Privacy Notice - SUBARU Care Connected Services
Subaru values your privacy and we are therefore open to explain you how we will process your personal and vehicle data (“Personal Data”) when providing the services to which you can subscribe to through your Account (“Account”) and access through the Platform (“Platform”):
- the “Connected Services”
- the “Remote Services’’
- the “Connected Multimedia Services”
Hereafter, in this document, the services listed above are collectively referred to as the (“Services”) and, the Connected- and Remote Services are together referred to as (“Connected Services”).
This privacy notice is focussing on the Connected & Remote Services provided by Subaru when installing the connected app. If you want to get more insights in how Subaru is handling personal data in total we refer to the General Subaru Privacy Policy.
Who are we?
SUBARU EUROPE NV/SA ("Subaru", "we" or "us")
Leuvensesteenweg 555/8
1930 Zaventem
Belgium
0438.574.810
You can contact us via the following contact details:
Per letter: to our registered offices to the attention of the Data Protection Team
Tel.: 0032 2 714 03 00
E-mail: privacy@subaru.eu
Who is responsible for the collection and use of your Personal Data?
When providing Services to you, and depending on your vehicle’s model and on the subscription you took, Subaru is responsible for the processing of your Personal Data. We are what the GDPR refers to as the “controller” of your Personal Data. In concrete terms, this means that Subaru, possibly along with any others, determines the purpose and means for the processing of your Personal Data.
Subaru may collaborate with the following partner acting as joint controller:
• TME (Toyota Motor Europe NV/SA): TME is joint controller as they use data based on your car trips for analysing purposes. More information on how they handle personal data can be found on their privacy statement - https://www.toyota-europe.com/legal/privacy-policy
Why do we collect and use your Personal Data?
We collect and use your Personal Data for the following purposes:
• To provide you the Services and manage your subscription (e.g. create your account, close inactive account, (de)activate your Services, provide you the Services, to renew your Services, …)
• To monitor, analyse, innovate, and improve the quality and performance of our products and services, as well as the products and services of our partners
• To perform updates over the air to update systems and improve functionalities and fix bugs or defects
• To gain aggregated insights into how our vehicles are performing (e.g. but not limited to warning lights, error codes, ...)
• To handle your queries and complaints
• To keep record of your privacy preferences
• To secure, maintain and support our IT systems, applications, and networks
• If reasonably necessary in connection with a dispute or an investigation in which we are or may become involved either directly with you or with a third party
• When we are required by law enforcement authorities, regulators, or courts to disclose your Personal Data
• Where we are legally obliged to process your Personal Data (e.g. we must retain certain billing information pursuant to tax and accounting laws)
We may share your Personal Data with third parties, where the law allows us to do so, for the following purposes:
• Where we are obliged to do so to fulfil our legal obligations, such as our obligations under environmental or competition law.
• Where you have given your consent (or where we are otherwise allowed to do so by law), to enable our network (affiliates, our national distributors and authorised dealer / repairers) to contact you in the framework of the provision/implementation of certain products or services or to conduct product improvement, research and development. Our authorised retailers /repairers are the retailers (companies and sole traders) that are authorized by our national distributors to sell Subaru vehicles. Our national distributors are our national marketing and sales companies that are responsible for (a) establishing and managing our networks of authorised retailers, brand enhancement activities and customer management responsibilities in their national territory, and (b) selling our Subaru vehicles at wholesale level;
• Where we are required by public authorities (e.g. law enforcement authorities), regulators and courts to disclose your Personal Data to them;
• If reasonably necessary in connection with a dispute in which we are or may become involved, we may share your Personal Data with, for example, the other party(ies) involved in the dispute or with a court of law;
Whose Personal Data will be processed?
We process the Personal Data of the person using a vehicle in respect of which there is an active subscription for the Services.
Please note that, if you allow persons to drive or use your vehicle, you have the responsibility to communicate this Privacy Notice to that person, to inform him/her about our processing of his/her Personal Data in the context of the Services.
Prior to transferring the ownership of your vehicle to another person or to a reseller, you must:
• Remove, to the extent technically possible, all data and content (including any Personal Data),
if any, that you have stored on your vehicle and that is accessible from your Account; and
• Remove the vehicle from your Account.
Which Personal Data will be processed?
We will collect and use the categories of Personal Data listed below in connection with the Services.
Note that when referred to in this Privacy Notice, the category of Personal Data may include partly or wholly the specific Personal Data listed under each category.
1. Account information
- Identity information (e.g. title, family and first name, mother tongue);
- Contact information (e.g. mobile number, email address, postal address);
- Information relating to your Account (e.g. preferred contact method, subscription information, communication language preference, authorised dealer / repairer preference);
- Data relating to your privacy preferences (e.g. date you gave your consent; what you consented to; date on which you withdrew your consent; how consent was given (for example from which device));
- Preferred Head Unit settings (e.g. background color, navigation settings, volume settings);
- Any sound or image files that you may upload onto the Platform and/or your Account;
- IP address;
- User’s feedback on specific events or triggers of the Services;
- Data we use to identify your vehicle (e.g. vehicle identification number, the IP address of the
SIM-card that is built into the data communication module in your vehicle);
- App or service usage related data (e.g. login statistics, error message tracking).
2. Location data
- Geolocation information linked to your vehicle and/or your smartphone (e.g. geolocation of your vehicle (longitude and latitude), planned destination, journeys, direction of travel), at precise times;
- Journey information (e.g. recent destinations, favourite destinations).
3. Telematic data
- Driving behaviour (e.g. driving logs, driving speed, acceleration, and brake speed);
- Data we use to identify your vehicle (e.g. vehicle identification number, date of purchase of the vehicle, the IP address of the SIM-card that is built into the data communication module in your vehicle);
- Technical vehicle data (e.g. mileage, fuel consumption, warnings) and diagnostic data (e.g. system failures and warning lights);
- Driving scores which consist of derived data from the other telematic data.
4. Vehicle information
- Information about your vehicle (vehicle Identification Number);
- Head Unit hardware specific information (serial number of device, software version).
5. Security-related data
- We log certain information about your usage of our IT systems, applications, and networks to protect our systems and our customer’s data. For example, during a limited period, we keep logs of who has accessed your connected car data, and when, to be able to investigate any potential threat to the confidentiality, integrity, and availability of your connected car data.
What are the legal bases for Subaru’s use of your Personal Data?
1. Necessary for the performance of our contract with you
For the provision of the Services, we generally process your Personal Data to perform the contract you have subscribed to by accepting the corresponding Terms of Use.
2. Our legitimate interests
Where applicable, we process your Personal Data if this is necessary to pursue our legitimate interests in relation to the provision of the Services, provided that our interests are not outbalanced by your interests or rights and freedoms (e.g. your privacy rights). For example:
• We process your Personal Data to allow our Subaru network partners (e.g. national
distributors, authorised dealers / repairers) to contact you in the framework of maintenance
reminders and crash management;
• Where we want to use your Personal Data in anonymized form to improve our products and services and perform insights and analysis or to develop new products or services, the anonymization of your Personal Data is done on the basis of our legitimate business interest to innovate, to improve our products and services and to develop new products and services;
• To disclose your Personal Data when we are required to do so by law enforcement authorities or the courts.
3. Our legal obligations
We process your Personal Data if this is necessary for us to comply with our legal obligations, including to comply with decisions rendered by courts or public authorities.
4. Based on your consent
In certain instances, we will only process your Personal Data if you have given your prior consent. For example, where you have given your consent, we may process Personal Data:
• To support you in case of vehicle warnings.
You can manage your consent(s) preferences at any time through your Account in the app.
How can I suspend the use of my vehicle’s geolocation?
If you do not want your vehicle’s geolocation data to be used, you can at any time activate the Privacy mode (“Privacy mode”) through the settings in the Head Unit of your vehicle. If the Privacy mode is active, we will cease to use geolocation data.
