Data privacy statement

Thank you for your interest in our company and for visiting our website www.auto1.com (hereinafter the “Website”).

This data privacy statement provides information to you on the nature, scope and purpose of the personal data processed by AUTO1.com as well as the rights to which you are entitled.

This data privacy statement applies accordingly to the use of Apps operated by AUTO1.com or its affiliated companies.

1. THE CONTROLLER RESPONSIBLE FOR THE PROCESSING OF YOUR PERSONAL DATA

Responsible for the processing of your personal data within the meaning of the EU General Data Protection Regulation (hereinafter the "GDPR") and other data protection regulations is

AUTO1.com GmbH
Bergmannstraße 72
10961 Berlin
Deutschland
Tel.: +49 (0)30 / 201 63 405
E-Mail: info@auto1.com

2. DATA PROTECTION OFFICER

Should you have any questions and/or suggestions with regard to data protection, you may contact our data protection team directly at any time.

You can reach our data protection officer at the following contact details:

AUTO1.com GmbH
Bergmannstraße 72
10961 Berlin
Deutschland
Tel.: +49 (0)30 / 2016 38 8100
E-Mail: datenschutz@auto1.com

3. PROCESSING OF USAGE DATA

Every time this Website is accessed by a user, this Website collects general data and information. This general data and information is stored in the log files of the server. This concerns the following data:

browser types and versions used,
the operating system used by the accessing system,
the webpage from which an accessing system arrived on this Website (known as a referrer),
the sub-websites that are accessed on this Website via an accessing system,
the date and time of an access to the Website,
the IP address,
the internet service provider of the accessing system and
other similar data and information aimed at averting danger in the event of attacks directed at our IT systems.

AUTO1.com needs this data to:

correctly deliver the content of this Website and to ensure the permanent functionality of our IT systems and the technology underlying this Website.

The legal basis for this processing activity is Art. 6 (1)(b) GDPR.

optimize the content of and the advertising for this Website.

The legal basis for this processing activity is Art. 6 (1)(f) GDPR. Our legitimate interest is to adjust the website to individual user needs and to improve our services.

as well as to provide to law-enforcement authorities the information necessary for purposes of conducting criminal proceedings in the event of a cyberattack.

The legal basis for this processing activity is Art. 6 (1)(c)(f) GDPR. AUTO1.com has an overriding legitimate interest in ensuring the security of the Website and preventing misuse.

4. PROCESSING OF DATA THAT YOU HAVE PROVIDED TO US

We collect and store data that you provide to us when using the Website, and more specifically when using the Website’s applications, services or tools.

Such data includes:

data that you provide upon registration or upon signing up for one of our services, such as name, email address, telephone number, mobil phone number;
data that you have provided to us for purposes of entering into a purchase contract regarding a used vehicle;
Data that you submit to us via the website for the purpose of deregistering a vehicle that is imported from the Netherlands.

The legal basis for this processing activity is Art. 6 (1)(b) GDPR.

data that is transmitted in the context of resolving any problems and of correspondence/feedback on the Website or via email / fax / postal mail / telephone;

additional personal data which we request from you and which we need for the authentication or for verification purposes.

The legal basis for this processing activity is Art. 6 (1) (b) (f) GDPR. We have a legitimate interest in improving our services and protecting ourselves against misuse.

5. TRANSFER OF PERSONAL DATA TO AFFILIATED COMPANIES

Companies affiliated with AUTO1.com (hereinafter collectively "AUTO1 Group") may have access to or process your personal data if this is necessary to achieve the processing purposes stated in this data privacy statement or if this is necessary to fulfil the contractual or legal obligations of AUTO1 Group. AUTO1 Group contractually ensures that each company complies with high data protection and data security standards. The legal basis for this processing is Art. 6 (1) (f) GDPR, whereby our legitimate interest is to outsource internal administrative purposes to affiliated companies and thus improve our services.

If AUTO1.com transfers personal data to affiliated companies outside the European Union or the European Economic Area, Section 6. para. 3 applies accordingly.

