Data protection information for customers and prospects
(Status May 2018, Version No 1)
I. Information on data protection regarding our processing under Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR)
We take data protection very seriously and inform you herein how we process your data and what are your corresponding claims and rights under the respective data protection regulations.
1. Data Controller and contact details related thereto
||Our data-protection officer:
|Mazda Motors Europe GmbH
||Mazda Motors Europe GmbH
|Hitdorfer Straße 73
||Hitdorfer Straße 73
|Telephone: +49 2173-943 121
|Fax: + 49 2173-943 388
2. Purposes and legal basis for processing your data
We process personal data in accordance with the stipulations of the General Data-Protection Regulation (GDPR), under national law of data protection and other applicable data-protection provisions (details are provided in the following). The details of which data are processed and how they are used depends largely on the services requested or agreed in each case. Further details or additions for the purposes of data processing can be found in the respective contract documents, forms, a declaration of consent and/or other information provided to you (e. g. in the context of the use of our website or our terms and conditions). In addition, this data protection information may be updated from time to time, as you may find out from our website
2.1 Purposes pursuant to fulfilment of an agreement or pre-contractual measures (Art. 6, section 1 b of the GDPR)
The processing of personal data is carried out in order to carry out our contracts with you and the execution of your orders In particular, the processing thus serves to provide manufacturer warranty, optional extended warranty, roadside assistance, Mazda Care Service, maintenance of the Digital Service Record, good will processes, bonus programs for handicapped people, subsidies for vehicle financing etc. The processing of personal data is carried out as well as to carry out measures and activities within the framework of pre-contractual relations, e. g. with prospects asking for a test drive. According to your orders we provide the necessary services, measures and activities. This essentially includes contract-related communication with you, the verifiability of transactions, orders and other agreements as well as quality control by means of appropriate documentation, complaints, warranty and goodwill procedures, measures to control and optimize business processes as well as the fulfilment of general duties of care, control and supervision by affiliated companies (e. g. Parent company); product monitoring , maintaining product - and road traffic safety ( e.g. by recall and service campaigns) as well as product development –and improvement, statistical evaluations for corporate management, cost recording and controlling, reporting, internal and external communication, emergency management, accounting and tax assessment of operational services, risk management, assertion of legal claims and defence in the event of legal disputes; ensuring IT security ((inter alia system and plausibility tests) and general security, including building and plant security, securing and exercising domestic authority (e. g. by means of access controls); guaranteeing the integrity, authenticity and availability of data, preventing and investigating criminal offences; control by supervisory bodies or supervisory authorities (e. g. auditing).
2.2 Purposes within the framework of a legitimate interest on our part or of third parties (Art. 6, section 1 f of the GDPR)
Above and beyond the actual fulfilment of the (pre-) agreement, we process your data whenever this is necessary to protect legitimate interests of our own or of third parties, in particular for the following purposes:
- Advertising or market and opinion research, as far as you have not objected to the use of your data;
- obtaining information and exchanging data with credit agencies where this goes beyond our economic risk;
- the examination and optimization of processes for needs analysis;
- the further development of services and products as well as existing systems and processes;
- the disclosure of personal data within the framework of due diligence in the course of company sale negotiations;
- for comparison with European and international anti-terrorist lists, insofar as this goes beyond the legal obligations;
- the enrichment of our data, e. g. by using or researching publicly accessible data;
- statistical evaluations or market analysis;
- of benchmarking;
- the assertion of legal claims and defence in legal disputes which are not directly attributable to the contractual relationship;
- the restricted processing of data, if a deletion is not possible or only possible with disproportionately high effort due to the special type of storage;
- the development of scoring systems or automated decision-making processes;
- the prevention and investigation of criminal offences, if not exclusively for the fulfilment of legal requirements;
- building and plant security (e. g. by means of access control and video surveillance), insofar as this goes beyond the general duties of care;
- internal and external investigations, safety reviews;
- any monitoring or recording of telephone conversations for quality control and training purposes;
- Preservation and maintenance of certifications of a private-law or official government nature;
- the seizure and exercise of domestic authority by means of appropriate measures as well as video surveillance for the protection of our customers and employees as well as for securing evidence in the event of criminal offences and their prevention.
