Privacy policy of the joint controllers

Effective from 25 May 2018

ENGLISH VERSION | MAGYAR VÁLTOZAT

1. Vehicles

We make use of test vehicles for the purposes of development, testing, validation, quality assurance and/or safeguarding. “Test vehicle” may also mean a vehicle which only collects data for our developments.

Those vehicles are driven in test areas but also on public roads. They are equipped with sensors and measuring instruments as well as video measurement technology, and thus are inclined to film the surrounding of public roads. It could happen that your vehicle including its license plate or you as a driver, passenger of another vehicle or a pedestrian walking along the street might be filmed.

It is not our aim to identify persons or to collect personal data. Personal data collection is concerned to test purposes or development goals (improving autonomous vehicle functions).

Marking of the test vehicles

Our test vehicles are marked with the following or similar stickers.

Here below an example:

Those stickers identify our test vehicles and indicate that they may record some videos of their immediate environment.

The following Privacy Policy wants to inform you what kind of personal data might be processed and to whom it might be disclosed and what kind of rights you have regarding Privacy.

 

2. Privacy policy

Your personal data (“Data”) may be processed in connection with the use of test vehicles on public roads by following STELLANTIS legal entities in charge of research and development, acting for the purposes described in this privacy notice as the joint data controllers of your Data: PSA AUTOMOBILES S.A. (“Stellantis Auto S.A.S.”), 2-10 boulevard de l’Europe, 78300 Poissy, France; Opel Automobile GmbH, Bahnhofsplatz, 65423 Rüsselsheim am Main, Germany; Stellantis Europe S.p.A., Corso Giovanni Agnelli 200, 10135 Torino, Italy; FCA US LLC, 1075 W. Entrance Drive, Auburn Hills, Mi, USA 48326; aiMotive Informatikai Korlátolt Felelősségű Társaság (“aiMotive”), 1025 Budapest, Szépvölgyi út 22, (hereinafter, jointly,  “we” or “We”).

The data processing is based on our legitimate interest in improving vehicles and road safety through the development of driving assistance systems unless you have exercised your right to object.

This implies the processing and storage of videos and images, which are recorded directly by the test vehicles’ cameras.

Furthermore, we have the legitimate interest to defend ourselves in case of litigation.

What data do we process and what do we use it for?

As joint controllers, we process your Data as follows.

The measurement technology built into the test vehicles processes videos produced by outwardly directed cameras. Those cameras collect real-time images of the public traffic. This information may also include personal data referring to you, such as:

  • Images/Videos of you, as a road user (pedestrian, cyclist, motor rider, car driver, etc.)

  • Your vehicle’s license plate

  • GPS coordinates / location of the test vehicle at the moment of the recording

  • Time and date of the recording

  • Other personal data or information about you that might appear around the vehicles during the recording of images/videos (within sight of the on-board cameras)

Our technical teams use these Data in order to improve existing vehicle functions, or to develop new ones. We are not interested in determining the identity of an individual, and the measurement system is not configured for that purpose, as this is not necessary for the development of new functionalities. All recorded objects are only categorized as trucks, cars, motorcycles, pedestrians, etc.

How we use your data?

Data collected for the purposes indicated above are processed via automated processing, namely, through programs or algorithms.

How long do we store your data?

The above-mentioned Data are stored and processed for the needs of innovation projects, typically three to five years. For the development of some new driving assistance systems, we may be required to keep some cars’ data in archive databases for 10 years after the end of the model’s production, in case of litigation.

What does joint controllership means?

We have concluded a joint controller agreement according to which each of the mentioned entities may collect your Data and exchange it with each other for the purposes mentioned above. You may exercise your below detailed rights in respect of and against each of the controllers.

According to the Joint Controller Agreement that we have defined separately, we inform you that we act as joint controllers in the “Stellantis Test Vehicles” project, characterised by Stellantis test vehicles driven by Stellantis employees in particular for processing the personal information/data of individuals in connection with research and development activities, including the development and testing of artificial intelligence based applications, also as being addressed in a separate Master Service Agreement.

In this regard, we jointly perform the following tasks: performing test vehicles to improve existing vehicle functions, or to develop new ones. In particular, the measurement technology built into the test vehicles processes videos from outwardly directed cameras.

Who might receive your data?

We disclose the above-mentioned Data for product and services optimization, development, testing, and validation of driving assistance systems, to the following recipients.

We disclose your Data with the following list of persons/entities (“recipients”)

  • Within our legal entities, only the departments that need to use your Data as part of their activities have access to them, e.g. product development teams engaged in the development of driving assistance systems in our technical centers. Those persons have been authorized by us to perform any of the Data related activities described in this document. Our employees and collaborators have undertaken an obligation of confidentiality and abide by specific rules concerning the processing of your Data.

