Data privacy statement
Thank you for your interest in our company and for visiting our website www.auto1-group.com (hereinafter the “Website”). AUTO1 Group AG (hereinafter “AUTO1 Group” or “we”) takes the protection of your personal data very seriously.
Should personal data (e.g. the name, address, e-mail address or telephone number of a person affected [such person hereinafter the “Data Subject”]) be processed, then this is done exclusively in accordance with the EU General Data Protection Regulation (hereinafter “GDPR”) and the country-specific data protection provisions applicable to AUTO1 Group (German Data Protection Act in the version in force from 25 May 2018 [Bundesdatenschutzgesetz], hereinafter “GDPA”).
Any processing of personal data for which there is no statutory legal basis will occur (if at all) only with the Data Subject’s consent.
This data privacy statement provides information to you on the nature, scope and purpose of the personal data processed by AUTO1 Group as well as the rights to which you are entitled.
1. The controller responsible for the processing of your personal data
AUTO1 Group AG
Phone: +49 (0)30 / 201 638 360
2. Data protection officer
Should you have any questions and/or suggestions with regard to data protection, you may contact our data protection officer directly at any time. Our data protection officer can be contacted at:
AUTO1 Group AG
Phone: +49 (0)30 / 201 638 360
3. Processing of usage data
Every time this Website is accessed by a user, this Website collects general data and information. This general data and information is stored in the log files of the server. This concerns the following data:
- browser types and versions used,
- the operating system used by the accessing system,
- the webpage from which an accessing system arrived on this Website (known as a referrer),
- the sub-websites that are accessed on this Website via an accessing system,
- the date and time of an access to the Website,
- the IP address,
- the internet service provider of the accessing system
- other similar data and information aimed at averting danger in the event of attacks directed at our IT systems.
When processing this usage data, AUTO1 Group does not draw any conclusions as to the Data Subject. AUTO1 Group needs this data in order to
- correctly deliver the content of this Website,
- optimize the content of and the advertising for this Website,
- ensure the permanent functionality of our IT systems and the technology underlying this Website as well as
- provide to law-enforcement authorities the information necessary for purposes of conducting criminal proceedings in the event of a cyberattack.
The legal basis for this processing activity is Art. 6(1)(f) GDPR. This data in anonymised form is analyzed by AUTO1 Group statistically, on the one hand, and with the aim of increasing data protection and data security, on the other.
The anonymous data of the server log files is stored separately from all personal data provided by a Data Subject.
4. Applications / application process
AUTO1 Group is the parent company of a number of subsidiaries. Via the Website you can apply to the following subsidiaries of AUTO1 Group:
AUTO1 Sales Services GmbH & Co. KG,
AUTO1 Operation Services GmbH & Co. KG,
AUTO1 Marketing Services GmbH & Co. KG,
AUTO1 IT Services GmbH & Co. KG,
AUTO1 Global Services GmbH & Co. KG,
WKDA Booking Services GmbH & Co. KG
WKDA Automobile DE GmbH & Co. KG
(hereinafter the ”AUTO1 Subsidiaries“).
a. Processing of Applicants’ Data
AUTO1 Group collects the personal data that the applicant has provided via the online applicants’ portal (hereinafter the “Applicants’ Data”).
Responsibility for carrying out the application process as well as processing the application lies with AUTO1 Global Services GmbH & Co. KG, a subsidiary of AUTO1 Group, (hereinafter “AUTO1 Global“). For this purpose AUTO1 Group transmits the Applicants’ Data to AUTO1 Global. The Applicants’ Data is only used for purposes of the application process. In addition, AUTO1 Group may forward the Applicants’ Data to the AUTO1 Subsidiary to which the applicant is applying.
Prior to any transmission of the Applicants’ Data, the applicants’ attention is explicitly drawn to the processing of the Applicants’ Data by AUTO1 Global and the forwarding of their Applicants’ Data to AUTO1 Global and to the respective responsible AUTO1 Subsidiary, whereupon the applicants give their express consent in that regard. This consent is the legal basis for this processing according to Art. 6(1)(a) GDPR. Without that express consent by the applicants the application process cannot be started.
Applicants may revoke their consent at any time with effect for the future by sending an e mail to firstname.lastname@example.org. Such revocation of consent constitutes a withdrawal of an applicant’s application.
b. Storage of Applicants’ Data at SmartRecruiters
For purposes of the application process, we use the software of SmartRecruiters Europe Ltd, 59–60 Thames Street, Windsor, Berkshire SL4 1TX, United Kingdom (hereinafter “SmartRecruiters“).
For this purpose, Applicants’ Data is stored and processed on the servers of SmartRecruiters in Germany and the EU. AUTO1 Group has carefully chosen SmartRecruiters. The protection of the Applicants’ Data has been ensured by way of a contract with SmartRecruiters regarding contract data processing, under which SmartRecruiters processes the personal data only when commissioned to do so by AUTO1 Group and according to its instructions. The legal basis for this is Art. 28 GDPR.
SmartRecruiters relies on the services provided by SendGrid Inc., 1801 California Street, Suite 500 Denver, CO 80202, USA (hereinafter “SendGrid“) in order to facilitate the sending and receipt of e mails to and from applicants via the software of SmartRecruiters. In that context, Applicants’ Data is transmitted to servers of SendGrid in the US and thus to a country outside the EU or the European Economic Area.
The transmission is permissible pursuant to art. 45 GDPR because SendGrid has been certified under the Private Shield framework and, therefore, an appropriate level of data protection exists in accordance with the Commission Implementing Decision (EU) 2016/1250. The certification can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000TRktAAG&status=Active.
c. Erasure of Applicants’ Data
Applicants’ Data is usually erased automatically at the latest 6 months after the application process has been concluded. Between the completion of the application and recruitment process and the erasure, the data is stored for evidentiary purposes. The legal basis for this processing activity is Art. 6(1)(f) GDPR. The overriding legitimate interest follows from the aforementioned processing purpose.
Applicants can sign up for a newsletter to receive regular information about vacancies and other topics. If an applicant signs up for a newsletter and thereby becomes a member of the AUTO1 Talent Pool, AUTO1 Group will use the applicant's e-mail address to send the respective newsletter. AUTO1 Group uses a so-called double-opt-in procedure for newsletter registration in order to prevent unauthorized sign-ups on behalf of third parties and to ensure proper sign-ups to the newsletter. That means AUTO1 Group will send to the applicants a confirmation e-mail asking them to confirm their registration after they initially have signed-up in the registration form. AUTO1 Group will store the email address provided in order to send the newsletter until the applicants unsubscribe or AUTO1 Group stops sending the newsletter. The legal basis for this processing activity is a consent according to Art. 6(1)(a) GDPR. Applicants can withdraw the consent at any time with effect for the future. In this case AUTO1 Group will no longer send the newsletter. If AUTO1 Group receives a withdrawal from an applicant, the corresponding personal contact data will be added to a blocking list. This ensures that AUTO1 no longer sends unwanted advertising to applicants.. The legal basis for this processing activity is Art. 6(1)(f) GDPR.
5. Transfer of personal data to external service providers
AUTO1 Group receives assistance from outside service providers for certain technical data analysis, processing or storage processes (e.g. to obtain aggregated, non-personal statistics from data bases or for the storage of backup copies). These service providers are carefully selected and meet high data protection and data security standards. They are obligated to maintain strict confidentiality and process personal data only when commissioned to do so by AUTO1 Group and according to AUTO1 Group’s instructions. The legal basis for the involvement of such service providers is Article 28 GDPR.
AUTO1 Group cooperates with companies and other entities which provide specialized expertise with regard to special areas (e.g. tax consultants, legal counsel, accounting firms, logistics companies). These entities are either legally or contractually obliged to maintain confidentiality. If a transmission of personal data to these entities is necessary, the legal basis is, depending on the respective kind of cooperation, Article 6(1)(b) or, (f) GDPR.
Cookies are text files that are placed and stored on a computer system via an internet browser. Cookies are stored on the hard drive of the user’s computer and do not cause any damage there. The cookies of the Website contain personal data about the user. Cookies save the user of the Website the trouble of, for example, having to re-enter data, simplify the transmission of specific content and help AUTO1 Group in identifying particularly popular areas of the Website. This enables AUTO1 Group, among other things, to adjust the contents of the Website exactly to the needs of its users. The legal basis for this processing activity is Art. 6(1)(f) GDPR.
The user may, at any time, prevent this Website from placing any cookies by making a corresponding adjustment to the settings of the internet browser used, and thereby permanently objecting to the placing of cookies. Furthermore, any cookies that have already been placed may be deleted at any time via an internet browser or other software programs. This is possible in all the commonly-used internet browsers.
If the user deactivates the placing of cookies in the internet browser used, potentially not all functions of this Website will be usable to their full extent.
7. Google Tag Manager
This Website uses Google Tag Manager.
This service allows website tags to be managed via an interface. Tags are small code elements which serve, among other things, to measure traffic and visitor behavior. Google Tag Manager only implements tags. No cookies are used, and hence no personal data is collected, as part of that process.
Google Tag Manager triggers other tags, which in turn potentially collect data. Google Tag Manager does not, however, access this data. If a deactivation was effected at the level of the domain or cookie, it remains in place for all tracking tags provided that they are implemented with Google Tag Manager.
This Website uses the tracking tool CrazyEgg.com in order to record randomly selected individual visits (only with an anonymized IP address). Using cookies, this tracking tool allows an analysis of the way in which you use the Website (e.g. what content is being clicked on). To that end, a user profile is displayed visually. The tool creates user profiles using pseudonyms. The legal basis for this processing activity is your consent according to Art. 6(1)(a) GDPR/Art. 6(1)(f) GDPR.
You may at any time object to the processing of the data generated by CrazyEgg.com by following the instructions at http://www.crazyegg.com/opt-out.
For further information on data protection at CrazyEgg.com please see http://www.crazyegg.com/privacy.
9. Google Analytics
This Website uses Google Analytics.
Google Analytics is a web-analytics service. Web analytics is the collection, compilation and analysis of data regarding the behavior of visitors to webpages. A web-analysis service collects, among other things, data as to the question from which webpage a Data Subject has arrived on a webpage (known as a referrer), which sub-sites of the website were accessed or how often and for which length of stay a sub-site was viewed. A web analysis is primarily used to optimize a webpage and to carry out a cost-benefit analysis of internet advertising.
The operating company of the Google-Analytics component is Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. Google LLC has been certified under the Privacy-Shield frame-work and thereby offers a guarantee that it is in compliance with European data protec-tion law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
For web analysis via Google Analytics AUTO1 Group uses the suffix “_gat._anonymizeIp”. By means of this suffix, the IP address of the internet connection of the Data Subject is truncated and anonymized by Google if our Website is accessed from a member state of the European Union or from another contracting state of the Agreement on the European Economic Area.
The purpose of the Google-Analytics component is the analysis of the flow of visitors on the Website. Google uses the data and information collected, among other things, to analyze the use of the Website in order to compile online reports for us that show the activities on the Website and to provide additional services connected to the use of the Website.
Google Analytics uses what is known as “cookies”, i.e. text files that are stored on your computer and enable an analysis of how you have used the website.
Each time that one of the individual pages of this Website — which is operated by the controller responsible for the processing and on which a Google-Analytics component has been integrated — is accessed, the internet browser on the IT system of the Data Subject is automatically induced by the respective Google-Analytics component to transmit data to Google for purposes of online analysis. In the context of this technical process, Google will learn of personal data — such as the IP address of the Data Subject —, which enables Google, among other things, to trace the provenance of the visitors and clicks and as a result to allow commissions to be invoiced.
