Privacy Policy for Data Subjects (Current and Previous Vehicle Keepers and Owners of Motor Vehicles)

The following information fulfills the obligation to provide information pursuant to Article 14 of the General Data Protection Regulation (GDPR), where personal data has not been obtained from the data subject, as in this case.

There is no obligation to provide the data subject with information directly in accordance with Article 14(5)(b) GDPR if the provision of such information proves impossible or would involve a disproportionate effort. Although CARFAX processes the personal data of vehicle keepers and owners, this does not include identification or contact information, such as the name, address, or telephone numbers of the data subject.

CARFAX therefore makes information publicly available on the website for all data subjects in accordance with GDPR.

Name and Contact Details of the Data Controller

CARFAX Europe GmbH, Barthstraße 2-10, 80339 Munich, Germany, Email: info@carfax.eu (hereinafter referred to as "CARFAX", "we", "us").

Contact Details of the Data Protection Officer

Holzhofer Consulting GmbH, Martin Holzhofer, Lochhamer Str. 31, 82152 Planegg, Germany, Tel.: +49 (0) 89 125 01 56 00

Website: http://www.holzhofer-consulting.de/

Purposes for Which Personal Data Is to Be Processed and the Legal Basis for Processing the Data

Purposes for Data Processing

CARFAX processes personal data pursuant to Article 5 GDPR.

In particular, CARFAX processes vehicle identification numbers (VINs) to identify specific vehicles and provide interested parties with information about the vehicle history of used vehicles. In some countries, a vehicle retains the same license plate throughout its life cycle — in this case, the license plate can also be used to identify a vehicle.

Data Processing on the Basis of Legitimate Interest

In consideration of the rights and freedoms of vehicle keepers and owners, processing will be carried out if this is necessary for the purposes of a legitimate interest of CARFAX Europe GmbH or a third party and this is not overridden by the interests, fundamental rights, and fundamental freedoms that require protection of personal data. Article 6(1)(f) GDPR provides the legal basis in these cases.

CARFAX also processes data so that its services can contribute to the general improvement of fraud prevention measures and to the fight against organized crime in the international trade of used vehicles. Increased transparency relating to used vehicles leads to increased road safety, which is in the public interest. Finally, CARFAX has a legitimate economic interest in data processing in relation to the sale of its products and services.

CARFAX will provide information regarding any changes to the purposes of data processing pursuant to Article 14(4) GDPR.

Data Recipients and Data Sources

Categories of Recipients of Personal Data ("Third Parties")

To the extent permitted by law, we share personal data with third parties:

"Third parties" may be any individual or institution interested in receiving information about the life cycle of a used vehicle, including: individuals and companies who want to buy or sell a used vehicle; companies such as insurance companies who want to insure a used vehicle and therefore need to evaluate the vehicle, or insurance companies dealing with traffic accidents; investigating authorities; law enforcement agencies; and other third parties.

We also share data with associated companies, in particular our parent company CARFAX Inc. and with subsidiaries within the EU, on a case-by-case basis and subject to certain conditions.

In order to process the personal data for the purposes mentioned above, we appoint the following categories of recipients as data processors as defined in Article 28 GDPR:

Service providers for hosting servers in order to provide web-based services

Software service providers for hosting and operating various software (e.g. for the support ticket system and document management system)

Data Sources

CARFAX currently has a database comprising over four billion data records collected from various sources, including government departments, regulatory authorities, service and repair workshops, inspection companies, car dealers, online marketplaces, and many others.

Categories of Personal Data That are Processed

The specific categories of personal data are the vehicle identification number (VIN) and license plate, which can be traced to an identifiable individual. Pursuant to GDPR, an identifiable natural person is one who can be identified, directly or indirectly, "in particular by reference to … an identification number…" — see Article 4(1) GDPR. Using the 17-digit VIN or the license plate, it is possible in principle to identify the keeper and/or the owner of a vehicle — but only if a request is submitted to the competent authority and if the request is related to traffic law issues. CARFAX never collects or processes identification and contact information of keepers, owners, possessors, drivers or passengers of vehicles. Furthermore, CARFAX does not process any special categories of personal data.

In addition to the VIN and the license plate, CARFAX processes event-based data about the vehicle (e.g. registration, change of ownership, damage, repairs, mileage, residual value and service data, type of usage) as well as technical and non-technical vehicle features, and provides third parties with requested information about a used vehicle.

