This policy statement provides full details on the following;
- How we handle personal data.
- What personal data we collect.
- How and why we collect personal data.
- How we use personal data.
- How we secure personal data.
- What third parties have access to personal data.
- Customers legal rights concerning personal data.
1. PERSONAL DATA COLLECTION
1.1 We may collect and process personal data in the following ways:
- When contacted directly via our websites or via our customer services department to request information about our products and services.
- By purchasing a product or a service directly from us.
- By replying to a direct marketing campaign.
- When permitted contact details are transferred from one of our authorised dealers or other third parties.
- If vehicle data (incl. vehicle identification number) is transferred to Daimler AG while the vehicle is serviced or repaired, e.g. warranty repairs
- When permitted companies or business partners transfer personal data to us.
- When permitted personal data is secured via other sources.
(b) Persons under 16 years of age should not provide any personal data without consent from a parent or guardian.
Personal data: This is data supplied to us when a data subject provides personal data via our website/s or our social media pages or by corresponding with us by phone, email or otherwise, and is provided entirely voluntarily. The data may include a person’s name, contact details (such as phone number, email address and postal address), enquiry details and an opinion of our products.
We may automatically collect personal data from our web servers as part of standard details relating to browser and operating systems, additional personal data may be automatically collected from our website, to include pages visited and the date of visit. Personal data may also be automatically collected for security reasons, e.g. to identify attacks on our website, this may include data relating to the Internet protocol (IP) address assigned by an internet service. We may collect some of this information using cookies – see Cookies in Section 7 for further information. We may also collect personal data that is shared as part of a person’s public profile on a third party social network.
We may also receive certain personal data from other Daimler group companies or from our Mercedes-Benz Dealer network within the Irish Jurisdiction.
This information may include:
Personal data collected from a contract to purchase a motor vehicle and/or the purchase of a motor vehicle by way of a trade-in. It is a contract requirement to provide all personal data requested on this form, failure to provide such personal data may preclude us from completing the contract. In addition, during a vehicle repair or service, our dealer network is responsible for handling of personal data. The personal data collected may include a person’s name, postal address, contact information, telephone number, email address, or any other personal information collected during the servicing or repairing of the vehicle.
Please see Section 2 for further details outlining how we use personal data and for details of the purposes for which we use the personal data we obtain from these sources and the legal basis on which we rely to process such information. The remaining provisions of this policy also apply to any personal data we obtain from these sources.
2. HOW PERSONAL DATA MAY BE USED
Use of personal data under EU data protection laws must be justified under one of a number of legal grounds and we are required to set out the grounds in respect of each use in this policy. An explanation of the scope of these grounds is listed below:
2.1 Where valid consent is provided
We may use and process personal data where consent is agreed for the following purposes. Please note that consent will be agreed via a consent form in relation to any such use and may be withdrawn at any time. Please see withdrawing consent in Section 6 for further details.
- to contact via email, text message, post or telephone with marketing information on Mercedes-Benz vehicles and other products and services.
- to share personal data with our authorised dealers to arrange test drives or where further information has been requested.
- to supply brochures and other materials specifically requested from us.
- to share personal data with our authorised dealers or our recommended third-party partners to provide marketing information about their products and services.
2.2 Where we are required to perform a contract
We may use and process personal data where it is necessary for the performance of a contract for the following purposes:
a) entering a contract for the sale of motor vehicle.
b) entering a contract for the maintenance of a motor vehicle.
c) to exchange information for warranty/aftersales.
d) to allow for the provision of third party breakdown services by our service provider.
2.3 Where matters of Health and Safety are at issue
We may use personal data if there are any urgent safety or product recall notices to communicate with our customers or where we otherwise reasonably believe that the processing of personal data will prevent or reduce any potential harm to a customer. It is in the very best interests of our customers for us to use personal data in this way.
2.4 Where required to comply with Legal Obligations
We may use personal data to comply with our legal obligations in, (a) assisting an Garda Síochána, or any other public authority or statutory authority for the purposes of criminal or other related investigations, (b) so as to enable legitimate identification in complying with our legal obligations, and (c) to verify the accuracy of the data that we hold.
2.5 Where there is a Legitimate Interest
We may use and process personal data where it is necessary for us to pursue our legitimate interests as a business, and where our reasons for using it outweigh any prejudice to data protection rights, as follows:
- for market research in order to ensure continued improvements in the products and services that we and our authorised dealers provide.