By means of the cookie, personal data — for example the time of access, the place from which our Website was accessed, and the number of times that the Data Subject visited our Website — is stored. Each time our Website is visited, this personal data, including the IP address of the internet connection used by the Data Subject, is transferred to Google in the US. This personal data is stored by Google in the US. Google potentially transmits this personal data, which was collected via the technical process, to third parties.
As has already been set out above, the Data Subject may, at any time, prevent our Website from placing any cookies by making a corresponding adjustment to the settings of the internet browser used, and thereby permanently object to the placing of cookies. Such an adjustment to the settings of the internet browser used would also prevent Google from placing a cookie on the IT system of the Data Subject. In addition, a cookie that has already been placed by Google Analytics can be deleted at any time via the internet browser or other software programs.
For more information and the applicable data protection provisions of Google please see https://www.google.de/intl/de/policies/privacy/ and http://www.google.com/analytics/terms/de.html.
Google Analytics is explained in more detail at https://www.google.com/intl/de_de/analytics/.
The legal basis for this processing activity is Art. 6(1)(f) GDPR.
10. Erasure and blocking of personal data
AUTO1 Group processes and stores other personal data only for such period of time as is required in order to achieve the purpose of the storage.
Once the purpose of the storage has ceased to exist, the personal data is erased or anonymised as a matter of routine and in accordance with legal provisions. Usage data is generally erased after 30 days.
11. Rights of the Data Subject
Should you wish to exercise any of the rights listed in this clause, you may at any time send a message using the contact details referred to in clause 1 or clause 2 (e.g. by e-mail or letter).
a. Right to confirmation
You have the right to request confirmation whether personal data concerning you is being processed.
b. Right of access
You have the right to obtain information about the following in particular:
- the personal data stored on you;
- the purposes of the processing;
- the categories of personal data that is being processed;
- the recipients or categories of recipients to whom the personal data has been or will be disclosed;
- the envisaged period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
- the right to lodge a complaint with a supervisory authority;
- the existence of automated decision-making;
- whether personal data has been transferred to a third country or to an international organization.
c. Right to rectification
You have the right to demand
- the rectification of inaccurate personal data concerning you
- the completion of incomplete personal data concerning you.
d. Right to erasure
You have the right for any personal data concerning you to be erased without undue delay in particular if
- the purpose for which personal data was collected or otherwise processed has ceased to exist;
- you withdraw your consent on which the processing was based and there is no other legal basis for the processing;
- you object to the processing and there are no overriding legitimate grounds for the processing;
- the personal data has been unlawfully processed.
and / or
e. Right to restriction of processing
You have the right to demand a restriction of the processing if
- you contest the accuracy of the personal data, namely for a period which enables AUTO1 Group to verify the accuracy of the personal data;
- the processing is unlawful and instead of the erasure of the personal data you demand the restriction of the use of the personal data;
- the personal data is no longer needed for the purposes of the processing, but you require the personal data for the establishment, exercise or defense of legal claims;
- you have objected to the processing and it has not yet been clarified whether your objection will lead to the data processing being stopped.
f. Right to data portability
You have the right to receive the personal data concerning you in a structured, commonly-used and machine-readable format.
In addition, you have the right to have the personal data transmitted directly to another controller to the extent that this is technically feasible and if this does not adversely affect the rights and freedoms of others.
g. Right to object
You have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you, if the processing is based on the following ground:
- processing is necessary for the purposes of the legitimate interests pursued by AUTO1 Group or by a third party.
In the event of an objection, AUTO1 Group will no longer process the personal data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or the aim of the processing is to establish, exercise or defend against legal claims.
Should you wish to exercise a right of objection, you may at any time send a message using the contact details referred to in clause 1 or clause 2 (e.g. by e-mail, fax, letter).