Retention Period and Criteria for Determining Such a Period

Pursuant to Article 5(1)(e) GDPR, personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

CARFAX stores information relevant to the vehicle and the personal data mentioned above for an indefinite period. It is necessary to store this data indefinitely in order to prevent the crime of transferring the VIN of a vehicle that is to be scrapped (for example) to another vehicle which has been involved in an accident and is no longer deemed roadworthy, but is being repaired in order to be illegally returned to the used vehicle trade.

Only by storing this data indefinitely can competent authorities detect this crime and prevent these vehicles from returning to circulation as seemingly roadworthy vehicles. The purpose of storing this data is therefore considered not to be fulfilled, meaning the data may be stored for an indefinite period.

CARFAX also provides used car histories for vintage vehicles. Vehicles that are over 30 years old are considered to be vintage vehicles.

Data Transfer to a Third Country

Data is transferred to countries outside the EU and the European Economic Area ("third countries") as part of administering, developing and operating IT systems. Data will only be transferred on the basis of:

An adequacy decision by the European Commission as defined in Article 45 GDPR.

An approved certification mechanism pursuant to Article 42 GDPR together with legally binding and enforceable obligations on the part of the controller or the processor in the third country.

Standard data protection clauses issued by the European Commission in accordance with the examination procedure referred to in Article 93(2) GDPR.

At present, in the context of purchasing a CARFAX service, data will be transferred to countries outside the EU and the European Economic Area ("third countries") in the following cases:

Transfer of the VIN to our parent company CARFAX Inc., 5860 Trinity Parkway, Suite 600, Centreville, VA 20120, USA, only when no data related to a requested VIN is available in our European database, in order to give the inquiring party total access to the global database.

Data transfer to Egnyte Inc., 1350 W. Middlefield Road, Mountain View, CA 94043, USA in conjunction with the provision and use of our document management system.

Data transfer to Atlassian Pty Ltd, Level 6, 341 George Street, Sydney, NSW 2000, Australia (Global HQ) in conjunction with the provision of web applications for project management, exchange of knowledge and collaboration.

Data transfer to AWS Inc., 410 Terry Avenue North, Seattle, WA 98109, USA in conjunction with the provision of server hosting and cloud services (although our data is located on servers in Europe, our contractual partner has a parent company based in the USA, meaning the transfer of data cannot be safely ruled out).

Data transfer to MongoDB, Inc., 229 West 43rd Street, New York City, NY 10036, USA in conjunction with support for the open source database MongoDB, a NoSQL database that stores data in JSON-like documents with flexible schemas (although our data is located on servers in Europe, our contractual partner has a parent company based in the USA, meaning the transfer of data cannot be safely ruled out).

For the USA, the European Commission has issued an adequacy decision according to Article 45(3) GDPR, which applies to the EU-US Data Privacy Framework (DPF). For data exports to recipients in the USA that are certified according to the DPF, the level of data protection is thus considered adequate. Slack, Microsoft and Atlassian are certified under the DPF and thus committed to complying with European data protection principles.

Automated Decision-Making including Profiling

CARFAX Europe GmbH does not employ automated individual decision-making, including profiling, pursuant to Article 22(1) and (4) GDPR.

Information about Data Subjects' Rights

Unless otherwise specified, CARFAX Europe GmbH, Barthstraße 2-10, 80339 Munich, Germany, is the data controller.

Provided that the legal requirements are met, you can obtain information from us at any time about the data stored about you (Article 15 GDPR) and request that it be rectified (Article 16 GDPR) where there are errors. You can also request that processing be restricted (Article 18 GDPR), that the data you have given us be provided in a machine-readable format (data portability) (Article 20 GDPR) or that your data be erased (Article 17 GDPR) if it is no longer required.

Furthermore, you have the right to object to the use of your data based on public or legitimate interest (Article 21 GDPR) at any time.

If you wish to exercise your rights as a data subject, please contact:

CARFAX Europe GmbH, Barthstraße 2-10, 80339 Munich, Germany, privacy@carfax.eu

Right to Lodge a Complaint with a Supervisory Authority

You can also contact a supervisory authority at any time to lodge a complaint. The Bayerisches Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection Supervision), P.O. Box 1349, 91504 Ansbach, Germany, is the competent authority for CARFAX Europe GmbH. Alternatively, you can contact your local supervisory authority.

Version dated: January 2024