Data Privacy Information for Connect Services
We, Porsche Sales & Marketplace GmbH (hereinafter referred to as “we” or “PSM GmbH”), are pleased about your use of the Porsche Digital Service Infrastructure and other of our digital offers (hereinafter individually or jointly also referred to as “services” and jointly “Porsche Digital Service Infrastructure”). This Privacy Policy provides information about the processing of your personal data and your privacy rights as a data subject in connection with your use of the Porsche Digital Service Infrastructure and our services. For information on the individual services, please refer to the further Special Data Protection Notices of the respective service.
Unless otherwise expressly stated in this Privacy Policy and, if applicable, in the further Special Data Protection Notices of the respective service, the entity responsible for data processing is:
Porsche Sales & Marketplace GmbH
Porscheplatz 1
70435 Stuttgart
Germany
E-mail: smartmobility@de.porsche.com
You can reach our data protection officer at the above address with the addition “Data Protection Officer” or at dataprotection.salesandmarketplace@porsche.de
This privacy policy for Porsche Connect Services in the vehicle describes not only processing under the responsibility of PSM GmbH, but also processing which (also) falls under the responsibility of Dr. Ing. h.c. F. Porsche AG (hereinafter: Porsche AG) as the manufacturer of the vehicle. Where this is the case, reference is made to this in the relevant sections.
The entity responsible for this data processing is:
Dr. Ing. h.c. F. Porsche AG
Porscheplatz 1
70435 Stuttgart
Germany
Tel: +49 (0) 711 911-0
E-mail: info@porsche.de
You can reach the data protection officer of Porsche AG at the above address with the addition “Data Protection Officer” or at https://www.porsche.com/privacy-contact/
In relation to certain processing operations, we may be joint controllers with Porsche AG, its group companies and/or third parties (“we” then also stands for these joint controllers). In relation to such joint processes, we jointly determine the purposes and means of processing personal data. In such cases, in an agreement on joint responsibility pursuant to Article 26 of the GDPR, we accordingly also define the respective tasks and responsibilities in the processing of personal data and the responsible parties to fulfil data protection obligations. In particular, we define how an appropriate level of security and your rights as a data subject can be ensured, how we can jointly comply with information obligations under data protection law and how we can monitor potential data protection incidents. This also includes ensuring that we can fulfil our reporting and notification obligations. Insofar as you contact us, we will come to an agreement in accordance with the aforementioned agreement pursuant to Article 26 of the GDPR in order to answer your enquiry and guarantee your data subject rights. We will provide information on the existence and circumstances of joint responsibility on a case-by-case basis in the relevant section of this Privacy Policy or in the Special Data Protection Notices for each service.
The object of data protection is the protection of personal data. This is any information that relates to an identified or identifiable natural person (so-called data subject). This includes, for example, information such as the name, postal address, e-mail address or telephone number, but also other information that is generated in the course of using the online offer, in particular information about the start, end and scope of its use as well as the transmission of your IP address.
This Privacy Policy hereinafter provides you with an overview of the purposes and legal bases of data processing in the context of registering, creating and using your Porsche ID user account as well as of other data processing during your customer relationship. We process your personal data in particular if this is necessary for the performance of a contract to which you are a party or for the performance of pre-contractual measures that take place at your request. In these cases, data is usually processed on the basis of Article 6 Paragraph 1 (b) of the GDPR.
We also process your personal data, insofar as this is necessary, to comply with legal obligations to which we are subject. The data processing takes place on the basis of Article 6 Paragraph 1 (c) of the GDPR. The obligations may result, for example, from commercial, tax, money laundering, financial or criminal law. The processing generally serves the purpose of complying with state obligations with regard to monitoring and duty of disclosure.
The provision of personal data by you may be required by law or contract when using the services or may be necessary for the conclusion of a contract. We will inform you separately if you are obliged to provide personal data and what the possible consequences of not doing so would be (e.g. a loss of claims, or we might have to inform you that we cannot provide the requested service without being provided with certain details).
3.1 Porsche ID user account
Registration and creation of a Porsche ID user account on My Porsche are required for full use of the Porsche Digital Service Infrastructure and the services offered under it. Here, personal data is processed and, if necessary, transmitted to third parties as described below in order to fulfil our contractual obligations in this context. Unless otherwise stated, we carry out all processing operations described in this section in order to fulfil our contract with you on the basis of Article 6 Paragraph 1 (b) of the GDPR.
3.1.1 Registration for Porsche ID
You can choose to register and create your Porsche ID user account either through your authorised dealer or as part of the self-registration process.
(a) Mandatory data when registering and creating a Porsche ID user account
Both in the case of self-registration and of registration through an authorised dealer, your e-mail address, a password, your name and name suffixes, contact and address data, mobile phone number and, if applicable, the language in which you want to communicate with us are processed. This personal data is required to set up and manage your Porsche ID user account for you so that you can use the full range of our services as part of the Porsche Digital Service Infrastructure. In selected countries, you can also use our offer as an interested party. In this case, you only need to provide your name, e-mail address and a password. Last but not least, we also need this and possibly other personal data in order to be able to respond to requests, questions and criticism. We also save the time of your last log-in. When you register and create your Porsche ID user account, we check your name and address data by means of a plausibility check.
If you want to use services that require vehicle ownership, you must also submit a copy of an identification document and proof of ownership and, in case you are not the owner of the vehicle, a power of attorney from the vehicle owner after entering your vehicle identification number. These documents are forwarded to Porsche Connect Support or, in countries where the official language is not supported by Porsche Connect Support, directly to the dealer selected by you and are then checked locally using our verification criteria. As proof of successful verification, we also save the names, dates and places of birth and addresses shown in the relevant identification documents along with the validity dates of the documents, as well as the vehicle identification numbers, owner names and addresses shown in the proof of ownership. After verification is complete, the copies of the documents will be deleted. Alternatively, you can use the video identification procedure for verification by our Porsche Connect Support.