- to administer our websites and for internal operations, including troubleshooting, testing, statistical purposes.
- for analysis, and profiling to inform our marketing strategy, and to enhance and personalise a customer or visitor experience.
- for marketing activities (other than where we rely on consent) e.g. to tailor marketing communications or send targeted marketing messages via social media and other third-party platforms.
- for the prevention of fraud and other criminal activities.
- for the purposes of credit checks for finance in the purchase of our products.
- to correspond and communicate in legitimate matters.
- for network and information security in order for us to take steps to protect data against loss or damage, theft or unauthorised access.
- to comply with a request in connection with the exercise of a person’s rights, e.g. where we are asked not to contact a person for marketing purposes.
- for reviews, accuracy or other improvements of our databases and IT systems, e.g. by combining systems or consolidating records we or our group companies hold.
- to enforce or protect our contractual or other legal rights or to bring or defend legal proceedings.
- for general administration including managing queries, complaints, or claims and to send service messages to our customers.
3. THIRD PARTIES WHO MAY PROCESS PERSONAL DATA
3.1 Mercedes-Benz (Daimler AG) Group Companies
We may share data with other companies within the Mercedes-Benz (Daimler AG) organisation. These Companies, which may include authorised dealers within our network, may use personal data in similar ways to that outlined in Section 2 of this policy document.
Our websites may also contain offers from third parties. By engagement in such an offer, we may transfer data to the respective provider, e.g. information indicating engagement with this offer on our website and if applicable, additional information already provided on our websites for this purpose.
When we use social plug-ins on our websites from social networks such as Facebook, Twitter and Google+, we integrate them as follows:
Social plug-ins are deactivated on our websites (i.e. no data is transmitted to the operators of these networks). To use one of these networks, click on the respective social plug-in to establish a direct connection to the server of the respective network.
A user account holder on the network, who has activated the social plug-in, can be associated to the network visit to our websites. To avoid this, log out of the network before activating the social plug-in. A social network cannot associate a visit to other Daimler websites until an existing social plug-in is activated.
When a social plug-in is activated, the network transfers the content that becomes available directly to the user’s browser, which integrates it into our websites. In this situation, data transmissions can also take place that are initiated and controlled by the respective social network. Connection to a social network, the data transfers taking place between the network and a user system, and user interactions on that platform are governed solely by the privacy policies of that network.
The social plug-in remains active until deactivated or deleted in cookies.
3.2 Contracted suppliers and service providers
We may disclose personal data to our third-party service providers, agents, subcontractors and other organisations for the purposes of providing services to us or directly to a customer on our behalf. Such third parties may include cloud services providers (such as hosting and email management) or advertising agencies, administrative services or other third parties who provide services to us.
When we use third party service providers, we only disclose to them any personal data that is necessary for them to provide their service and we commit to ensuring valid Data Protection Agreements are in place with all third parties so as to ensure all personal data is secure and only used in accordance with our specific contract terms and conditions.
3.3 Third parties who provide products and services
Personal data which we collect may be transferred to third parties with customer consent.
Such data is shared in a secure manner, using a consistent security protocol. When we share data with other parties we ensure that they only use the data for the purpose it was collected.
The types of third parties apart from Mercedes-Benz (Daimler AG) companies already stated are:
- Marketing agencies who run and manage marketing campaigns on our behalf.
- Event companies who run and manage sponsored events on our behalf.
4. STORAGE OF PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)
Data provided to us may be transferred to countries outside the EEA. By way of example, this may happen where any of our group companies are incorporated in a country outside of the EEA or if any of our servers or those of our third-party service providers are from time to time located in a country outside of the EEA. These countries may not have similar GDPR data protection laws.
If we transfer data outside of the EEA in this way, we will ensure that appropriate security measures are taken with the aim of ensuring that data privacy rights continue to be protected as outlined in this policy. These steps include imposing contractual obligations on the recipient of personal data or ensuring that the recipients are subscribed to ‘international frameworks’ that aim to ensure adequate protection of personal data.
The use of our services whilst outside the EEA, may involve the onward transfer of data outside the EEA in order to provide those services.
5. HOW LONG DO WE KEEP PERSONAL DATA
When we collect personal data, the length of time we retain it is determined by a number of factors including the purpose for which we use that data and our obligations under GDPR and related laws. We do not retain personal data for longer than is necessary.