2.3 Purposes within the framework of your consent (Art. 6, section 1 a of the GDPR)
Your personal data can also be processed for certain purposes (e.g. use of company communication systems for private purposes; photographs/videos of you for publication in the Intranet/Internet) including as a result of your consent. As a rule, you can revoke this consent at any time. This also applies to the revoking of declarations of consent that were issued to us before the GDPR went into effect, i.e. prior to 25 May 2018. You shall be separately informed about the consequences of revocation or refusal to provide consent in the respective text of the consent. Generally speaking, revocation of consent only applies to the future. Processing that takes place prior to consent being issued is not affected by such and remains lawful
2.4 Purposes relating to adherence to statutory requirements (Art. 6, section 1 c of the GDPR) or in the public interest (Art. 6, section 1 e of the GDPR)
Just like any actor which takes part in business life, we are also subject to a large number of legal obligations. These are primarily statutory requirements (e.g. commercial and tax laws), but also if applicable supervisory law or other requirements set out by government authorities. The purposes of processing may also include identity and age checks, prevention of fraud and money laundering (e.g. comparisons with European and international anti-terror lists), compliance with control and notification obligations under tax law as well as the archiving of data for the purposes of data protection and data security as well as for purposes of audits by tax advisors/auditors, fiscal and other government authorities. In addition, it may be necessary to disclose personal data within the framework of official government/court measures for the purposes of collecting evidence, law enforcement and criminal prosecution or the satisfaction of civil law claims.
3. The categories of data that we process as long as we do not receive data directly from you, and its origin
If necessary for the contractual relationship with you and the activities performed by you, we may process data which we lawfully receive from our authorised Mazda Network, or other companies (e.g. Insurance Companies, Financing Providers) or other third parties (Credit Agencies, Address Publishers). In addition, we process personal data that we have lawfully collected, received or acquired from publicly accessible sources (such as, for example, commercial registers and association registers, civil registers, the press, internet and other media) if such is necessary and we are allowed to process this data in accordance with statutory provisions.
Relevant personal data categories may in particular be:
- personal data (name, date of birth, place of birth, nationality, marital status, occupation/trade and comparable data, contact person, driver and similar data)
- contact data (address, e-mail address, telephone number and similar data)
- Lessors and Lessees - Address data (population register data and comparable data)´
- Driving License or Identity Card Data,
- payment confirmation/confirmation of cover for bank and credit cards
- information about your financial situation (creditworthiness data including scoring, i. e. data for assessing the economic risk)
- customer history
- Technical vehicle data including diagnostic data
- Maintenance and repair information
- data about your use of the telemedia offered by us (e. g. time of access to our websites, apps or newsletter, clicked pages/links of us or entries and comparable data)
- Video data
4. Recipients or categories of recipients of your data
At our company, your data is received by those internal offices or organisational units that need such to fulfil our contractual and statutory obligations or that require such data within the framework of processing and implementing our legitimate interests.
Your data is disclosed/passed on to external offices and persons solely
- in connection with the execution of the contract;
- for purposes where we are obligated or entitled to give information, notification or forward data (e.g. employer's liability insurance association, health insurance schemes, fiscal authorities) in order to meet statutory requirements or where the forwarding of data is in the public interest (see number 2.4);
- to the extent that external service-provider companies commissioned by us process data as contract processors or parties that assume certain functions (e.g. service providers for roadside assistance, optional extended warranty, Mazda Care Service, as well as Leasing and Financing Providers) external data centers, support and maintenance of IT applications, archiving, document processing, call center services, compliance services, controlling, data screening for anti-money laundering purposes, data validation and data protection. plausibility check, data destruction, purchasing/procurement, customer administration, lettershops, marketing, media technology, research, risk controlling, billing, telephony, website management, auditing services, credit institutions, printing plants or companies for data disposal, courier services, logistics);
- as a result of our legitimate interest or the legitimate interest of the third party within the framework of the purposes cited under number 2.2 (e.g. to government authorities, credit agencies, collection agencies, attorneys, courts of law, appraisers, companies belonging to company groups and bodies and control instances) ;
- if you have given us consent to transmit data to third parties.