Self-registration requires the upload of images from your end device. You will therefore be asked to grant permission for the app to access your device's camera or photo library. The permissions can be revoked at any time by changing the respective system settings.
Processing of the aforementioned personal data takes place within the framework of a (pre-)contractual relationship on the basis of Art. 6 Paragraph 1 (b) of the GDPR.
(b) Voluntary data when registering and creating a Porsche ID user account
When registering and creating your Porsche ID user account, you also have the option of entering additional voluntary details such as additional name information (e.g. academic title, etc.), company contact details, date of birth, additional telephone numbers, credit card information (this is only stored by the payment service provider), your vehicle registration number and a personal vehicle name. In addition, you can provide information about your interests, preferences and the contact channels you would like to use. Please note that this information is not required when registering and creating your Porsche ID user account and that you alone decide whether you want to disclose this personal data to us. If you decide to provide voluntary information, we will process it on the basis of our legitimate interest in accordance with Art. 6 Paragraph 1 (f) of the GDPR. Our interest lies in achieving the best possible alignment of our offers with your preferences and interests, as well as in providing the most comprehensive range of functions possible for our offers.
3.1.2 Use of the Porsche ID
After registering for a Porsche ID, you have the option of using various services that require a Porsche ID, such as our online portal or functions within your vehicle. For authentication within the framework of these services, you must always log in with your Porsche ID and your password. We process this data in order to be able to provide you with the services you desire. The legal basis for this is Art. 6 Paragraph 1 (b) GDPR.
3.1.3 Integration of the Porsche ID into third-party offers
In some cases, we also enable cooperation partners to offer a registration and login procedure involving the Porsche ID. This means that you do not have to remember any new login data for the third-party offer. If you decide to use the registration and login procedure involving the Porsche ID as part of the third-party offer, you will be redirected to the PSM GmbH login/registration screen for the Porsche ID. Here you log in with your user name and password for the Porsche ID. We will then send a message to our cooperation partner that you have successfully registered. As part of the registration and login process, you can confirm to us that the cooperation partner may access the profile data of your Porsche ID user account. This then also applies to the payment data stored there, if applicable. This means that you do not have to re-enter or maintain your profile data and, if applicable, payment data (e.g. if your address changes) in order to create your user profile for the third-party offer. Conversely, changes to the profile data in the user account of the third-party offer are then also synchronised accordingly in your user account for the Porsche ID.
Data processing within the scope of the registration and login procedure involving the Porsche ID is carried out on the basis of Article 6 Paragraph 1 (b) and (f) GDPR in order to register you for the third-party offer using your user account or to identify you when you register. In addition to carrying out your desired procedure, we are interested in making the registration and application process efficient and convenient. We and our cooperation partner are jointly responsible for this.
3.2 Use of the individual services in the vehicle
In the following, we provide general information on data processing in connection with the use of individual features within our vehicles. Detailed information about individual services can be found in the additional Special Data Protection Notices for the relevant services.
3.2.1 Booking and handling of payment information
You can book individual or several My Porsche Services and Porsche Connect Services and activate service licences. When selecting the respective service or service package, you can also view the respective information on the processing of personal data within the scope of the services concerned under the offer details. In order to carry out and fulfil a booking and the associated contractual relationship, we process, in addition to the respective booking information, your personal data collected during registration and creation of your Porsche ID user account as well as data that you provide in the course of booking the service (for example your date of birth, a security question for verification in the event of theft, your vehicle's colour or your licence plate). You can change your billing address before completing the booking process. In this case, we use the address data provided by you for invoicing and processing.
We use a payment service provider to process payments for our paid services and products within the framework of My Porsche, Porsche Connect and the Online Marketplace. For this purpose, we and the payment service provider used will process your credit card information and the respective payment information. The payment service provider's systems are used to manage your credit card information and to process payments. When you enter your credit card information, it is done directly via an input field from the payment service provider, which encrypts, stores and uses this information independently for your payments. The encrypted information is then transferred from Porsche / from us to the payment service provider, where it is stored and used for your payment. Our legal basis for processing your personal data in order to process the payment is the fulfilment of the contract pursuant to Article 6 Paragraph 1 (b) GDPR.
The payment service provider commissioned will process your customer and contact information (for example name, address, email address, Porsche Connect customer number, and if applicable, company and affiliates) and the vehicle identification number shown in the proof of ownership for the sole purpose of accounts receivable management (including compliance checks, where legally required) and to carry out credit checks. The legal basis for processing the named personal data for the aforementioned purposes, in accordance with Article 6 Paragraph 1 (c) of the GDPR, is the fulfilment of a legal obligation incumbent on us and, in accordance with Article 6 Paragraph 1 (f) of the GDPR, our legitimate interest in appropriate accounts receivable management and credit controls, provided we are not subject to any legal obligation.
When purchasing through online shops, our payment service provider determines the fraud risk using customer data (e.g. name and identifier, sales history, etc.). The transaction data is checked and examined for abnormalities (e.g. frequency of password changes, delivery address differing from the invoicing address). The legal basis for the processing of the mentioned personal data for the aforementioned purposes is, in accordance with Article 6 Paragraph 1 (b) GDPR, the fulfilment of a contract, or, pursuant to Article 6 Paragraph 1 (f) GDPR, our legitimate interest in preventing fraud.
After completing the booking, you can activate the services. This saves the authorisation for use on the system side and updates the list of available services accordingly.
Unless stated otherwise, we carry out the processing described in this section for fulfilment of our contract with you on the basis of Article 6 Paragraph 1 (b) GDPR.
