Data protection information for customers and prospects
(Status May 2018, Version No 1)
I. Information on data protection regarding our processing under Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR)
We take data protection very seriously and inform you herein how we process your data and what are your corresponding claims and rights under the respective data protection regulations.
1. Data Controller and contact details related there to
Our data-protection officer:
2. Purposes and legal basis for processing your data
We process personal data in accordance with the stipulations of the General Data-Protection Regulation (GDPR), under national law of data protection and other applicable data-protection provisions (details are provided in the following). The details of which data are processed and how they are used depends largely on the services requested or agreed in each case. Further details or additions for the purposes of data processing can be found in the respective contract documents, forms, a declaration of consent and/or other information provided to you (e. g. in the context of the use of our website or our terms and conditions). In addition, this data protection information may be updated from time to time, as you may find out from our website
2.1 Purposes pursuant to fulfilment of an agreement or pre-contractual measures (Art. 6, section 1 b of the GDPR)
The processing of personal data is carried out in order to carry out our contracts with you and the execution of your orders In particular, the processing thus serves to provide manufacturer warranty,optional extended warranty, roadside assistance, Mazda Care Service, maintenance of the Digital Service Record, good will processes, bonus programs for handicapped people, subsidies for vehicle financing etc. The processing of personal data is carried out as well as to carry out measures and activities within the framework of pre-contractual relations, e. g. with prospects asking for a test drive. According to your orders we provide the necessary services, measures and activities. This essentially includes contract-related communication with you, the verifiability of transactions, orders and other agreements as well as quality control by means of appropriate documentation, complaints, warranty and goodwill procedures, measures to control and optimize business processes as well as the fulfilment of general duties of care, control and supervision by affiliated companies (e. g. Parent company); product monitoring , maintaining product - and road traffic safety ( e.g. by recall and service campaigns) as well as product development –and improvement, statistical evaluations for corporate management, cost recording and controlling, reporting, internal and external communication, emergency management, accounting and tax assessment of operational services, risk management, assertion of legal claims and defence in the event of legal disputes; ensuring IT security ((inter alia system and plausibility tests) and general security, including building and plant security, securing and exercising domestic authority (e. g. by means of access controls); guaranteeing the integrity, authenticity and availability of data, preventing and investigating criminal offences; control by supervisory bodies or supervisory authorities (e. g. auditing).
2.2 Purposes within the framework of a legitimate interest on our part or of third parties (Art. 6, section 1 f of the GDPR)
Above and beyond the actual fulfilment of the (pre-) agreement, we process your data whenever this is necessary to protect legitimate interests of our own or of third parties, in particular for the following purposes:
- advertising or market and opinion research, as far as you have not objected to the use of your data;
- obtaining information and exchanging data with credit agencies where this goes beyond our economic risk;
- the examination and optimization of processes for needs analysis;
- the further development of services and products as well as existing systems and processes;
- the disclosure of personal data within the framework of due diligence in the course of company sale negotiations;
- for comparison with European and international anti-terrorist lists, insofar as this goes beyond the legal obligations;
- the enrichment of our data, e. g. by using or researching publicly accessible data;
- statistical evaluations or market analysis;
- of benchmarking;
- the assertion of legal claims and defence in legal disputes which are not directly attributable to the contractual relationship;
- the restricted processing of data, if a deletion is not possible or only possible with disproportionately high effort due to the special type of storage;
- the development of scoring systems or automated decision-making processes;
- the prevention and investigation of criminal offences, if not exclusively for the fulfilment of legal requirements;
- building and plant security (e. g. by means of access control and video surveillance), insofar as this goes beyond the general duties of care;
- internal and external investigations, safety reviews;
- any monitoring or recording of telephone conversations for quality control and training purposes;
- Preservation and maintenance of certifications of a private-law or official government nature;
- the seizure and exercise of domestic authority by means of appropriate measures as well as video surveillance for the protection of our customers and employees as well as for securing evidence in the event of criminal offences and their prevention.