6. TRANSFER OF PERSONAL DATA TO EXTERNAL SERVICE PROVIDERS

AUTO1.com receives assistance from outside service providers for certain technical data analysis, processing or storage processes (e.g. to obtain aggregated, non-personal statistics from data bases or for the storage of backup copies). These service providers are carefully selected and meet high data protection and data security standards. They are obligated to maintain strict confidentiality and process personal data only when commissioned to do so by AUTO1.com and according to AUTO1.com’s instructions.

AUTO1.com cooperates with companies and other entities which provide specialized expertise with regard to special areas (e.g. tax consultants, legal counsel, accounting firms, logistics companies). These entities are either legally or contractually obliged to maintain confidentiality. If a transmission of personal data to these entities is necessary, the legal basis is, depending on the respective kind of cooperation is Article 6(1)(b) or, (f) GDPR. AUTO1.com has a legitimate interest in improving services by using external expertise.

If we transfer personal data to recipients outside the European Union or the European Economic Area (so-called "third countries"), we ensure that the appropriate level of data protection is guaranteed in the respective third country or by the respective recipient in the third country. The transfer may be based on an "adequacy decision" of the European Commission or appropriate safeguards, such as EU standard contractual clauses or binding corporate rules.

7. NEWSLETTER SIGN-UP

If you sign up for a newsletter, we will use your e-mail address to send the respective issue of our newsletter, through which we regularly provide information to you about interesting topics.

In order to ensure your proper sign-up to the newsletter — that is to say, in order to prevent unauthorized sign-ups on behalf of third parties —, after your initial newsletter sign-up we will, as part of a double-opt-in procedure, send you a confirmation e-mail in which we ask you to confirm that you have signed up. We will also store your IP address and the date and time of the newsletter sign-up and the confirmation in order to be able to track and produce evidence of the sign-up at a later date. We will store your e-mail address in order to send you the newsletter unless and until you unsubscribe or we stop sending you the newsletter. For purposes of statistical analyses of our newsletter campaigns, the newsletters contain what is known as tracking pixels. This a thumbnail graphic embedded in the e-mail formatted in HTML which allows us to detect whether and when you have opened an e-mail and which links contained within the e-mail were clicked on. As part of this process, your IP address, too, is transmitted to our servers. We do not, however, store this IP address nor do we store any other personal data.

The legal basis for this processing activity is your consent according to Art. 6(1)(a) GDPR. You may, at any time, withdraw your consent with effect for the future to any types of newsletters without incurring any costs other than base rate transmission costs (i.e., for example, the costs of your internet service provider).In this case, we unfortunately cannot send you the newsletter any longer.

If we do receive a withdrawal from you, we add your personal contact data to a blocking list which we use to make sure that we do not send you any advertising that is no longer welcome. The legal basis for this processing activity is Art. 6(1)(f) GDPR. Our legitimate interest is to avoid unsolicited newsletters.

8. COOKIES

The Website uses cookies. Cookies are text files that are placed and stored on a computer system via an internet browser. Cookies are stored on the hard drive of the user’s computer and do not cause any damage there. The cookies of the Website contain personal data about the user. Cookies save the user of the Website the trouble of, for example, having to re-enter data, simplify the transmission of specific content and help AUTO1.com in identifying particularly popular areas of the Website. This enables AUTO1.com, among other things, to adjust the contents of the Website exactly to the needs of its users.

The legal basis for this processing activity is either Art. 6 (1) a or Art. 6(1)(f) GDPR. Insofar as we base the processing on Art. 6 (1)(f) GDPR, our legitimate interest is to ensure the functionality of the Website and to make the visit and use of the Website as comfortable and efficient as possible.

Unless the cookies are absolutely necessary, you can revoke your consent to the use of cookies via this link at any time with effect for the future.

The user may, at any time, prevent this Website from placing any cookies by making a corresponding adjustment to the settings of the internet browser used, and thereby permanently objecting to the placing of cookies. Furthermore, any cookies that have already been placed may be deleted at any time via an internet browser or other software programs. This is possible in all the commonly-used internet browsers. If the user deactivates the placing of cookies in the internet browser used, potentially not all functions of this Website will be usable to their full extent.

We divide the cookies used into three categories depending on their function and purpose: Essential Cookies, Analytical Cookies and Marketing Cookies.

Essential Cookies

Essential cookies are those cookies that ensure the functions of our website. Without the essential cookies, the website cannot be used as intended. The legal basis for the use of essential cookies is Art. 6 (1) (f) GDPR.

These are the following cookies:

Name: MPSESSID

Description: This cookie is used to manage user session.

Name: cookieBannerClosed

Description: This cookie helps to manage cookies on the website.

Name: isUserLogged

Description: This cookie is used to manage user session.

Name: Covid19BannerHide

Description: This cookie is used to inform the user about the current restrictions due to the Covid 19 pandemic.

Name: redux-cache-*

Description: This cookie is used to cache search filters. It makes the website work faster.

Name: APP_VERSION

Description: This cookie is used to detect if the local store contains an outdated version of our app, and to delete it if it does.

Name: JSESSIONID

Description: This cookie is generated by servlet containers and used for session management in J2EE web applications for the HTTP protocol.

Name: _GRECAPTCHA

Description: This cookie from Google is used to distinguish between humans and bots. It sets a necessary cookie for the purpose of risk analysis.

Analytical cookies

Analytical cookies are those cookies that allow statistical web analysis and reach measurement, e.g. to further develop and improve our offer for you. The legal basis for the processing is your consent (Art. 6 (1) (a) GDPR). You can revoke your consent at any time via this link with effect for the future.

These are the following cookies:

Name: auto1_tracking_session

Description: This cookie stores a custom session ID for internal tracking.

Name: SID

Description: This cookie is set by Google Analytics (see Sec. 9). It is used for security purposes to store records of a user's Google Account ID and last login time, which enable Google to authenticate users, prevent fraudulent use of login credentials, and protect user data from unauthorized parties. This can also be used for targeting purposes to display relevant and personalized advertising content.

Name: SIDCC

Name: _gid

Description: This cookie is set by Google Analytics (see Sec. 9). It is used to store information about how visitors use the website and helps to create an analytics report about the website's performance. We can see from what website users come to our website and what webpages they have visited on our website.

Name: _ga

Description: This cookie is set by Google Analytics (see Sec. 9). It is used to distinguish users and improve the usability of our website.

Name: _gat

Description: This cookie is set by Google Analytics (see Sec. 9). It is used to limit the request rate of Google Analytics.

Name: _gcl_au

Description: This cookie is used by Google Tag Manager (see Sec. 10) to measure advertising efficiency on the website. It takes information from ad clicks and stores it in a first-party cookie so that the efficiency of advertising can be measured.

Name: _ce.s

Description: This cookie is used by CrazyEgg (see Sec. 12). It tracts a visitor session via a unique ID, the host and the start time of a visitor session.

Name: ce_clock

Description: This cookie from CrazyEgg (see Sec. 12) sets a timestamp of when the visitor entered the website. This is used for analytical purposes on the website.

Marketing Cookies

Marketing cookies are used to offer content that is relevant to the user and adapted to his interests. Marketing cookies are also used to measure and control the effectiveness of campaigns. They can be used to create user profiles in order to display targeted advertising. These cookies may share information with third parties (so-called third-party cookie, such as cookies from Google). The legal basis for the processing is your consent (Art. 6 (1) (a) GDPR). You can revoke your consent at any time via this link with effect for the future.

These are the following cookies:

Name: NID

Description: This cookie from Google stores visitors' preferences and personalizes advertising on Google websites, based on recent searches and interactions.

Name: JP_JAR

Description: This cookie from Google allows custom ads to be placed on Google websites based on recent searches and past interactions.

Name: DV

Description: This cookie from Google is used to store the visitor's preferences and other information. This includes, in particular, the preferred language, the number of search results to be displayed on the page, and the decision whether or not to activate the Google SafeSearch filter.

Name: __Secure-1PAPISID

Description: This cookie from Google creates an interest profile of the visitor in order to display relevant and personalized advertising through retargeting.

Name: __Secure-1PSID

Description: This cookie from Google creates an interest profile of the visitor in order to display relevant and personalized advertising through retargeting.

Name: __Secure-3PSID

Description: This cookie from Google creates an interest profile of the visitor in order to display relevant and personalized advertising through retargeting.

Name: __Secure-3PAPISID

Description: This cookie from Google creates an interest profile of the visitor in order to display relevant and personalized advertising through retargeting.

