(Version dated: March 2025- The Privacy Policy is updated regularly. The current version can always be found online at https://consent.vwgroup.io/consent/v1/texts/VWConnectTouareg/ie/en/dataprivacy_car/latest/html)
This privacy policy provides information on the processing of personal data by Volkswagen AG when using the vehicle. The “Privacy Policy for the use of Volkswagen AG mobile online services (VW Connect)” provides information when the Volkswagen AG mobile online services are used in the vehicle. The Privacy Policy can be accessed in the vehicle under “Legal information” or online at https://consent.vwgroup.io/consent/v1/texts/VWConnectTouareg/ie/en/dataprivacy_T/latest/html .
As a German company, Volkswagen AG is bound to German law and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)(“GDPR”). This also applies when Volkswagen AG processes personal data of persons with a permanent residence outside of Germany. Part I of this Privacy Policy contains information on the processing of personal data as required by German law and the GDPR.
To some extent, Volkswagen AG may also be bound by national legislation of other countries. Persons with a permanent residence in one of the countries specified in Part II of this Privacy Policy, can find further information in that section.
The responsible office for the processing of personal data is Volkswagen AG (hereafter also referred to as “we” or “us”).
Volkswagen AG can be reached at:
Volkswagen AG
Berliner Ring 2
38440 Wolfsburg
Germany
Tel.: +49-5361-9-0
Register of companies number HRB 100484 (Braunschweig district court)
Our data protection officer is your contact person for all matters relating to data protection.
Please address requests to:
Datenschutzbeauftragter der Volkswagen AG
Berliner Ring 2
38440 Wolfsburg
Germany
dataprivacy@volkswagen.de
Data subject rights can also be exercised by using the email address info-datenschutz@volkswagen.de (Germany) and privacy@volkswagen.de (outside of Germany) or our Volkswagen Privacy Portal https://www.datenschutz.volkswagen.de. You can select the desired language in the Volkswagen Privacy Portal.
For further information on data subject rights, refer to Part D of this Privacy Policy.
Control units are installed in the vehicle. Control units process data that they receive from vehicle sensors, generate themselves or exchange with other control units, for example. Some control units are required for the safe functioning of the vehicle, others provide support while driving (driver assist systems), and others enable convenience or Infotainment functions. The vehicle also has one or more connection units in which a SIM card is installed allowing the vehicle to be used online. This allows data to be sent from the vehicle for specific purposes. In addition, the vehicle is equipped with an on-board diagnosis interface, which enables data to be read out from the control units, e.g., by vehicle service centres.
Each vehicle is identified with a unique vehicle identification number. This vehicle identification number (“VIN”) can be used to trace the present and former owners of the vehicle by submitting an enquiry to the responsible authority in the respective country. There are also other ways of tracing data collected from the vehicle back to the owner or driver, e.g. via the vehicle registration number. Therefore, the data generated or processed by control units can be personal – or can be considered personal under certain conditions. Depending on the vehicle data available, it may be possible to draw conclusions, for example, about the driving behaviour, the location, the driving route or the usage behaviour.
As soon as personal data is retrieved from the vehicle and transmitted to us, we are responsible for it under data protection legislation. This Privacy Policy contains information on how we process this data.
The data stored in the control units can be read out by employees of the service network (e.g., vehicle service centres, manufacturers) or third parties (e.g., roadside assistance services) via the legally required OBD connection in the vehicle. The operating data that is read out documents technical statuses of the vehicle or individual components and helps, for example, with fault diagnosis, compliance with warranty obligations and quality improvement. This data, particularly information on component stress, technical events, operating errors and other faults, is transmitted to us for this purpose (together with the VIN where necessary).
Information on data retrieved by us for processing is available at the Volkswagen dealership.
The vehicle is equipped with a radio network connection that enables the exchange of data between the vehicle and other systems (such as the Volkswagen data server or third-party provider servers). The radio network connection is made possible by one or more on-board connection units. Telecommunication and online functions can be used via this radio network connection. This includes mobile online services and applications/apps.
The vehicle can be set to online or offline mode at any time using the privacy settings.
If the vehicle is in offline mode, no personal data is usually sent from the vehicle to the Volkswagen data server or other recipients. In this case, data processing only takes place locally in the vehicle. An exception applies for the provision of the manufacturer-owned “Emergency Call Service”, for example. We are providing information on these exceptions in this Privacy Policy or in the corresponding privacy policy for the respective function.
In online mode, it is possible to choose whether or not location data based on the GPS signal from the vehicle may be sent.
To provide the vehicle with online capability, a SIM card is installed at the factory. To ensure proper connectivity, the telecommunications service provider (Cubic Telecom GmbH, Landshuter Allee 8-10, 80637 München, Germany) receives a notification as soon as the SIM card is installed in the vehicle to inform them which SIM card has been assigned to which vehicle identification number (VIN).
The vehicle also connects to the Volkswagen data server once (usually before it is handed over to the customer at the dealership, but no later than when the vehicle has an initial mileage of 25 km), regardless of current privacy settings, so that software certificates can be updated; the vehicle is then registered on the Volkswagen data server. The vehicle mileage (km), the vehicle identification number (VIN) and the SIM card details are processed for this purpose. The purpose of this configuration process is to enable the vehicle for the Internet. Only then does it become possible to use the vehicle’s online functions. If the vehicle was in offline mode immediately before the start of the configuration process, it will automatically return to offline mode after completion of the configuration process. On our data server, we also record whether the update and registration process was successful or whether errors occurred so that our Customer Care team can provide the best possible assistance in the event of technical problems.
Data is processed to fulfil the sales contract for the Internet-enabled vehicle between the vehicle purchaser and the dealership.
When the vehicle is in online mode, certain data (including personal data; see below) is transmitted from the vehicle to the Volkswagen data server to ensure a secure connection and enable online functions to run properly and in a technically secure manner. This is a necessary prerequisite to ensure secure communication with the Volkswagen data server to combat cyber attacks by third parties and to identify and eliminate malfunctions.
Data exchange also takes place between the vehicle and the Volkswagen data server so that Volkswagen AG's “VW Connect” mobile online services for your vehicle can be activated at any time.
We process the personal data specified below for the aforementioned purposes:
Whenever the vehicle enters online mode, it has to authenticate itself on the Volkswagen data server. The VIN, the IP address and the SIM card number of the vehicle are processed. The vehicle must also have the correct time in order to check the validity of the certificates transmitted from the vehicle for secure communication. Therefore, the time of the vehicle systems is synchronised with the time of the Volkswagen data server when switching on and operating the ignition.
In addition, log files containing the VIN, IP address, time stamp and, where applicable, fault information are created and evaluated so that faults, technical malfunctions and security threats can be detected and eliminated early on. Data processing is based on the overriding legitimate interest to warrant the integrity, availability and capacity of the vehicle systems and thereby vehicle security (Article 6(1)(f) GDPR). In the event of a fault being detected, we may process the contact details we hold on file to contact the customer should the need arise.
Data processing is carried out for the purpose of fulfilling the sales contract for the Internet-enabled vehicle between the vehicle purchaser and the dealership and, if applicable, for initiating the contract or fulfilling the “VW Connect” contract (Article 6(1)(b) GDPR).
The “Emergency Call Service” is functional not only in online mode but also in offline mode. However, if the vehicle is in offline mode, a data connection will be established only if you are involved in a traffic accident with the vehicle or make an emergency call using the control that is located in the roof console inside the vehicle.
If the vehicle is involved in a traffic accident, an emergency call will be made automatically – regardless of the selected privacy settings – to the Volkswagen Emergency Call Centre via the “Emergency Call Service”. The vehicle recognises when an accident has occurred via sensors in the airbag and in the belt tensioner and activates the “Emergency Call Service” in this case. Using the control located in the roof console of the vehicle, the customer can also manually report an emergency involving the customer's own vehicle at any time via the “Emergency Call Service”, or request assistance for other road users who are in an emergency situation.
Personal data: Vehicle identification number (VIN), vehicle type, time, location, direction of travel, number of persons in the vehicle, selected Infotainment system language, severity of accident, direction of accident (e.g. frontal or side collision), triggering event, driving type, possibly other information communicated via the voice connection
Legal basis: Article 6(1)(d) GDPR (protection of vital interests)
Other data recipients: Bosch Service Solutions GmbH, Mainzer Landstraße 193, 60326 Frankfurt am Main, Germany. (This recipient will process data only on our behalf and in accordance with our instructions.)
The “Emergency Call Service” function can be deactivated by any participating authorised Volkswagen repairer. Further information is provided in the vehicle wallet of the vehicle.
The vehicle comes enabled with online functionalities without the need to conclude a separate contract. Information on how data is processed when you use these functions online can be found in the settings for the relevant function. The most recently downloaded versions of the corresponding data privacy statements can be reviewed even when the vehicle is in offline mode.
The vehicle can be equipped with the (partially fee-based) “VW Connect and VW Connect Plus” mobile online services, other mobile online services and digital products of Volkswagen AG (such as certain In-Car-Apps). Information on data privacy is available in the corresponding Volkswagen AG Privacy Policies.
With the exception of customers who have concluded a contract for the mobile online services, we do not make software updates (e.g. for control unit software) available via the vehicle’s online connection (“Online Software Update”) for legal reasons. All other registered keepers will continue to receive essential software updates exclusively via their authorised workshop. This means that it is necessary to identify those vehicles for which a VW Connect contract has been concluded before we make an online software update available. For this purpose, it is necessary to verify the VIN of all vehicles that could potentially be eligible to receive a software update by checking their contract statuses. The VIN of vehicles that cannot be provided with an online software update, because no “VW Connect” contract is in place, will then be immediately deleted from the online software update lists. In the case of “VW Connect” customers, data processing is carried out for the purpose of contract fulfilment (Article 6(1)(b) GDPR). For all other registered keepers, it is carried out on the basis of our legitimate interest in being able to provide our “VW Connect” customers with the “Online Software Update/Online System Update” service in the proper manner and with online software updates in conformity with the law (Article 6(1)(f) GDPR). Where this instance of data processing is concerned, we are assisted by CARIAD SE, Major-Hirst-Straße 7, 38442 Wolfsburg, Germany; personal data is processed solely on our behalf and in accordance with our instructions. Further information on the “Online Software Update / Online System Update” service is provided in the Privacy Policy for the use of Volkswagen AG’s “VW Connect” mobile online services, which is available under “Legal information” or online at https://consent.vwgroup.io/consent/v1/texts/WeConnect/ie/en/dataprivacy/latest/html.
The personal data is stored on our behalf and in accordance with our instructions on servers of the following service providers:
CARIAD SE
Major-Hirst-Straße 7
38442 Wolfsburg
Germany
Amazon Web Services, Inc. (“AWS”)
410 Terry Ave. North
Seattle WA 98109
USA
Amazon Web Services EMEA SARL
Avenue John F. Kennedy 38
1855 Luxemburg
Microsoft Ireland Operations Limited
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18
D18 P521
Ireland
AUDI AG
Auto-Union-Straße 1
85057 Ingolstadt
Germany
We also use various IT service providers. These assist us with the maintenance of our IT systems and with technical support, for example. Insofar as the service providers have access to personal data, they will process this data on our behalf and in accordance with our instructions only. IT support is provided in particular by the following service provider:
CARIAD SE
Major-Hirst-Straße 7
38442 Wolfsburg
Germany
For the purposes outlined in this Privacy Policy, Volkswagen AG also transfers personal data to recipients and processors domiciled outside the EU. Volkswagen AG agrees to EU standard contractual clauses with recipients in unsafe third countries to ensure that personal data is adequately protected. The EU standard contract clauses used in the EU languages can be accessed via the URL https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32021D0914.
If required by the applicable data protection legislation, other protective measures (such as encryption and additional contractual provisions) are also put in place to ensure that personal data is adequately protected.
If a customer makes use of the option to use mobile online services of other providers (third parties), these services are subject to the responsibility of the respective provider, as well as their Privacy Policy and Terms of Use. Information about the type, scope and purpose of the collection and use of personal data within the scope of third-party services must be requested from the respective service provider.
Insofar as legal regulations apply, we are obliged to hand over data stored by us to the necessary extent at the request of government agencies (e.g., in the investigation of a criminal offence). The legal basis for the transfer of data to the respective government agency is provided by the respective legal obligation (Article 6(1)(c) GDPR in conjunction with the respective legal obligation). Within the framework of the applicable law, public authorities may also be authorised to read data from vehicles themselves in individual cases. For example, in the event of an accident, information can be read from the airbag control unit that can help to resolve the details of an accident.
You can assert your rights below against Volkswagen AG at any time and free of charge, insofar as personal data is processed by us.
Please note that we do not identify the respective vehicle user, meaning that in the case of multiple vehicle users, we do not know which driver which data relates to. If you assert data subject rights, we will have to check your identity and may ask you to provide additional information or clarification where necessary (in particular, information relating to the period or other circumstances of vehicle use). We can request this additional information so that we can identify the personal data relating to you and make it available to you. We must also ensure when we provide personal data that we do not infringe the rights of other vehicle users.
More information on asserting your rights can be found at: https://datenschutz.volkswagen.de/.
You have the right to request confirmation from us as to whether or not personal data concerning you is being processed and – if it is – to be informed what personal data concerning you is being processed, and also which third parties within and outside the EU have had your data forwarded to them. You also have the right to obtain a copy of the personal data concerning you that is being processed by us.
You have the right to have incorrect or incomplete personal data concerning you rectified by us.
You have the right to demand erasure of your data if the requirements stated in Article 17 GDPR are met. According to this, you can request, for example, that your data be erased if it is no longer necessary for the purposes for which it was collected. In addition, you can request erasure if we process your data on the basis of your consent and you withdraw this consent.
you have the right to request restricted processing of your data if the requirements stated in Article 18 GDPR are met. This is the case, for example, if you dispute the accuracy of your data. You can request that processing is restricted for the period during which the accuracy of the data is being checked.
you have the right to object to the processing of your personal data in the following cases:
• If processing takes place for direct marketing purposes (including profiling for direct marketing purposes).
