Privacy statement

AMAG Group privacy statement

Version of 1 June 2018

In this privacy statement we, the AMAG Group (AMAG Automobil und Motoren Ltd, AMAG Vaduz Ltd, AMAG Import Ltd, AMAG Leasing Ltd, AMAG Corporate Services Ltd and Auto 1 Ltd; collectively: AMAG, we or us), explain how we collect and otherwise process personal data. This is not a comprehensive description; if need be, other privacy statements or general terms and conditions, conditions of participation and similar documents regulate specific matters. By personal data is meant any details concerning an identified or identifiable person.

Whenever you provide us with personal data on other people (e.g. family members, work colleagues), please ensure that they are familiar with this privacy statement and provide us with their personal data only if you are authorised to do so and such personal data is correct.

Controller/representative

Unless otherwise stated, the controller of the data processing which we describe here is AMAG Group Ltd (Data Protection, Utoquai 49, 8008 Zurich). If you have data protection concerns, you may inform us of them at the above contact address, this being for all AMAG Group companies. If possible, please state to what you are referring and attach a copy of an identity document in the case of requests for access and erasure. You can also email your concerns to us at privacy@amag.ch.

Our representative in the EEA under article 27 GDPR is: AMAG (Vaduz) Ltd, Austrasse 37, 9490 Vaduz

Collection and processing of personal data

We first and foremost process personal data which we receive, within the framework of our business relationship with our customers and other business partners, from them and from other involved persons or which we collect when operating our websites, apps and other applications from their users.

To the extent permitted, we also extract certain data from publicly accessible sources (e.g. debt collection registers, land registers, commercial registers, press, internet) or receive such data from other AMAG Group companies, from authorities and from other third parties (e.g. commercial credit agencies, list brokers). In addition to data from you which you give us directly, the categories of personal data which we receive on you from third parties comprise in particular details from public registers, details which we learn in connection with official and judicial proceedings, details connected with your occupational duties and activities (so that we can e.g. do business with your employer with your help), details on you in correspondence and discussions with third parties, credit checks (insofar as we do business with you personally), details on you which people close to you (family, advisers, legal representatives, etc.) give us so that we can conclude or process contracts with you or including you (e.g. references, your address for deliveries, powers of attorney), details on compliance with legal requirements such as combating money laundering and export restrictions, details on you from banks, insurers, distributors and other partners of services used or rendered by us (e.g. payments made, purchases made), details on your person from the media and internet (insofar as this is shown in concrete terms, e.g. in the context of a job application, press review, marketing/sales), your addresses and if applicable interests and other sociodemographic data (for marketing), data connected with use of websites (e.g. IP address, MAC address of smartphone or computer, details on your device and settings, cookies, date and time of visit, pages and content retrieved, functions used, referring website, location details).

Purposes of data processing and legal bases

We first and foremost use the personal data collected by us to conclude and settle our contracts with our customers and business partners, i.e. particularly within the framework of the vehicle trade, repairs, financing and rental with our customers and the purchase of products and services from our suppliers and subcontractors, and to comply with our legal obligations at home and abroad. If you work for such a customer or business partner, you may in such function of course be likewise affected thereby with your personal data.

We also process personal data from you and other people, where permitted and insofar as it appears advisable, including for the following purposes in which we (and from time to time also third parties) have a legitimate interest depending on the purpose:

  • supply and further development of our offers, services and websites, apps and other platforms on which we are present;
  • communication with third parties and processing of their enquiries (e.g. job applications, media enquiries);
  • verification and optimisation of procedures for needs analysis for the purpose of direct customer contact as well as collection of personal data from publicly accessible sources for the purpose of customer acquisition;
  • advertising and marketing (including holding events) insofar as you have not objected to use of your data (if we send you advertising as an existing customer of ours, you may object thereto at any time in which case we will place you on a blocking list to prevent further advertising mail);
  • market and opinion research, media observation;
  • assertion of legal claims and defence in connection with legal disputes and official proceedings;
  • prevention and investigation of crimes (e.g. conduct of internal investigations, data analyses to combat fraud);
  • warranties of our operations, particularly IT operations, our websites, apps and other platforms;
  • video surveillance to protect the premises and other measures connected with IT, building and system security and protection of our employees and other people and valuables belonging or entrusted to us (e.g. access controls, visitor lists, network and email scanners, telephone recordings);
  • purchase and sale of business divisions, companies or parts of companies and other corporate transactions associated therewith and the transfer of personal data as well as business management measures and measures to comply with legal and regulatory obligations as well as AMAG internal regulations.

