR), as the vehicle manufacturer.

b) In certain cases of vehicle servicing and repair, it may be necessary for SEAT to process data on your vehicle's fuel consumption and functioning related to its VIN. These data may be processed by SEAT, by the service network (dealers and garages) or by third parties (breakdown service centres), within your vehicle's legal warranty period. SEAT may process these data and disclose them to third-party Entities (garages and dealers) in the case of recall operations covered under compliance with a legal obligation (Art. 6 para 1, Subs. 1 letter c) of the GDPR), as the vehicle manufacturer.

c) If it is necessary for the execution of the contract and, in particular, to offer the SEAT CONNECT / CUPRA CONNECT Services.

d) Likewise, some SEAT CONNECT / CUPRA CONNECT functionalities are provided by third parties, such as Google in the case of the map functionality. In this case, these third parties may process your personal data as a controller, subject to the respective privacy policies that may be accessed through the corresponding application in each case. As a preliminary step before starting to use these services, you must carefully read and accept the respective service provider's Terms and Conditions and Privacy Policy.

Finally, SEAT will provide access to your data to third parties such as Volkswagen AG and IT service providers, acting as data processors and subprocessors for the purpose of being able to offer certain online functions and services related to your vehicle. SEAT uses data servers provided by the Volkswagen Group, which also provides maintenance and technical support for the IT systems. These third parties, and the suppliers of Volkswagen AG, will always process the personal data on our behalf and in accordance with our instructions. Finally, we hereby inform you that the Entity may communicate your data to entities of the VW Group for the purpose of optimising internal group sales and aftersales processes and channels. Such processing is based on the safeguarding of our legitimate interests and for the benefit of you as a client of our cars.

5. Will your personal data be sent outside the EU?

All the processing of your data will be carried out within the European Economic Area and will receive the same level of protection as in the European Economic Area. Additionally, depending on the vehicle model, data might be processed on servers that contract their services outside the European Economic Area guaranteeing the processing of your data with the corresponding safeguards. In this sense, we inform you that our Entity, as part of the VW Group has contracted certain subprocessors including SalesForce, Inc. Amazon Web Services (AWS) and Microsoft Corporation to provide data hosting services. These companies encrypt the data and process them exclusively on data servers located in the European Union. As these Entities are based in the United States of America, access to the data from the United States of America cannot be ruled out, and therefore, corresponding EU standard contract for data protection clauses have been signed to ensure that your personal data are sufficiently protected. You can contact us at dataprotection@seat.es if you would like to obtain a copy of these or if they have been made available to you.

6. How long do we keep your personal data for?

SEAT will keep your personal data generated by SEAT CONNECT / CUPRA CONNECT systems as long as necessary to provide the functionalities included in SEAT CONNECT / CUPRA CONNECT, and, in any event, until you ask for them to be deleted. SEAT will keep your data while the contractual relationship with the client is in force and, after completion, for a maximum period of 10 years according to local legal provisions.

In relation to the data generated by the vehicle and sent to the data server for automated driving research and development, once collected, they are quality controlled and then immediately anonymised. The data are stored for a maximum of 24 hours for anonymisation purposes. The original data are then completely deleted from the vehicle. The anonymisation procedure is reviewed for efficiency and effectiveness and developed on an ongoing basis, taking into account the latest scientific knowledge and the state of the art.

Additionally, SEAT informs that, as your personal data will be stored in your SEAT/CUPRA ID account, if you ask for your SEAT CONNECT / CUPRA CONNECT data to be erased, your personal data will not be deleted from your SEAT/CUPRA ID account, as you may have other SEAT digital services associated. However, you can, at any time, manage your data and privacy settings at https://seatid.vwgroup.io/.

In any case, SEAT will retain your data to comply with any Spanish legal requirements corresponding to each category of data.

7. Users and privacy settings

The online services are available to different users who may use the vehicle. You can log in as a Primary, Secondary, Guest or Anonymous User, depending on the vehicle generation and the desired selection of functions and applications. Please note that in order to enjoy all services and functions, you must log in as a Primary or Secondary user and buy the CONNECT licence. The processing of your personal data is mainly enabled by the execution of the licence and contract for CONNECT services (art. 6.1. b) of the GDPR). If you access as a Guest User, the legal basis for the processing of your data is the legitimate interest of offering you the CONNECT services (art. 6.1. f) of the GDPR). Finally, if you access as an Anonymous User, SEAT will not process your personal information.

Additionally, depending on the vehicle, the privacy modes of the car allow you to select the desired privacy mode, and you can even completely limit access to and the sending of data from the services. Please note that other guest users logged into this vehicle may see your parking position or settings preferences. You can manage the users and the privacy settings via the vehicle Infotainment. In any case, communication may be established to ensure the vehicle's general Internet access or in the event of an accident, for activation of the "eCall system":

8. What are your rights and contact channels?

8.1. Rights definition

As the data subject, you may exercise the following rights:

Should you consider that SEAT has not processed your personal data in accordance with applicable law, you may lodge a complaint with the relevant supervisory authority, www.agpd.es.

8.2. Contact channels

You can manage your personal data regarding SEAT CONNECT / CUPRA CONNECT services at any time in the SEAT ID / CUPRA ID Portal: seatid.vwgroup.io/account or by submitting a written request to SEAT, S.A. – Digital Business & Product Strategy, Autovía A-2 Km. 585, Martorell (Barcelona) or to the following email address customercare@seat.com or customercare@cupraofficial.com depending on your vehicle brand. You must specify the right you wish to exercise. The exercise of these rights is free of charge.

If you wish to exercise your data protection rights before the SEAT Importer or SEAT Service Partner, please contact them directly.

If you have any queries about data protection, or wish to get in touch with the data protection officer ("DPO"), you can also contact our company data protection delegate by sending an email to dataprotection@seat.es.

Version: September 2023