Privacy Notice when you make a purchase
This Privacy Notice fulfills the obligation to provide information pursuant to Article 13 et seq. of the General Data Protection Regulation (GDPR) where personal data is collected in connection with the conclusion of a contract via our website.
1. Name and contact details of the data controller:
CARFAX Europe GmbH Lindwurmstraße 124 80337 Munich, Germany Email: email@example.com
(hereinafter referred to as "CARFAX", "we", "us").
2. Contact details of the data protection officer:
Martin Holzhofer Holzhofer Consulting GmbH Lochhamer Str. 31 82152 Planegg, Germany Tel.: +49 89 125 01 56 00 Email: firstname.lastname@example.org
3. Purposes for which the personal data is to be processed and the legal basis for processing
3.1. Data processing for the performance of the contract concluded between you and us (Article 6(1)(b) GDPR)
We, as well as third parties or processors appointed by us, will process the following data about you for the purposes of taking steps prior to entering into a contract, to perform the existing contractual relationship, to provide the services to be rendered and to send you contractual documentation, insofar as you have provided us with this information at the time the contract is concluded or during the course of the contractual relationship:
Personal details (name, email address)
Vehicle identification number (VIN) or an official registration number that you have entered
Bank details (IBAN, bank, account holder) and payment information
3.2. Data processing on the basis of legitimate interests (Article 6(1)(f) GDPR)
In consideration of your rights and freedoms, processing will be carried out beyond the scope of actual performance of the contract if this is necessary for the purposes of a legitimate interest on our part and this is not overridden by your interests, fundamental rights and fundamental freedoms, which require protection of personal data.
This will occur, for example, for the establishment of legal claims and defense in case of legal disputes.
Use of your email address for the sending of direct advertising
Unless you have opted out, we will use the email address we received from you in the context of selling a service to send you promotional material via electronic means about our services which are similar to those you have already purchased from us. You may opt out of your email address being used at any time by notifying us that you wish to do so. The contact details to be used for opting out can be found in the legal notice. You can also use the link provided in the promotional email. There will be no charges beyond the basic tariffs associated with communicating in these ways.
4. Obligation to provide the data
It is mandatory to provide an email address, VIN or registration number and payment information for the chosen method of payment. If you do not provide us with this information, it will not be possible to conclude a contract with us.
5. Automated decision-making including profiling
CARFAX Europe GmbH shall only employ automated individual decision-making, including profiling, pursuant to Article 22(1) and (4) GDPR in the event a contract is concluded during the order process as part of a credit check and scoring by the payment service provider Adyen N.V. This will be done on the basis of Article 22(2)(a) GDPR and is therefore necessary in order to conclude the contract between you and us.
6. Data transfer to a third country
Data is transferred to countries outside the EU and the European Economic Area ("third countries") as part of administering, developing and operating IT systems. Data shall only be transferred on the basis of:
an adequacy decision of the European Commission under Article 45 GDPR;
an approved certification mechanism pursuant to Article 42 GDPR together with legally binding and enforceable obligations on the part of the controller or the processor in the third country;
standard data protection clauses issued by the Commission in accordance with the examination procedure referred to in Article 93(2) GDPR.
At present, in the context of a contract being concluded via our website, data will be transmitted to countries outside the EU and the European Economic Area ("third countries") in the following case:
VIN is forwarded to our parent company CARFAX Inc., 5860 Trinity Parkway, Suite 600, Centerville, VA 20120 in the USA only when there is no data in our own database and thus to give you total access to the global database.
7. Recipients of data and data sources
7.1. Categories of data recipient
To the extent permitted by law, we share personal data, or data that can be used to identify persons, with external service providers:
Banks and payment service providers for billing and payment transactions (Adyen N.V., the Netherlands).
All personal data we collect will only be processed and used for the purpose of fulfilling and processing your order as well as for handling your inquiries. In addition, your personal data will only be shared with or transmitted to third parties as far as this is necessary for the purposes of processing the contract, in particular to our service partners, who are required in order to process the contractual relationship. In these cases, we strictly observe the requirements of the GDPR and the Bundesdatenschutzgesetz (German Federal Data Protection Act). The data transfer will be limited to a minimum.
In addition, we will only share your personal data with third parties if you have expressly consented to this. You have the right to withdraw your consent at any time with effect for the future.
Your data will also be shared as far as we are legally obliged to do so.
7.2. Data sources
We will process personal data we have received from you over the course of our business relations. As far as this is necessary in order to provide our service, we process personal data that we duly obtain from publicly accessible sources (records of debtors, land registers, trade and association registers, press, Internet) or that we are legitimately sent by other third parties (a credit agency or an address service provider).
8. Retention period and criteria for determining such period
We will store your data for the term of the existing contract and, once the contract entered into with you has ended, for a period until the statutory retention obligations expire. We will anonymize or delete this data again once the statutory retention obligations, which primarily reflect commercial and tax law (in particular Section 147 of the Abgabenordnung (German Fiscal Code) and Section 257 of the HGB (German Commercial Code)), have expired.
We will store your data for advertising purposes until you object to such use or we are no longer permitted by law to send promotional material to you. We will store your other data as long as we need it to fulfill the specific purpose (such as performance or processing of the contract) and will delete it once the purpose ceases to apply.
9. Information about your rights as a data subject
CARFAX Europe GmbH, Lindwurmstr. 124, 80337 Munich, Germany, is responsible for processing your data, unless otherwise stated.
You can obtain information from us at any time (Article 15 GDPR) regarding the data stored about you and request that it be rectified (Article 16 GDPR) where there are errors. You can also request that processing be restricted (Article 18 GDPR), request that data you give us be provided (Article 20 GDPR) in a machine-readable format (data portability) or that your data be erased (Article 17 GDPR) provided it is no longer required.
Furthermore, you have the right to object to the use of your data, which is based on public or legitimate interests (Article 21 GDPR), at any time.
If we process your data on the basis of your consent, you may withdraw this consent at any time with effect for the future (Article 7(3) GDPR). Once we have received your withdrawal, we will no longer process your data for the purposes covered by the consent.
If you wish to exercise your rights as a data subject, please contact:
CARFAX Europe GmbH Lindwurmstraße 124 80337 Munich, Germany email@example.com
10. Right to lodge a complaint with a supervisory authority
In addition, you can contact a supervisory authority at any time to lodge a complaint. The Bayerisches Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection Supervision), P.O. Box 1349, 91504 Ansbach, Germany, is the competent authority for us. Alternatively, you can contact your local supervisory authority.
Munich, Germany, May 3rd, 2021