We shall moreover refrain from transmitting your data to third parties if we have not informed you of such separately. If we commission service providers within the framework of processing an order, your data will be subject there to the security standards stipulated by us in order to adequately protect your data. In all other cases, recipients may only use the data for purposes for which the data has been sent to them.
5. Length of time your data is stored
We process and store your data for the duration of our business relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract.
Above and beyond this, we are subject to various retention and documentation obligations that emanate inter alia from the Commercial or Tax Law. The periods and deadlines for retention and/or documentation stipulated therein are up to ten years beyond the end of the contractual relationship or the pre-contractual legal relationship.
Furthermore, special statutory provisions may require longer retention. (e.g. our obligation to monitor our products to the end of vehicle life to be able to initiate recall or service campaigns if necessary.)
If the data is no longer required to meet contractual or statutory obligations and rights, it is regularly deleted unless its further processing - for a limited period - is necessary to fulfil the purposes listed under number 2.2 due to an overriding legitimate interest. Such an overriding legitimate interest is deemed to be the case, for example, if it is not possible to delete the data as a result of the special type of storage or such is only possible at an unreasonably great expense and processing for other purposes is excluded by appropriate technical and organisational measures.
6. Processing data in a Third Country or by an international organisation
Data is transmitted to offices in countries outside the European Economic Area EU/EEA (so-called third states) whenever such is necessary to meet a contractual obligation towards you (e.g. if you are despatched to another country), such is required by law (e.g. notification obligations under tax law), such is in the legitimate interest of us or a third party or you have issued us your consent to such. At the same time, your data may be processed in a third country including in connection with the involvement of service providers within the framework of the processing of the order. If no decision has been issued by the EU Commission regarding the presence of a reasonable level of data protection for the respective country, we warrant that your rights and freedoms will be reasonably protected and guarantied in accordance with EU data-protection requirements through contractual agreements to this effect. We will provide you with detailed information on request. You can request information on the suitable or reasonable guarantees and the possibility, how and where to receive a copy of these from the company data-protection officer or the human resources department in charge of you.
7. Data Storage in the Vehicle
Electronic control units are installed in your vehicle. These control units process data they, for example, receive from vehicle sensors, generate themselves or exchange with each other. Some control units are required for the safe operation of your vehicle, others provide you with support while driving (driver assistance systems) or enable comfort or infotainment functions.
General information on in-vehicle data processing is provided below. Further information regarding which specific data is collected and stored in your vehicle and transmitted to third parties, and for what purpose, can be found under the heading 'data protection' in the respective operating instructions where direct links are made to the affected functional specifications. These operating instructions are also available online and, depending on the vehicle configurations, in digital format on the vehicle.
Personal references Every vehicle is identified by means of a unique vehicle identification number. This vehicle identification number is traceable to the current and former owners of the vehicle. Data collected from the vehicle also can be traced back to the owner or driver of the vehicle by other means, e.g., the license plate.
The data generated or processed by the control units therefore may be personal data or may, under certain circumstances, be personally identifiable data. Depending on what vehicle data is available, it may be possible to draw conclusions with regard to, for example, your driving behaviour, your location or your route, or consumption patterns.
Your rights with regard to data protection Under current data protection law, you have certain rights with regard to companies which process your personal data.
Accordingly, you are entitled to request the comprehensive disclosure of information, free of charge, vis-a-vis the manufacturer and third parties (e.g., commissioned breakdown services or workshops, providers of online services on the vehicle), provided that these have stored personal data relating to you. You may request information regarding what data is stored about you, for what purpose and the origination of that data. Your right to information also extends to the transfer of data to other third parties.
Data, which is exclusively stored locally on the vehicle, may be viewed with expert assistance, e.g., in a vehicle workshop, in return for payment if appropriate.
Legal requirements regarding the disclosure of data To the extent that legal regulations exist, manufacturers are obliged to release information stored by them, at the request of public authorities, to the extent required on a case-by-case basis (e.g., when a criminal offence is being investigated).
Public authorities are also permitted to read the data from vehicles in specific cases, within the scope of applicable law. For example, in the event of an accident, information can be read from the air bag control unit to help clarify the circumstances of the accident.
