Subaru values your privacy and is committed to protect your personal data in accordance with applicable privacy and data protection regulations.
The purpose of this Privacy Statement is to inform you on how we collect and use your personal data in light of our legal obligation under Commission Implementing Regulation (EU) 2021/392 of 4 March 2021. We aim to be transparent regarding how we process your personal data and what we do with your personal data. This is clarified in more detail in this privacy statement.
SUBARU EUROPE NV/SA, with registered offices at 1930 Zaventem, Leuvensesteenweg 555/8 (Belgium) and registered with the Crossroads Bank of Enterprises under number 0438.574.810 (hereinafter, "Subaru", "we" or "us").
You can contact us to the attention of the Data Protection Officer (DPO) via one of the following contact details:
Per letter: Leuvensesteenweg 555/8, 1930 Zaventem, Belgium
Tel.: 0032 2 714 03 00
We process your personal data in accordance with the applicable legal provisions regarding the protection of personal data, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter the "GDPR") and the applicable national implementing legislation. Particularly, we shall process your personal data under this privacy statement in accordance with the provisions of Commission Implementing Regulation (EU) 2021/392 of 4 March 2021 on the monitoring and reporting of data relating to CO2 emissions from passenger cars and light commercial vehicles pursuant to Regulation (EU) 2019/631 of the European Parliament and of the Council and repealing Commission Implementing Regulations (EU) No 1014/2010, (EU) No 293/2012, (EU) 2017/1152 and (EU) 2017/1153 (hereinafter the “Regulation”).
As far as this privacy statement is concerned, the term "personal data" refers to: all information about an identified or identifiable natural person (the ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular through an identifier, such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In other words, all the information which can be used to identify a person. These elements include, for instance, your surname, first name, date of birth, telephone number and email address, as well as your IP address.
The term "processing" is very broad and covers, among other things, collecting, recording, organising, storing, updating, modifying, retrieving, consulting, using, disseminating, combining, archiving and deleting data.
Subaru is responsible for the processing of your personal data.
We are what the GDPR refers to as the “controller” of your personal data. In concrete terms, this means that Subaru determines the purpose and means for the processing of your personal data.
We collect your personal data in order to:
• send you the Subaru Magazine to which you subscribed;
• send you the Subaru Media Releases to which you subscribed;
• support you with a request related to your vehicle or any other product we provided and for which you contacted us via one of our communication channels;
• support you with a technical issue related to your vehicle or any other product we provided and for which you contacted an entity in the Subaru network and for which they are contacting us as next level of support;
• process resumes and recruitment information as part of our hiring process;
• comply with legal obligation(s) requiring us to collect and retain your Personal Data;
• manage your request to exercise your rights;
• if reasonably necessary in connection with a dispute or an investigation in which we are or may become involved either directly with you or with a third party.
We do not intend to collect any personal data from persons younger than 16 years old (to comply with article 8 of GDPR; we don’t consider local legislation in this area). These minors are not allowed to provide us with any personal data or a statement of consent without permission from the person who has parental authority.
In the table below you can read:
• column 1: why we do this (the ‘purposes’);
• column 2: on what legal grounds the processing is based;
• column 3: what categories of personal data we process; and
• column 4: the applicable retention period for this data
All processing activity involving your personal data takes place for one or more specific purposes.
In addition, we only process your personal data on the basis of a valid legal ground. The applicable legal ground, which you can find in the column ‘legal grounds’, means the following:
• 'Consent': you have given consent for the processing of Personal Data for a specific purpose;
• 'Legal obligation': the processing is necessary for compliance with a legal obligation to which we, as the controller, are subject;
• 'Legitimate interest': the processing is necessary to serve our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.
• 'Agreement': the processing is necessary for the performance of an agreement to which you are a party;
To give you more control over the processing of your personal data, you have various rights at your disposal. These rights are laid down, inter alia, in articles 15-22 of the GDPR.
For more information about issues related to the processing of personal data or if you wish to exercise one of the rights above, please contact us at email@example.com. We will do our best to reply to you as soon as possible, but no later than within one month. If we need more time to fulfil your request, we will let you know within the month and get back to you within two months.
In order to verify your identity when exercising your rights, and solely for that purpose, we ask you to send us a copy of the front side of your identity card. The image on your electronic identity card shall not be retained by Subaru. We strongly advise you to “blackline” everything, except first name, surname and date of birth, before transmitting a copy of your electronic identity card to us.
You can exercise all these rights free of charge unless your request is manifestly excessive (for instance due to its repetitive nature). In such cases, we shall be entitled to charge you a reasonable fee.
You have the following rights:
• The right to access the personal data we process about you (art. 15 GDPR):
You have the right to be informed by us at any time whether or not we are processing your personal data. If we are processing them, you have the right to access these personal data and to receive additional information about:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients (in particular, recipients in third countries);
d) the retention period or, if that is not possible, the criteria for determining that period;
e) the existence of your privacy rights;
f) the right to lodge a complaint with the supervisory authority;
g) the source of the personal data if we obtain personal data from a third party;
h) whether we are using automated decision-making in respect of you.
If we cannot give you access to your personal data (e.g. due to legal obligations), we shall inform you as to why this is not possible.
You can also obtain a free copy, in an understandable format, of the processed personal data in an understandable format. Please note that we may charge a reasonable fee to cover our administrative costs for any additional copy you may request.