2.3 Purposes within the framework of your consent (Art. 6, section 1 a of the GDPR)
Your personal data can also be processed for certain purposes (e.g. use of company communication systems for private purposes; photographs/videos of you for publication in the Intranet/Internet) including as a result of your consent. As a rule, you can revoke this consent at any time. This also applies to the revoking of declarations of consent that were issued to us before the GDPR went into effect, i.e. prior to 25 May 2018. You shall be separately informed about the consequences of revocation or refusal to provide consent in the respective text of the consent.
Generally speaking, revocation of consent only applies to the future. Processing that takes place prior to consent being issued is not affected by such and remains lawful
2.4 Purposes relating to adherence to statutory requirements (Art. 6, section 1 c of the GDPR) or in the public interest (Art. 6, section 1 e of the GDPR)
Just like any actor which takes part in business life, we are also subject to a large number of legal obligations. These are primarily statutory requirements (e.g. commercial and tax laws), but also if applicable supervisory law or other requirements set out by government authorities. The purposes of processing may also include identity and age checks, prevention of fraud and money laundering (e.g. comparisons with European and international anti-terror lists), compliance with control and notification obligations under tax law as well as the archiving of data for the purposes of data protection and data security as well as for purposes of audits by tax advisors/auditors, fiscal and other government authorities. In addition, it may be necessary to disclose personal data within the framework of official government/court measures for the purposes of collecting evidence, law enforcement and criminal prosecution or the satisfaction of civil law claims.
3. The categories of data that we process as long as we do not receive data directly from you, and its origin
If necessary for the contractual relationship with you and the activities performed by you, we may process data which we lawfully receive from our authorised Mazda Network, or other companies (e.g. Insurance Companies, Financing Providers) or other third parties(Credit Agencies, Address Publishers). In addition, we process personal data that we have lawfully collected, received or acquired from publicly accessible sources (such as, for example, commercial registers and association registers, civil registers, the press, internet and other media) if such is necessary and we are allowed to process this data in accordance with statutory provisions.
Relevant personal data categories may in particular be:
- personal data (name, date of birth, place of birth, nationality, marital status, occupation/trade and comparable data, contact person, driver and similar data)
- contact data (address, e-mail address, telephone number and similar data)
- Lessors and Lessees
- Address data (population register data and comparable data)´
- Driving License or Identity Card Data,
- payment confirmation/confirmation of cover for bank and credit cards
- information about your financial situation (creditworthiness data including scoring, i. e. data for assessing the economic risk)
- customer history
- Technical vehicle data including diagnostic data
- Maintenance and repair information
- data about your use of the telemedia offered by us (e. g. time of access to our websites, apps or newsletter, clicked pages/links of us or entries and comparable data)
- Video data
4. Recipients or categories of recipients of your data
At our company, your data is received by those internal offices or organisational units that need such to fulfil our contractual and statutory obligations or that require such data within the framework of processing and implementing our legitimate interests.
Your data is disclosed/passed on to external offices and persons solely
- in connection with the execution of the contract;
- for purposes where we are obligated or entitled to give information, notification or forward data (e.g. employer's liability insurance association, health insurance schemes, fiscal authorities) in order to meet statutory requirements or where the forwarding of data is in the public interest (see number 2.4);
- to the extent that external service-provider companies commissioned by us process data as contract processors or parties that assume certain functions (e.g. service providers for roadside assistance, optional extended warranty, Mazda Care Service, as well as Leasing and Financing Providers) external data centers, support and maintenance of IT applications, archiving, document processing, call center services, compliance services, controlling, data screening for anti-money laundering purposes, data validation and data protection. plausibility check, data destruction, purchasing/procurement, customer administration, lettershops, marketing, media technology, research, risk controlling, billing, telephony, website management, auditing services, credit institutions, printing plants or companies for data disposal, courier services, logistics);
- as a result of our legitimate interest or the legitimate interest of the third party within the framework of the purposes cited under number 2.2 (e.g. to government authorities, credit agencies, collection agencies, attorneys, courts of law, appraisers, companies belonging to company groups and bodies and control instances) ;
- if you have given us consent to transmit data to third parties.