  • Within Stellantis Europe S.p.A., PSA AUTOMOBILES SA, Opel Automobile GmbH, FCA US LLC and aiMotive, only the departments that need the Data as part of their activities have access to the Data, e.g. product development teams engaged in the development of driving assistance systems in our technical centers.

  •  We also may disclose your Data to our respective engaged IT service providers who act as data processors to support the administration of the above-mentioned purposes, in particular to archiving service providers, hosting service providers and/or IT service providers.

  • In addition, and especially for the development, test and/or validation of algorithms of new automated driving assistance systems, and only when anonymisation is not possible for technical reasons, we may also disclose your personal data to the following recipient categories, who may act as data processors: development partners, subcontractors, professional associations, universities.

We have signed agreements with each of our data processors to ensure that your data are processed confidentially, with appropriate safeguards, and only under our instruction.

We will be happy to provide you with further information on the data recipients involved in specific test drives. Feel free to contact us by e-mail (see paragraph “Contacting us”).

Is data transferred to third countries?

Insofar as the recipients are located in a country outside the European Union or the European Economic Area (so-called “third-party countries”), your Data may be transferred to a country that does not ensure an adequate level of data protection, i.e. one that is not comparable to European standards.

Please note that not all third-party countries have a level of data protection considered adequate by the European Commission. When transferring data to third-party countries that do not ensure an adequate level of data protection, we have taken appropriate steps, e.g. put standard contractual clauses in place to protect personal data and, if necessary, supplementary measures. You may request to receive a copy of these measures by using one of the contact means listed below (see paragraph “Contacting us”).

How do we protect your data?

We take reasonable precautions from a physical, technological and organizational point of view to prevent the loss, misuse, or modification of Data under our control. For example:

  • We ensure that your Data is only accessed and used by, transferred or disclosed to Recipients that need to have access to such Data.

We also limit the amount of Data accessible, transferred or disclosed to Recipients to only what is necessary to fulfil the purposes or specific tasks performed by the recipient/s. The computers and servers where your Data is stored are kept in a secure environment, are password-controlled with limited access, and have industry standard firewalls and anti-virus software installed. Paper copies of any documents containing your Data (if any) are kept in a secure environment as well. We destroy paper copies of documents containing your Data that is no longer needed. When destroying Data recorded and stored in the form of electronic files that is no longer needed, we make sure that a technical method (for example, low level format) ensures that the records cannot be reproduced. Laptops, USB keys, mobile phones and other electronic wireless devices used by our employees who have access to your Data are protected. We encourage employees not to store your Data on such devices unless it is reasonably necessary for them to do so to perform a specific task as outlined in this Privacy Policy. We train our employees to comply with this Privacy Policy and conduct monitoring activities to ensure ongoing compliance and to determine the effectiveness of our privacy management practices. Any data processor that we use is contractually required to maintain and protect your Data using measures that are substantially similar to those set out in this Privacy Policy or required under applicable data protection law.

In case required by the applicable legislation, if a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Data transmitted, stored or otherwise processed, will be notified to you and to the competent data protection authority as required (for example, unless Data is unintelligible to any person or the breach is unlikely to result in a risk to your rights and freedoms and those of others).

 

3. Your Rights

As a data subject, you have the right to access, right to rectification, right to erasure (right to be forgotten), right to restriction of processing, right to data portability, and the right to object to the processing of personal data concerning you.

Regarding the right to object the following applies: You have the right to object to the processing of your Data at any time for reasons that arise from your particular situation, as long as data processing is based on our legitimate interests or those of a third party. In this case, we will cease to process your data. This does not apply if we can show that there are compelling legitimate grounds for processing that outweigh your interests, or if we need your Data for the establishment, exercise or defense of legal claims.

Indeed, in certain situations, we may be unable to respond to your request as a data subject due to legal requirements or information available to us. For instance, we may not be able to retrieve videos of recorded persons without additional information.

Your rights may only apply if you provide us with additional information that enables us to clearly identify you, such as the exact location of the event, the timeframe or your clothing items.

If you want to exercise any of the rights listed above, please send us an e-mail (see below at section “Contacting us”).

At any time, you may also contact the Supervisory Authority. Here you can find the list of all the Supervisory Authorities by country:

4. Contacting us

You can request more information on this privacy policy and/or exercise any of the rights listed above by writing to [email protected] .

 

5. Contacting our Data Protection Officer

You can contact the Data Protection Officer to the following e-mail address: