Privacy Notice - SUBARU Care App and Account

Subaru values your privacy and is committed to protecting your personal data (“Personal Data”) in accordance with applicable privacy and data protection regulations (in particular the General Data Protection Regulation or “GDPR”).
We aim to be transparent regarding how we process your Personal Data and what we do with it. This is clarified in more detail in this privacy notice (the “Privacy Notice”).
This Privacy Notice relates to the processing of your Personal Data in the framework of your access to and use of the SUBARU Care app and the creation, access and use of your SUBARU Care account.

Who are we?

SUBARU EUROPE NV/SA ("Subaru", "we" or "us")
Leuvensesteenweg 555/8 
1930 Zaventem 
Belgium
0438.574.810

You can contact us via the following contact details:
Per letter: to our registered offices to the attention of the Data Protection Team
Tel.: 0032 2 714 03 00
E-mail: privacy@subaru.eu

Some definitions

As far as this Privacy Notice is concerned, the term "Personal Data" refers to: all information about an identified or identifiable natural person (being you as the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular through an identifier, such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In other words, all the information which can be used to identify a person. These elements include, for instance, your surname, first name, date of birth, telephone number and email address, as well as your IP address. 

The term "processing" is very broad and covers, among other things, collecting, recording, organizing, storing, updating, modifying, retrieving, consulting, using, disseminating, combining, archiving and deleting data.

Authorized Dealer/Repairer is to be understood as (1) the dealer or repairer that you have selected as your “preferred Authorized Dealer/Repairer” via the settings of your SUBARU Care account (which you can change at any time) or (2) in case you did not make such selection, the one identified by us based on location (the nearest to you based on your postcode, address) or based on the history of your contacts with our network.

“Account data” means:
- Identity data (e.g. title, family and first name);
- Contact data (e.g. mobile number, email address, postal address);
- Data relating to your privacy preferences (e.g. date you give your consent; what you consented to; date on which you withdrew your consent; how consent was given (for example from which device); etc.).

“Security-related data” means certain data about your usage of our IT systems, applications and networks.

“Usage data” means e.g. your usage of certain functionalities of the Services.

“Technical vehicle data and diagnostics data” means e.g. mileage, consumption, warnings, event history.

Whose Personal Data will be processed?

We process your Personal Data when you access or use the SUBARU Care app and when you create, access or use your SUBARU Care account. 

Please note that, if you allow other persons to access your SUBARU Care account, you have the responsibility to communicate this Privacy Notice to that person, in order to inform this person about our processing of Personal Data in the context of access and use of your SUBARU Care account.

Prior to transferring the ownership of your Subaru vehicle to another person or to a reseller, you must:
- Remove, to the extent technically possible, all data and content (including any Personal Data), if any, that you have stored on your Subaru vehicle and that is accessible from your SUBARU Care account; and
- Remove the Subaru vehicle from your SUBARU Care account.

See here [How to remove personal data] for practical and step-by-step guidance on how you can remove your Personal Data.

Entity responsible for the processing of your personal data ("Controller")

Subaru is responsible for the processing of your Personal Data. 

We are what the GDPR refers to as the “controller” of your Personal Data. In concrete terms, this means that Subaru, possibly along with any others, determines the purpose and means for the processing of your Personal Data.

Why do we collect and use your Personal Data?

We collect and use your Personal Data for the following purposes:
- To allow you to create and access your SUBARU Care account and access the SUBARU Care app;
- To link your Subaru vehicle to your SUBARU Care account;
- To allow you to use the SUBARU Care app and your SUBARU Care account, and ensure maintenance of your SUBARU Care account and the SUBARU Care app;
- To allow you to use the face recognition functionality to access your driver profile;
- To allow our network partners (e.g. national distributors, Authorized Dealer/Repairer) to contact you in the framework of warning lights management (remote vehicle diagnostics & support);
- To allow our network partners (e.g. national distributors, Authorized Dealer/Repairer) to support and contact you (reactive and proactive) in case of trouble with your Subaru Care Mobile app account/profile or with your Subaru Solterra vehicle;
- To update, rectify and consolidate the Personal Data which will be collected based on this Privacy Notice;
- To improve the SUBARU Care app and ensure that the content on the SUBARU Care app is presented in the most effective manner;
- To ensure the security and confidentiality of the SUBARU Care app and your SUBARU Care account;
- To respond to requests from enforcement authorities, regulators or courts to disclose your Personal Data;
- If reasonably necessary in connection with a dispute or an investigation in which we are or may become involved either directly with you or with a third party;
- To manage your request to exercise your rights.

We do not intend to collect any Personal Data from individuals younger than 16 years old. These minors are not allowed to provide us with any Personal Data or a statement of consent without permission from the person who has parental authority.

Summary: which Personal Data do we use, why, based on what lawful basis and for how long? 

In the table below you can read:
- column 1: why we process your Personal Data (the ‘Purposes’);
- column 2: on what legal grounds the processing is based (the ‘Lawful Basis’);
- column 3: what categories of Personal Data we process (the ‘Categories of Data’); and
- column 4: for how long we process your Personal Data (‘Retention Period’).

All processing activity involving your Personal Data takes place for one or more specific purposes. 

In addition, we only process your Personal Data under a lawful basis. The applicable lawful basis, which you can find in the column ‘Lawful basis’, means the following:
- 'Agreement': the processing is necessary for the performance of an agreement to which you are a party;
- 'Legal obligation': the processing is necessary for compliance with a legal obligation to which we, as the controller, are subject;
- 'Legitimate interests': the processing is necessary to protect our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of Personal Data;
- 'Explicit consent': you have given explicit consent for the processing of your Personal Data for one or more specific purposes and related to special categories of Personal Data.

Connected Services App

Removal of your SUBARU Care account and deletion of your Personal Data

If your SUBARU Care account related information indicates that you have not been active on your SUBARU Care account for a period of 6 months or you have not fully activated your SUBARU Care account, then Subaru shall notify you that it shall delete your SUBARU Care account (including any Personal Data that is processed when accessing and/or using the SUBARU Care app) 14 calendar days before closing your SUBARU Care account. 

If your SUBARU Care account related information indicates that you own one or more Subaru vehicles and that you have not logged in on your SUBARU Care account for 5 years, we will consider that you do not wish to keep your SUBARU Care account and no longer wish to rely on certain of its features that are linked to the ownership and use of your vehicle(s) (for example, the link between the use of a connectivity device in your car and your SUBARU Care account). We will then close your SUBARU Care account and delete your Personal Data related to your SUBARU Care account.

14 calendar days before effectively closing your SUBARU Care account and deleting your Personal Data, we will send you an e-mail so that you can confirm whether or not you want to keep your SUBARU Care account.

The above applies equally if your SUBARU Care account related information does not indicate that you do not own a Subaru vehicle and you have not logged in on your SUBARU Care account for 2 years.

Your privacy rights

To give you more control over the processing of your personal data, you have various rights at your disposal. These rights are laid down, inter alia, in articles 15-22 of the GDPR.

To exercise these rights, you can contact us by email at the following email address: privacy@subaru.eu 

In order to verify your identity when exercising your rights, and solely for that purpose, we ask you to send us a copy of the front side of your identity card. The image on your electronic identity card shall not be retained by Subaru. We strongly advise you to “blackline” the image before transmitting a copy of your electronic identity card to us. 

You can exercise all these rights free of charge, unless your request is manifestly unfounded or excessive (for instance due to its repetitive nature). In such cases, we shall be entitled to charge you a reasonable fee or to refuse to respond to your request.

You have the following rights:

The right to access the Personal Data we process about you (art. 15 GDPR): 

You have the right to be informed by us at any time whether or not we are processing your Personal Data. If we are processing them, you have the right to access these Personal Data and to receive additional information about:
a) the purposes of the processing;
b) the categories of Personal Data concerned;
c) the recipients or categories of recipients (in particular, recipients in third countries);
d) the retention period or, if that is not possible, the criteria for determining that period;
e) the existence of your privacy rights;
f) the right to lodge a complaint with the supervisory authority;
g) the source of the Personal Data if we obtain Personal Data from a third party;
h) whether we are using automated decision-making in respect of you.

If we cannot give you access to your Personal Data (e.g. due to legal obligations), we shall inform you as to why this is not possible. 

You can also obtain a free copy of the processed Personal Data in an understandable format. Please note that we may charge a reasonable fee to cover our administrative costs for any additional copy you may request.

The 'right to be forgotten' (the right to request us to delete your personal data) (art. 17 GDPR):

In certain cases, you can request that we delete your Personal Data. In this event, please note that we shall no longer be able to offer you certain services if you exercise this right. Furthermore, your right to be forgotten is not absolute. We are entitled to continue to store your Personal Data if this is necessary for, among other things, the performance of the agreement, compliance with a legal obligation, or the establishment, execution or substantiation of a legal claim. We shall inform you of this in more detail in our response to your request.

The right to rectification (art. 16 GDPR):

If your Personal Data is incorrect, out of date or incomplete, you can ask us to correct these inaccuracies or incomplete information.

The right to data portability (art. 20 GDPR):

Subject to certain conditions, you also have the right to have the Personal Data that you have provided to us, transferred by us to another controller. Insofar as technically possible, we shall provide your Personal Data directly to the new controller.

The right to restriction of processing (art. 18 GDPR):

If any of the following elements apply, you may request us to restrict the processing of your Personal Data:
a) you dispute the accuracy of those Personal Data (in this case, its use shall be limited for a period that allows us to verify the accuracy of the Personal Data);
b) the processing of your Personal Data is unlawful;
c) we no longer need your Personal Data for its purposes, but you need them in establishing, exercising or substantiating a legal claim;
d) as long as no decision has been taken on exercising your right to object to the processing, you may request that the use of your Personal Data be restricted.

The right to object (art. 21 GDPR):

You can object to the processing of your Personal Data on the basis of your particular situation, if we process your Personal Data on the basis of legitimate interests or on the basis of a task of general interest. In this event, we shall cease the processing of your Personal Data, unless we can demonstrate compelling and legitimate grounds for processing which outweigh your own, or if the processing of the Personal Data is related to establishing, exercising or substantiating a legal claim. You have a right to object at any time to the processing of your Personal Data for direct marketing purposes.