3.2.2 Proof of identity
The laws in some countries may require an identity check based on identification documents in order to book certain telecommunications services. In relation to data processing when carrying out such identity checks, we are jointly responsible with IDnow GmbH, Auenstr. 100, 80469 Munich, Germany.
You can view the privacy policy of our cooperation partner IDnow GmbH via the following link: https://idnow.io/privacy/
There are two methods available for performing identity verification. One method is that, as part of the service booking procedure, you can be redirected to the external page or app of the above-mentioned service provider, who supports us in performing the person verification. As part of the process, we will, at your request, transmit the information to be verified (your name, your address and your date of birth) as well as a reference number to the service provider that will allow us to assign the test result at a later point. As part of the identity check, the service provider will compare the aforementioned data with your identification document and store the data, as well as an optoelectronic copy of the identification document, a photo of the verified person and an audio record of the session. The service provider will then inform us of the result of the identity check, using the reference number.
Your other option is to have identity verification performed at a participating Porsche Centre. This involves staff at the Porsche Centre verifying your identity on the basis of an identification document and sending the verified information (your name, address and date of birth) and a reference number to the service provider via a Porsche system. By entering this reference number, you can use the service provider's app to submit an optoelectronic copy of your identification document to the service provider at your convenience. The service provider will then inform us of the result of the identity check, using the reference number.
Personal data resulting from this identity check will only be shared with third parties if we are legally obliged to do so. Only in such cases will we obtain access to a copy of your identification document from the service provider, for the purpose of fulfilling our legal obligations.
The legal basis for our processing of your personal data in order to carry out an identity check is Article 6 Paragraph 1 (c) and/or (f) GDPR, as the identity check is the fulfilment of a legal obligation by which we are bound, or reflects our legitimate interest in complying with legal requirements.
3.2.3 Use of the services in the vehicle
In order to be able to activate Porsche Connect Services and functions in your vehicle for the first time, you first have to create a Porsche ID user account and then register your vehicle in your Porsche ID user account (see Section 3.1 Porsche ID user account). To create your vehicle, it is necessary for you to enter the vehicle identification number shown in the proof of ownership in My Porsche, or to have this done for you by your authorised dealer in accordance with the registration process described in Section 3.1, and to create a Porsche ID user account.
We will process your vehicle identification number for the purpose of verification, to establish a vehicle connection and to identify the vehicle in the context of the use of services, as well as to activate and provide such services and for the purposes defined and explained in detail in the respective place. The regular legal basis for this data processing is Article 6 Paragraph 1 (b) GDPR.
Depending on the service, you can use your booked My Porsche Services and Porsche Connect Services in your vehicle (if available for your vehicle) via a radio network connection or via other terminal devices in My Porsche or in your Porsche Connect app. For this purpose, your vehicle or the respective end device connects to the Porsche Digital Service Infrastructure.
A separate 4-digit PIN code must be entered in order to use particularly safety-critical services. You can also access your personal PIN code in My Porsche and change it at any time. The PIN code is stored in encrypted form. When the PIN code is entered in the vehicle, it will also be encrypted and transmitted to our system for the purposes of authorisation checks.
Personal settings for the Porsche Connect Services or vehicle functions (for example, favourite radio stations, navigation destinations, favourite weather stations) will also be saved after you log onto My Porsche. After the user has been identified by means of the Porsche ID, these personal settings are called up at the start of the journey and set in the PCM. Settings made during the trip are also saved and can be recalled the next time a vehicle is used (also available in other vehicles).
Some services require you to pair an end device with your vehicle. In this case, personal data (e.g. the Porsche ID you used to log into the app as well as the vehicle identification number of your vehicle) can be transmitted to us during initial pairing in order to enable the connection (e.g. Bluetooth connection) between the device and the vehicle. If personal data is processed over and above the pairing, we will inform you accordingly in the data protection information for the respective services.
Whenever you start or finish a journey and when you select some services, your vehicle first logs in to the Porsche Digital Service Infrastructure with the vehicle identification number. We process this personal data in order to assign your vehicle to your Porsche ID user account and to allow us to check that you are entitled to use the services. When you log in at the start or end of a journey, an up-to-date list of the available services will also be sent to your vehicle.
When you use the services booked via My Porsche or the Porsche Connect Store in your vehicle or on other devices, your personal data will be processed by us for the purpose of enabling the use of services, for support purposes and for other individually defined purposes. Unless otherwise stated here or in the further Special Data Protection Notices, we will only process your personal data to the extent necessary to enable the relevant My Porsche Service or Porsche Connect Service to be used, in accordance with Article 6 Paragraph 1 (b) GDPR.
3.2.4 Use of the services in the vehicle by unregistered drivers
If you also use the vehicle services activated by the main user as a secondary or guest user, we process the aforementioned personal data on the basis of a legitimate interest in ensuring the cross-customer provision of central services for non-registered users of the respective vehicle in accordance with Article 6 paragraph 1 (f) GDPR.
If the vehicle functions are used by people who have not been authenticated via a Porsche ID (guest users), information from the use of certain services is technically collected and stored under the Porsche ID user account of the linked main user.
3.2.5 Use of third-party services
If you use the services of a third-party provider with whom you have your own contractual relationship, the content of these services may be displayed in your vehicle or on your terminal device and information may be exchanged between your vehicle or your end device and the respective service provider.
We have no influence over data processing by this third-party provider or over the location of the data processing. Therefore, please consult the respective third-party provider about the type, scope and purpose of the processing of personal data with regard to the respective service in their separate Data Protection Notices.
We transfer the necessary personal data to the relevant third-party provider on the basis of Article 6 Paragraph 1 (b) GDPR in order to fulfil the contract between you and us.
3.2.6 Online remote update (ORU)
If you have activated online software updates in My Porsche, data may be exchanged between our systems and your vehicle for the purpose of updating the software of your vehicle systems and for troubleshooting software bugs as part of service activities. Insofar as the updates do not affect the Connect Services but the vehicle itself, Porsche AG shall be responsible for the data exchange. PSM GmbH may then be involved as a processor bound by instructions.
For the purpose of preparing and conducting updates, the vehicle identification number shown in the proof of ownership, device identifications and their current software version, your Porsche ID and authorisation information are exchanged with our systems at regular intervals. In individual cases (e.g. update actions, as when updating the battery management system), information about the vehicle equipment as well as information about the technical condition of your vehicle are transferred to our systems. You can terminate the online software update and the associated processing of personal data by deactivating the function in My Porsche.
The legal basis for our processing of your personal data for the above purposes is implementation of the contract between you and us in accordance with Article 6 Paragraph 1 (b) GDPR. Insofar as Porsche AG is responsible and it concerns updates relating to the vehicle, the legal basis is Article 6 Paragraph 1 (b), (c) or (f) GDPR. In this respect, the purpose is to ensure the operational capability of the vehicle in order to fulfil legal and contractual requirements for the manufacturer.
3.2.7 Swarm services
Individual services, such as Real-time Traffic or Porsche2X, rely on the provision of information, for example about the location, environment and movement of your vehicle, and combine it with the data from additional vehicles to derive new and more accurate information, such as current traffic and road conditions as well as dangerous situations. These services are called swarm services. For this purpose, the location, vehicle and environmental data and movement information from your vehicle may be transferred as part of vehicle use. We provide the aforementioned data to third parties in aggregated form only, and without reference to you or your vehicle.
Personal data is processed for the aforementioned purposes on the legal basis of Article 6 Paragraph 1 (a) or (b) GDPR, depending on whether you have given your consent or whether the provision of more precise content as part of swarm services is part of the contractual services.
You can deactivate the transfer of data for these purposes at any time in the settings of the PCM of your vehicle under the “Porsche Connect” menu item. Here you can deactivate individual services or service groups. It is also possible to deactivate all data transfers. Please note that such deactivation may limit the functionality of individual services, in particular swarm services such as Real-time Traffic or Porsche2X. The exchange of data can also be prevented by using “privacy mode” in accordance with Section 5.
3.2.8 Data processing in the context of connectivity services
Depending on the equipment installed in your vehicle, connectivity may be established by dialling into the vehicle interfaces using a WiFi connection provided by an external end device or by means of one or more wireless modules in your vehicle. Depending on the equipment installed in your vehicle, the wireless network modules in your vehicle may be operated with a user-supplied or pre-assigned plug-in SIM card, or a permanently installed SIM card.
Unless otherwise stated, we carry out all processing operations described in this section in order to fulfil our contract with you on the legal basis of Article 6 Paragraph 1 (b) GDPR.
Data storage during vehicle production
In the context of vehicle production, we link the SIM card numbers (ICCID, IMSI, MSISDN) with the relevant device number and the vehicle identification number shown on the proof of ownership. The data is stored for the purpose of managing the SIM card numbers and assigning the vehicle to a SIM card number on the basis of Article 6 Paragraph 1 (b) GDPR in order to implement the contract between you and us and on the basis of Article 6 Paragraph 1 (c) GDPR, e.g. so that we can disclose information if required to do so by law.
Exchange of data with permanently installed SIM cards
Active wireless modules in Porsche vehicles with permanently installed SIM cards tune into the mobile service networks of the respective network operator, if available — regardless of whether you are registered for Porsche Connect or have booked Porsche Connect Services. In this case, telecommunications data (data processed in order to provide telecommunications services or to establish connectivity) can be exchanged via the wireless networks of the respective network operator, e.g. with wireless cells, for the purpose of wireless connections or establishing connectivity and, where appropriate, for the purpose of implementing the corresponding online functions of the Porsche Connect Services you booked for your vehicle.
Within the context of the wireless network connection, during signal transmission using public telecommunications networks outside your vehicle, it is not possible to prevent third parties, in particular network operators, from accessing certain information and, possibly, from identifying your location. In addition to the relevant network operator, virtual network operators may also have access to this information.
Connectivity is provided by the respective network operators and virtual network operators via permanently installed SIM cards.
Please refer to your network operator and/or virtual network operator for information regarding the type, scope and purpose of data processing and its legal basis, data security while the signal is being transferred and your rights as a data subject.
Data processing in the context of telecommunication services
We shall process the stock data you provide when you register for My Porsche or Porsche Connect Store or when you book a telecommunications service in My Porsche or in the Porsche Connect Store (such as your name, address and date of birth) in order to establish, organise, modify or terminate a contract for telecommunications services in accordance with Article 6 Paragraph 1 (b) GDPR.
With the exception of SIM card and device numbers and the volume of data consumed, traffic data (such as the beginning and end of each connection) generated by the activity of the radio network connections, location data of the mobile connection, the end points of the connection and dynamic IP addresses are not processed within the Porsche Digital Service Infrastructure. Please consult the relevant network operator for information regarding the type, scope and purpose of data processing.
Data processing in the context of other connectivity services
When you book or have booked advanced connectivity services, such as vehicle hotspot data packages, activation and/or deactivation information (such as the vehicle identification number shown in the proof of ownership) will be exchanged between our system, the wireless network interface of your vehicle and the respective network operators and/or virtual network operators for the purpose of activating and deactivating the data packets of the permanently installed SIM card in your Porsche vehicle. In order to manage the SIM card permanently installed in your Porsche vehicle and in order to invoice the data volume provided and used in the context of a data package you may have booked, the vehicle identification number shown in the proof of ownership, your SIM card numbers, the associated SIM card status and, where appropriate, the data volume used and remaining in the relevant period will be exchanged between our system, the wireless network interface of your vehicle and the virtual network operators and stored by us for the duration of the contractual relationship. The legal basis for our processing of your personal data for the above purposes is implementation of the contract between you and us in accordance with Article 6 Paragraph 1 (b) GDPR.
Data processing in connection with legal obligations
In addition to the data processing described, we shall only process telecommunications data (personal data processed for the purpose of providing the telecommunication service or for establishing connectivity) on the basis of and in accordance with the legal provisions to which we are subject — for example to fulfil our statutory obligations to store personal information and to disclose this to security and judicial authorities and/or on the basis of security regulations. The legal basis for processing your personal data for the aforementioned purposes is the fulfilment of a legal obligation incumbent on us in accordance with Article 6 Paragraph 1 (c) GDPR, protection of our vital interests in accordance with Article 6 Paragraph 1 (d), and our legitimate interest in complying with legal requirements in accordance with Article 6 Paragraph 1 (f) GDPR.
3.3 Data transmission from vehicle
Depending on the equipment installed in your vehicle, radio interfaces may be used to transfer data to our systems, for example data from your infotainment system, data from your vehicle's control systems, or technical vehicle and environmental data gathered by means of sensors. This includes the following information in particular:
IDs and identification data
Basic data
Usage and operating data
Connection and transaction data
Status data
Analysis data
Data on vehicle history, maintenance and repair
Location and movement data
Location-based environmental and traffic data
3.3.1. Data transmission for service provision
We transfer such vehicle, service and product data in particular for the provision and delivery of services and other support, as well as for the fulfilment of legal obligations. In addition, the transfer takes place if you have given the appropriate consent. With regard to the transmission of vehicle, service and product data, this concerns not only the processing of personal data, but also the storage of information in the end devices of the end user, or access to information already stored in the end devices. In this respect, the German Act on the Regulation of Data Protection and the Protection of Privacy in Telecommunications and Telemedia (TTDSG) applies in addition to the GDPR.
Whenever vehicle, service and product data is transferred and processed for service-related purposes, PSM GmbH is responsible. Whenever the vehicle, service and product data is transferred and processed for vehicle-related purposes, Porsche AG is responsible. Whenever the vehicle, service and product data is transferred and processed for both service-related and vehicle-related purposes, PSM GmbH and Porsche AG are jointly responsible. Vehicle, service and product data may be transferred between PSM GmbH and Porsche AG in order to pursue the respective purposes.
Further information on the processing of personal data in the context of the provision of services can be found in Section 3.2 of this Privacy Policy and in the respective Special Data Protection Notices for the individual services.
3.3.2. Data transmission for product improvement purposes, for error analysis and troubleshooting
We, or Porsche AG, process vehicle, service and product data described below for further development and improvement of products and services, as well as error analysis and troubleshooting. For these purposes, the vehicle, service and product data is in some cases also shared with service providers and other bodies, in particular with other affiliated companies of Porsche AG or Volkswagen AG and with manufacturers of components and product parts.
In general, we or Porsche AG only process the transmitted vehicle, service and product data in such a way as to prevent the identification of natural persons or specific vehicles from the processed data itself or in combination with the other processed data. The purpose of this data processing is to gain knowledge about Porsche products, components, services and their use. This knowledge is then used for further development and improvement of products and services, as well as error analysis and troubleshooting.
To enable certain processing operations, vehicle, service and product data from vehicles selected by us on the basis of previously defined criteria is transferred to the systems (data collection campaigns). In order to select vehicles for such data collection campaigns, vehicle master data relating to your vehicle is used, which Porsche AG has saved during vehicle production, among other cases, as well as vehicle, service and product data from previous data transfers, and your vehicle identification number.
The data processed in this way does not contain any information about you, your specific location or the vehicle identification number. In some cases, the vehicle, service and product data processed contain temporary identification numbers that can be identified as belonging to a specific source within a limited period of time and can thus be linked. In this way, technical information about how components behave can be analysed not only statically, but also in relation to a progression over the temporary period. In these cases, it is not possible to identify the vehicle identification number from the temporary identification number.
If necessary to achieve the specific purposes, the vehicle, service and product data is also processed together with the location of your vehicle or the vehicle identification number, as well as other data stored about your product at Porsche AG or PSM GmbH (e.g. about your vehicle model and its equipment features). As part of the development of our mobility offer, we or Porsche AG also process personal data from electric vehicles and their charging operations in connection with your vehicle identification number and the location of the charging operation, for the purposes of product and service development, improvement, troubleshooting, error analysis and repair in Porsche vehicles and the charging infrastructure. More specifically, the following data is processed: your vehicle identification number, the geographic position of your vehicle, the time of parking and charging and other technical data, such as status data of the charge and your vehicle (current mileage, battery and ambient temperature, etc.).
The purpose of transferring and processing the vehicle, service and product data is to ensure the operational capability of the service or the vehicle and the entire vehicle fleet and thus to fulfil contractual and/or legal obligations to the provider or the manufacturer pursuant to Article 6(1)(b) and/or (c) GDPR. In the context of fulfilling legal obligations, vehicle, service and product data is in some cases also shared with other bodies, in particular authorities. As far as processing operations beyond the transmission of the vehicle, service and product data to the systems are concerned, such data may also be processed in accordance with Art. 6(1)(f) GDPR, in particular insofar as this is necessary to safeguard the interest in the assertion, exercise or defence of legal claims.
With your consent, the vehicle, service and product data will also be processed for general product improvement (development/improvement of products and services, error analysis and troubleshooting, product monitoring). If you give your consent, vehicle, service and product data that has already been processed for other purposes described in this chapter, in accordance with the mentioned legal bases, may also be processed for this purpose. This also applies in cases in which you once again give your consent that was revoked at an earlier point in time, provided that the data has been saved for other purposes in the interim period. The legal basis for the processing of personal data is Article 6(1)(a) GDPR.
3.4 Fulfilment of regulatory obligations
3.4.1 EU eCall
The “EU eCall” is a legally required emergency call service that can be triggered automatically, e.g. by the airbag or Emergency Assist, as well as manually. Porsche AG is responsible for implementing the corresponding processing operations.
When this function is used, the following categories of personal data will be processed:
Vehicle identification number,
(Technical) vehicle data,
Vehicle interior and vehicle environment information,
Vehicle status and vehicle analysis data,
Location data (such as GPS position, position obtained using radio network location, movement information, vehicle direction).
The legal basis for processing your personal data is the fulfilment of a legal obligation incumbent on Porsche AG as manufacturer in accordance with Article 6 Paragraph 1 (c) GDPR, the protection of vital interests in accordance with Article 6 Paragraph 1 (d), and the legitimate interest in complying with legal requirements in accordance with Article 6 Paragraph 1 (f) GDPR. The recipients are the relevant control centres. There is no intention to transfer personal data to third countries outside the European Economic Area.
3.4.2 Obligations of the manufacturer
In certain countries, in order to prevent tampering with odometers, for example, vehicles with the appropriate technical capability are required to report vehicle data regularly to the responsible registration authorities. The following categories of personal data will be processed to fulfil this obligation:
Vehicle identification number,
Current mileage.
In order to record real consumption values, so-called onboard fuel consumption monitoring (OBFCM) data must be read from the vehicle and transmitted to government agencies for certain vehicles with internal combustion engines (incl. plug-in hybrids) in certain countries. Data processing, transmission and storage are carried out within the framework of this legal obligation and can be refused prior to the readout process at the contract workshop.
The following categories of personal data will be processed to fulfil this obligation:
Vehicle identification number,
Fuel consumption and mileage driven (OBFCM data).
Porsche AG is responsible for implementing the corresponding processing operations. Pursuant to Article 6 Paragraph 1 (c) of the GDPR, the legal basis for the processing of your personal data is the fulfilment of a legal obligation that applies to Porsche AG as manufacturer. Where applicable, the recipients are Porsche Sales & Marketplace GmbH as processor, as well as the respective responsible institutions, e.g. importers, authorised bodies. There is no intention to transfer personal data to third countries outside the European Economic Area.
3.4.3 Cyber security obligations
In complying with European regulations on monitoring obligations in the field of cyber security (UNECE No. 155), there is an obligation to monitor the individual functions of the vehicle in order to ensure early detection of any attempts to manipulate or attack the integrity of the systems. Warnings indicating a possible attack or unusual behaviour are triggered by the vehicle and automatically processed by the Intrusion Detection System backend (aka IEP: IDS Engineering Platform). In particular, this requires the following data to be processed:
Vehicle identification number and identification numbers of built-in control units,
Analysis data (sensor data from the control units),
Event memory,
Time stamp of the anomaly,
On-board network data,
Type and kind of external devices used (e.g. USB devices),
Open port data of the infotainment system.
Porsche AG is responsible for implementing the corresponding processing operations. The legal basis is our legitimate interest in recognising and eliminating existing or potential weaknesses in the vehicle systems and in complying with legal regulations in accordance with Article 6 (1) (f) GDPR. This enables us to identify and treat weaknesses in our products, make future attacks more difficult and improve the security of our vehicle systems in the long term.
If a security threat should be identified, the data collected will be forwarded to our Incident Response Team for further processing. Insofar as this is necessary for the analysis and/or containment of a security risk, the data will also be forwarded to other companies in the VW Group.
Porsche AG, Audi AG (Auto-Union-Strasse 1, 85045 Ingolstadt) and Volkswagen AG (Berliner Ring 2, 38440 Wolfsburg) are jointly responsible for collaboratively processing and preventing security incidents across the VW Group. The parties have defined their respective obligations and tasks in an agreement pursuant to Art. 26 of the GDPR. In particular, they have agreed that applications from data subjects that fall within the aforementioned scope can be asserted against any of the parties involved. As part of this cooperation, it is possible for Audi AG and Volkswagen AG also to have access to threat data in order to effectively detect cross-group security incidents.
As part of the treatment of specific abnormalities, the above-mentioned data can be transmitted in pseudonymised form to a specialised security service provider based in Israel.
3.5 Customer and prospect management
3.5.1 Contact
You can use various communication channels to contact us, in particular the service hotline if you wish to contact us by telephone, but also e-mail or live chat. If you contact our contact centre, we process personal data to the extent necessary to provide the contact centre service and to process your request. We may ask you to provide personal data that is necessary for the preparation and implementation of the contact to process your respective request. Without this data, we will not be able to process your request or fulfil your request. The purposes of processing arise specifically from your request and the services you have booked. These encompass, in particular, the processing of requests from interested parties, customers and dealers in relation to products and services from Porsche Sales & Marketplace GmbH. This includes, for example,
Technical support services
Assistance when purchasing services or products
Answering general questions about Sales & Marketplace
Technical support for customers and dealers, in particular through the provision of a service hotline for telephone contact.
Data is processed on the basis of Article 6 Paragraph 1 (b) GDPR for the purpose of fulfilling the contract with you and implementing pre-contractual measures.
We also process your personal data to comply with legal obligations to which we are subject. Obligations may arise, for example, from commercial, tax, telecommunications, money laundering, financial or criminal law. The purposes of processing arise from the respective statutory obligation; the processing generally serves the purpose of complying with state obligations with regard to monitoring and duty of disclosure.
Data is processed on the basis of Article 6 Paragraph 1 (c) or (e) GDPR. If we collect data on the basis of a legal obligation or in the public interest, you need to provide the personal data that is required to comply with the legal obligation. Without this, we might not be able to process your request or fulfil these obligations.
If you use support services in a Porsche Centre, your dealer can also retrieve this data. To facilitate this service, we also transmit the aforementioned data to the relevant dealer. In this case, we will process your personal data in accordance with Article 6 Paragraph 1 (f) GDPR on the basis of our legitimate interest in facilitating customer service at your preferred point of contact or through your preferred dealer.
3.5.2 Joint customer and prospect management at Porsche
In the following, we would like to provide you with further information on data protection in the context of the implementation of customer and prospect management at Porsche. The purpose of the measures is to safeguard customer- and interest-oriented management.
Joint customer and prospect management at Porsche
The measures mentioned in this section within the framework of customer and prospect management (in particular service and support, implementation of legal requirements, needs analyses, individual support via the desired communication channels) are not, in principle, carried out by the person responsible alone. In addition to PSM GmbH, the parties involved in customer and prospect management under the Porsche brand include Dr. Ing. h.c. F. Porsche AG as manufacturer, the responsible Porsche centres, the responsible importer – in particular Porsche Deutschland GmbH – and other companies affiliated with Porsche in the areas of financial and mobility services, digital services and lifestyle products.
By using a central platform, we avoid situations in which information about your products, contact details and interests is not available to your contact person at Porsche, which would result in your being referred to another company involved. This also applies if the operating company of your respective Porsche Centre changes. By exchanging and comparing data, we ensure that you receive optimal support and advice. Of course, only the companies involved have access to your data, which they also need for operational purposes. Data is processed on the basis of Article 6 Paragraph 1 (f) GDPR.
In certain cases, joint customer and prospect management can lead to joint responsibility. In an agreement pursuant to Article 26 of the GDPR, the participating companies have therefore defined the respective tasks and responsibilities in the processing of personal data and the parties responsible for fulfilling data protection obligations. In particular, stipulations have been made as to how an appropriate level of security can be achieved and how your data subject rights and data protection information obligations can be guaranteed. Alongside the other companies involved, Porsche Sales & Marketplace GmbH is available to you as a central point of contact.
Individual customer and prospect management
Insofar as you have given voluntary consent to the individual customer and prospect management, your data – contact data, support and contract data (e.g. on purchase, leasing or financing), service information and data on interests, vehicles and the services and products that you use of the companies participating in the joint customer and prospect management – is used to send you personally tailored information and offers about vehicles, services and other products from Porsche, invitations to events and surveys on satisfaction and expectations via the desired communication channels and to create an individual customer profile.
Which data is actually used for this depends on which data was collected on the basis of assignments, orders and consultations or made available by you (e.g. in the consultation at the Porsche Centre or as part of your activities under your Porsche ID at My Porsche). The data can also come from assignments or orders that are processed in collaboration with cooperation partners (e.g. insurance companies) and from whom we may then receive the information. If appropriate approvals have been granted, other data sources may also be included. This can be data from the vehicle (e.g. on your driving behaviour) or on the use of digital media (e.g. on website use). You will receive further information on the merging of the data with the corresponding release.
To offer you an inspiring brand and support experience with Porsche and to make our communication and interaction with you as personal and as relevant as possible, the data mentioned is used for needs analyses and customer segmentation. On this basis, it is possible to determine affinities, preferences and potentials within the framework of the individual customer and prospect management by the participating companies. Key figures regarding your probable product interests and your level of satisfaction are examples of such measures to individualise support. The corresponding information and analysis results are stored in your customer profile and are then available for designing the customer and prospect management. The personal evaluation and assignment in a customer profile only takes place if you have given your voluntary consent to the individual customer and prospect management. We do not offer individual customer and prospect management without these optimisation and personalisation measures.
If you do not give your consent, we only use the data mentioned in the context of customer and prospect management to carry out general evaluations on the basis of aggregated data from customers and prospects, with the aim of optimising our offers and systems and aligning them with overarching interests. Please note that your data may also be evaluated outside the scope of customer and prospect management; this is then based on your specific consent or another legal basis.
When we send e-mails within the context of the individual customer and prospect management, we may use commercially available technologies such as tracking pixels or click-through links. This allows us to analyse which or how many e-mails are delivered and/or rejected and/or opened. The latter is carried out in particular by tracking pixels. If you have deactivated the display of images in your e-mail program, it is not possible to measure the opening rate of our e-mails in full using tracking pixels. In this case, the e-mail will not be displayed completely. It is nevertheless still possible for us to determine whether an e-mail has been opened if you click on the text or graphic link in the e-mail. Using click-through links, we can analyse which links have been clicked in our e-mails and determine the interest in certain topics. If you click on the corresponding link, you will be guided through our separate analysis server before accessing the target page. Based on the analysis results, we can make e-mails more relevant within the scope of the individual customer and prospect management, send them in a more targeted manner or prevent e-mails from being sent. We only send e-mails to you and evaluate their use if you have given your voluntary consent to the individual customer and prospect management. We do not offer individual customer and prospect management without the described evaluation for optimisation.
In principle, we only process your data for the purposes for which we collect it from you. In individual cases, however, it may be necessary to process data that has already been collected for other purposes at an earlier stage. Of course, this is only done if you have given your consent or there is another legal basis that applies.
Where we process your personal data for a purpose other than that for which it was collected, beyond appropriate consent or a compelling legal basis, we will take into account, in accordance with Article 6 Paragraph 4 of the GDPR, the compatibility of the original purpose and the purpose now pursued, the nature of the personal data, the possible consequences for you of further processing and the guarantee of the protection of the personal data.
