Data protection

Declaration

The following data protection declaration is valid for the utilisation of our online offer www.automuseum-volkswagen.de/en.html (hereinafter referred to as “Website”). We place significant importance on data protection. Your personal data will be collected and processed in compliance with the applicable provisions of data protection law, in particular the General Data Protection Regulation (GDPR).


1 Controller

Responsible for the collection, processing and utilisation of your personal data within the meaning of Article 4 No. 7 GDPR is

Stiftung AutoMuseum Volkswagen, Dieselstraße 35, 38446 Wolfsburg, E-Mail: info@automuseum-volkswagen.de

If you wish to object to the collection, processing or utilisation of your data by us in accordance with these data protection regulations as a whole, or for individual measures, you can address your objection to the controller. You can save and print out this data protection declaration at any time.


2 General purposes of processing

We utilise personal data for the purpose of operating the website and for processing customer enquiries, e.g. regarding opening hours or guided tours through the Volkswagen AutoMuseum, as well as for processing orders in the online shop.


3 Which data do we utilise and why?

3.1 Hosting
The hosting services we utilise are intended for the provision of the following services: infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we employ to operate the website.

We and/or our hosting provider hereby process inventory data, contact data, content data, contract data, usage data, metadata and communication data from customers, interested parties and visitors to this website on the basis of our legitimate interests in an efficient and secure provision of our website in accordance with Article 6 Paragraph 1 S. 1 f) GDPR in connection with Article 28 GDPR.

3.2 Login data
We collect information about you when you utilise this website. We automatically collect information about your usage behaviour and interaction with us and thereby record data about your computer or mobile device. We collect, store and utilise data about every login to our website (known as server log files). The login data include, among others:

- Name and URL of the retrieved data
- Date and time of the access
- Amount of data transferred
- Notifications regarding successful login or access (HTTP response code)
- Browser model and browser version
- Operating system
- Referrer URL (i.e. the last page visited)
- Websites that the user’s system accesses via our website
- Internet service provider of the user
- IP address and the requesting provider

We utilise this log data without allocation to your person or other profiling for statistical evaluations for the purpose of operating our business, for security and optimisation of our website, but also for anonymous recording of the number of visitors to our website (traffic) as well as the extent and type of utilisation of our website and services, as well as for calculation purposes in order to measure the number of clicks received from cooperation partners. Based on this information, we can provide personalised and location-based content, analyse traffic, troubleshoot and remedy errors or faults as well as improve our services.

This also relates to our legitimate interest pursuant to Article 6 Paragraph 1 S. 1 f) GDPR.

We reserve the right to subsequently inspect the log data in the event that there is a justified suspicion of illegal utilisation based on specific, defined evidence. We store IP addresses in the log files for a limited period of time when this is necessary for security purposes or for the provision of services or invoicing for a service e.g. when you utilise one of our offers. After the order process has been terminated or a remittance has been received, we will delete the IP address if this is no longer required for security purposes. We also store IP addresses when we have a specific, defined suspicion relating to a criminal offence in connection with the utilisation of our website. We also store the date of your last visit as a part of your account (e.g. registration, login, clicking on links etc.).

3.3 Cookies
We utilise so-called session cookies to optimise our website. A session cookie is a small text data file that is sent by the respective servers when you visit a website and is then stored temporarily on your hard drive. Such data also contain what is known as a Session ID, which enables various requests to be allocated to your browser during the shared session. This therefore enables your server to be recognised again when you return to our website. These cookies will be deleted once you close your browser. These enable you, for example, to utilise the shopping basket function across several pages.

We also utilise persistent cookies (also small text data files that are stored on your terminal device) to a limited extent, which remain on your terminal device and enable us to recognise your browser again the next time you visit the website. These cookies will be stored on your hard disc and are subsequently automatically deleted after the specified time. Their lifespan is 1 month to 10 years. This enables us to present our services to you in a more user-friendly, effective and secure manner and, for example, to display information on the website that is specifically tailored to your particular interests.

Our legitimate interest in the use of cookies pursuant to Article 6 Paragraph 1 S. 1 f) GDPR is intended to make our website more user-friendly, effective and secure. The following data and information will be stored in the cookies:

- Login information
- Language settings
- Entered search terms
- Information relating to the number of visits to our website as well as the utilisation of individual functions of our Internet presence.