If you have granted us consent to process your personal data for identified purposes (e.g. when you register to receive newsletters or to carry out a background check), we process your personal data within the framework and on the basis of such consent insofar as we do not have any other legal basis and do not require such legal basis. Any consent granted may be withdrawn at any time, which does not, however, have any effect on data processing already carried out.

Cookies/tracking and other technologies connected with using our website

We typically use cookies and comparable techniques on our websites and apps with which your browser or device can be identified. A cookie is a small file which is sent to your computer or automatically stored by the web browser used on your computer or mobile device when you visit our website or install our app. Whenever you retrieve such website again or use our app, we can recognise you again even though we do not know who you are. Apart from cookies used solely during a session and deleted after you have visited our website (session cookies), cookies may also be used to store user settings and other information over a specific time (two years) (permanent cookies). You can, however, set your browser in such a way that it rejects cookies, only stores them for one session or otherwise deletes them prematurely. Most browsers are preset to accept cookies. We use permanent cookies so that you can store user settings (e.g. language, automatic login), so that we can better understand how you use our offers and content and so that we can show you customised offers and advertising (which can also happen on websites of other firms; such other firms, however, do not learn from us who you are if we do not ourselves know since they see only that the same user is on their website as was on ours on an identified page). Some of the cookies are installed by us and some are also installed by contracting partners with whom we cooperate. If you block cookies, it may be that certain functionalities (e.g. language selection, shopping cart, ordering process) cease to function.

To some extent and where permitted, we also incorporate visible and invisible image elements in our newsletters and other marketing emails as a result of whose retrieval from our servers we can establish whether and when you have opened the emails so that we can also measure here and understand better how you use our offers and customise them for you. You can also block this in your email program; most such programs are preset for you to do this.

By using our websites and apps and consenting to receive newsletters and other marketing emails, you consent to use of such techniques. If you do not want this, you must set your browser or email program accordingly or uninstall the app if it does not allow settings to be changed or unsubscribe the newsletter.

We now and then use Google Analytics or comparable services on our websites. This is a service provided by third parties who may be located in any country in the world (in the case of Google Analytics the third party is Google LLC in the USA, www.google.com) with which we can measure and evaluate (non-personal) use of the website. Cookies installed by the service provider are also used for such purpose. The service provider does not receive any personal data from us (nor does it store any IP addresses) but can track your use of the website, combine such details with data from other websites which you have visited and which are likewise tracked by the service provider and use such findings for its own purposes (e.g. management of advertising). If you have yourself registered with the service provider, the service provider also knows you. Processing of your personal data is then a matter for the service provider in accordance with its data protection provisions. The service provider tells us only how our website is used (no personal details on you).

On our websites we also install plug-ins from social networks like Facebook, Twitter, YouTube, Google+, Pinterest and Instagram, as you will be able to see (typically with appropriate symbols). We have configured such elements in such a way that they are deactivated by default. If you activate them (by clicking on them), operators of the social networks in question can register that you are on our website and where and can use such information for their own purposes. Processing of your personal data is then a matter for such operator in accordance with its data protection provisions. We do not receive any details on you from such operator.

Data transfer and data transmission at home and/or abroad

Where permitted and insofar as it appears advisable, we also disclose data to third parties within the framework of our business activities and the purposes as per clause 3, whether they process such data for us or wish to use the data for their own purposes. This relates in particular to the following entities:

  • service providers provided by us (within and outside the AMAG Group, e.g. banks, insurers), including processors (e.g. IT providers);
  • dealers, service partners, suppliers, subcontractors and other business partners;
  • customers;
  • domestic and foreign authorities, offices or courts;
  • media;
  • the general public, including visitors to websites and social media;
  • competitors, sector bodies, associations, organisations and other forums;
  • buyers or those interested in buying business divisions, companies or other parts of the AMAG Group;
  • other parties in possible or actual legal proceedings;
  • other AMAG Group companies and participations (Europcar, Sharoo AG, autoSense AG, Orbix Schweiz AG, Carhelper AG, Catch a Car AG);

referred to jointly as Recipients.

Such Recipients are in some cases domestic but may be anywhere in the world. You must in particular expect transmission of your data to all countries in which the AMAG Group is represented by group companies, branches or other offices (this is Switzerland and Liechtenstein) and to other countries in Europe and the USA where the service providers used by us are located (e.g. Microsoft, SAP, Amazon, Salesforce.com). Whenever we transmit data to a country without appropriate legal data protection, we ensure an appropriate level of protection as legally required by using appropriate contracts (on the basis of the European Commission’s standard contractual clauses, retrievable here, here and here) or binding corporate rules or rely on the legal exceptions of consent, contract processing, determination, exercise or implementation of legal claims, overriding public interest, of published personal data or because it is needed to protect the integrity of the data subjects. We reserve the right, however, to redact copies for data protection or secrecy reasons or only to supply extracts.

Personal data retention period

We process and store your personal data for as long as it is required for the fulfilment of our contractual and legal obligations or else the purposes pursued with the processing, e.g. for the duration of the entire business relationship (from initiation and processing until completion of a contract and the warranty period as well as any subsequent service phase) and additionally as per the legal retention and documentation obligations. In doing so, it is possible that personal data is retained for the time in which claims can be made against our companies and insofar as we are otherwise legally obliged to do so or legitimate business interests so require (e.g. for evidential and documentation purposes). As soon as your personal data ceases to be required for the aforesaid purposes, it is as a basic principle and as far as possible erased or anonymised. As a basic principle, shorter retention periods of 12 months or less apply to operational data (e.g. system protocols, logs).

Data security

We take appropriate technical and organisational security measures to protect your personal data from unauthorised access and misuse such as issuing instructions, training sessions, IT and network security solutions, access controls and restrictions, pseudonymisation and controls.

Obligation to provide personal data

Within the framework of our business relationship, you must provide the personal data necessary for beginning and conducting a business relationship and fulfilling the associated contractual obligations (you do not usually have a legal obligation to provide us with data). Without such data we will not usually be able to conclude or process a contract with you (or the entity or person whom you represent). Nor can the website be used if certain details are not disclosed to ensure data traffic (e.g. IP address).

Profiling and automated decision making

From time to time we process your personal data automatically with the aim of assessing certain personal aspects (profiling). We use profiling in particular to be able to inform and advise you about our products in a targeted manner. In doing so, we use evaluation tools which make needs-based communication and advertising possible for us including market and opinion research. 

Moreover, we do not otherwise use fully automated decision making to justify and conduct the business relationship (as regulated in article 22 GDPR). If we use such procedures in individual cases, we will inform you separately if such is required by law and let you know your associated rights.

Rights of data subjects

Within the framework of the data protection legislation applicable to you and to the extent provided therein (e.g. in the case of GDPR), you have the right of access, to rectification, to erasure, the right to restriction of processing and to object to our data processing and to publication of certain personal data for the purpose of transfer to another entity (data portability). Please note, however, that we reserve the right on our part to claim legally prescribed restrictions, e.g. if we are obliged to retain or process certain data in which we have an overriding interest (insofar as we invoke such right) or need it to make claims. Any request for access is as a basic principle free of charge. A charge may be levied in the event of a particularly onerous workload or an excessive or notorious request for access in the absence of any legitimate interest. If you incur costs, we will inform you first. We have already informed you in clause 3 of your right to withdraw your consent. Note that the exercise of such rights may be in conflict with contractual arrangements and give rise to consequences such as early termination and cost implications. We will inform you accordingly in advance where this is not already contractually regulated.

Exercise of such rights presupposes that you prove your identity unequivocally (e.g. with a copy of an identity document in the event that your identity is otherwise unclear or cannot be verified). You can contact us at the address in clause 2 to assert your rights.

Every data subject further has the right to enforce his/her claims in the courts or to submit a complaint to the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (https://www.edoeb.admin.ch/edoeb/en/home.html). In Liechtenstein it is the Liechtenstein Data Protection Commission (http://www.datenschutzkommission.li/).

Amendments

We may amend this privacy statement at any time without notice. The version published on our website is the current version. If the privacy statement is part of an agreement with you, we will in the event of any update inform you of the amendment by email or by any other appropriate means.