Operational data on the vehicle Control units process data in order to operate the vehicle.
These include, for example:
- vehicle status information (e.g., speed, deceleration, lateral acceleration, wheel speed, seatbelt usage indicator),
- environmental conditions (e.g., temperature, rain sensor, distance sensor).
These data are generally volatile and are not stored beyond the operating time, and only processed on the vehicle itself. Control units frequently contain data storage media. These can be used to document, either temporarily or permanently, information about the condition of the vehicle, component stress, maintenance requirements and technical events and failures.
The following information may be stored, depending on the technical configuration:
- operating conditions of system components (e.g., fill levels, tyre pressures and battery status),
- malfunctions and defects in important system components (e.g., lighting and brakes),
- response of the system to extraordinary driving situations (e.g., deployment of an air bag, activation of stability control systems),
- information on events in which the vehicle is damaged,
- for electric vehicles, the state of charge of the high-voltage battery and the vehicle's estimated range.
In particular cases (e.g., if the vehicle has detected a malfunction), it may be necessary to store data which would normally be volatile.
If you make use of services (e.g., repair and maintenance services), it may be possible, if necessary, to read out and use the stored operating data together with the vehicle identification number. The data from the vehicle may be read out by employees of the Mazda Network (e.g. authorised workshops, manufacturer) or by third parties (e.g., breakdown services, independent repair shops). The same applies in the case of warranty cases and quality assurance measures.
The data is usually read out via the mandatory OBD (on-board diagnostics) connection on the vehicle. The operating data read out document the technical conditions of the vehicle or individual components and help with fault diagnostics, compliance with warranty obligations and quality improvement. These data, in particular information regarding component stress, technical events, operating errors and other errors are transmitted to the manufacturer, if necessary, together with the vehicle identification number. In addition, product liability falls under the responsibility of the manufacturer. For this purpose, the manufacturer uses operating data external to the vehicles, for example, recall campaigns. These data also may be used to verify the customer's statutory warranty and manufacturer warranty claims.
Error memory on the vehicle can be reset by a service operator within the course of repair and maintenance work or at your request.
Comfort and infotainment functions You can store comfort settings and customisations on the vehicle, and change/reset these at any time.
Depending on the particular vehicle configurations, these may include:
- seat and steering wheel position settings,
- chassis adjustments and air-conditioning settings,
- customisations such as interior lighting.
You are also able to incorporate data into the vehicle's infotainment functions yourself within the context of the selected configuration.
Depending on the particular vehicle configurations, these may include:
- multimedia data, e.g., music, films or photos for playback in an integrated multimedia system,
- address book data for use in conjunction with an integrated hands-free system or integrated navigation system,
- navigation destinations entered,
- data relating to the use of internet services.
This data for comfort and infotainment functions may be stored locally on the vehicle or it may be located on a device that you have connected to your vehicle (e.g., smartphone, USB stick or MP3 player). Provided that you have entered this data yourself, you will be able to delete it at any time.
Transmission of this data from the vehicle is exclusively at your request, in particular, relating to the settings you have selected when using online services.
Smartphone integration, for example, Android Auto or Apple car play
If your vehicle is equipped accordingly, you will be able to connect your smartphone or another mobile device to the vehicle so that you can control it using the integrated control elements within the vehicle. Smartphone images and sounds can be output via the vehicle's multimedia system. At the same time, specific information is transferred to your smartphone. Depending on the type of integration, this may include location data, day/night mode and other general vehicle information. Please familiarise yourself with the operating instructions for the vehicle/infotainment system.
Integration enables selected smartphone apps to be used, for example, navigation or music playback. Further interaction between the smartphone and the vehicle does not take place, in particular, active access to vehicle data. The nature of any further data processing is determined by the app provider. Whether and which settings can be used depends on the particular app and the operating system of your smartphone.
Online services If your vehicle is equipped with a wireless network connection, this enables the exchange of data between your vehicle and other systems. The wireless connection is enabled by means of a transmission and receiving unit which is specific to the vehicle or via a mobile terminal (e.g., smartphone) that you have installed. Online functions can be used via this network connection. These include online services and applications (apps) provided to you by the manufacturer or another provider.
