SEAT & CUPRA CONNECT PRIVACY POLICY

1. General information about the data processing

With this data protection statement, we inform you about the collection, processing and use of your personal data when using the online mobile services of SEAT / CUPRA CONNECT (hereinafter, “SEAT CONNECT / CUPRA CONNECT”) through the user account, in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, "GDPR") as well as the Spanish Data Protection Law 3/2018 (LOPDGDD), and other local regulations that complement it.

SEAT, S.A.U. (hereinafter, “SEAT”) manufactures vehicles with connectivity that generate information. It also offers services related to the vehicle through the SEAT CONNECT / CUPRA CONNECT Application. The aforementioned systems have their own privacy policies as they can offer specific services and functionalities in addition to the vehicle’s. To register in SEAT Systems, a SEAT/CUPRA ID must be created, therefore the data (e-mail token and password) is transferred to your vehicle and related applications. On the other hand, the services available for your vehicle, licence durations and other kinds of information, are associated with your SEAT / CUPRA ID. Your vehicle also transfers data to SEAT / CUPRA CONNECT backends to provide consistent information among systems: the vehicle, SEAT / CUPRA CONNECT Application. More details about this are contained in this Privacy Policy.

2. Who is the data controller of your personal data?

Identity: SEAT, S.A.U with Tax Identification Number A-28 049 161
Address: Autovía A-2, Km. 585, Martorell (Barcelona)
Email: SEAT: customercare@seat.es; CUPRA: customercare@cupraofficial.es

3. What data do we process, for what purposes and what is the legal basis?

3.1. Data processing for SEAT CONNECT / CUPRA CONNECT Services

In the context of the functionalities offered by SEAT CONNECT / CUPRA CONNECT, SEAT / CUPRA will process the following data categories for the purposes described below:

This data will be processed for the specific purposes of:

For SEAT CONNECT / CUPRA CONNECT App registration and access to the connected functions in the vehicle, a SEAT / CUPRA ID is required.

Therefore, the use of the CONNECT services is only possible after logging in with the SEAT/CUPRA ID and successfully enrolling the car.

The data provided in SEAT/CUPRA ID registration is processed during the use of CONNECT functions and services. You can read more about the SEAT/CUPRA ID conditions and privacy policy here.

To provide some of these services and assistance during your trips, it will be necessary to geo-locate your position and vehicle. You have the option to select the privacy mode in your vehicle's menu which will enable or disable SEAT CONNECT / CUPRA CONNECT functionalities using this technology.

SEAT will process your personal and vehicle data for the aforementioned purposes, considering that the legal basis for the processing is the contract performance, that is, the Terms and Conditions of SEAT CONNECT / CUPRA CONNECT (see SEAT CONNECT / CUPRA CONNECT Apps for this) according to article 6.1., letter b of the GDPR.

3.2. Anonymised data for automated driving

Depending on the vehicle model and, if the functionality is activated, SEAT will anonymise the vehicle’s data for automated driving research and development. This data will be pulled by vehicle sensors and sent to a server where it is immediately anonymised and used by SEAT and its partners, such as the companies of Volkswagen Group, to research and develop automated driving. On the basis of this data, a simulation environment is created which enables the testing of future automated driving functions in realistic conditions and can be compared in the outcome with the real driver’s preferred behaviour.

The legal basis for collecting and extracting data from the vehicle is the legitimate interest (article 6.1, letter f of the GDPR). The aims stated above for the research, development and safeguarding of automated driving functions can only be achieved by means of a significant database covering the widest possible variety of traffic scenarios based on real journeys. Classic endurance testing is no longer sufficient at this point because the data must consist of as many different driving scenarios as possible, whose environmental and traffic situations can only be recorded in the algorithms in real road traffic. On these grounds, SEAT has a legitimate interest in the processing of data and building an anonymous database. You can learn more here. You may object to this processing at any time by disabling the functionality yourself in the privacy settings of your car.

3.3. Marketing & Profiling activities

Additionally, and only if you have provided your explicit consent, SEAT will process your personal data for the following additional purposes:

The lawful basis for processing your personal data for these purposes is your consent, according to article 6.1.a) of the GDPR. You can manage or revoke your consent at any time in the SEAT ID Portal: seatid.vwgroup.io/account or by sending an e-mail to customercare@seat.es / customercare@cupraofficial.com, depending on your car’s brand. Withdrawing your consent will not affect the lawfulness of processing based on consent before its withdrawal.

3.4. Data disclosure to SEAT Importer or to SEAT/CUPRA Service Partner

The lawful basis for processing your personal data for these purposes is your consent, according to article 6.1.a) of the GDPR. If you have given your consent to the disclosure of your data to a SEAT Importer or SEAT/CUPRA Service Partner and you want to withdraw it, you should contact the Importer or SEAT/CUPRA Service Partner as data controller of these communications. You can also revoke this consent through the SEAT CONNECT / CUPRA CONNECT App by disabling the Favourite Service Partner Option. Withdrawing your consent will not affect the lawfulness of processing based on consent before its withdrawal.

3.5. Processing activities related to the safety and conformity of your connected vehicle

SEAT will monitor the status and alerts transmitted by your vehicle in order to ensure safety-related aspects, and also to detect possible errors, analyse them, then propose and implement improvements and solutions. Once collected, this data may be linked to technical production data and previous visits to the garage to draw conclusions that are important for the vehicle's safety and proper functioning. Appropriate security measures will be applied at all times to ensure the security of the data processed, including its anonymisation, unless it is necessary for the Entity to process the VIN. The legal basis for this data processing is the Entity's legitimate interest (art. 6.1 f) of the GDPR) as manufacturer of the vehicle and provider of the CONNECT service, in order to detect errors that affect the safety and quality of the product and service, thereby resulting in a direct benefit for the user. Without access to this information, SEAT would be unable to detect errors and improvements. With respect to this processing, the Entity has determined the existence of compelling legitimate grounds, which, as stipulated in article 21.1 of the GDPR, do not allow the data subject to exercise his or her right of objection.

3.6. Processing activities related to the optimisation and development of vehicle functions and the use of connected services

In order to optimise and improve your vehicle's functions and adapt them to customer expectations and market developments in general, and in particular to achieve further and new developments of innovative functions, your vehicle generates various functional and technical data (for example, vehicle usage, fuel consumption, status, control and infotainment data). This information will be associated with your VIN and vehicle IP. SEAT will not use this data to create profiles or evaluate them on the basis of individualised vehicles. Furthermore, no data attributes will be used to create profiles or draw conclusions about your behaviour or behaviour patterns during use of your vehicle. As soon as this information has been collected, appropriate security measures will be applied to ensure the security of the data processed, including its anonymisation, unless it is strictly necessary for the Entity to process the VIN. SEAT will process the above data within the framework of time-limited activities in order to optimise the range of vehicle functions and adapt them to customer expectations, on the basis of safeguarding its legitimate interests or those of a third party, unless overridden by interests or fundamental rights and freedoms which require the protection of personal data (Art. 6.1.f) of the GDPR). You can deactivate data transmission through your vehicle's privacy settings. If you wish to object definitively to the processing of your personal data, please contact our customer service department.

3.7. Third-party services and applications

You may be able to connect your Smartphone to the vehicle in order to control it through the in-vehicle system (using apps such as Android Auto or Apple CarPlay). This integration allows the use of selected Smartphone apps. The type of data processing performed is determined by the provider of the respective app used. You can obtain more information and set the selection via the respective app and your Smartphone's operating system. Additionally, under certain premises, you may be able to use apps that third parties are responsible for, for example, Google or Spotify, among others, in combination with the entertainment services offered by the Entity through the CONNECT services. The Entity will not be held liable at any time for such processing.

Extended vehicle: Extended Vehicle allows you, as a Primary User, to enable other third parties (e.g., insurance companies, garages, petrol stations, charging station operators…) to access the vehicle's telematics data (e.g., mileage, location, status of vehicle components etc.) to obtain extra services. This data is generated by the vehicle as part of the activation and use of CONNECT services and is stored in SEAT backends. The prerequisite for this is that you have explicitly enabled the access to share the data with the applicable third party on the SEAT/CUPRA Extended Consents website. These third parties need to access this data to offer you specific services and fees (e.g., telematics tariffs). All the applicable use cases and associated data will be available on the SEAT Extended Consents website. The third party is independently responsible for the data processing. Please contact the third party directly and read the third party's terms of use and privacy policy before enabling the data access. You can grant or withdraw your authorisation for sharing simply by clicking here. Other users of the vehicle can request information regarding Extended Vehicle directly from you, as the Primary User. Every user of the vehicle is able to deactivate data collection in the vehicle via the privacy settings in the vehicle. If the Primary User changes the privacy setting to a mode that does not permit the gathering or sharing of information with third parties, no further data will be sent to the third party, which may restrict the services and fees provided by them. The data is disclosed by SEAT to the applicable third party in the execution of a contract or in steps prior to entering into a contract, insofar as this is necessary (Article 6.1 b) GDPR) for you, as the Primary User. For Secondary and Guest Users, the transfer of data is necessary for the purposes of the legitimate interests pursued by SEAT/CUPRA or of a third party. The purpose is to enable third parties to offer individual and personalised services to the Primary User, as the main user of the vehicle.

4. Other recipients to whom your data may be disclosed

The disclosure of your personal and vehicle data to third parties will only occur in the following cases:

a) In compliance with the corresponding legal obligations. SEAT, as the vehicle's authorised manufacturer, will be required, at the request of the competent authorities, to process and report certain data stored in the vehicle related to the vehicle owner. Some of these obligations may arise from the investigation of criminal offences, traffic accidents, control of second-hand sales, etc. Thus, data may be disclosed concerning the vehicle's functioning, use, control, status and technical data associated with its VIN, such as, for example: mileage, speed, acceleration, navigation control, seat belt status, environmental conditions, battery, fluid and pressure statuses, etc. Data processing and notification of the Authorities is covered under SEAT’s compliance with a legal obligation (Art. 6 para. 1, Subs. 1 letter c) of the GDPR), as the vehicle’s manufacturer.

b) In certain cases of vehicle servicing and repair, it may be necessary for SEAT to process data on your vehicle's fuel consumption and functioning related to its VIN. This data may be processed by SEAT, by the service network (dealers and garages) or by third parties (breakdown service centres), within your vehicle's legal warranty period. SEAT may process this data and disclose it to third-party Entities (garages and dealers) in the case of recall operations covered under compliance with a legal obligation (Art. 6 para 1, Subs. 1 letter c) of the GDPR), as the vehicle’s manufacturer.

c) If it is necessary for the execution of the contract and, in particular, to offer the SEAT CONNECT / CUPRA CONNECT Services.

d) Likewise, some SEAT CONNECT / CUPRA CONNECT functionalities are provided by third parties, such as Google in the case of using map functionality. In that case, these third parties may process your personal data as controllers, subject to their respective privacy policies, which may be accessed through the corresponding application in each case. As a preliminary step before starting to use these services, you must carefully read and accept the respective service provider's Terms and Conditions and Privacy Policy.

On the other hand, SEAT will give data access to third parties acting as data processors for the purpose of providing SEAT CONNECT / CUPRA CONNECT services. Below are some cases in which we engage service providers.

  1. SEAT contracts the development and management of the IT program to Volkswagen AG, located in Germany and belonging to the same business group, which will act as SEAT's data processor. Likewise, Volkswagen AG provides us with the service for managing the relation between the requests of the customer and the SEAT Service Partner for the alerts and appointments, and for this purpose it has contracted Salesforce, Inc., an entity based in the United States of America, which is considered a subprocessor. As this is an international transfer of personal data, it is carried out subject to appropriate safeguards according to the GDPR, through the signing of the standard data protection clauses adopted by the Commission.

  2. Additionally, the data collected by SEAT within the framework of SEAT CONNECT / CUPRA CONNECT is stored in the AWS cloud and, therefore, is transferred to Amazon Web Services (AWS). AWS processes the data on our behalf and in accordance with our instructions within the European Economic Area.

5. How long do we keep your personal data for?

SEAT will keep your personal data generated by SEAT CONNECT / CUPRA CONNECT systems as long as necessary to provide you with the functionalities included in SEAT CONNECT / CUPRA CONNECT, and, in any event, until you ask for its deletion. SEAT will keep your data while the contractual relationship with the client is in force and, after completion, for a maximum period of 10 years according to local legal provisions.

The data generated by the vehicle and sent to the data server for automated driving research and development is, once collected, quality controlled and then immediately anonymised. The data is stored for a maximum of 24 hours for anonymisation purposes. The original data is then completely deleted from the vehicle. The anonymisation procedure is reviewed for efficiency and effectiveness and developed on an ongoing basis taking into account the latest scientific knowledge and the state of the art.

Additionally, SEAT informs you that, as your personal data will be stored in your SEAT/CUPRA ID account, if you ask for SEAT CONNECT / CUPRA CONNECT data erasure, your personal data will not be deleted from your SEAT ID / CUPRA ID account, since you could have other SEAT digital services associated with it. However, you can, at any time, manage your data and privacy settings at https://seatid.vwgroup.io/

In any case, SEAT will retain your data to comply with any Spanish law requirements corresponding to each category of data.

6. Users and Privacy settings

The online services are available to different users who may use the vehicle. You can log in as a Primary, Secondary, Guest or Anonymous User, depending on the vehicle generation and the desired selection of functions and applications. Please note that in order to enjoy all services and functions, you must log in as a Primary or Secondary user and buy the CONNECT licence. The processing of your personal data is mainly enabled by the execution of the licence and contract for CONNECT services (art. 6.1. b) GDPR). If you access as a Guest User, the legal basis for the processing of your data is the legitimate interest of offering you the CONNECT services (art. 6.1 f) of the GDPR). Finally, if you access as an Anonymous User, SEAT will not process your personal information.

Additionally, depending on the vehicle, the privacy modes of the car allow you to select the desired privacy mode, and you can even completely limit access to and the sending of data from the services.

7. What are your rights and contact channels?

7.1. Rights definition

You can exercise the following rights in your capacity as data subject:

Should you consider that SEAT has not processed your personal data in accordance with applicable law, you can lodge a complaint with the relevant supervisory authority, www.agpd.es.

7.2. Contact channels

You can manage your personal data regarding SEAT CONNECT / CUPRA CONNECT services at any time in the SEAT ID / CUPRA ID Portal: seatid.vwgroup.io/account or by submitting a written request to SEAT, S.A. – Digital Business & Product Strategy, Autovía A-2 Km. 585, Martorell (Barcelona) or to the following email address customercare@seat.com or customercare@cupraofficial.com depending on your vehicle brand. You must specify the right you wish to exercise. The exercise of these rights is free of charge.

If you wish to exercise your data protection rights before the SEAT Importer or SEAT Service Partner, please contact them directly.

If you have any doubts about data protection, or wish to get in touch with the data protection officer (“DPO”), you can also contact our company data protection delegate by sending an email to dataprotection@seat.es.