Version 1. June 2019
Unless specified otherwise in a specific case, AMAG Group Ltd (Data Protection – Utoquai 49, CH-8008 Zürich) is responsible for the data processing that we describe here. If you have any privacy concerns, you may notify us at the above contact address; this applies for all of the AMAG Group companies. Where possible, however, please provide the name of the company of the AMAG Group to which you are referring and, in the event of concerns respecting erasures and access to information, enclose a copy of an identification card. You may also send your concern to us by e-mail at firstname.lastname@example.org.
Our representative in the EEA region pursuant to Article 27 of the EU General Data Protection Regulation (GDPR) is: AMAG (Vaduz) AG, Austrasse 37, LI-9490 Vaduz.
2. Collecting and processing personal data
We mainly process personal data that we receive from our customers and other business partners as part of our business relationship with them and from other persons involved, or that we collect through operation of our websites, apps and other applications of the users of them.
To the extent allowed, we also gather certain data from publicly accessible sources (e.g. debt collection registers, land registers, commercial registers, the press or the Internet) or receive such data from other companies within the AMAG Group, from public authorities and other third parties (such as credit bureaus or mailing list brokers). In addition to the data that you give us directly, the categories of personal data that we receive about you from third parties, including but not limited to information from public registers, information that we learn in relation to official and court proceedings, information in connection with your professional duties and activities (so that we may, e.g., conclude and complete transactions with your employer with your assistance), information about you in correspondence and discussions with third parties, credit rating information (if we complete any transactions with you personally), information about you given to us by persons in your personal environment (e.g. family, advisors, legal representatives) so that we may conclude or complete contracts with you or with your involvement (e.g. references, your address for deliveries or powers of attorney), information regarding compliance with legal requirements such as those relating to the combat of money laundering and export restrictions, information from banks, insurance companies, our distribution and other contractual partners so that you can claim or render services (e.g. payments or purchases made), information from the media and the Internet relating to you (if appropriate in a specific case, as part of an application, press review, marketing/sale, etc.), your addresses and possibly your interests and other socio-demographic data (for marketing), or data relating to use of websites (e.g. IP address, MAC address of the smartphone or computer, information on your device and settings, cookies, date and time of your visit, pages accessed and their contents, functions used, referring website or location details).
3. Purpose of data processing and legal bases
We use the personal data collected by us mainly to conclude and execute contracts with our customers and business partners, in particular as part of the car dealership, in the context of the repair, financing and leasing of vehicles and the purchase of products and provision of services by our suppliers and their subcontractors, and to comply with our legal obligations in Switzerland and abroad. If you work for one of these customers or business partners, you may also become a data subject in this capacity with your personal data.
In addition, we process personal data from you and other persons, to the extent that this is allowed and seems appropriate to us, for the following purposes in which we (and sometimes third parties as well) have a legitimate interest that corresponds to the purpose:
offering and developing our products, services and websites, apps, and additional platforms on which we have a presence;
communicating with third parties and processing their enquiries (e.g. applications or media enquiries);
reviewing and optimising procedures to conduct needs analyses for the purpose of approaching customers directly as well as collecting personal data from publicly accessible sources for the purpose of customer acquisition;
advertising and marketing (including holding events) provided that you have not objected to the use of your data (if we send advertising to you as an existing customer, you may object to receiving such advertising at any time, in which case we would place you on the list of customers to whom advertising should not be sent);
market and opinion research, media monitoring;
asserting legal claims and defences in connection with legal disputes and official proceedings;
preventing and clarifying criminal acts and other misconduct (e.g. conducting internal investigations or data analyses for the prevention of fraud);
assuring our operation, in particular IT, our websites, apps and other platforms;
video surveillance to safeguard rights to control who can enter and stay at the premises and other measures for IT, building and system security, and protection of our employees and other persons and assets belonging or entrusted to us (through, e.g., access controls, visitor lists, network and mail scanners or telephone recordings);
purchasing and selling business areas, companies or parts of companies and other corporate law transactions and the transfer of personal data related to this; business management measures and compliance with statutory and regulatory obligations; internal rules of the AMAG Group.
If you have given us consent to process your personal data for specific purposes (e.g. when you signed up to receive newsletters or for conducting a background check), we process your personal data within the scope of and based on this consent if we do not have any other legal basis and we require such a basis. Any consent given may be withdrawn at any time, although this will not have any effect on data processing that has already been completed.
4. Cookies/tracking and other technologies in relation to the use of our website
In our newsletter and other marketing e-mails, we incorporate partly, and to the extent permitted, visible and invisible visual elements which, when retrieved from our servers, allow us to determine if and when you opened the e-mail so that we are able to gauge and better understand how you use our offers so we can tailor them to you. You may block this in your e-mail program (most programs are set to do this by default).
By using our websites, apps and consenting to receive newsletters and other marketing e-mails, you agree to the use of these technologies. If you do not want this, you must set your browser and your e-mail program accordingly, uninstall the app (if this cannot be modified in the settings) or have your name removed from the list of newsletter recipients.
