Privacy notice for the use of the EU Data Act Portal in the test phase


Below, we inform you about the processing of your personal data ("data," "your data") by Volkswagen Group Info Services AG ("VW GIS AG") and your claims and rights under data protection law, in particular under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").

This privacy notice applies to the processing of your data in connection with the platform operated by VW GIS AG (the "Data Act Portal") for the provision of product data and related service data by the brands of the Volkswagen Group (AUDI, Volkswagen, SEAT/Cupra, Skoda, Bentley, MAN, and Elli) in accordance with Articles 4 and 5 of the EU Data Act (Regulation (EU) 2023/2854 ("EU Data Act")).

This privacy notice applies exclusively to the so-called test phase, during which the functionalities of the Data Act Portal will be tested by employees of the Volkswagen group brands prior to its go-live on September 12, 2025.

A. Who is the controller for data processing?

VW GIS AG is the controller for the general provision of the Data Act Portal as a secure and user-friendly platform for exercising data provision requests within the meaning of Articles 4 and 5 of the EU Data Act. This includes, in particular, the operation of the platform, including the management of cookies for website visits and the fundamental guarantee of the integrity, confidentiality, and availability of the Data Act Portal. In this privacy notice, we inform you about the data processing for which we are responsible:

Volkswagen Group Info Services AG,
Berliner Ring 2, 38440 Wolfsburg,
gis-privacy@cariad.technology,
registered in the commercial register of the Braunschweig Local Court under no. HRB 207876.

In contrast to this, the Volkswagen group brands mentioned above are each separate data controllers for data processing in connection with the provision of data relating to their vehicles in accordance with Articles 4 and 5 of the EU Data Act via the Data Act Portal. This includes, in particular, the registration of vehicles, the receipt and processing of requests from authorized users for the provision of data in accordance with Articles 4 and 5 of the EU Data Act, the provision and, if necessary, preparation of the relevant data, and the subsequent transmission of this data to the user. Further information on the processing of your data in this context can be found in the privacy notice of the respective group brand, which will be provided to you prior to testing:

·       Privacy notice for AUDI brand vehicles

·       Privacy notice for Volkswagen brand vehicles

·       Privacy notice for SEAT/Cupra brand vehicles

·       Privacy notice for Skoda brand vehicles

·       Privacy notice for Bentley vehicles

·       Privacy notice for MAN vehicles

·       Privacy notice for Elli brand products

B. Where do we collect your data?

We collect and process your data when you simply use the Data Act Portal website without being logged in (I.), when you are registered and logged in to the Data Act Portal (II.), when you contact our support team (III.), or when you exercise your rights as a data subject (IV.).

I. Website (visitors)

When you visit the website without logging in, we collect the technical data necessary for the secure provision of the website (see the table below in section C. for this purpose), and we also use cookies on our website. For more information about our cookies, please refer to section D.

II. Data Act Portal (users)

To log in to the Data Act Portal website and use it effectively, you need an account as a customer of the respective group brand (e.g., a Volkswagen ID) as a sign-on solution. In this context, you have the following options for successfully logging in with this account:

·       You already have an account as a customer of the respective brand and log in to the Data Act Portal of VW GIS AG with this account data; or

·       You create a new account as a customer of the respective brand. You can then log in to the Data Act Portal with these access data.

We process your login data to enable you to access the Data Act Portal. For more information about the cookies used during your visit to our website, please refer to Section D. With regard to the creation, use, and management of your account with the respective group brand, this group brand acts as an independent, separate controller within the meaning of the GDPR. You can obtain data privacy information about your account from the respective group brand with which you have your account.

III. Contacting our support team

If you contact us regarding the website (see I. above) or the Data Act Portal (see II. above) (by telephone, email, or contact form), we will use the contact details provided by you to assist you with your request, forward the information provided to the relevant departments where necessary, and document the proper handling of your request (see the table below in Section C. for this purpose).

IV. Contacting us to exercise your rights as a data subject

If you exercise your rights as a data subject, we will process the data necessary to fulfill your request and document the process (see the table below in Section C. for this purpose).

C. How do we process your data?

The data we process falls into the following categories:

·       Website data, such as your IP address, the name of your Internet service provider, the operating system and browser you are using, and your browser language;

·       Location data, such as general location data (e.g., city/state and/or postal code associated with your IP address);

·       Identification data (if you contact us regarding the Data Act Portal), such as your first name and last name;

·       Necessary login details for your account or account with a group brand for successful access to the Data Act Portal;

·       Contact details (if you contact us regarding support requests or register your company as a potential data supplier or customer), such as your email address, telephone number, address (including postal code, city, state, country), and job title;

·       Message details, i.e., data contained in messages you send to us, such as the area to which your message relates and the content of your message.

You are generally not required to provide us with your personal data. However, in order to enable and facilitate your access to the website and the functions offered via the website or the Data Act Portal, we require certain personal data (e.g., contact details if you contact us, as we will otherwise be unable to respond to you). If you do not provide this personal data, we may not be able to provide you with all the features available on the website (e.g., contacting us). Without registering for a group brand account, you cannot log in to the Data Act Portal.

As indicated in the table below, we also store website data, including log files, for the purpose of detecting malfunctions and ensuring the security of the website, the Data Hub, and our systems.


D. How do we use cookies?

We use various cookies on our website and in the Data Act Portal. Cookies are small files containing configuration information that are stored on your device and enable the website operator to recognize your device.

I. General information

There are basically three categories of cookies: cookies that are necessary for the functionality of the website ("functional cookies"), cookies that increase the convenience of a website visit and, e.g., store your language settings ("comfort cookies"), and cookies that are used to create a pseudonymized user profile ("tracking cookies").

The processing of functional cookies is necessary to enable your visit to the website (Art. 6 (1)(b) GDPR).

The legal basis for comfort cookies is a legitimate interest (Art. 6 (1)(f) GDPR). The legitimate interest lies in providing convenience when visiting the website. You can object to the processing of data at any time with effect for the future.

Tracking cookies are only set if the website visitor has given their consent (Art. 6 (1)(a) GDPR). Consent is given via the cookie banner, which must be actively clicked. You can revoke your consent to the data processing described above at any time with future effect by changing your current preferences in our cookie consent manager.

There are different types of cookies within the above categories of cookies. Below you will find the most common types of cookies for your information:

·       Session cookies: While you are active on a website, a session cookie is temporarily stored in your computer's memory, in which a session ID is stored. This means, for example, that you do not have to log in again each time you change pages. Session cookies are deleted when you log out or lose their validity as soon as your session expires automatically.

·       Persistent cookies or log cookies: A persistent cookie or log cookie stores a file on your computer for the period specified in the expiration time. These cookies enable websites to remember your information and settings when you visit them again. This results in faster and more convenient access. For example, you do not have to change your language settings for our portal again. After the expiration time, the cookie is automatically deleted when you visit the website that created it.

·       Third-party cookies: Third-party cookies come from providers other than the website operator. They can be used, for example, to collect information for advertising, personalized content, and web statistics.

·       Flash cookies: Flash cookies are stored as data elements from websites on your computer when they are operated with Adobe Flash. Flash cookies have no time limit.

Our website also uses the web analytics tool Adobe Analytics to evaluate the use of the website. Data processing is carried out on the basis of your consent (Art. 6 (1)(a) GDPR).

For evaluation purposes, cookies are stored on your device and information is collected, which is also stored on servers of our processor Adobe Systems Software Ireland Limited ("Adobe"). Access to the information by Adobe Systems Incorporated, a company based in the USA, cannot be ruled out. EU standard contractual clauses have been concluded to ensure adequate data protection for processing in non-EU countries. You have the right to be informed about these standard contractual clauses within the scope of the information provided.

A direct link between the information stored on Adobe's servers and you as an individual is excluded, as Adobe Analytics is used with the settings "Before Geo-Lookup: Replace visitor's last IP octet with 0" and "Obfuscate IP-Removed." The setting "Before Geo-Lookup: Replace visitor's last IP octet with 0" ensures that the IP address is anonymized by replacing the last octet of the IP address with zeros before the so-called geo-lookup (geolocation) is performed. The approximate location of the user is added to the tracking package, which still contains the complete IP address, for statistical evaluation. Before the tracking package is saved, the IP address is replaced by a single fixed IP address (referred to as a generic IP address) if the setting "Obfuscate IP-Removed" is configured. This means that the IP address is no longer contained in a stored data record.

II. Use of cookies on this website

Below is a list of all cookies used on this website and in the Data Act Portal:


E. Who receives your data?

Within VW GIS AG, only those departments that need your data to fulfill the above-mentioned purposes will have access to it.