When the cookie is activated, it will then be assigned an identification number and your personal data will not be assigned to this identification number. Your name, your IP address or similar data, which would enable the cookie to be assigned to you, will not be entered in the cookie. Based on the cookie technology involved, we only receive pseudonymous information, for example about which pages of our shop have been visited, which products have been viewed, etc.

You can set your browser in such a way that you will be informed in advance about the use of cookies and can decide in individual cases whether to accept individual cookies or refuse the acceptance of cookies for certain cases or in general or that the cookies will be prevented completely. This could result in the website functionality being reduced.

3.4 Data for fulfilling our contractual obligations
We process personal data that we require to fulfil our contractual obligations, such as name, address, e-mail address, ordered products, invoicing data and payment data. The collection of these data is required for concluding the contract.

The data will be deleted after the expiry of the guarantee and/or warranty periods and statutory retention periods. Data which are linked to the user account (refer to below) will be retained in all cases for as long as the account is active and being managed.

The legal basis for the processing of these data is Article 6 Paragraph 1 S. 1 b) GDPR, as these data are required so that we can fulfil our contractual obligations on your behalf.

3.5 E-mail contact

When you contact us (e.g. via contact form or e-mail), we will then process your details in order to deal with your enquiry and also in the event that follow-up questions could arise. If the data processing is implemented for the execution of pre-contractual measures, which will then be executed at your request and/or if you are already our customer, for the execution of the contract, then the legal basis for this data processing is Article 6 Paragraph 1 P. 1 b) GDPR. We will only process additional personal data when you provide your consent (Article 6 Paragraph 1 S. 1 a) GDPR) or if we have a legitimate interest in processing your data (Article 6 Paragraph 1 S. 1 f) GDPR). A legitimate interest could therefore be, for example, to be able to answer your e-mail.


4 Storage duration


Insofar as not otherwise specifically stated, we will only store personal data for as long as is necessary to fulfil the purposes pursued.

In certain cases, the legislator provides for the storage of personal data, for example in cases of tax law or commercial law. In these cases, the data will only be stored by us for these legal purposes, but will not be processed in any other way and will be deleted after expiry of the legal retention period.


5 Your rights as someone affected by data processing

According to the applicable laws, you have various rights regarding your personal data. If you would like to assert these rights, then please send your request by e-mail or by post to the address specified in Section 1 and clearly identify yourself therein. You can find an overview of your rights in the following.

5.1 Right to confirmation and access
You have the right to access clear information about the processing of your personal data.

In detail:
You have the right to receive confirmation from us at any time as to whether personal data which relate to you will be processed. If this should be the case, then you have the right to request from us, free of charge, access to information about the personal data stored about you together with a copy of these data. Furthermore, there is a right to access to the following information:

1. The purposes of processing;
2. The categories of personal data concerned;
3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. the existence of the right to request from us rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;
6. the right to lodge a complaint with a supervisory authority;
7. where the personal data are not collected from you, any available information as to their source;
8. the existence of automated decision-making, including profiling, referred to in Article 22 Paragraphs 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

Where personal data are transferred to a third country or to an international organisation, then you shall have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

5.2 Right to rectification
You have the right to request us to rectify and, if necessary, also complete any personal data concerning you.

In detail:
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

5.3 Right to erasure (“right to be forgotten”)
In a number of cases we are obliged to delete personal data concerning you.

In detail:
Pursuant to Article 17 Paragraph 1 GDPR, you shall have the right to obtain from us the erasure of personal data concerning you without undue delay and we shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

1. The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2. You withdraw consent on which the processing is based according to Article 6 Paragraph 1 S. 1 a) GDPR or Article 9 Paragraph 2 a) GDPR and where there is no other legal ground for the processing.
3. You object to the processing pursuant to Article 21 Paragraph 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 Paragraph 2 GDPR.
4. The personal data have been unlawfully processed.
5. The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which we are subject.
6. The personal data have been collected in relation to the offer of information society services referred to in Article 8 Paragraph 1 GDPR.

Where we have made the personal data public and are obliged pursuant to Article 17 Paragraph 1 GDPR to erase the personal data, then we, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

5.4 Right to restriction of processing
In a number of cases, you are entitled to request that we restrict the processing of your personal data.

In detail:
You shall have the right to obtain from us restriction of processing where one of the following applies:

1. the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data;
2. the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
3. We no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, or
4. You have objected to processing pursuant to Article 21 Paragraph 1 GDPR pending the verification whether the legitimate grounds of the controller override yours.

5.5 Right to data portability
You have the right to receive, transmit or have us transmit personal data concerning you in a machine-readable, legible form.