• The 'right to be forgotten' (the right to request us to delete your personal data) (art. 17 GDPR):
In certain cases, you can request that we delete your personal data. In this event, however, please note that we shall no longer be able to offer you certain services if you exercise this right. Please also note that your right to be forgotten is not absolute. We are entitled to continue to store your personal data if this is necessary for, among other things, the execution of the agreement, compliance with a legal obligation, or the establishment, execution or substantiation of a legal claim. We shall inform you of this in more detail in our response to your request.
• The right to rectification (art. 16 GDPR):
If your personal data is incorrect, out of date or incomplete, you can ask us to correct these inaccuracies or incomplete information.
• The right to data portability (art. 20 GDPR):
Subject to certain conditions, you also have the right to have the personal data that you have provided to us, transferred by us to another controller. Insofar as technically possible, we shall provide your personal data directly to the new controller.
• The right to restriction of processing (art. 18 GDPR):
If any of the following elements apply, you may request us to restrict the processing of your personal data:
a) you dispute the accuracy of those personal data (in this case, its use shall be limited for a period that allows us to verify the accuracy of the personal data);
b) the processing of your personal data is unlawful;
c) we no longer need your personal data for the its purposes, but you need them in establishing, exercising or substantiating a legal claim;
d) as long as no decision has been taken on exercising your right to object to the processing, you may request that the use of your personal data be restricted.
• The right to object (art. 21 GDPR):
You can object to the processing of your personal data on the basis of your particular situation, if we process your personal data on the basis of legitimate interests or on the basis of a task of general interest. In this event, we shall cease the processing of your personal data, unless we can demonstrate compelling and legitimate grounds for processing which outweigh your own, or if the processing of the personal data is related to establishing, exercising or substantiating a legal claim.
• The right not to be subject to automated decision-making (art. 22 GDPR):
You have the right not to be subject to a decision made exclusively on the basis of automated data processing that significantly affects you or has legal consequences and that is made without substantial human involvement.
You cannot exercise this right in following three situations:
a) when automated decision-making is legally permitted (e.g. to prevent tax fraud);
b) when automated decision-making is based on your explicit consent; or
c) when automated decision-making is necessary for entering into, or performance of a contract (please note: we always endeavour to use less privacy-intrusive methods for entering into or performing the contract).
• The right to withdraw your consent (Art. 7 GDPR):
If your personal data are processed on the basis of your consent, you may withdraw this consent at any time upon simple request.
• The right to lodge a complaint
We make every effort to securely protect your Personal Data. If you have a complaint about the way in which we process your Personal Data, you can notify us thereof via our contact details (as mentioned at the beginning of this Privacy Notice), so that we can deal with it as quickly as possible.
You can also lodge a complaint with the competent supervisory authority. You have the right to lodge a complaint about the way we handle or process your Personal Data with your national data protection authority (https://edpb.europa.eu/about-edpb/about-edpb/members_en). The supervisory authority for Subaru is the Data Protection Authority, with the following contact details:
Data Protection Authority
Drukpersstraat 35, 1000 Brussels, Belgium
Tel: +32 (0)2 274 48 00
Fax: +32 (0)2 274 48 35
We shall only disclose your personal data to third parties in accordance with the applicable legal framework.
In connection with the purposes described above in section 3, we may need to share your personal data with the following recipients:
• Service providers: Subaru sometimes uses third parties, such as marketing companies or IT service providers, to perform tasks on its behalf and may need to share your personal data with them to provide the services described above. Any processing of that personal data will be on our instructions and in line with the original purposes.
• Authorized distributors or dealers: your personal data might be shared with your nearest Subaru authorized distributor or dealer to establish a quick and more flexible connection to fulfil your request.
• Legal obligations: as required by law, Subaru may disclose your personal data to law enforcement officials, in order to comply with legal requirements, court orders, government or law enforcement agency requests, including to meet national security or law enforcement requirements, and including to agencies and courts in the countries where we operate. Where permitted by law, we may also disclose such information to third parties (including legal counsel) when necessary for the establishment, exercise or defense of legal claims or to otherwise enforce our rights, protect our property or the rights, property or safety of others, or as needed to support external audit, compliance and corporate governance functions.
With regard to data protection, an agreement has been concluded with all these service providers to ensure that they manage your personal data securely, with respect and with due care and diligence.
We shall only transfer your personal data to processors or controllers in third countries to the extent we are legally entitled to do so or if this is necessary to handle a legal case.
Insofar as such transfers are necessary, we take the necessary measures to ensure that your personal data are highly protected and that all transfers of personal data outside the EEA take place lawfully. If a transfer takes place to a country outside the EEA for which the European Commission has not determined that it offers an adequate level of protection, this transfer shall always be subject to an agreement that complies with all requirements for transfers to third countries, such as the relevant safeguards and standard contractual clauses on data protection approved by the European Commission.
We have taken all reasonable and adequate technical and organisational security measures to protect your personal data as best as possible against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. For instance, we always store your personal data at a secured location to prevent third parties from accessing your personal data.
Subaru may update this Privacy Notice from time to time, and when we do so, we will re-issue a revised Privacy Notice, and notify you of any changes to the extent required by law. We invite you to always consult the latest version of this Privacy Notice.
If you have any questions regarding any changes to this Privacy Notice, please contact us using our contact details as set out in the beginning of this Privacy Notice.
Subaru processes your personal data acquired in the course of public road test as follows:
Subaru processes your personal data acquired for OBFCM regulation as follows:
Subaru processes your personal data acquired via the SUBARU Care Connected Services as follows: