Data Privacy Notice for Customers
Protecting your personal data is our top priority and is taken into account for all of our business processes. The data privacy notice below provides you with a detailed overview on the processing of your personal data by EvoBus GmbH. "Personal data" means all information that relates to a natural person who has been or can be identified. This data privacy notice explains the type, scope and purposes of collecting personal data at EvoBus GmbH and how we handle this data. You will also learn what rights you are entitled to, as relates to the processing of your personal data.
1. To whom does this data privacy notice apply?
The following notice applies to customers and prospects for products and services, as well as work, of EvoBus GmbH and all other natural persons (such as authorized representatives or contact persons of the customer) that are in contact with EvoBus GmbH in relation to these products and services or work.
There may be other privacy notices in addition to this privacy notice for certain product and service or work components.
2. Who controls the processing of my data and whom can I contact about data protection?
The controller for the processing of personal data as set forth below (unless another controller is expressly listed) is:
The EvoBus GmbH is a company of Daimler AG and therefore part of the Daimler Group.
The Chief Officer for Corporate Data Protection of Daimler AG:
3. What data is processed and where does my data come from?
We process personal data ("Data") under the principles of data reduction and data minimization only to the extent necessary, as permitted due to applicable legal regulations, according to our obligations, or if you have granted your consent.
Unless otherwise set forth below, the terms "process" and "processing" include, but are not limited to, the collection, use, disclosure and transfer of personal data (see Art. 4 No. 2 of the EU General Data Protection Regulation ("GDPR")).
3.1. Data relating to the business relationship
If needed in a specific case, we collect, process and use the following data in particular for the initiation and performance of our business relationship:
• Master data of the customer, especially company, name, language, function, industry affiliation, and membership in associations;
• Contact information of the customer, in particular current address, previous addresses, other mailing addresses, telephone numbers and e-mail addresses;
• The customer's interests in marketing activities, especially events and marketing mailings;
• Contract information such as the start and end of the contract, installment payments, repayment conditions;
• Vehicle and fleet data, particularly date of first registration, VIN, license plate number, manufacturer's brand, information about vehicle repairs and accident damage;
• if authorized representatives or contact persons have been appointed: their master data, especially name, date of birth and tax ID, as well as contact information such as current address, previous addresses, other mailing addresses, telephone numbers and e-mail addresses and interests for marketing activities;
• Master data of guarantors, especially name, date of birth, nationality, marital status and tax ID;
• Contact information of guarantors, such as current address, previous addresses, other mailing addresses, telephone numbers and e-mail addresses;
• Income and assets relating to the voluntary disclosure of confidential information, in particular proof of income, information about income, supplemental income, installment obligations, household expenses, savings, securities, life insurance value and the value of real estate holdings;
• Data contained on the personal ID card or other proof of identity submitted;
• Authentication data, especially specimen signatures;
• Bank details, such as the IBAN of your account, BIC, information about your bank;
• Tax-related data, especially sales tax ID, tax ID number, certificates relating to tax matters;
• Annual financial statements or commercial assessments, company budget figures and other company and financial information;
• Payment history;
• In individual cases, the receipt of bank information;
• Data from postal, electronic and telephone communications between you and us;
• Data about your business activities and any business partners;
• Data from a chattel paper;
• Any other data relating to performance of the respective business relationship.
3.2. Data relating to our online services
For our online services, including portals and apps (such as OMNIplus ON), we also collect data if needed to fulfill our contractual obligations to you or if you have granted your consent. This includes, but is not limited to, the following data:
• Changes made by you to your master data, such as address changes;
• Data about functions you have performed online, such as the time and function used, and your settings for the online services you use.
• Time and scope of the terms and conditions of use that you have accepted for online services
A use of data collected by online services for statistical or research purposes, or for further development of the online services, or from vehicles, will take place only after your data has been anonymized, such as through an abbreviation of your IP address when transaction data is analyzed.
3.3. Where does my data come from?
In general, the data is collected directly from you. We also process – if needed in order to perform the contract concluded with you or for activities prior to the contract, or if you have granted your consent – personal data that we have lawfully obtained from other companies of the EvoBus Group (listed under Section 4.1. below) of Daimler AG and other Group companies of Daimler AG.
We also obtain data from publicly accessible sources such as public media (e.g. internet, newspapers) and public registers (such as the Commercial Register, or Creditreform). We also receive data from official agencies to meet our legal obligations (e.g. owner information from the Federal Motor Authority in the event of product recalls).
4. What is my data used for (purpose of processing) and on what basis (legal basis) does this take place?
4.1. Collection and processing in relation to fulfilling contractual obligation
We collect and process your personal data set forth in more detail in Section 3 for contacting you and to fulfill our contractual obligations to you.We process this data on the legal basis of Art. 6 (I) (1) b) GDPR and to perform pre-contractual activities, as well as fulfill contracts. For instance, we process your contact information, such as for the purpose of contacting you and, to the extent necessary, other data to conclude contracts of sale, contracts for work, or contracts for services, as well as to properly fulfill our contractual obligations.