In detail:
You shall have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us, where:

1. the processing is based on consent pursuant to Article 6 Paragraph 1 S. 1 a) GDPR or Article 9 Paragraph 2 a) GDPR or on a contract pursuant to Article 6 Paragraph 1 S. 1 b) GDPR and
2. the process is carried out by automated means.

In exercising your right to data portability pursuant to Paragraph 1, you shall have the right to have the personal data transmitted directly from us to another controller, where technically feasible.

5.6 Right to object
You have the right to object to the lawful processing of your personal data by us when this is justified by your particular situation and when our interests in the processing do not outweigh yours.

In detail:
You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you that is based on Article 6 Paragraph 1 S. 1 e) or f) GDPR, including profiling based on those provisions. We shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 Paragraph 1 GDPR, you, on grounds relating to your particular situation, shall have the right to object to processing of personal data concerning you, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

5.7 Automated individual decision-making, including profiling
You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. An automated decision-making process based on the collected personal data will not take place.

5.8 Right to revocation of consent in terms of data protection law
You have the right to revoke your consent to the processing of personal data at any time.

5.9 Right to lodge a complaint with a supervisory authority
You shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you is unlawful.


6 Data security

We are particularly concerned about the security of your data in the context of the valid data protection laws and maximum available technical possibilities.

Your personal data will be transferred by us in an encrypted form. This applies both to your orders and to the customer login. We utilise the SSL (Secure Sockets Layer) encryption system, but would still like to point out that data transmission via the Internet (e.g. communication by e-mail) can have security loopholes. A complete, loophole-free protection of data against access by third parties is not possible.

We maintain technical and organisational security measures in accordance with Article 32 GDPR, which we constantly adapt to the latest technological state of the art, to secure your data.

Furthermore, we cannot guarantee that our offer will be available at certain times; disruptions, malfunctions, interruptions or failures cannot be excluded. The server that we use will be regularly and carefully backed up.


7 Transferring the data to third parties, no data transferring to non-EU countries

In principle, we will utilise your personal data exclusively within our company.

When and insofar as we have to involve third parties in the performance of contracts (such as logistics service providers), then those personal data will only be received by them to the extent to which the transfer is necessary for the corresponding service.

In the event that we have to outsource certain parts of the data processing (“order processing”), we contractually oblige our contractors who process the data to use personal data only in accordance with the requirements of data protection laws and to ensure the protection of the rights of the affected person.

A data transfer to a body, position, location or person outside the EU, except for the stated case in this declaration in Section 4, will not take place at any time and is not planned for the future.


8 Data protection information for card payments

We work with the following contractual partners in the area of card payments (iPayment/direct debits/girocard/credit cards):

- 1&1 Internet SE, Elgendorfer Str. 57, 56410 Montabaur (Email: datenschutz@1und1.de)
- American Express Payment Services Ltd., Frankfurt am Main branch, Theodor-Heuss-Allee 112, 60486 Frankfurt am Main (Email: EIRP@aexp.com)
- Concardis GmbH, Helfmann Park 7, D-65760 Eschborn (Email: Datenschutzbeauftragter@concardis.com)
- Volkswagen Bank GmbH, Gifhorner Str. 57, 38112 Braunschweig (Email: widerspruch@volkswagenbank.de)

If you make a card payment, your card details, payment amount and date of purchase will be shared with the companies listed above.

Any payment data and data concerning potential reversals will only be stored for the period needed for payment processing (including the processing of possible reversals and debt collections) and misuse prevention. Data is normally deleted no later than 24 months after collection. Furthermore, data may be stored for longer than stated insofar as this is required for compliance with statutory retention periods or for investigation of a specific case of misuse. Data is processed on the basis of Article 6 (1f) of the General Data Protection Regulation.

You can request information about how your data is processed, ask for your data to be corrected or deleted, request data processing to be restricted, and/or withdraw consent for data processing. If you have any questions about data processing or would like to exercise any of the aforementioned rights, please contact the relevant data protection officer by email. Furthermore, you also have the right to complain to a supervisory authority (a state data protection officer in Germany).

We would like to point out that you are not legally or contractually required to provide your payment details. If you do not wish to disclose your payment details, you can always use another payment method (cash payment or bank transfer).


9 Data protection officer

Should you still have any questions or concerns about data protection, then please contact our data protection officer: Eberhard Kittler, E-Mail: info@automuseum-volkswagen.de