We may need personal data in the bringing or in defence of a legal claim, in which case we will retain personal data for a period of seven years after the last occasion on which we have used the personal data as specified in Section 2 of this policy document.
The only exceptions to this are; (a) where the law requires us to hold personal data for a longer period or (b) when requested to have the data deleted if we do not need to hold it in connection with any of the reasons permitted in Section 6 of this policy document.
6. DATA SUBJECTS RIGHTS
6.1 Rights as a ‘Data Subject’
A data subject, has the right of access (Art. 15 GDPR), right to rectification (Art. 16 GDPR), right to erasure (Art. 17 GDPR), right to restriction of processing (Art. 18 GDPR) and right to data portability (Art. 20 GDPR). A person’s rights as a Data Subject include the following:
- Information on the type of personal data we hold and what we do with that information.
- To request how long we hold personal data.
- Rectify any inaccurate personal data we hold.
- To erase personal data we hold.
- Prevent us from using personal data in certain cases, including if you believe that the personal data we hold is inaccurate, or our use of personal data is unlawful.
- To receive personal data in a structured, commonly used and machine-readable format and to have that data transmitted to another data controller.
The right of consent to the processing of personal data by us may be revoked at any time. The legality of processing personal data before revocation remains unaffected. We may further process such data pursuant to another applicable legal basis, e.g. for the fulfilment of our legal obligations.
A data subject has the right to object at any time to the processing of personal data (Art 21 GDPR). In such circumstances we will only process personal data if we can prove compelling legitimate reasons that outweigh a person’s interests, rights and freedoms, or for the establishment, exercise or defense of a legal claim.
If a person believes that the processing of personal data violates legal requirements, that person has the right to lodge a complaint with the Offices of the Data Protection Commissioner (Art. 77 GDPR).
7. SECURITY / COOKIES / LINKS / SOCIAL PLUGINS
All companies within the Daimler Organisation use technical and organisational security measures to protect the personal data supplied and managed by us against manipulation, loss, destruction and access by third parties. Our security measures are continually improved in line with technological developments.
Unfortunately, the transmission of data via the internet is not completely secure. We will do our utmost to protect personal data, however we cannot guarantee the security of all data whilst in transit to our website, transmission is at the user’s own risk.
Where we have given (or where chosen) a password which enables access to an account, the user is responsible for keeping this password confidential. Do not share this password with any other person.
7.1 Use of 'cookies'
By clicking on to a link of an offer or by activating a social plug-in, personal data may reach providers in countries outside the European Economic Area (EEA) that, from the point of view of the European Union ("EU"), may not guarantee an "adequate level of protection" for the processing of personal data in accordance with EU standards. Please be aware of this alert before clicking on a link or activating a social plug-in and thereby triggering a transfer of data.
Cookies are small files that are placed on a desktop, notebook or mobile device by a website visited. From this we can, for example, recognise whether there has already been a connection between a device and our websites, or which language or other settings the user prefers. Cookies may also contain personal data.
7.4 Links to other websites
In addition, if linked to our website from a third-party website, we cannot be responsible for the privacy policies and practices of the owners and operators of that third-party website and recommend that all users check the policy of all third-party websites.
7.5 Social plugins
We use so-called social plugins (buttons) of social networks such as Facebook, Google+ and Twitter.
When visiting our website, these ‘buttons’ are deactivated by default, i.e. without intervention they will not send any data to the respective social networks. These ‘buttons’ are activated by clicking on them. They remain active until deactivated or deleted.
After their activation, a direct link to the server of the respective social network is established. The contents of the ‘button’ are then transmitted from the social network directly to the user’s browser and incorporated in the website.
After activation of a ‘button’, the social network can retrieve data, independently of whether interaction with the ‘button’ took place. When logged on to a social network, the network can assign a visit to the website of the user account. A social network cannot assign a visit to websites operated by our other group companies unless and until activation.
Data provided in subscribing to a newsletter offered on our website will only be used in order to provide the newsletter, unless agreed for further use. Subscription to the newsletter can be withdrawn at any time using the unsubscribe option provided.
9. Contact Us
Customers may contact our offices with any questions or suggestions regarding the processing of personal data or if they wish to amend/update their personal data. Contact details can be found on our website.