• If processing (including profiling) takes place on one of the following legal bases:
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (Article 6(1)(e) GDPR).
• Processing is necessary for the protection of our legitimate interests and those of a third party (Article 6(1)(f) GDPR). If you do raise any objection of this kind, we kindly request that you inform us of the reasons why you are objecting to data processing. If you object, we will no longer process your data unless we can prove compelling reasons for processing that outweigh your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.
If data processing is based on consent or contract performance and processing takes place using automated means, you have the right to obtain your data in a structured, commonly used and machine-readable format and to transmit this data to another controller. In addition, you have the right to have the personal data transmitted directly by us to another controller.
Where data processing is based on consent, you have the right to withdraw your consent, free of charge, at any time with effect for the future by sending an email to info-datenschutz@volkswagen.de (Germany), privacy@volkswagen.de (outside of Germany), at the Volkswagen Privacy Portal https://www.datenschutz.volkswagen.de or through the contact details in the site notice.
You also have the right to lodge a complaint with a supervisory authority or another competent data protection authority about our processing of your data. This can, for example, be the data protection authority in your country of residence. A list of all data protection authorities in the European Union can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_de#member-de
Customers domiciled in Jersey have the right to lodge a complaint at the Jersey data protection authority, which can be contacted at https://jerseyoic.org/.
Customers domiciled in the United Kingdom have the right to lodge a complaint at the UK Information Commissioner's Office (ICO), the British regulatory authority for data protection matters, which can be contacted at https://ico.org.uk/.
Besides, from the legal bases described in Part I the legal bases for processing personal data under Albania law is a consent given by the data subjects. The consent of the data subjects is given by using the vehicle in knowledge of the data processing. Data controller representative in Albania:
Porsche Albania Sh.p.k
Autostrada Tirane-Durres
Km. 3, Tirane,1051
dataprotection@porsche.al
In deviation from the legal bases described in Part I the legal bases for processing personal data under the law of Bosnia and Herzegovina is a consent given by the data subjects. The consent of the data subjects is given by using the vehicle in knowledge of the data processing.
Data controller representative in Bosnia and Herzegovina:
PORSCHE BOSNA I HERCEGOVINA
Porsche BH d.o.o. Sarajevo
Porsche Inter Auto BH d.o.o. Sarajevo
BIH-71000 SARAJEVO | Bulevar Meše Selimovića 16
zastita.podataka@porschebh.ba
Personal information obtained from residents in Japan (“Personal Data”) shall be handled in accordance with the following rules in addition to the rules set forth in Part I of this Privacy Policy.
1. Purpose: We will handle the Personal Data in accordance with the Purposes set forth in Part I of this Privacy Policy (“Purposes”), and not use Personal Data for any purpose other than such Purposes. We shall promptly notify the relevant data subjects, or disclose to the public of the Purposes (and any subsequent changes thereof), unless the Purposes have already been disclosed to the public;
2. Collection: We will not obtain any Personal Data through any deceptive, fraudulent, or other wrongful means;
3. Accuracy: We will make reasonable efforts to ensure that Personal Data handled by us is accurate and up to date and within the scope necessary to achieve the Purposes;
4. Retention: We will retain Personal Data in accordance with Section A.IV of Part I, and cease retention as soon as it is reasonable to assume that the Purposes are no longer being served by retention of Personal Data;
5. Protection: We will protect Personal Data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, damage, loss or similar risks. We will adequately supervise processing of Personal Data by our officers, employees, third party vendors and any other parties who process Personal Data on our behalf;
6. Transfer: Without obtaining the prior consent of the relevant data subjects, we will not transfer or provide any part of Personal Data to any individual or entity unless an exception under the APPI applies.
7. Extraterritorial Transfer: Without obtaining the prior consent of the relevant data subjects, we will not transfer or provide any part of Personal Data to any individual or entity located outside Japan, European Union or the United Kingdom unless (a) a transferee is located in a country or area certified by the Personal Information Protection Commission of Japan ("PPC") as having data protection standards equivalent to those of Japan or (b) the transferee has data protection standards equivalent to the standards specified by the PPC; and,
8. Data Subject's Right: If a data subject requests pursuant to the APPI disclosure of Purposes, access to, correction, or deletion of any of Personal Data relevant to such data subject, or lodge a complaint, we will respond to such request or complaint promptly and in accordance with the APPI. Any fee charged to data subjects shall be reasonable.
To the extent data processing falls within the scope of the Swiss Federal Act on Data Protection (FADP), (a) the scope of "personal data" shall be determined in accordance with the FADP, and (b) references to the GDPR shall be understood as references to the FADP.
In addition to the rights listed in the section “Your rights” you also have the right to define directives concerning the fate of your personal data after your death (post-mortem right).