In this regard, we use IT systems of the Daimler Group, which are shared by our subsidiaries (EvoBus (Schweiz) AG (Switzerland), EvoBus Nederland B.V. (Netherlands), EvoBus UK Ltd. (Great Britain), EvoBus Belgium N.V. (Belgium), EvoBus Austria GmbH (Austria), EvoBus Ceská republika s.r.o. (Czech Republic) , EvoBus Danmark A/S (Denmark), EvoBus Sverige AB (Sweden), EvoBus France S.A.S. (France), EvoBus Réunion S.A. (France), EvoBus Ibérica, S.A.U. (Spain), EvoBus Portugal S.A., EvoBus Italia S.p.A. (Italy), EvoBus Polska S.p.z. o.o. (Poland), Mercedes-Benz Minibus GmbH), our automated sales and service partners, the Mercedes-Benz Customer Assistance Center Maastricht N.V. and Daimler AG.
The aforementioned companies have technical access to the shared IT systems and the data stored on them. This data will be accessed only if this is necessary to maintain and perform the business relationship with you, such as to perform maintenance, repairs, or services relating to our products, as well as for replacement parts orders and in relation to vehicle purchases.
4.2. Processing pursuant to a legitimate interest
We also process your personal data if needed to protect our legitimate interests as the controller or to protect the interests of a third party and you do not have any prevailing interests or basic rights and freedoms that require the protection of personal data (Art. 6 (I) (1) f) GDPR). "Third parties" are natural persons or legal entities such as companies, official agencies, institutions or other organizations. "Third parties" in this context are not us as the controller or those who process data on our behalf (see. Art. 4 Section 10 GDPR). Your data is processed based on a legitimate interest particularly in the following cases:
• To assess your creditworthiness and based on our interest in avoiding default of payment or any risk of insolvency, we transfer personal data about the initiation, performance and termination of our business relationship, as well as data about any violations of the contract to Verband der Vereine Creditreform e.V. ("Creditreform"). More information about the activities of Creditreform can be found online at www.creditreform.de.
• In relation to the maintenance and care of our IT systems, it may be necessary to process your personal data in individual cases. We assume that we have a prevailing legitimate interest because these activities serve to ensure IT security and maintenance of IT operations, and thus business and risk management in the Daimler Group.
• We also use your data, especially your contact information, for direct mail campaigns about products and contracts for services or work, and in some cases about special events. We also use this data to send marketing information about our online services or by e-mail, if we have received your e-mail address in relation to the sale of products or services/work, for marketing of our own similar products, or services or work. If you opt out of the use of your data, we will not send you any more marketing communications. We will inform you clearly and in full when we collect your data and each time we use it that you have a right to opt out of the use of your data at any time. We use this data in the aforementioned scope for advertising purposes because we assume that we have a legitimate interest in using your data. In regular intervals, we want to provide you with information about our products and services if we feel they would be of interest to you.
• We also process your data if needed to assert legal claims and for defense in legal disputes. Here as well, we assume that our interests override your basic rights and freedoms that require the protection of your data.
• On our websites, we also conduct online customer surveys in which we process your data. These surveys are used for regular monitoring and improvement of our service quality and therefore our competitiveness and customer orientation, which is why we assume that our legitimate interests prevail when processing your data.
To further develop our services and products and for statistical purposes, we process your data only in anonymous form.
4.3. Collection and processing under legal requirements
EvoBus GmbH is subject to a broad scope of legal and regulatory requirements, such as the Anti-Money Laundering Act and tax laws. The fulfillment of the resulting legal requirements requires the collection and processing of your personal data (Art. 6 (I) (c) GDPR). To meet the requirements of the Anti-Money Laundering Act (GwG) and the Tax Evasion Prevention Act (StUmgBG), we are required to identify you with your ID or passport and to collect and store the data it contains before starting a business relationship with you (Sections 11, 12 GwG). EvoBus GmbH as the obligated party has the right and obligation during the identity check under GwG to make full copies of these documents or create full digital scans (Section 8 (2) (2 ) GwG). If you do not provide us with the necessary information and documents, we cannot enter into or continue the business relationship requested by you.
4.4. Collection and processing pursuant to your consent
Your personal data is also collected and processed if you have previously expressly agreed and therefore provided your consent (Art. 6 (I) (1) a) GDPR).
If we are not already using your data for advertising purposes on the basis of our legitimate interest (as described above under Section 4.2), we will obtain a specific declaration of consent from you.
We also use market research institutes from time to time in order to determine customer satisfaction and improve our products and services in the interest of our customers. In this case as well, we will obtain your specific consent.
5. Will my data be shared?
We do not share your personal data with third parties unless you have consented to the disclosure of this data or we are entitled or obligated to disclose data due to another legitimate reason.
5.1. Data transfer to processors on our behalf
To perform the services related to our services and products, we use processors on our behalf in the European Union
(such as market research institutes, IT providers and storage providers, call center companies to perform our customer services, or external collection agencies, for instance, to collect receivables). The disclosure of your data to these organizations takes place under strict confidentiality obligations and under the requirements of the GDPR and the German Federal Data Protection Act. We have concluded proper agreements for data processing on our behalf with providers that are allowed to process the data for us only, and not for their own purposes, under Art. 28 GDPR.
5.2. Data transfer for joint controllership
We store and process your data to initiate and fulfill our contractual relationship with you in IT systems that are also used by the other companies set forth in Section 4.1 Thus, the data we store there is technically accessible by these companies as well. The companies will access this data only if needed for the business relationship with you as described under Section 4.1.
5.3. Data transfer to suppliers
Under the business relationship with you, we transfer your data, especially your first and last names, your address, your customer number, the order number (if any), the vehicle purchase price, and the VIN also to suppliers in Germany (such as Mercedes-Benz Minibus GmbH or Daimler AG) that we have hired to manufacture or deliver the vehicles or equipment that you have ordered.
5.4. Data transfer to sales partners
When you purchase a vehicle from us, we transfer your data, especially your first and last names, your address, your customer number, the order number (if applicable), the vehicle purchase price and the VIN to our sales partners in Germany (such as Setra general distributors) who were contacted by you or consulted by us for the processing of the vehicle transaction due to their regional responsibility, so that we may provide you with better service. If you, as the customer, are domiciled outside Germany, we will send your above data as needed to the local sales partner responsible for you.
5.5. Data transfer to workshops
If you use workshop services of our authorized service partners, we send your data, especially your first and last names, contact information, date of initial registration of your vehicle, the VIN, vehicle type and brand, and the license plate number also to our authorized service partners in Germany and the European Union ("EU") or the European Economic Area ("EEA"), if this data is needed to fulfill your workshop orders. This is the case particularly for warranty or goodwill claims, or to perform service and maintenance agreements for your vehicle and the performance of online services that you request.
5.6. Data transfer to Verband der Vereine Creditreform e.V.
Under the business relationship with you, we send the personal data collected on the request for, performance of, and end of our business relationship, along with data on conduct that violates the contract, to Verband der Vereine Creditreform e.V., Hellersbergstraße 12, 41460 Neuss, Germany if permitted by law.
5.7. Data transfer pursuant to used vehicle warranties
If you have purchased a warranty package (such as BusStore warranty) for a used vehicle purchase, the data required for the conclusion and performance of the relevant warranty agreement, in particular your contact information, term of the BusStore warranty, invoice amount, VIN, internal vehicle number, vehicle type and brand (if known), delivery date, expiration date of the TÜV inspection and current odometer status, will be sent to our partners who will be the contract partners for the used vehicle warranty.
For conclusion of a BusStore warranty, your contract partner is currently AutoProtect MBI Ltd, Warwick House, Roydon Road, Harlow, CM19 5DY, United Kingdom (Great Britain).
5.8. Transfer to credit institutions and payment services providers
We also give your personal data relating to the performance of business relationships for products and services to credit institutions and providers of payment services for invoices and the completion of payments if you have granted your consent or this is permitted by law.
5.9. Data transfer for accounting purposes
For the purposes of loan loss provisions and the preparation of the balance sheets of Daimler AG and the EvoBus Group, certain master data from financing agreements with a residual value guarantee, specifically including your name, address, term of the contract, contract number, and VIN will be sent to Daimler AG. To prepare the balance sheets, certain voucher data including payment and posting information will also be sent to Daimler AG for these purposes only.
6. Will my data be sent to a third country or an international organization?
Data will not be transferred to countries outside the EU or EEA ("third countries") unless we are required to do so by official order or court order. We also send your data in the shared IT systems to – as specified under Section 4.1 – EvoBus (Schweiz) AG. Switzerland has an adequate level of data protection. This has been verified by the EU Commission by way of adequacy decision (under Art. 45 GDPR).
7. Does automated decision-making take place?
To evaluate your liquidity, in order to protect our legitimate interests with regard to new customers or changes in customer master data (last name, first name, address, e-mail address, bank information) we will obtain an evaluation of the default risk based on a scientifically validated, mathematical/statistical method along with a plausibility check of the e-mail address provided from the Verband der Vereine Creditreform e.V. (scoring). To this end, the personal data required (last name, first name, date of birth, address, e-mail address and bank information) will be sent to this credit agency for the credit check and plausibility check. For the credit check, a statistical probability will be calculated for payment default (profiling), expressed with a score, and on this basis we will make a decision on whether to enter into the contractual relationship. Please note that the address information can also be used to calculate the score.
8. How long will my data be stored?
We process and store your personal data only as long as we need it to meet our contractual or legal obligations. If there is no more legal basis for processing your data, we will delete the data or, if this is not possible, we will block all of your identifying details in our system in accordance with data protection laws. In this regard, we retain your data specifically as follows:
• The periods for compliance with retention obligations under commercial and/or tax law are 6 and 10 years, respectively. For this reason, we keep billing documents for this amount of time.
• Under the regulations of the German Civil Code (BGB), periods of limitation can be up to 30 years; the regular period of limitation is three years. For this reason, we retain the contract documents and documents that relate to the contract in line with the limitation regulations of the BGB.
We will store your personal data for marketing purposes, i.e. sending information and offers on products and services, for a maximum period of six years from the last relevant contact with you. "Relevant contact" means verbal, telephonic or mutual written communications between you and us. When our websites (www.evobus.com, www.mercedes-benz.com, www.setra.de, www.omniplus.com, www.omniplus-on.com, www.bus-store.com) and services (survey.omniplus.com, survey.mb-buses.com, and survey.setra-buses.com) are used, we track such information as your IP address. This will remain stored for a term of seven days after collection. If you access the aforementioned websites, you can find additional details about the use of your data in the data privacy policies shown there.
If you have registered for online services and deactivate these services, we will delete your data after no more than three years unless you decide beforehand to reactivate the online services.
9. What are my rights vis-à-vis EvoBus GmbH?
You have extensive rights regarding the processing of your personal data. Making you aware of these rights is very important to us:
• Right of access: You have the right to access personal data stored by us, particularly to determine for what purpose the data is processed and how long the data is stored (Art. 15 GDPR).
• Right to rectification of inaccurate data: You have a right to demand from us the immediate rectification of your personal data, should it be inaccurate (Art. 16 GDPR).
• Right to erasure: You have the right to demand that we delete your personal data. You can demand the deletion of your personal data if we, for instance, no longer need the personal data for the purposes for which it was collected or otherwise processed, if we unlawfully process the data, or if you have rightfully objected to the use of your data, revoked your consent to the same or there is a legal obligation to delete it (Art. 17 GDPR).
• Right to restriction of processing: You have the right to demand a restriction of the processing of your data. This right especially applies for the duration of the review if you have disputed the accuracy of your personal data, as well as in the case that, for an existing right to deletion, you request restricted processing instead of erasure. Furthermore, there will be a restriction of processing in the case that the data is no longer needed for our purposes, but you still need the data in order to assert, exercise or defend legal rights, as well as if the successful assertion of an objection is disputed between you and us (Art. 18 GDPR).
• Right to data portability: You have the right to receive personal data about you that you have provided to us in a structured, standard, machine-readable format (Art. 20 GDPR) if it has not been deleted yet.
If you would like to assert one of your rights or receive further information about this, please e-mail mbox-datenschutz-evobus[at]daimler.com or write to EvoBus GmbH, HPC G562, Mercedesstraße 127/6, 70327 Stuttgart.
10. Can I withdraw my consent to data processing?
You can withdraw consent to the processing of your personal data at any time, with future effect and free of charge. This also applies to declarations of consent that were granted before the GDPR took effect, i.e. before May 25, 2018.
You can withdraw your consent by e-mail to Einwilligung-EvoBus@daimler.com by writing to EvoBus GmbH, Mercedesstraße 127/6, HPC R511, 70327 Stuttgart.
Please note that the withdrawal does not apply until we have received it and will take effect for the future. For example, if you withdraw your consent to the use of your data for marketing purposes, once we receive your withdrawal we will not send you advertisements in the future.
11. Can I object to the processing of my personal data?
For reasons relating to your particular situation, you have the right to file an objection at any time to processing of personal data pertaining to you that is collected under Art. 6 (I) (1) e) or f) GDPR (Art. 21 GDPR). We will no longer process your personal data unless we can prove compulsory, legitimate reasons for processing that outweigh your interests, rights and freedoms, or if the processing is required to assert, exercise or defend against legal claims. In the event that you object to the use of your data for marketing purposes, we will not use your data for these purposes any longer.
If you wish to object to the processing of your personal data, please e-mail us at Einwilligung-EvoBus@daimler.com or write to us at EvoBus GmbH, HPC R511, Mercedesstraße 127/6, 70327 Stuttgart.
12. Right to lodge a complaint with the supervisory authority
If you feel that we are violating the GDPR by processing personal data about you, you have the right to lodge a complaint with a supervisory authority, e.g. a data protection agency responsible for your place of residence, workplace or location where the alleged data protection violation occurred.
Dated May 2018