Services provided by the manufacturer For our online services, the respective functions are described by Mazda in an appropriate place (e.g., in the operating instructions and/or on the country-specific Mazda website) and provided together with the associated data protection information. Personal data may be used to provide online services. The exchange of data for this purpose takes place via a protected connection, for example, using the IT systems intended for this. In addition to the provision of services, the collection, processing and use of personal data takes place exclusively on the basis of a legal permission, for example, in the case of emergency call systems required by law, by means of a contractual agreement or approval.
You can activate or deactivate the (sometimes chargeable) services and functions in the vehicle, and sometimes even the entire wireless connection. Functions and services required by law, such as emergency call systems, are excluded from this.
Please inform yourself about the nature, scope and purpose with regard to the collection and use of personal data within the context of third-party services by the respective service provider.
8. Your data-protection rights
If certain conditions are met, you can assert your data-protection rights against us
- Thus, you have the right to receive information from us on the data stored on you in accordance with the rules of Art. 15 of the GDPR (if applicable with restrictions in accordance with § 34 of the German Federal Data-Protection Act (BDSG))
- If you so request, we shall correct data stored on you in accordance with Art. 16 of the GDPR if such data is incorrect or flawed.
- If you so desire, we shall delete your data in accordance with the principles of Art. 17 of the GDPR if such is not prevented by other statutory provisions (e.g. statutory retention obligations or the restrictions laid down in § 35 of the German Federal Data-Protection Act (BDSG)) or an overriding interest on our part (for example, to defend our rights and claims)
- Taking into account the preconditions laid down in Art. 18 of the GDPR, you can demand that we restrict the processing of your data.
- Furthermore, you can file an objection to the processing of your data in accordance with Art. 21 of the GDPR, as a result of which we have to stop processing your data. This right of objection only applies, however, if very special circumstances characterise your personal situation, whereby the rights of our company may run counter to your right of objection.
- You also have the right to receive your data in accordance with the arrangements laid down in Art. 20 of the GDPR in a structured, commonplace and machine-readable formator transmit such data to a third party.
- You furthermore have the right to revoke consent that has been issued to us to process personal data at any time effective into the future (see number 2.3).
- You are in addition entitled to file a complaint with a data-protection supervisory authority (Art. 77 of the GDPR). We recommend, however, to first always send a complaint to our data-protection officer.
Whenever possible, your applications for the exercise of your rights should be sent in writing to the address stated above or addressed directly to our data-protection officer.
9. Scope of your obligations to provide us your data
You only need to provide data that is necessary for the commencement and performance of the business relationship or for a pre-contractual relationship with us or the collection of which we are required by law. Without this data, we are generally not able to conclude the agreement or continue to perform such. This may also relate to data that is required later within the framework of the contractual relationship. If we request data from you above and beyond this, you shall be informed about the voluntary nature of the information separately.
10. Presence of an automated decision made in individual cases (including profiling)
We do not use any purely automated decision-making procedure as set out in Article 22 of the GDPR. If we do institute such a procedure in individual cases in the future, we shall inform you pursuant hereto separately if this is required by law.
Under certain circumstances, we may process your data in part with the aim of evaluating certain personal aspects (profiling). In order to provide you with targeted information and advice on products, we may use evaluation tools. These enable a needs-oriented product design, communication and advertising including market and opinion research.
Such procedures can also be used to assess your solvency and creditworthiness as well as to combat money laundering and fraud. "Score values" can be used to assess your creditworthiness and creditworthiness. In the case of scoring, the probability is calculated using mathematical methods with which a customer will meet his payment obligations in accordance with the contract. Such score values thus support us, for example, in assessing our creditworthiness, decision-making in the context of product deals and are incorporated into our risk management. The calculation is based on mathematically and statistically recognised and proven methods and is based on your data, in particular income, expenditure, existing liabilities, profession, employer, length of service, experience from the previous business relationship, repayment of previous loans in accordance with the contract and information from credit agencies.
Information on nationality and special categories of personal data according to Art. 9 GDPR are not processed.
