This is the Privacy Policy (hereinafter the "Policy") of the company under the name "BMW Hellas Trade of Cars A.E." (hereinafter "BMW Hellas"). This Policy applies to personal data BMW Hellas holds about individuals. Information about companies and other organizations are not included in the scope of this Policy.

BMW Hellas coordinates the BMW/MINI business in Greece: it appoints dealers and workshops, deals with second level support and technical issues, operates the BMW/MINI website and the ConnectedDrive service and promotes the BMW/MINI brand.

Financial services are provided through BMW Austria Bank GmbH - Athens Branch.

Official dealers and authorized repairers (hereinafter "Dealers") are independent businesses and not part of the BMW Group, but operate using the BMW/MINI brand under license to sell and service BMW/MINI vehicles.

BMW AG is the parent company of the BMW Group and provides much of the IT infrastructure through BMW Hellas. Dealers provide services to customers and third level support for technical issues.

BMW Hellas is responsible for, and the data controller of, your information that it receives through the BMW/MINI website, ConnectedDrive service and through dealing with any second level support and technical issue.

BMW Austria Bank GmbH - Athens Branch is the data controller of the information which is used to grant and provide finance to you and has its own privacy policy which you should consult separately.

Dealers are data controllers of information about you that you and in addition BMW Hellas provide them in relation to your sales and service requests.

BMW AG is generally a service provider or data processor to BMW Hellas. However, BMW AG is in addition the data controller for information received through the usage of the Connected App, as well as a joint data controller for the technical provisioning of ConnectedDrive Services.

All the controllers listed above will ensure with reasonable effort that any questions relating to processing by any other controllers as listed above are routed to the correct controller for response.

Although this Policy describes some of the uses of your information made by Dealers, Dealers may collect other information relating to you and have their own privacy policy, which you should consult separately. For any changes or questions relating to the use of your information by Dealers, you must liaise directly with them. References to "we" in this Policy are to BMW Hellas and BMW AG and do not include Dealers. For processing by BMW Austria Bank GmbH - As Branch, please refer to their privacy policy.

This Policy and its terms may be updated from time to time and, for this reason, you should regularly consult and check its content for any changes. 

BMW Hellas is the data controller of your personal data, which it processes for the provision of BMW Group products and services (including vehicle long-term leasing services) to you. BMW AG and other BMW Group companies may also process your personal data, as indicated in this Policy.

The following types of data about you may be collected and further processed through the various services and contact channels described in this Policy:

(a)  Contact Data ► e.g. name & surname, address, phone numbers, e-mail address, fax number;

(b)  Personal Details ► e.g. ID or passport number, Tax Registration Number, birth date, gender, nationality, family status, family members, driving license (type), education, profession, test drive, hobbies, preferred method of payment, preferred contact channel, VIN, company name;

(c)  Interests ► information you provide us about your interests, including the type of vehicles you are interested in;

(d)  Site & Communication Usage ► how you use our site and whether you open or forward our communications, including information collected through cookies (our Cookies Policy found [here] [link: Cookie Policy] sets out details);

(e)  Sales and Services Information ► information relating to purchases, including preferred dealer, customer ID, information relating to contract data (e.g. contract number, services offered such as support and repair services), as well as information relating to transactional behavior data (e.g. transactions, payments, complaints, recorded calls), and financial data (e.g. income) exclusively if you submit an application and enter into a long-term vehicle leasing contract with us;

(f)  Customer History Information ► e.g. customer satisfaction rates, received offers, car purchase data including model, configuration, date of purchase, date of registration, license plate number, date of order, date of delivery, car holder, purchase price, warranty information, residual value, purchase details of parts, accessories and lifestyle products, data collected during Dealer visits (e.g. requests, consultation information, responsible sales consultant, service history), campaign history/ campaign responses, optional customer data on owned vehicles from other manufacturers through e.g. BMW used car platform, participation in events (location, company), complaint history, service history;

(g)  Device and Service Usage ► how you use your device (mobile or vehicle) and service offered on the device;

(h)  Vehicle Configuration Details ► information about the features and current settings of your vehicle (identified by the Vehicle Identification Number).

(i)  Vehicle Technical Information ► information about how the engine and systems within the vehicle are, or have been, performing, tank fill level, remaining (cruising) range, RTTI-data (input navigation data), outside temperature, mileage, average speed;

(j)  Vehicle/ Device Location Information ► your vehicle’s or mobile device’s location;

(k)  Data relating to health, in the context of the sale of vehicles to persons with disabilities, as required by law. 

We may receive information about you amongst others in the following occasions:

(a)  When you contact us directly, via our call center or our website, to request information about our products or services;

(b)  If you buy a product or service directly from us;

(c)  When you submit to us an application for the conclusion of a vehicle long-term lease, together with all required documentation;

(d)  If you reply to our direct marketing campaigns, e.g. filling out a response card or entering data online at our website;

(e)  If your personal data are transferred to us from Dealers or other third parties;

(f)  If your vehicle data (incl. vehicle identification number) are transferred to BMW AG while you’re having your vehicle serviced or repaired at e.g. authorized workshops;

(g)  If other BMW Group legal entities or business partners permissibly transfer your personal data to us;

(h)  From the company "TEIRESIAS BANK INFORMATION SYSTEMS A.E." and the distinctive title "TEIRESIAS A.E." (2 Alamanas Str. & Premetis, 15125 Maroussi, tel. 210-3676700) (hereinafter "TEIRESIAS A.E."), to establish your creditworthiness, through access by BMW Hellas to the "TEIRESIAS RISK MONITORING SYSTEM" (TSEK) exclusively in the case of an application by you to conclude a vehicle long-term lease with BMW Hellas.

(i)  Occasionally from third parties who may lawfully pass to us information about you or in the filing systems of which we may lawfully have access.

If you give information on behalf of a third person, you must ensure that he/she has been previously provided with this Policy.

If you are below the age of 16 years, please do not provide us with any of your information unless you have the consent of the person having parental responsibility for you.

Please help us to keep your information up to date by informing us of any changes to your personal information.

Use of personal data under EU data protection laws must be justified under one of "legal grounds" and we are required to set out the grounds in respect of each use in this Policy. An explanation of the scope of the grounds available can be found [here] [link to legal grounds for processing of personal data]. We note the grounds we use to justify each use of your information next to the use.

(i)  Vehicle Sales & Service - to process your sale, configure and service your vehicle [Article 6(1)(b) and 6(1)(f) GDPR]

► Dealers will obtain Contact Details, Vehicle Configuration Details, Vehicle Technical Information and Sales and Services Information as well as Customer History Information when you purchase, service or repair a vehicle from or with them as part of the sale or service, including warranty claims and checks, and will use it to provide the services you request and notify you of issues in relation to your vehicle. This information may be accessed by BMW Hellas and BMW AG to troubleshoot technical or other issues relating to the delivery of these services.

The above mentioned controllers may also receive limited Vehicle Location Information during the repair process which will be used only in accordance with the Location Information Safeguards [link: Location Information Safeguards]

Providing personal data for Vehicle Sales and Service purpose is a contractual requirement and failure to provide them will affect correct performance of the contract or even make it impossible.

(ii)  Customer Support and Marketing - to respond to enquiries and bring you news and offers [Article 6(1)(a) and 6(1)(f) GDPR]

► BMW Hellas collects Contact Details, Personal Details, Interests, Site & Communications Usage and Customer History Information as well as Device and Service Usage and may use Sales and Service Information, Vehicle Configuration Details and Vehicle Technical Information that it receives from you through the BMW/MINI website and the ConnectedDrive service or via Dealers and information about when your current finance product expires to determine what news and offers are most likely to interest you and to contact you in relation to those offers in accordance with your marketing preferences. BMW Hellas may share this information with Dealers to follow up on your requests and to make more specific offers to you. If you give us your consent, we will create your individual profile by means of statistical procedure to provide you with personalised offers.

Marketing consent may at any time be withdrawn with the effect for the future.

(iii)  ConnectedDrive - to provide digital services in the vehicle [Article 6(1)(b) and 6(1)(c) GDPR]

► BMW Hellas and BMW AG receive Contact Information, Vehicle Location Information as well as Device and Service Usage Information which they use in accordance with the detailed service descriptions for each element of the services set out [here] [link: BMW & MINI ConnectedDrive privacy notice] and the Location Information Safeguards [link: Location Information Safeguards]. The detailed service descriptions also set out any disclosures to third parties which only use the information to provide the service.

Where you use a third party application, for example Spotify in conjunction with BMW Online entertainment, you will be presented with their terms of service and privacy policy before you are able to use that application. The operator of that third party application will be the data controller of any of your information that is accessed or input through that application. It will set out how it uses your information in its privacy policy and other notices as well as consents that it provides or obtains through the application. We are not responsible for that use.

Providing personal data for ConnectedDrive purpose is a contractual requirement and failure to provide them will affect correct performance of the contract or even make it impossible. To some extent, providing personal data may be a statutory requirement (EU eCall service).

(iv)  Connected App - to provide digital services relating to the vehicle through a mobile device [Article 6(1)(a) and 6(1)(b)GDPR]

► BMW AG will obtain Contact Information, Device and Vehicle Location Information as well as Device and Service Usage Information through the provision of these services which it uses in accordance with the detailed service descriptions for each element of the services set out [here] [link: BMW & MINI connected privacy notice] and the Location Information Safeguards [link: Location Information Safeguards].

Where you use a third party application, for example Amazon Echo or Spotify, you will be presented with their terms of service and privacy policy before you are able to use that application. The operator of that third party application will be the data controller of any of your information that is accessed or input through that application. It will set out how it uses your information in its privacy policy and other notices as well as consents that it provides or obtains through the application. We are not responsible for that use.

Providing personal data for Connected App purpose is a contractual requirement and failure to provide them will affect correct performance of the contract or even make it impossible.

(v)  Quality Assurance, Research and Development - to improve our products and services [Artice 6(1)(f) GDPR]

► BMW AG may use any of the information that it receives through the provision of services to BMW Hellas, Dealers and other BMW Group entities (including BMW Austria Bank GmbH - Athens Branch) (including Location Information) in de-personalised (anonymised) form for product and service quality assurance and development purposes. Before any such use is undertaken, your information will be de-personalized (anonymised) so it can’t be directly linked back to you.

(vi)  Compliance with binding requests for your information - to comply with our legal obligations to law enforcement, regulators and the court service [Article 6(1)(c) GDPR]

► All the controllers are subject to the laws in the countries in which they operate and must comply with those laws. This includes to provide your information to law enforcement agencies, regulators and courts and third party litigants in connection with proceedings or investigations anywhere in the world, where compelled to do so. Where permitted, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime.

Providing personal data for compliance with binding requests for your information purpose is a statutory requirement which depends on particular request.

(vii)  Product recall - in the event of necessity to recall BMW/MINI products from the market [Article 6(1)(c) and 6(1)(f) GDPR]

► In the event that a BMW/MINI product must be recalled from the market due to e.g. safety considerations, BMW Hellas will process your personal data to contact you and enable this process.

(viii)  Vehicle Long-Term Leasing Services - to assess your application, conclude and perform the vehicle long-term lease with BMW Hellas, as well as fulfil, monitor, service and support your transactions and relations with BMW Hellas [Article 6(1)(b) and 6(1)(f) GDPR]

► BMW Hellas collects Personal Details and Sales and Service Information to assess an application for a vehicle long-term lease, conclude and perform the contract and support the customer.

Providing personal data in the context of Vehicle Long-Term Leasing Services is a contractual requirement and failure to provide them will affect correct performance of the contract or even make it impossible.

Personal data which we collect, e.g. to provide ConnectedDrive Services, may be transferred to third parties, ensuring that a legal ground for the transfer exists. Further details can be found below.

In addition, provided that a legal ground for the transfer exists your personal data may be shared with the following categories of recipients:

(a)  Any person who may process your personal data under our instructions and on our behalf;

(b)  Companies from BMW Group, including BMW AG (München Petuelring 130, 80788 Munich Germany), BMW Vertriebs GmbH, BMW Austria Leasing GmbH, BMW Austria Bank GmbH, Siegfried-Marcus-Straße 24, 5021 Salzburg, Austria and other companies of the BMW Group, in the context of their responsibilities and pursuant to the statutory provisions on international personal data transfers, if applicable;

(c)  BMW Austria Bank GmbH - Athens Branch, including data about you in relation to the conclusion of a vehicle long-term lease with BMW Hellas, in the context of which BMW Austria Bank GmbH - Athens Branch acts as data processor on behalf of BMW Hellas;

(d)  Dealers and other contract partners;

(e)  Companies providing services to BMW Hellas, such as IT maintenance, IT hosting, Customer Interaction Centre provider;

(f)  Αny supervising authority, as may be required on a per case basis under the applicable from time to time supervisory framework;

(g)  Αny public or court authority, if so dictated by the law or by court order.

BMW Hellas and BMW AG use a range of service providers to assist them to provide the services and uses listed. BMW AG provides IT and storage services to BMW Hellas in respect of the majority of these uses described above and therefore stores the majority of your information detailed above on BMW Hellas' behalf.

Although data transmission over the Internet or website cannot be guaranteed to be free from cyberattacks, we and our subcontractors and business partners work hard to maintain physical, electronic and procedural safeguards to protect your information in accordance with applicable data protection requirements.

All your information is stored on our or our subcontractors' or business partners' secure servers (or secure hard copies) and accessed and used subject to our security policies and standards (or equivalent standards of our subcontractors or business partners).

Your personal data is processed preferably within the EU. If data concerning you is processed in countries outside the EU, we will ensure that your personal data is processed subject to appropriate safeguards.

For some countries outside the EU, such as Canada and Switzerland, the EU has already officially considered these countries as countries providing an adequate and comparable level of data protection. As a result, data transfers to these countries do not require any specific authorization or agreement.

In countries which have not had such approval, such as India or Japan, we will either ask for your consent to the transfer or transfer it subject to European Commission approved contractual terms that impose equivalent data protection obligations directly on the recipient, unless we are permitted under applicable data protection law to make such transfers without such formalities.

We store your personal data for as long as it is required for the purpose for which we obtained them and any other permitted linked purpose (for example, where relevant to the defense of claim against us). So if information is used for two purposes, we will retain it until the purpose with the latest period expires but we will stop using it for the purpose with a shorter period once that period expires. Information that is no longer needed is either irreversibly anonymized (and the anonymized information may be retained) or securely destroyed.

In particular, your data are kept during the entire period of your transactional relationship with BMW Hellas and, after that, for as long as a claim may be raised by the parties under applicable law or, if a claim is raised, until the claim is finally and irrevocably settled. Specifically as regards your data which we process on the basis of your consent (e.g. for marketing purposes), these are kept from when the relevant consent has been obtained from you and until you withdraw your consent.

We restrict access to your information to those persons who need to use it for the relevant purpose.

We secure your data according to the state-of-the-art technology. For example, the following security measures are used to protect your personal data against misuse or any other form of unauthorized processing:

·   Access to personal data is restricted to only a limited number of authorized persons for the specified purposes;

·  Collected data is transferred only in encrypted form;

·  Furthermore, sensitive data is stored only in encrypted form;

·  The IT systems used for the processing of the data are technically isolated from other systems to prevent unauthorized access, e.g. by hacking;

·  Additionally, access to these IT systems is monitored permanently, in order to detect and avert misuse at an early stage.

Where we provide you (or where you have chosen) a password which enables you to access certain parts of our website or any other portal, apps or services we operate, you are responsible for keeping this password confidential and for complying with any other security procedures that we notify you of. We ask you not to share a password with anyone.

Certain services can only be offered where you disclose your location or the location of your vehicle. We take the confidentiality of that location information very seriously.

The following safeguards are applied to Location Information (including information accessed as part of the vehicle service process):

·  It is only kept in a form associated to you or your vehicle for as long as necessary to fulfil the purpose consented to.

·  It is only obtained or accessed in that form where necessary to provide the service requested or where we are obliged to retain and/or provide the information by law (and where we are required to provide the information to law enforcement or any other third party, we will notify you unless to do so would prejudice the prevention or detection of a crime or we are not permitted to do so).

·  Vehicle Location Information and Device Location Information are not linked unless necessary to provide the service requested.

·  Any other use of Location Information for analytics purposes will be undertaken on irreversibly anonymised data sets.

We and members of our network may have access to Vehicle Location Information and BMW AG may have access to Device Location Information through the services they provide (e.g. ConnectedDrive).

You will have been provided with a detailed description of the location information obtained to provide a location information dependent service when you initially purchased the vehicle or activated or configured the service or application (e.g. ConnectedDrive or Connected App). Please note that we may not be able to provide certain features of our services to you if you limit the collection of your location information. 

You are entitled to request access to your personal data, rectification/erasure of your personal data, restriction of processing, objection to the processing and/or to exercise your right to data portability.

If data processing is based on your consent, you can withdraw your consent at any time with effect for the future.

BMW Hellas will examine your request and will respond to you within one month of receipt of the request or within two months, taking into account of the complexity and number of requests.

If you are dissatisfied with our use of your data or our response to any exercise of your above rights, you have the right to lodge a complaint with the supervisory authority.

You may exercise your rights described above by contacting BMW Hellas at the contact details listed below.

For any issue regarding the processing of your personal data and for any of the above rights, you may contact BMW Hellas, via telephone: + 30 210 9118000 (Monday to Friday from 09:00 to 18:00), by e-mail: bmwcustomercare@bmw.gr, or by writing to us at Kimis Avenue & 10 Seneka Str., Kifissia, 14564.

The use of your information set out above is permitted under EU data protection law on the basis of these principal legal grounds:

·  where you have consented to the use (you will have been presented with a consent form in relation to any such use and may withdraw your consent);

·  where necessary to enter into or perform our contract with you;

·  where we need to use it to comply with our legal obligations;

·  where we use it to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights (our legitimate interests include research and development of vehicle related products and services);

·  where necessary for us to defend, prosecute or make a claim against you or a third party.

There may be uses that are permitted on the basis of other grounds; where this is the case we will identify the ground and communicate it to you as soon as possible after becoming aware of the new basis.