The right not to be subject to automated decision-making (art. 22 GDPR):

You have the right not to be subject to a decision made exclusively on the basis of automated data processing that significantly affects you or has legal consequences and that is made without substantial human involvement.

You cannot exercise this right in the following three situations:
a) when automated decision-making is legally permitted (e.g. to prevent tax fraud);
b) when automated decision-making is based on your explicit consent; or
c) when automated decision-making is necessary for entering into, or performance of a contract (please note: we always endeavour to use less privacy-intrusive methods for entering into or performing the contract).

The right to withdraw your consent (Art. 7 GDPR):

If your Personal Data are processed on the basis of your consent, you may withdraw this consent at any time upon simple request. 

The right to lodge a complaint:

We make every effort to securely protect your Personal Data. If you have a complaint about the way in which we process your Personal Data, you can notify us thereof via our contact details (as mentioned at the beginning of this Privacy Notice), so that we can deal with it as quickly as possible.

You can also lodge a complaint with the competent supervisory authority. You have the right to lodge a complaint about the way we handle or process your Personal Data with your national data protection authority. You can find the national data protection authority in your country on this website: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

Please note that you may exercise the abovementioned rights only in relation to the Personal Data we hold about you in the context of the SUBARU Care app and/or your SUBARU Care account.

We share your Personal Data with third parties only for the following purposes: 

We shall only disclose your personal data to third parties in accordance with the applicable legal framework. 

Within Subaru, we ensure that your personal data are only accessible to persons who need them to comply with our contractual and legal obligations. 

In certain cases, our employees are assisted in their work by external service providers. With regard to data protection, an agreement has been concluded with all these service providers to ensure that they manage your personal data securely, with respect and with due care and diligence. For instance, we may pass your Personal Data to the Authorised Dealer/Repairer of your choice (list can be found in the SUBARU Care App), so that they can process your request and contact you as needed in the framework of your requests. 

All of our Authorised Dealers/Repairers are independent groups or companies. They are instructed that they must have appropriate data security safeguards in place and that they must not use any of your Personal Data for any purpose outside the fulfilment of your specific request to us. The Authorised Dealer/Repairer concerned may separately ask you to provide your name and contact information for other purposes, such as, for example, marketing activities. Such contacts will be made in compliance with applicable data protection law.

Furthermore, we may share your Personal Data on the following occasions:

- We use service providers in connection with the development and provision of the Services. These service providers may in certain circumstances obtain access to your Personal Data when providing the Services to Subaru. Our main service providers include the following: 
• Toyota Motor Europe (providing the infrastructure for the Services);
• Microsoft (hosting data on infrastructure - The Netherlands);
• Amazon Web Services (hosting data on infrastructure - Germany);
• Infosys (providing business support and product development services - India);
• BDB (providing business support and product development services - India);
• Our national distributors who, on our instruction, may assist us from time to time with customer queries and support;
• Toyota Connected Europe Limited (providing part of the infrastructure for the Services - United Kingdom).

- Where we are required by public authorities (e.g. law enforcement authorities), regulators or courts to disclose your Personal Data to them;

- If reasonably necessary in connection with a dispute in which we are or may become involved, we may share your Personal Data with, for example, the other part(y)(ies) involved in the dispute or with a court of law.

Personal information received from others

Some of the Personal Data we process, we may not have received directly from you. In such instance, we collect this Personal Data indirectly through third parties.

If we receive Personal Data from third parties, we shall only process them further if we have a legitimate purpose for doing so and if such processing is necessary and proportionate in order to achieve that purpose.

Will my Personal Data be transferred to other countries?

Subaru operates globally. Therefore, your Personal Data may be stored and processed by us or our service providers in multiple countries, including countries other than your country of residence or purchase of your Subaru vehicle. Your Personal Data may, for example, be transferred to the United Kingdom, Japan and/or the United States.

If your Personal Data is being transferred to countries located outside of the European Economic Area (“EEA”), we will ensure that appropriate safeguards are taken, such as:

- The transfer falls within the scope of an adequacy decision taken by the European Commission under Article 45 of the GDPR;
- The transfer is governed by the standard data protection contractual clauses, as approved by the European Commission or a data protection authority pursuant to Article 46.2(c) or (d) of the GDPR. For further information about how transfers of personal data outside of the EEA are regulated, please consult the following link: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.

Security of your personal data

We have taken all reasonable and adequate technical and organisational security measures to protect your Personal Data as best as possible against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. For instance, we always store your personal data at a secured location to prevent third parties from accessing your Personal Data.

Changes to this Privacy Notice

Subaru may update this Privacy Notice from time to time, and when we do so, we will re-issue a revised Privacy Notice, and notify you of any changes to the extent required by law. We invite you to always consult the latest version of this Privacy Notice.

If you have any questions regarding any changes to this Privacy Notice, please contact us using our contact details as set out in the beginning of this Privacy Notice.