Version of 1 June 2018
In this privacy statement we, the AMAG Group (AMAG Automobil und Motoren Ltd, AMAG Vaduz Ltd, AMAG Import Ltd, AMAG Leasing Ltd, AMAG Corporate Services Ltd and Auto 1 Ltd; collectively: AMAG, we or us), explain how we collect and otherwise process personal data. This is not a comprehensive description; if need be, other privacy statements or general terms and conditions, conditions of participation and similar documents regulate specific matters. By personal data is meant any details concerning an identified or identifiable person.
Whenever you provide us with personal data on other people (e.g. family members, work colleagues), please ensure that they are familiar with this privacy statement and provide us with their personal data only if you are authorised to do so and such personal data is correct.
Unless otherwise stated, the controller of the data processing which we describe here is AMAG Group Ltd (Data Protection, Utoquai 49, 8008 Zurich). If you have data protection concerns, you may inform us of them at the above contact address, this being for all AMAG Group companies. If possible, please state to what you are referring and attach a copy of an identity document in the case of requests for access and erasure. You can also email your concerns to us at email@example.com.
Our representative in the EEA under article 27 GDPR is: AMAG (Vaduz) Ltd, Austrasse 37, 9490 Vaduz
We first and foremost process personal data which we receive, within the framework of our business relationship with our customers and other business partners, from them and from other involved persons or which we collect when operating our websites, apps and other applications from their users.
To the extent permitted, we also extract certain data from publicly accessible sources (e.g. debt collection registers, land registers, commercial registers, press, internet) or receive such data from other AMAG Group companies, from authorities and from other third parties (e.g. commercial credit agencies, list brokers). In addition to data from you which you give us directly, the categories of personal data which we receive on you from third parties comprise in particular details from public registers, details which we learn in connection with official and judicial proceedings, details connected with your occupational duties and activities (so that we can e.g. do business with your employer with your help), details on you in correspondence and discussions with third parties, credit checks (insofar as we do business with you personally), details on you which people close to you (family, advisers, legal representatives, etc.) give us so that we can conclude or process contracts with you or including you (e.g. references, your address for deliveries, powers of attorney, details on compliance with legal requirements such as combating money laundering and export restrictions, details on you from banks, insurers, distributors and other partners of services used or rendered by us (e.g. payments made, purchases made), details on your person from the media and internet (insofar as this is shown in concrete terms, e.g. in the context of a job application, press review, marketing/sales), your addresses and if applicable interests and other sociodemographic data (for marketing), data connected with use of websites (e.g. IP address, MAC address of smartphone or computer, details on your device and settings, cookies, date and time of visit, pages and content retrieved, functions used, referring website, location details).
We first and foremost use the personal data collected by us to conclude and settle our contracts with our customers and business partners, i.e. particularly within the framework of the vehicle trade, repairs, financing and rental with our customers and the purchase of products and services from our suppliers and subcontractors, and to comply with our legal obligations at home and abroad. If you work for such a customer or business partner, you may in such function of course be likewise affected thereby with your personal data.
We also process personal data from you and other people, where permitted and insofar as it appears advisable, including for the following purposes in which we (and from time to time also third parties) have a legitimate interest depending on the purpose:
To some extent and where permitted, we also incorporate visible and invisible image elements in our newsletters and other marketing emails as a result of whose retrieval from our servers we can establish whether and when you have opened the emails so that we can also measure here and understand better how you use our offers and customise them for you. You can also block this in your email program; most such programs are preset for you to do this.
By using our websites and apps and consenting to receive newsletters and other marketing emails, you consent to use of such techniques. If you do not want this, you must set your browser or email program accordingly or uninstall the app if it does not allow settings to be changed or unsubscribe the newsletter.
We now and then use Google Analytics or comparable services on our websites. This is a service provided by third parties who may be located in any country in the world (in the case of Google Analytics the third party is Google LLC in the USA, www.google.com) with which we can measure and evaluate (non-personal) use of the website. Cookies installed by the service provider are also used for such purpose. The service provider does not receive any personal data from us (nor does it store any IP addresses) but can track your use of the website, combine such details with data from other websites which you have visited and which are likewise tracked by the service provider and use such findings for its own purposes (e.g. management of advertising). If you have yourself registered with the service provider, the service provider also knows you. Processing of your personal data is then a matter for the service provider in accordance with its data protection provisions. The service provider tells us only how our website is used (no personal details on you).
On our websites we also install plug-ins from social networks like Facebook, Twitter, YouTube, Google+, Pinterest and Instagram, as you will be able to see (typically with appropriate symbols). We have configured such elements in such a way that they are deactivated by default. If you activate them (by clicking on them), operators of the social networks in question can register that you are on our website and where and can use such information for their own purposes. Processing of your personal data is then a matter for such operator in accordance with its data protection provisions. We not receive any details on you from such operator.
Where permitted and insofar as it appears advisable, we also disclose data to third parties within the framework of our business activities and the purposes as per clause 3, whether they process such data for us or wish to use the data for their own purposes. This relates in particular to the following entities:service providers provided by us (within and outside the AMAG Group, e.g. banks, insurers), including processors (e.g. IT providers);
referred to jointly as Recipients.
Such Recipients are in some cases domestic but may be anywhere in the world. You must in particular expect transmission of your data to all countries in which the AMAG Group is represented by group companies, branches or other offices (this is Switzerland and Liechtenstein) and to other countries in Europe and the USA where the service providers used by us are located (e.g. Microsoft, SAP, Amazon, Salesforce.com). Whenever we transmit data to a country without appropriate legal data protection, we ensure an appropriate level of protection as legally required by using appropriate contracts (on the basis of the European Commission’s standard contractual clauses, retrievable here, here and here) or binding corporate rules or rely on the legal exceptions of consent, contract processing, determination, exercise or implementation of legal claims, overriding public interest, of published personal data or because it is needed to protect the integrity of the data subjects. We reserve the right, however, to redact copies for data protection or secrecy reasons or only to supply extracts.
We process and store your personal data for as long as it is required for the fulfilment of our contractual and legal obligations or else the purposes pursued with the processing, e.g. for the duration of the entire business relationship (from initiation and processing until completion of a contract and the warranty period as well as any subsequent service phase) and additionally as per the legal retention and documentation obligations. In doing so, it is possible that personal data is retained for the time in which claims can be made against our companies and insofar as we are otherwise legally obliged to do so or legitimate business interests so require (e.g. for evidential and documentation purposes). As soon as your personal data ceases to be required for the aforesaid purposes, it is as a basic principle and as far as possible erased or anonymised. As a basic principle, shorter retention periods of 12 months or less apply to operational data (e.g. system protocols, logs).
We take appropriate technical and organisational security measures to protect your personal data from unauthorised access and misuse such as issuing instructions, training sessions, IT and network security solutions, access controls and restrictions, pseudonymisation and controls.
Within the framework of our business relationship, you must provide the personal data necessary for beginning and conducting a business relationship and fulfilling the associated contractual obligations (you do not usually have a legal obligation to provide us with data). Without such data we will not usually be able to conclude or process a contract with you (or the entity or person whom you represent). Nor can the website be used if certain details are not disclosed to ensure data traffic (e.g. IP address).
From time to time we process your personal data automatically with the aim of assessing certain personal aspects (profiling). We use profiling in particular to be able to inform and advise you about our products in a targeted manner. In doing so, we use evaluation tools which make needs-based communication and advertising possible for us including market and opinion research.
Moreover, we do not otherwise use fully automated decision making to justify and conduct the business relationship (as regulated in article 22 GDPR). If we use such procedures in individual cases, we will inform you separately if such is required by law and let you know your associated rights.
Within the framework of the data protection legislation applicable to you and to the extent provided therein (e.g. in the case of GDPR), you have the right of access, to rectification, to erasure, the right to restriction of processing and to object to our data processing and to publication of certain personal data for the purpose of transfer to another entity (data portability). Please note, however, that we reserve the right on our part to claim legally prescribed restrictions, e.g. if we are obliged to retain or process certain data in which we have an overriding interest (insofar as we invoke such right) or need it to make claims. Any request for access is as a basic principle free of charge. A charge may be levied in the event of a particularly onerous workload or an excessive or notorious request for access in the absence of any legitimate interest. If you incur costs, we will inform you first. We have already informed you in clause 3 of your right to withdraw your consent. Note that the exercise of such rights may be in conflict with contractual arrangements and give rise to consequences such as early termination and cost implications. We will inform you accordingly in advance where this is not already contractually regulated
Exercise of such rights presupposes that you prove your identity unequivocally (e.g. with a copy of an identity document in the event that your identity is otherwise unclear or cannot be verified). You can contact us at the address in clause 2 to assert your rights.
Every data subject further has the right to enforce his/her claims in the courts or to submit a complaint to the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (https://www.edoeb.admin.ch/edoeb/en/home.html). In Liechtenstein it is the Liechtenstein Data Protection Commission (http://www.datenschutzkommission.li/).
We may amend this privacy statement at any time without notice. The version published on our website is the current version. If the privacy statement is part of an agreement with you, we will in the event of any update inform you of the amendment by email or by any another appropriate means.