Some functions of our online offer require you to grant access to your end device (e.g. access to location data). Granting permissions is voluntary. However, if you wish to use the corresponding functions, you must grant the corresponding authorisations, otherwise you will not be able to use these functions. Permissions remain active unless you revoke them in your device by deactivating the relevant setting.
Unless you choose another setting, your vehicle is always in so-called private mode. This option prevents data transmission for most vehicle services, especially for the services from the Connect portfolio. You have the option at any time to deactivate private mode in whole or in part in order to unlock the full range of functions of your Connect Services.
Certain services remain active even if you choose to activate private mode. This includes services that we are obliged to use due to legal regulations. Private mode also has no effect on the functionality of security-related functions. If, during vehicle setup, you have activated the implementation of updates, these will be downloaded and prepared for installation despite private mode being activated.
We also process personal data that we receive from third parties or from publicly available sources. Below is an overview of the relevant sources and the categories of data obtained from these sources.
Group companies, Porsche sales companies, Porsche centres and service companies: information about your products, services and interests
Cooperation partners and service providers: for example, creditworthiness data from credit agencies.
Within our company, the only people who have access to your personal data are those who need this for the purposes named above. We only pass on your personal data to external recipients if a legal licence exists or if we have your consent. Below you will find an overview of the corresponding recipients:
Porsche AG and PSM GmbH are part of the Porsche group of companies. Within the scope of our business, we have outsourced certain processing operations within the group of companies. In certain circumstances, data may therefore be transferred within our group of companies, for example in the context of customer relationships, for analysis and market research purposes or in the area of marketing. This is always done on the basis of an order processing relationship or within the framework of joint responsibility. This also applies to the exchange of data with the Porsche Centres, insofar as this is necessary for maintaining active customer relationships as part of customer and prospect management or for processing support cases. We transmit data from our customer relationship to the following recipients in particular:
Processors: Porsche AG and its group companies or external service providers, for example in the areas of technical infrastructure and maintenance, who are carefully selected and checked. The processors may only use the data in accordance with our instructions.
Public bodies: authorities and public institutions, such as public prosecutors, courts or tax authorities to which we (must) transfer personal data, e.g. to fulfil legal requirements or to safeguard legitimate interests.
Private entities: Porsche AG and its group companies, Porsche sales companies, dealerships and service companies, cooperation partners, service providers (not bound by instructions) or authorised persons such as Porsche Centres and Porsche Service Centres, financing banks, credit agencies or transport service providers.
If data is transferred to bodies whose headquarters or place of data processing is not located in a member state of the European Union, another country outside of the European Union that is a signatory to the Agreement on the European Economic Area or a state for which an appropriate level of data protection has been determined through a decision of the European Commission, we will ensure, before disclosure, that the data transfer is either covered by a legal authorisation, that there are guarantees for an adequate level of data protection with regard to the data transfer (e.g. through the agreement of contractual warranties, officially recognised regulations or binding internal data protection regulations applied by the recipient) or that you have given your consent to the data transfer.
Insofar as data is transferred on the basis of Articles 46, 47 or 49, Paragraph 1, Subparagraph 2 GDPR, you can obtain from us a copy of the guarantees for the existence of an adequate level of data protection with regard to the data transfer or information on the availability of a copy of the guarantees. For this purpose, please use the information in Section 1.
The following shall apply if the description of the individual services does not provide information about the specific duration of storage or the deletion of the personal data:
We store your personal data, if a legal permission exists for this, only as long as necessary to achieve the purposes pursued or as long as you have not revoked your consent. In the event that you object to the processing, we will delete your personal data unless further processing is permitted by the legal provisions. We will also delete your personal data if we are obligated to do so for other legal reasons. Pursuant to these general principles, we will usually erase your personal information immediately
after the legal basis ceases to exist and unless another legal basis (e.g. commercial and tax retention periods) applies. If the latter is the case, we will erase the data once that other legal basis ceases to apply;
if your personal data is no longer required for our purposes, and if no other legal basis (for example, commercial and tax retention periods) is applicable. If the latter is the case, we will delete the data once that other legal basis ceases to apply.
Right of access: you have the right to receive information about your personal data stored by us.
Correction and deletion right: you may request us to correct incorrect data and – insofar as the legal requirements are fulfilled – to delete your data.
Limitation of processing: you may require us to restrict the processing of your data, provided that the legal requirements are met.
Data transferability: if you have provided us with data based on a contract or consent, you may, if the statutory requirements are met, obtain from us the data provided by you in a structured, commonly used and machine-readable format, or require us to transmit it to another controller.
Right to object: you have the right to object at any time, on grounds relating to your particular situation, to our processing of your data, provided this objection is based on the safeguarding of legitimate interests. If you make use of your right to object, we will stop processing your data, unless we can prove compelling legitimate reasons for further processing that outweigh your rights and interests.
Objection to direct marketing: if we process your personal data for the purpose of direct marketing, you have the right to object to our processing of your data for this purpose at any time. If you exercise your right to object, we will stop processing for this purpose.
Withdrawal of consent: if you have given us consent to the processing of your personal data, you can revoke this at any time with effect for the future. The withdrawal of consent will not affect the lawfulness of processing before its withdrawal.
Right of appeal to the supervisory authority: you can also lodge a complaint with the competent supervisory authority if you believe that the processing of your data violates applicable law. You can contact the supervisory authority responsible for your place of residence or country or the supervisory authority responsible for us.
Your contact with us and exercising your rights: furthermore, you can contact us free of charge with questions about the processing of your personal data and about your rights as a data subject. Please contact us by e-mail at dataprotection.salesandmarketplace@porsche.de, via the website at http://www.porsche.com/international/privacy/contact/ or by post at the address provided in Section 1 above.
When doing so, please make sure that we can clearly identify you. If you wish to withdraw your consent, you can alternatively use the method of contact that you used when you gave your consent.
Status: 01.07.2024