5. Data disclosure and data transfer in Switzerland and/or abroad
We depend on the forwarding of personal data internally with our Group and externally in order to provide our services. This means that we also disclose data to third parties within the scope of our business activities where this is permitted for the purpose set out in section 4 and where it seems appropriate to us; either because they are processing the data for us or because they wish to use the data for their own purposes. This involves, in particular, the following parties:
our service providers (within the AMAG Group data as permitted by law and externally, such as banks or insurance companies), including parties processing orders (such as IT providers);
dealers, service partners, suppliers, subcontractors and other business partners;
authorities, official agencies or courts in Switzerland and abroad;
the general public, including the visitors to websites and social media;
competitors, organisations in the industry, associations, other organisations and other bodies;
purchasers of or parties interested in purchasing business areas, companies or other parts of the AMAG Group;
other parties in potential or actual legal proceedings;
other companies and holdings of the AMAG Group;
all hereinafter collectively referred to as the “recipients”.
Where necessary for the provision of our services and taking into account the specific purpose, personal data is transmitted to the instances referred to above in Switzerland and the EU as well as to other countries. You must, in particular, expect that your data will be transferred to all countries in which the AMAG Group is represented by Group companies, branches or other offices (this is Switzerland and Liechtenstein), as well as to other countries in Europe and to the USA where our service providers (such as Microsoft, SAP, Amazon or Salesforce) are located. If we transfer data to a country that does not have adequate statutory data protection, we will provide an adequate level of protection, as prescribed by law, through use of the appropriate contracts and/or measures (based in particular on the standard contractual clauses of the European Commission which may be accessed here, here and here) or the EU Binding Corporate Rules for an adequate level of protection, or will base our actions on the statutory legal exceptions of consent, contract execution, the establishment, exercise or enforcement of legal claims, overriding public interests, the publication of personal data, or because it is required to protect the integrity of the data subjects. However, we reserve the right to redact copies for data protection reasons or on grounds of confidentiality, or to provide extracts only.
6. Retention period for personal data
We process and store your personal data for as long as it is required to meet our contractual and statutory obligations or as long as it is required for the purposes pursued by the processing, i.e. e.g. for the entire duration of the business relationship (from the initiation and execution of a contract to its termination and the warranty period, as well as a subsequent service phase) and apart from that in accordance with the statutory obligations regarding retention and documentation. It is possible in this regard that personal data will be retained for the period during which claims may be asserted against us, or if we are otherwise obliged by law to retain such personal data, or legitimate business interests require that the personal data be retained (e.g. for evidentiary and documentation purposes). In principle, as soon as your personal data are no longer required for the purposes indicated above, they will be deleted to the extent possible or rendered anonymous. Generally, shorter retention periods apply in respect of operating data (e.g. system protocols or logs).
7. Data security
To protect your personal data against unauthorised access and misuse, we take appropriate technical and organisational security precautions such as issuing directives and providing training, IT and network security solutions, access monitoring and restrictions, pseudonymisation and controls.
8. Obligation to provide personal data
In the course of our business relationship, you must provide us with the personal data required to enter into and conduct a business relationship, and to perform the related contractual obligations (as a rule, you do not have a statutory obligation to provide us with data). Without these data, we will generally not be in a position to conclude a contract with you (or with the body or person you represent) or to execute it. In addition, our websites can only be used if certain information to ensure the free flow of data (e.g. IP address) is disclosed.
9. Profiling and automated decision-making
Our processing of your personal data is partially automated with the aim of assessing (profiling) certain personal aspects. We use profiling, in particular, to be able to inform and advise you about products in a targeted manner. For this, we use evaluation tools which facilitate needs-based communication and advertising, including market and opinion research.
To establish and conduct the business relationship and also otherwise, we do not, as a rule, use any automated decision-making (such as is governed by Article 22 of the General Data Protection Regulation of the European Union (GDPR)). In the event that we use such procedures in individual cases, we will inform you about this separately if this is prescribed by law, and will inform you about the related rights.
10. Rights of the data subject
Within the scope of the data protection law which applies to you, and insofar as the law provides for it (as in the case of the GDPR), you have the right of access to information, the right to rectification or erasure of your personal data, the right to restrict data processing, the right to object to our data processing, and the right to the provision of certain personal data for the purpose of the transmission of it to another body (the right to data portability). Please note, however, that for our part, we reserve the right to enforce the restrictions prescribed by law, such as if we are obliged to retain or process certain data, if we have an overriding interest in such data (insofar as we may invoke this interest) or need the data to assert claims. A request for access to information is generally free of charge. A fee may be charged where the request entails a particularly extensive amount of work, the request for access to information is excessive or notorious, unless there is a legitimate interest. If you will incur costs, we will notify you in advance. Regarding the option to withdraw your consent we refer you to section 4. Please note that the exercise of these rights may be in conflict with contractual agreements, and that this may have consequences such as early termination of the contract or costs. In this case, we will inform you in advance if this is not already governed by contract.
The exercise of these rights requires that you provide clear proof of your identity (e.g. by means of a copy of an identification card if your identity is otherwise unclear or cannot be verified). To assert your rights, you may contact us at the address indicated in section 2.
Furthermore, every data subject has the right to assert his or her claims in a court of law or to lodge a complaint with the responsible data protection authority. The responsible data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (www.edoeb.admin.ch). In Liechtenstein, it is the Liechtenstein Data Protection Commission (Liechtensteinische Datenschutzkommission) (www.datenschutzkommission.li).