11. Your right of objection
Information on your right of objection under Art. 21 of the GDPR
You have the right to file an objection at any time against processing of your data which is performed on the basis of Art. 6, section 1 f of the GDPR (data-processing on the basis of a weighing out of interests) or Art. 6, section 1 e of the GDPR (data-processing in the public interest). The precondition for this, however, is that there are grounds for your objection emanating from your special personal situation. This also applies to profiling that is based on this purpose in the meaning of Art. 4, no. 4 of the GDPR.
If you file an objection, we shall no longer process your personal data unless we can demonstrate compelling reasons warranting protection for the processing that outweigh your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims
We will also use your personal data in order to perform direct advertising. If you do not want to receive any advertising, you have the right to file an objection to such at any time. This also applies to the profiling to the extent that it is connected with such direct advertising. We shall respect this objection with effect into the future.
We shall no longer process your data for the purpose of direct advertising if you object to processing for this purpose.
The objection can be filed without adhering to any form requirements and should if possible be sent to
Mazda Motors (Europe) GmbH
Hitdorfer Straße 73
II. Supplementary Privacy Statement for our Website
We want you to know if and what data we save and how we use such data. We have taken technical and organisational measures to ensure that these data protection regulations are met.
1. Anonymous data acquisition
In principle, you can visit the web pages of Mazda Motor Europe that have not been personalised without notifying us who you are. We will only learn the name of your Internet Service Provider (your IP address), the websites from which you visited us, the date, time and the web pages you visited. This information is analysed for statistical purposes. You will remain an anonymous single user.
2. Personal data
Personal information is information that relates to your person. This includes information like your name, address, postal address, telephone number. But this does not include information that cannot be linked directly to your true identity (such as length of stay on website or number of users of the website). Personal data are only collected at Mazda Motors Europe, if you communicate your personal data to us, for example, when filling out a registration form or when registering for personalized services. Your entered data is stored only in relation to the purpose.
We use your information for advertising, market research and/or opinion research only to the extent permitted by law or in accordance with your consent. A transfer of data to other third parties is excluded.
3. Use of "Cookies"
"Cookies" can be used on our pages. A cookie is a small data file that can be stored on your hard drive. This data file is generated by the web-server that you used to create a link to your web browser (e.g. Internet Explorer, Netscape Navigator) and is then sent to you. You can be identified by the cookie when you revisit the website without having to re-enter the data that you already entered previously. Most browsers are currently set up as standard to accept cookies automatically. However, you do have the option to set your browser to reject cookies or have them displayed in advance. You are also able to delete cookies at any time from your system (e.g. in Windows Explorer). Please use the help function on your operating system for this. We point that in case of rejection of cookies the website could be malfunctioning.
4. Visitor statistics
To ensure that this website has tailored design and optimum performance anonymous data is recorded and saved using solutions and technologies by Sophus3 Ltd. (www. sophus3.de), but also utilize these data to compile usage profiles by means of pseudonyms. Cookies may be used to this purpose, which make recognition of an Internet browser possible. However, user profiles are only provided with data about the bearer of the pseudonym following specific approval of the visitor, especially, IP-addresses are made unreadable immediately upon entry, so that an allocation of user profiles and IP-addresses is not possible. Visitors of this website can always object to this data registration and-storage at [http://web.auto.sophus3.com/s3optout.html].
Furthermore you can prevent Google’s collection and use of data (cookies and IP address) by downloading and installing the browser plug-in available under https://tools.google.com/dlpage/gaoptout/. Further information concerning the terms and conditions of use and data privacy can be found at https://www.google.com/analytics/terms/.
Please click on the following link to set an opt-out cookie, when using browsers on mobile devices or as an alternative to the browser plug-in. This will prevent the collection of your data through Google Analytics when using this website (This Opt-Out-Cookie only functions in this browser and for this specific domain, if you delete all cookies in this browser, the opt-out cookie will also be deleted and you would need to click on the link again): deactivate Google Analytics.
5. Links to other websites
III. Supplementary Privacy Statement on Mazda Ethics Committee
The following is an overview of how we handle your data on Mazda Ethics Committee ( hereinafter “ Mazda Global Hotline”)
1. Processing Framework
Where does the data originate from and which data categories are processed?
We process data from whistle-blowers as part of the Mazda Global Hotline, insofar as we have received that data from you. Notifications may be submitted anonymously on a regular basis. Insofar as the whistle-blower wishes to submit a notification and at the same time intentionally or consciously reveal his/her identity, measures are taken to ensure that their identity is handled confidentially. The accused person shall, however, always be informed of the identity of the whistle-blower no later than one month after the notification is submitted.
Where anonymous notifications are submitted, we only process the content of the notification.
We receive data from whistle-blowers and third parties involved with the investigation (e.g. legal professionals, advisers, witnesses, respondents).
A notification may also involve the processing of the data of third parties (e.g. witnesses, respondents).
Personal data includes, in particular, your identity data (e.g. name), contact details and the content of the notification.
In addition, we store your personal data for the content and process of the procedure, as well as for the measures taken.
2. For what purposes and on what legal basis is my data processed?
Processing on the basis of a legitimate interest (Art. 6(1)(f) GDPR)
All (personal) information that we process as part of the whistle-blower system is used for the prevention and clarification of irregularities and ultimately, to comply with the law.
Violations in the areas of corruption and bribery, accounting rules, tax evasion and illegal practices in relation to banks, such as money laundering and bank fraud and falsification of financial documents or balance sheets, are treated as being of particular severity.
Processing on the basis of consent (Art. 6(1)(a) GDPR)
Whistle-blowers are entitled to submit notifications anonymously or to reveal their identity. In order to minimise the risk of misuse, identification of the whistle-blower is preferred. We process the personal data of the whistle-blower, insofar as that person has intentionally or consciously revealed his/her identity with knowledge of the procedure referred to in point 1
3. Is provision of the data legally or contractually stipulated or required for conclusion of a contract?
All Mazda Group Companies, as well as our employees, have undertaken to comply with the law. Without the provision of certain personal data, we are unable/would be unable to exercise our duty of care towards our employees and to follow up on notifications of irregularities.
For the sake of completeness, we would like to point out that you remain able to contact your line manager, the HR department or Works Council in the usual way.
4. Transfer of personal data
Who receives my data?
The Mazda Global Hotline is operated by Mazda Motor Europe, which carries out this duty for the entire Europe region. In order to achieve its intended objectives it may, on occasion, be necessary for us to transfer, disclose or provide access to your data to other recipients, such as the (public) authorities, courts, legal professionals, external advisers and insurance companies.
IT infrastructure, maintenance and technical support are provided by an external service provider, currently NAVEX Global.
We work only with service providers who are able to offer a sufficient contractual guarantee that your data will be processed in the same secure way.
5. Is data ever transmitted to a third country or international organisation?
Your personal data will be transmitted to countries outside of the EEA if required for the purpose of legal proceedings in a third country and only for the exercise of legal claims.
Anonymised reports are sent to Mazda Motor Corporation, Japan.
Personal data provided as part of a notification by the whistle-blower is collected and processed by the external service provider of Mazda Global Hotline, currently NAVEX Global (USA), and then transmitted to the Compliance Team at Mazda Motor Europe.
6. How long is my data stored for?
Your data, the notification and any information collected as part of an investigation shall be deleted two months following the end of the investigation.
To the extent that the information is required for legal assertion of or defence of claims or for criminal prosecution of offences, it shall be stored for the period of time required.
Personal data relating to a notification that is considered to be baseless shall be deleted immediately.
7. Rights of the data subject
What data protection rights am I entitled to?
You have the right to withdraw consent that you have given to the processing of personal data at any time with effect for the future. The withdrawal of the consent of a whistle-blower who has revealed his/her identity shall only become effective up to one month of notifying us of his/her personal data.
Further rights of the data subject can be found under point 7 ‘Your data protection rights’.
8. Does automatic decision making take place, including profiling?
Mazda Global Hotline does not engage in any form of automatic decision making or profiling.
9. Is data used for other purposes?
Finally, we would like to inform you that your data is not used for any purpose other than those listed. Further processing for other purposes shall not take place under any circumstances.
10. General privacy information of our service provider NAVEX Global
The NAVEX Global privacy information can be found at:
11. Question and comments