We shall moreover refrain from transmitting your data to third parties if we have not informed you of such separately. If we commission service providers within the framework of processing an order, your data will be subject there to the security standards stipulated by us in order to adequately protect your data. In all other cases, recipients may only use the data for purposes for which the data has been sent to them.
5. Length of time your data is stored
We process and store your data for the duration of our business relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract.
Above and beyond this, we are subject to various retention and documentation obligations that emanate inter alia from the Commercial or Tax Law. The periods and deadlines for retention and/or documentation stipulated therein are up to ten years beyond the end of the contractual relationship or the pre-contractual legal relationship.
Furthermore, special statutory provisions may require longer retention. (e.g. our obligation to monitor our products to the end of vehicle life to be able to initiate recall or service campaigns if necessary.)
If the data is no longer required to meet contractual or statutory obligations and rights, it is regularly deleted unless its further processing - for a limited period - is necessary to fulfil the purposes listed under number 2.2 due to an overriding legitimate interest. Such an overriding legitimate interest is deemed to be the case, for example, if it is not possible to delete the data as a result of the special type of storage or such is only possible at an unreasonably great expense and processing for other purposes is excluded by appropriate technical and organisational measures.
6. Processing data in a Third Country or by an international organisation
Data is transmitted to offices in countries outside the European Economic Area EU/EEA (so-called third states) whenever such is necessary to meet a contractual obligation towards you (e.g. if you are despatched to another country), such is required by law (e.g. notification obligations under tax law), such is in the legitimate interest of us or a third party or you have issued us your consent to such.
At the same time, your data may be processed in a third country including in connection with the involvement of service providers within the framework of the processing of the order. If no decision has been issued by the EU Commission regarding the presence of a reasonable level of data protection for the respective country, we warrant that your rights and freedoms will be reasonably protected and guarantied in accordance with EU data-protection requirements through contractual agreements to this effect. We will provide you with detailed information on request.
You can request information on the suitable or reasonable guarantees and the possibility, how and where to receive a copy of these from the company data-protection officer or the human resources department in charge of you.
7. Data Storage in the Vehicle
Electronic control units are installed in your vehicle. These control units process data they, for example, receive from vehicle sensors, generate themselves or exchange with each other. Some control units are required for the safe operation of your vehicle, others provide you with support while driving (driver assistance systems) or enable comfort or infotainment functions.
General information on in-vehicle data processing is provided below. Further information regarding which specific data is collected and stored in your vehicle and transmitted to third parties, and for what purpose, can be found under the heading ‘data protection’ in the respective operating instructions where direct links are made to the affected functional specifications. These operating instructions are also available online and, depending on the vehicle configurations, in digital format on the vehicle.
Every vehicle is identified by means of a unique vehicle identification number. This vehicle identification number is traceable to the current and former owners of the vehicle. Data collected from the vehicle also can be traced back to the owner or driver of the vehicle by other means, e.g., the license plate.
The data generated or processed by the control units therefore may be personal data or may, under certain circumstances, be personally identifiable data. Depending on what vehicle data is available, it may be possible to draw conclusions with regard to, for example, your driving behaviour, your location or your route, or consumption patterns.
Your rights with regard to data protection
Under current data protection law, you have certain rights with regard to companies which process your personal data.
Accordingly, you are entitled to request the comprehensive disclosure of information, free of charge, vis-a-vis the manufacturer and third parties (e.g., commissioned breakdown services or workshops, providers of online services on the vehicle), provided that these have stored personal data relating to you. You may request information regarding what data is stored about you, for what purpose and the origination of that data. Your right to information also extends to the transfer of data to other third parties.
Data, which is exclusively stored locally on the vehicle, may be viewed with expert assistance, e.g., in a vehicle workshop, in return for payment if appropriate.
Legal requirements regarding the disclosure of data
To the extent that legal regulations exist, manufacturers are obliged to release information stored by them, at the request of public authorities, to the extent required on a case-by-case basis (e.g., when a criminal offence is being investigated).
Public authorities are also permitted to read the data from vehicles in specific cases, within the scope of applicable law. For example, in the event of an accident, information can be read from the air bag control unit to help clarify the circumstances of the accident.
Operational data on the vehicle
Control units process data in order to operate the vehicle.
These include, for example:
- vehicle status information (e.g., speed, deceleration, lateral acceleration, wheel speed, seatbelt usage indicator),
- environmental conditions (e.g., temperature, rain sensor, distance sensor).
These data are generally volatile and are not stored beyond the operating time, and only processed on the vehicle itself. Control units frequently contain data storage media. These can be used to document, either temporarily or permanently, information about the condition of the vehicle, component stress, maintenance requirements and technical events and failures.
The following information may be stored, depending on the technical configuration:
- operating conditions of system components (e.g., fill levels, tyre pressures and battery status),
- malfunctions and defects in important system components (e.g., lighting and brakes),
- response of the system to extraordinary driving situations (e.g., deployment of an air bag, activation of stability control systems),
- information on events in which the vehicle is damaged,
- for electric vehicles, the state of charge of the high-voltage battery and the vehicle’s estimated range.
In particular cases (e.g., if the vehicle has detected a malfunction), it may be necessary to store data which would normally be volatile.
If you make use of services (e.g., repair and maintenance services), it may be possible, if necessary, to read out and use the stored operating data together with the vehicle identification number. The data from the vehicle may be read out by employees of the Mazda Network (e.g. authorised workshops, manufacturer) or by third parties (e.g., breakdown services, independent repair shops). The same applies in the case of warranty cases and quality assurance measures.
The data is usually read out via the mandatory OBD (on-board diagnostics) connection on the vehicle. The operating data read out document the technical conditions of the vehicle or individual components and help with fault diagnostics, compliance with warranty obligations and quality improvement. These data, in particular information regarding component stress, technical events, operating errors and other errors are transmitted to the manufacturer, if necessary, together with the vehicle identification number. In addition, product liability falls under the responsibility of the manufacturer. For this purpose, the manufacturer uses operating data external to the vehicles, for example, recall campaigns. These data also may be used to verify the customer’s statutory warranty and manufacturer warranty claims.
Error memory on the vehicle can be reset by a service operator within the course of repair and maintenance work or at your request.
Comfort and infotainment functions
You can store comfort settings and customisations on the vehicle, and change/reset these at any time.
Depending on the particular vehicle configurations, these may include:
- seat and steering wheel position settings,
- chassis adjustments and air-conditioning settings,
- customisations such as interior lighting.
You are also able to incorporate data into the vehicle’s infotainment functions yourself within the context of the selected configuration.
Depending on the particular vehicle configurations, these may include:
- multimedia data, e.g., music, films or photos for playback in an integrated multimedia system,
- address book data for use in conjunction with an integrated hands-free system or integrated navigation system,
- navigation destinations entered,
- data relating to the use of internet services.
This data for comfort and infotainment functions may be stored locally on the vehicle or it may be located on a device that you have connected to your vehicle (e.g., smartphone, USB stick or MP3 player). Provided that you have entered this data yourself, you will be able to delete it at any time.
Transmission of this data from the vehicle is exclusively at your request, in particular, relating to the settings you have selected when using online services.
Smartphone integration, for example, Android Auto or Apple car play
If your vehicle is equipped accordingly, you will be able to connect your smartphone or another mobile device to the vehicle so that you can control it using the integrated control elements within the vehicle. Smartphone images and sounds can be output via the vehicle’s multimedia system. At the same time, specific information is transferred to your smartphone. Depending on the type of integration, this may include location data, day/night mode and other general vehicle information. Please familiarise yourself with the operating instructions for the vehicle/infotainment system.
Integration enables selected smartphone apps to be used, for example, navigation or music playback. Further interaction between the smartphone and the vehicle does not take place, in particular, active access to vehicle data. The nature of any further data processing is determined by the app provider. Whether and which settings can be used depends on the particular app and the operating system of your smartphone.
If your vehicle is equipped with a wireless network connection, this enables the exchange of data between your vehicle and other systems. The wireless connection is enabled by means of a transmission and receiving unit which is specific to the vehicle or via a mobile terminal (e.g., smartphone) that you have installed. Online functions can be used via this network connection. These include online services and applications (apps) provided to you by the manufacturer or another provider.
Services provided by the manufacturer
For our online services, the respective functions are described by Mazda in an appropriate place (e.g., in the operating instructions and/or on the country-specific Mazda website) and provided together with the associated data protection information. Personal data may be used to provide online services. The exchange of data for this purpose takes place via a protected connection, for example, using the IT systems intended for this. In addition to the provision of services, the collection, processing and use of personal data takes place exclusively on the basis of a legal permission, for example, in the case of emergency call systems required by law, by means of a contractual agreement or approval.
You can activate or deactivate the (sometimes chargeable) services and functions in the vehicle, and sometimes even the entire wireless connection. Functions and services required by law, such as emergency call systems, are excluded from this.
Please inform yourself about the nature, scope and purpose with regard to the collection and use of personal data within the context of third-party services by the respective service provider.
8. Your data-protection rights
If certain conditions are met, you can assert your data-protection rights against us
- Thus, you have the right to receive information from us on the data stored on you in accordance with the rules of Art. 15 of the GDPR (if applicable with restrictions in accordance with § 34 of the German Federal Data-Protection Act (BDSG))
- If you so request, we shall correct data stored on you in accordance with Art. 16 of the GDPR if such data is incorrect or flawed.
- If you so desire, we shall delete your data in accordance with the principles of Art. 17 of the GDPR if such is not prevented by other statutory provisions (e.g. statutory retention obligations or the restrictions laid down in § 35 of the German Federal Data-Protection Act (BDSG)) or an overriding interest on our part (for example, to defend our rights and claims)
- Taking into account the preconditions laid down in Art. 18 of the GDPR, you can demand that we restrict the processing of your data .
- Furthermore, you can file an objection to the processing of your data in accordance with Art. 21 of the GDPR, as a result of which we have to stop processing your data. This right of objection only applies, however, if very special circumstances characterise your personal situation, whereby the rights of our company may run counter to your right of objection.
- You also have the right to receive your data in accordance with the arrangements laid down in Art. 20 of the GDPR in a structured, commonplace and machine-readable format or transmit such data to a third party.
- You furthermore have the right to revoke consent that has been issued to us to process personal data at any time effective into the future (see number 2.3).
- You are in addition entitled to file a complaint with a data-protection supervisory authority (Art. 77 of the GDPR). We recommend, however, to first always send a complaint to our data-protection officer.
Whenever possible, your applications for the exercise of your rights should be sent in writing to the address stated above or addressed directly to our data-protection officer.
9. Scope of your obligations to provide us your data
You only need to provide data that is necessary for the commencement and performance of the business relationship or for a pre-contractual relationship with us or the collection of which we are required by law. Without this data, we are generally not able to conclude the agreement or continue to perform such. This may also relate to data that is required later within the framework of the contractual relationship. If we request data from you above and beyond this, you shall be informed about the voluntary nature of the information separately.
10. Presence of an automated decision made in individual cases (including profiling)
We do not use any purely automated decision-making procedure as set out in Article 22 of the GDPR. If we do institute such a procedure in individual cases in the future, we shall inform you pursuant hereto separately if this is required by law.
Under certain circumstances, we may process your data in part with the aim of evaluating certain personal aspects (profiling).
In order to provide you with targeted information and advice on products, we may use evaluation tools. These enable a needs-oriented product design, communication and advertising including market and opinion research.
Such procedures can also be used to assess your solvency and creditworthiness as well as to combat money laundering and fraud. "Score values" can be used to assess your creditworthiness and creditworthiness. In the case of scoring, the probability is calculated using mathematical methods with which a customer will meet his payment obligations in accordance with the contract. Such score values thus support us, for example, in assessing our creditworthiness, decision-making in the context of product deals and are incorporated into our risk management. The calculation is based on mathematically and statistically recognised and proven methods and is based on your data, in particular income, expenditure, existing liabilities, profession, employer, length of service, experience from the previous business relationship, repayment of previous loans in accordance with the contract and information from credit agencies.
Information on nationality and special categories of personal data according to Art. 9 GDPR are not processed.
Information on your right of objection under Art. 21 of the GDPR
The objection can be filed without adhering to any form requirements and should if possible be sent to
II.Supplementary Privacy Statement for our Website
The protection of your privacy in the processing of your personal data is an important concern to Mazda, and any personal data collected during visits to our web site is processed by us according to the legal provisions valid for the countries in which the web sites are maintained. Our web sites may include links to other sites whose content is not under our control and Mazda cannot accept any responsibility for the content within these web sites.
Collecting and processing personal data
When you visit our web sites, our web server automatically records the name of your internet service provider, the web site from which you visit us, the web sites you actually visit and the date and length of your visit. Additional personal data is only stored if volunteered by you, for example in the context of a registration, survey, contest, or in execution of a contract.
It should be noted that social plug-ins on the web site such as Facebook directly submits data to us of those logged-in users to the server and also user data of visitors who are not Facebook members. A link to the Facebook private policy is attached for your information www.facebook.com/policy.php
Collection and processing of data in the vehicle
Data stored by the driver
Usually, all data stored in the vehicle by the driver, such as phone contacts, navigation destinations, and favorites, can be deleted at any time.
Data storage in the vehicle
Many electronic components inside your vehicle contain data storage media, which temporarily or permanently store technical information such as vehicle status, events and errors. This technical information generally documents the conditions of a component, module, system or the environment:
- Operating conditions of system components (e.g., fill levels)
- Status messages of the vehicle or its individual components (e.g., wheel speed/driving speed, deceleration, lateral acceleration)
- Malfunctions and defects in important system components (e.g., lighting and brakes)
- Response of the vehicle to extraordinary driving situations (e.g., deployment of an airbag, activation of stability control systems)
- Environmental conditions (e.g., temperature)
This data is solely of a technical nature and serves the purpose of identifying and resolving errors as well as optimizing vehicle functions. Movement profiles of driven routes cannot be derived from this data.
When obtaining services (e.g., repairs, maintenance, warranty services, quality assurance), this technical information can be downloaded from the event and error memory by members of the service network (including Mazda Motor Corporation and, if necessary, other companies and affiliated with the Mazda group) using special diagnostic devices. Once an error has been resolved, the information in the error memory will be deleted or overwritten.
When using the vehicle, situations may occur in which this technical data in combination with additional information (accident log, damages to the vehicle, witness statements, etc.) could become personally identifiable, possibly with the help of an expert.
Add-on functions contractually agreed upon with the customer or legally required, such as the automatic emergency call system (eCall), allow certain vehicle data to be transmitted from the vehicle.
Use and disclosure of personal data and purpose specification
Mazda Motors Ireland Ltd will use any personal information collected for customer administration and marketing related purposes including customer support and to inform you about new products and services. Your data will be treated in accordance with current Data Protection legislation and will only be disclosed to Mazda Motors Ireland Ltd affiliated or associated companies, agencies and dealers for the purpose of marketing and customer administration including customer support.
Freedom of choice
We should like to use your data to inform you about our products and services and where applicable request your opinion. Naturally your participation is completely voluntary.
You have a right to request a copy of the personal data we hold about you and to correct any inaccuracies in your information.
Mazda Motors Ireland Ltd may wish to use your information (or provide it to its Dealer Network or third party providers) to contact you or keep you informed about new products and services it provides from time to time .
If you do not wish your information to be stored for such purposes you are at liberty to opt out of such correspondence by contacting us free of charge and confirming your desire to opt out.
It would be our preference to use your data and contact you through electronic communication i.e. by telephone, e-mail or sms. If you do not wish to be contacted in this manner you are at liberty to opt out of such correspondence by contacting us free of charge and confirming your desire to opt out.
Mazda uses technical and organisational security measures in order to protect the data we have under our control against accidental or intentional manipulation, loss, destruction or against access by unauthorised persons.
Please note: Mazda Motors Ireland Ltd reserves the right to introduce at any time alterations in specification and equipment. All specifications shown may vary and may not be available in the Ireland.