Name: SAPISID

Description: This cookie from Google collects visitor information for videos provided by YouTube.

Name: SSID

Description: This cookie from Google collects visitor information for videos provided by YouTube on maps integrated in Google Maps.

Name: HSID

Description: These Google security cookies help authenticate the user, prevent fraudulent use of login credentials, and protect user data from unauthorized access.

Name: APISID

Description: This cookie from Google is used to customize advertising on Google websites based on users' recent searches and interactions.

9. GOOGLE ANALYTICS

This Website uses Google Analytics. Google Analytics is a web-analytics service. Web analytics is the collection, compilation and analysis of data regarding the behavior of visitors to webpages. A web-analysis service collects, among other things, data as to the question from which webpage a Data Subject has arrived on a webpage (known as a referrer), which sub-sites of the website were accessed or how often and for which length of stay a sub-site was viewed. A web analysis is primarily used to optimize a webpage and to carry out a cost-benefit analysis of internet advertising. The operating company of the Google-Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

Google uses the data and information collected, among other things, to analyze the use of the Website in order to compile online reports for us that show the activities on the Website and to provide additional services connected to the use of the Website.

In the context of this process, Google will learn of personal data — such as the IP address of the Data Subject —, which enables Google, among other things, to trace the provenance of the visitors and clicks and as a result to allow commissions to be invoiced. By means of the cookie, personal data — for example the time of access, the place from which our Website was accessed, and the number of times that the Data Subject visited our Website — is stored. Each time our Website is visited, this personal data, including the IP address of the internet connection used by the Data Subject, is transferred to Google in the US. This personal data is stored by Google in the US.

Google potentially transmits this personal data, which was collected via the technical process, to third parties. As has already been set out above, the Data Subject may, at any time, prevent our Website from placing any cookies by making a corresponding adjustment to the settings of the internet browser used, and thereby permanently object to the placing of cookies. Such an adjustment to the settings of the internet browser used would also prevent Google from placing a cookie on the IT system of the Data Subject. In addition, a cookie that has already been placed by Google Analytics can be deleted at any time via the internet browser or other software programs. Besides, the Data Subject has the option of objecting to the collection of the data produced by Google Analytics and related to the use of this Website as well as of objecting to the processing of such data by Google and of preventing such collection and processing.

In order to do this, the Data Subject needs to download a browser add-on at https://tools.google.com/dlpage/gaoptout and install it. This browser add-on lets Google Analytics know via JavaScript that no data and information about the visits of webpages may be transmitted to Google Analytics. Google considers the installation of the browser add-on to constitute an objection. If the IT system of the Data Subject is deleted, formatted or reinstalled at a later date, then the Data Subject must reinstall the browser add-on in order to deactivate Google Analytics. If the browser add-on is deinstalled or deactivated by the Data Subject or by any other person who is attributable to the Data Subject’s sphere of control, there is an option of reinstalling or reactivating the browser add-on. For more information and the applicable data protection provisions of Google please see https://www.google.de/intl/de/policies/privacy/ and http://www.google.com/analytics/terms/de.html abgerufen werden.

Google Analytics is explained in more detail at https://www.google.com/intl/de_de/analytics/. The legal basis for this processing activity is Art. 6(1)(a) GDPR.

10. GOOGLE TAG MANAGER

This Website uses Google Tag Manager. This service allows website tags to be managed via an interface. Tags are small code elements which serve, among other things, to measure traffic and visitor behavior. Google Tag Manager only implements tags. No cookies are used, and hence no personal data is collected, as part of that process. Google Tag Manager triggers other tags, which in turn potentially collect data. Google Tag Manager does not, however, access this data. If a deactivation was effected at the level of the domain or cookie, it remains in place for all tracking tags provided that they are implemented with Google Tag Manager.

11. AMAZON CLOUDFRONT

This Website uses Amazon CloudFront, a CDN (content delivery network) of Amazon Web Services, Inc. (hereinafter “Amazon”).

Using a CDN shortens the loading time of the Website. Amazon operates numerous servers in Europe (including in Frankfurt am Main, Germany, and Milan, Italy) in order to be able to send our data to you as quickly as possible. However, in technical terms it cannot be ruled out that your browser may access a server outside the EU (e.g. because you access this Website from outside the EU, or for some other reason). In such a case, data is sent from your browser directly to the respective country and/or region (North and South America, Asia, Australia).