Data will only be transferred to third parties if this is necessary for the aforementioned purposes and there is a legal basis for doing so or you have given your prior consent. If VW GIS AG has commissioned service providers to process data or provide related services, the data will generally be transferred on the basis of a data processing agreement in accordance with Art. 28 GDPR or professional obligations that guarantee an adequate level of data protection. We select our processors carefully; they process personal data exclusively for the purpose of fulfilling their assignments and are contractually bound to our instructions, have appropriate technical and organizational measures in place to protect personal data, and are regularly monitored by us.  

The following categories of recipients may receive data:

·     Service providers/suppliers

o   Hosting service providers

o   Technical support service providers

o   Consulting companies/service providers

o   Technical development service providers

·     Government

o   Supervisory authorities

o   Police/investigative authorities/courts

·     Legal, economic, and financial representatives

o   Auditing companies/tax advisors

o   Lawyers/notaries

·     Group companies

F. Will your data be transferred to a third country or to an international organization?

As a rule, your data will only be processed within the European Union or the European Economic Area. If processing takes place in third countries (i.e. countries that are neither members of the European Union nor the European Economic Area) for which the European Commission has not determined an adequate level of data protection, e.g. in the case of data processing by our (sub-)processors, we ensure that contractual, technical, and/or organizational measures are taken that are appropriate and necessary to ensure an adequate level of data protection when processing your data. This can be done in particular by concluding so-called EU standard contractual clauses, which you can access here. If processors or sub-processors based in the US are certified under the EU-US data protection framework, the EU-US adequacy decision applies and the US is considered a safe third country in this respect.

You can obtain a copy of the specific measures we have taken to ensure an adequate level of data protection from us. Please use the contact details in section H for this purpose.

G. How long will your data be stored?

We process and store your data for the purposes specified above for as long as necessary. Once the purpose has been fulfilled and there are no retention obligations, the data is generally deleted. Cookies that you do not delete expire after the period specified in Section D.

In addition, we are subject to various storage and documentation obligations, which arise from the German Commercial Code (HGB) and the German Fiscal Code (AO), among other sources. The storage and documentation periods specified therein are up to 15 years for VW AG for the purposes at hand.

Finally, the storage period is also determined by the statutory limitation periods, which, for example, according to Sec. 195 et seq. of the German Civil Code (BGB), can generally be three years, so that we store the relevant data for up to four years, taking into account the year in which the claim may have arisen.

H. Data protection officer and rights of data subjects

If you have any general questions about this privacy notice or the processing of your data by VW GIS AG, you can contact our data protection officer:

·       Post: Volkswagen Group Info Services AG, Data Protection Officer, Berliner Ring 2, 38440 Wolfsburg, Germany,

·       Email: gis-privacy@cariad.technology.

Please note that when using the above email address, your request may not only be seen by the data protection officer. If you wish to contact the data protection officer confidentially, please send a separate email in advance.

I. What are your rights?

Under the respective legal conditions, you have the following rights vis-à-vis us:

·       Right of access (Art. 15 GDPR)

·       Right to rectification (Art. 16 GDPR)

·       Right to erasure or "right to be forgotten" (Art. 17 GDPR)

·       Right to restriction of processing (Art. 18 GDPR)

·       Right to data portability (Art. 20 GDPR).

Right to object

You have the right to object to the processing of your data

·       if the processing is carried out for direct marketing purposes (including profiling for direct marketing purposes) or

·       if the processing (including profiling) is necessary for the purposes of the legitimate interests pursued by us or by a third party (Art. 6 (1)(f) GDPR) or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (Art. 6 (1)(e) GDPR). In the event of such an objection, we ask you to inform us of the reasons for your objection to the processing of your data. In the event of your objection, we will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

Please send your objection and, if necessary, the reasons for it to VW GIS AG using the contact details provided in Section H. II.

Furthermore, you have the right to contact a data protection supervisory authority at any time in accordance with Art. 77 GDPR if you believe that the processing of your data violates applicable law. The address of the data protection supervisory authority responsible for VW GIS AG is:

Der Landesbeauftragte für den Datenschutz Niedersachsen
 Prinzenstraße 5
 30159 Hanover
 Germany

However, you may also lodge a complaint with any other data protection supervisory authority within or outside the EU, in particular with the supervisory authority in the Member State of your habitual residence, your place of work or the place of the alleged infringement. The contact details of national data protection supervisory authorities in all member states can be found at the following link: https://edpb.europa.eu/about-edpb/board/members_en.

II. Exercising your rights

Please send your requests to exercise your rights in relation to your participation in the testing of the Data Act Portal to dataprivacy@volkswagen.de and inform us of your participation in the testing in your request.

 

Status of the privacy notice: July 2025