Please note that, once activated, the Privacy mode will apply to all Services relying on geolocation. Many Services rely (wholly or partly) on the geolocation data from your vehicle. Therefore, when the Privacy mode is active, these Services will be unavailable, or their quality and accuracy may be affected. For example, if you have activated the Privacy mode, you will not be able to use the service allowing you to locate your vehicle and we will not be able to locate your vehicle after a crash notification.
The status of the Privacy mode (active or inactive) remains as you have set it until you decide to change the status. You can check the current status of the Privacy mode through the settings in the Head Unit of your vehicle.
General data collection and retention period summary
The below table provides a summary of the Personal Data that we may use in relation with the Services with an explanation on why we use them and how long they are kept.
Will my Personal Data be transferred to other countries?
Subaru operates globally. Therefore, your Personal Data may be stored and processed by us or our service providers in multiple countries, including countries other than your country of residence or purchase of your vehicle. Your Personal Data may, for example, be transferred to the United Kingdom, Japan or the United States.
If your Personal Data is being transferred to countries located outside of the European Economic Area (“EEA”), we will ensure that appropriate safeguards are taken, such as:
- The transfer falls within the scope of an adequacy decision taken by the European Commission under Article 45 of the GDPR;
- The transfer is governed by the standard data protection contractual clauses, as approved by the European Commission or a data protection authority pursuant to Article 46.2(c) or (d) of the GDPR.
For further information on how we implemented the appropriate safeguards, you can contact us as specified in the section “How can I exercise my privacy rights and contact Subaru?” below.
What are my rights in relation to my Personal Data?
To give you more control over the processing of your personal data, you have various rights at your disposal. These rights are laid down, inter alia, in articles 15-22 of the GDPR.
To exercise these rights, you can contact us by email at the following email address:
privacy@subaru.eu
In order to verify your identity when exercising your rights, and solely for that purpose, we ask you to send us a copy of the front side of your identity card. The image on your electronic identity card shall not be retained by Subaru. We strongly advise you to “blackline” the image before transmitting a copy of your electronic identity card to us.
You can exercise all these rights free of charge, unless your request is manifestly unfounded or excessive (for instance due to its repetitive nature). In such cases, we shall be entitled to charge you a reasonable fee or to refuse to respond to your request.
You have the following rights:
• The right to access the Personal Data we process about you (art. 15 GDPR):
You have the right to be informed by us at any time whether or not we are processing your Personal Data. If we are processing them, you have the right to access these Personal Data and to receive additional information about:
a) the purposes of the processing;
b) the categories of Personal Data concerned;
c) the recipients or categories of recipients (in particular, recipients in third countries);
d) the retention period or, if that is not possible, the criteria for determining that period;
e) the existence of your privacy rights;
f) the right to lodge a complaint with the supervisory authority;
g) the source of the Personal Data if we obtain Personal Data from a third party;
h) whether we are using automated decision-making in respect of you.
If we cannot give you access to your Personal Data (e.g. due to legal obligations), we shall inform you as to why this is not possible.
You can also obtain a free copy of the processed Personal Data in an understandable format. Please note that we may charge a reasonable fee to cover our administrative costs for any additional copy you may request.
• The 'right to be forgotten' (the right to request us to delete your personal data)
(art. 17 GDPR):
In certain cases, you can request that we delete your Personal Data. In this event, please note that we shall no longer be able to offer you certain Services if you exercise this right. Furthermore, your right to be forgotten is not absolute. We are entitled to continue to store your Personal Data if this is necessary for, among other things, the performance of the agreement, compliance with a legal obligation, or the establishment, execution or substantiation of a legal claim. We shall inform you of this in more detail in our response to your request.
• The right to rectification (art. 16 GDPR):
If your Personal Data is incorrect, out of date or incomplete, you can ask us to correct these inaccuracies or incomplete information.
• The right to data portability (art. 20 GDPR):
Subject to certain conditions, you also have the right to have the Personal Data that you have provided to us, transferred by us to another controller. Insofar as technically possible, we shall provide your Personal Data directly to the new controller.
• The right to restriction of processing (art. 18 GDPR):
If any of the following elements apply, you may request us to restrict the processing of your Personal Data:
a) you dispute the accuracy of those Personal Data (in this case, its use shall be limited for a period that allows us to verify the accuracy of the Personal Data);
b) the processing of your Personal Data is unlawful;
c) we no longer need your Personal Data for its purposes, but you need them in establishing, exercising or substantiating a legal claim;
d) as long as no decision has been taken on exercising your right to object to the processing, you may request that the use of your Personal Data be restricted.
• The right to object (art. 21 GDPR):
You can object to the processing of your Personal Data on the basis of your particular situation, if we process your Personal Data on the basis of legitimate interests or on the basis of a task of general interest. In this event, we shall cease the processing of your Personal Data, unless we can demonstrate compelling and legitimate grounds for processing which outweigh your own, or if the processing of the Personal Data is related to establishing, exercising or substantiating a legal claim. You have a right to object at any time to the processing of your Personal Data for direct marketing purposes.
• The right not to be subject to automated decision-making (art. 22 GDPR):
You have the right not to be subject to a decision made exclusively on the basis of automated data processing that significantly affects you or has legal consequences and that is made without substantial human involvement.
You cannot exercise this right in following three situations:
a) when automated decision-making is legally permitted (e.g. to prevent tax fraud);
b) when automated decision-making is based on your explicit consent; or
c) when automated decision-making is necessary for entering into, or performance of a contract (please note: we always endeavour to use less privacy-intrusive methods for entering into or performing the contract).
• The right to withdraw your consent (Art. 7 GDPR):
If your Personal Data are processed on the basis of your consent, you may withdraw this consent at any time upon simple request.
• The right to lodge a complaint
We make every effort to securely protect your Personal Data. If you have a complaint about the way in which we process your Personal Data, you can notify us thereof via our contact details (as mentioned at the beginning of this Privacy Notice), so that we can deal with it as quickly as possible.
You can also lodge a complaint with the competent supervisory authority. You have the right to lodge a complaint about the way we handle or process your Personal Data with your national data protection authority. You can find the national data protection authority in your country on this website: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
Please note that you may exercise the abovementioned rights only in relation to the Personal Data we hold about you in the context of the Services.
How can I exercise my privacy rights and contact Subaru?
For more information about our use of your Personal Data and to exercise your privacy rights, please contact us as follows:
- you can exercise your right of access, right to data portability, right to erasure and right to object, by sending an e-mail to privacy@subaru.eu;
- you can directly rectify your Account-related Personal Data through the Platform.
We will try to comply with your requests as soon as reasonably practicable and always in accordance with the legally prescribed timeframes. Please note that, if we have doubts about your identity, we may require you to provide us a proof of your identity to, for example, prevent unauthorised access to your Personal Data.
Please note that, if you have requested the erasure of your Personal Data, we may still have to retain certain Personal Data if so required or authorised by law.
Changes to this Privacy Notice
Subaru may update this Privacy Notice from time to time, and when we do so, we will re-issue a revised Privacy Notice, and notify you of any changes to the extent required by law. If you have any questions regarding any changes to this Privacy Notice, please contact us as set out in the section “How can I exercise my privacy rights and contact Subaru?” above.
Cookies-and similar technologies
The Subaru app uses cookies or similar technologies to understand how you use the app, clicks and scrolls across the app by way of example, which once analysed will help us improve or personalize products, content, offers or services on the Platform and Subaru websites.
As part of this activity, we will measure the performance of the app in terms of user engagement and acquisition and assess the simplicity and efficiency of app user journeys and functionalities. We produce anonymized statistics in order to measure behavioural characteristics such as location, mobile app usage and thus we can identify potential areas of improvements and instability issues.
Regarding our use of cookies, please specifically consult our Cookie policy.