For more information on Amazon CloudFront see https://aws.amazon.com/de/cloudfront/. You can find the Amazon privacy policy at https://aws.amazon.com/de/privacy/?nc1=f_pr.

12. CRAZYEGG.COM

This Website uses the tracking tool CrazyEgg.com in order to record randomly selected individual visits (only with an anonymized IP address). Using cookies, this tracking tool allows an analysis of the way in which you use the Website (e.g. what content is being clicked on). To that end, a user profile is displayed visually. The tool creates user profiles using pseudonyms. The legal basis for this processing activity is Art. 6(1)(a) GDPR.

You may at any time object to the processing of the data generated by CrazyEgg.com by following the instructions at http://www.crazyegg.com/opt-out. For further information on data protection at CrazyEgg.com please see http://www.crazyegg.com/privacy.

13. ERASURE AND BLOCKING OF PERSONAL DATA

AUTO1.com processes and stores other personal data only for such period of time as is required in order to achieve the purpose of the storage. Once the purpose of the storage has ceased to exist, the personal data is erased or anonymized as a matter of routine and in accordance with legal provisions.

This does not apply to vehicle identification numbers. AUTO1.com uses vehicle identification numbers for market analysis purposes. For this purpose, AUTO1.com processes and stores vehicle identification numbers for an unlimited period of time. The legal basis is Art. 6 (1)(f) GDPR. We have a legitimate interest in using vehicle identification numbers for the above-mentioned purpose for an unlimited period of time because the information to be derived from the vehicle identification number is essential for the provision of our services.

14. RIGHTS OF THE DATA SUBJECT

Should you wish to exercise any of the rights listed in this clause, you may at any time send a message using the contact details referred to in clause 1 or clause 2 (e.g. by e-mail or letter).

a. Right to confirmation

You have the right to request confirmation whether personal data concerning you is being processed.

b. Right of access

You have the right to obtain information about the following in particular:

the personal data stored on you;
the purposes of the processing;
the categories of personal data that is being processed;
the recipients or categories of recipients to whom the personal data has been or will be disclosed;
the envisaged period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
the right to lodge a complaint with a supervisory authority;
the existence of automated decision-making;
whether personal data has been transferred to a third country or to an international organization.

c. Right to rectification

You have the right to demand

the rectification of inaccurate personal data concerning you

and

the completion of incomplete personal data concerning you.

d. Right to erasure

You have the right for any personal data concerning you to be erased without undue delay in particular if

the purpose for which personal data was collected or otherwise processed has ceased to exist;
you withdraw your consent on which the processing was based and there is no other legal basis for the processing;
you object to the processing and there are no overriding legitimate grounds for the processing;

and/or

the personal data has been unlawfully processed.

e. Right to restriction of processing

You have the right to demand a restriction of the processing if

you contest the accuracy of the personal data, namely for a period which enables AUTO1.com to verify the accuracy of the personal data;
the processing is unlawful and instead of the erasure of the personal data you demand the restriction of the use of the personal data;
the personal data is no longer needed for the purposes of the processing, but you require the personal data for the establishment, exercise or defense of legal claims;
you have objected to the processing and it has not yet been clarified whether your objection will lead to the data processing being stopped.

f. Right to data portability

You have the right to receive the personal data concerning you in a structured, commonly-used and machine-readable format.

In addition, you have the right to have the personal data transmitted directly to another controller to the extent that this is technically feasible and if this does not adversely affect the rights and freedoms of others.

g. Right to object

You have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you, if the processing is based on the following ground:

processing is necessary for the purposes of the legitimate interests pursued by AUTO1.com or by a third party.

In the event of an objection, AUTO1.com will no longer process the personal data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or the aim of the processing is to establish, exercise or defend against legal claims. Should you wish to exercise a right of objection, you may at any time send a message using the contact details referred to in clause 1 or clause 2 (e.g. by e-mail, fax, letter).

h. Right to complain

You have the right to file a complaint if you are of the opinion that a processing activity violates the GDPR. The authority competent for AUTO1.com GmbH is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit), Friedrichstr. 219, 10969 Berlin, Germany.

Version as at March 2022