Privacy Policy

We, Dr. Ing. h.c. F. Porsche AG (hereinafter "we" or "Porsche AG"), appreciate your usage of the Porsche Skyway Platform (Skyway) and your interest in our company and our products. Your privacy is important to us. We therefore take the protection of your personal data and its confidentiality very seriously. Your personal data is processed only within the scope of the statutory provisions of data protection law, in particular the EU General Data Protection Regulation (hereinafter "GDPR"). In this Privacy Policy we provide you with information about the processing of your personal data and your rights as a data subject within the scope of the use of Skyway. If you wish to obtain information on other products and services offered by other Porsche group companies, please refer to the respective privacy policy for these services or Porsche group companies.

If we link from external social media sites to this Privacy Policy, the following provisions shall only apply as far as data processing in connection with those social media sites is actually within our sphere of responsibility and if no more specific and, thus, prevailing privacy policy is provided in connection with those social media sites.

1. Data controller and data protection officer; contact data

The controller within the meaning of data protection legislation is:

Dr. Ing. h.c. F. Porsche AG
Porscheplatz 1
70435 Stuttgart
Germany
Phone: (+49) 0711 911-0
E-Mail: info@porsche.de

Please do not hesitate to contact us if you have questions or suggestions relating to data protection.

You can reach our data protection officer via:

Dr. Ing. h.c. F. Porsche AG
Data Protection Officer
Porscheplatz 1
70435 Stuttgart
Germany

Contact: https://www.porsche.com/international/privacy/contact/

2. Subject matter of data protection

The subject matter of data protection is the protection of personal data. This is all the information that relates to an identified or identifiable natural person ("data subject"). This covers, for example, information such as name, postal address, e-mail address or telephone number as well as information that is necessarily generated during your use of Skyway, such as details about the start, end and scope of use and the transmission of your IP address.

3. Type, scope, purposes and legal bases for automated data processing

Certain parts of Skyway can be used without registering. Even if you use Skyway without registering, personal data may still be processed.

An overview of the type, scope, purposes and legal bases for automated data processing within the scope of Skyway is provided below. Please refer to Section 4 below for information on the processing of personal data when specific services and functions are used.

3.1 Provision of the Skyway

When you access Skyway with your device, we will process the following information:

• preferred language
• date and time of access
• the functions / systems that you use
• browser (http user agent)
• content of access cookie
• username
• referrer-URL
• loadbalancer IP-address
• date of joining
• date of last activity

We process this data based on Article 6 (1) (f) GDPR to provide the Skyway, to ensure its technical operation and to identify and remedy errors. In this regard, we pursue the interest of enabling the use of Skyway and its uninterrupted technical operability. When Skyway is accessed, this information will be automatically processed. You cannot use Skyway, unless this information is provided. We do not use this data for the purpose of drawing conclusions on you or your identity.

3.2 Cookies

When you visit Skyway, "cookies", which are usually small files, may be stored on your device in order to provide you with a comprehensive scope of functionality, to enhance the user experience and to optimize our services. If you do not wish to allow the use of cookies, you can prevent them from being stored on your device by configuring the relevant settings in your device and/or internet browser or using the specific opt-out options. Please note that the operability and functionality of our service may be constrained as a result. Please refer to our Cookie Policy for details on the type, scope, purposes, legal bases and opt-out options for data processing in connection with cookies (see document below).

4. Specific services and functions

To register a user account for Skyway only the mandatory fields mentioned in 4.1 are necessary. It may occur that you are able to enter optional personal data in other systems that are integrated into Skyway. When you register for and use the services and functions below, we capture, process and use the personal data outlined below.

In order to use the services and functions specified below, we capture, process and use the personal data as follows:

4.1 Creating and editing the user profile

In order to use Skyway and to login via Single-Sign-On (SSO) to all the integrated subsystems, you have to register an individual user account. Based on the information that you have provided, your Skyway Manager or Skyway Coordinator has triggered the creation of your user account.

Mandatory registration data

When registering and creating a user profile, the following mandatory information is required:

• email address
• first name
• last name
• username

It is not possible to register and create a user profile, unless this mandatory data is provided.

The creation and processing of personal data in your user profile is necessary in order to uniquely identify you in the system and to be able to perform administrative actions on your user profile. We process this data on the basis of Article 6 (1) (f) GDPR for the purposes of safeguarding our legitimate interests or the legitimate interests of third parties. These legitimate interests include, in particular, ensuring actions are lawful, preventing and protecting against legal violations (in particular criminal offenses), asserting and defending against legal claims when using the Skyway as well as guaranteeing the availability, operation and safety of technical systems as well as technical data management. Please note that all voluntary information is not required to use the Skyway and you alone must decide whether you wish to provide us with this data.

4.2 Controlling access rights

In the Skyway, you obtain access to other Skyway online systems through membership of authorization groups and system access. For the unique assignment of your Skyway user profile to an authorization group, your user profile must be linked with this group. Please note that this information can be accessed by group administrators. We process this data on the basis of Article 6 (1) (f) GDPR for the purposes of safeguarding our legitimate interests or the legitimate interests of third parties. These legitimate interests include, in particular, ensuring actions are lawful, preventing and protecting against legal violations (in particular criminal offenses), asserting and defending against legal claims when using the Skyway as well as guaranteeing the availability, operation and safety of technical systems as well as technical data management.

4.3 Viewing rights and search function

Based on the existing viewing rights concept within the Skyway, users can find their own as well as subordinate (e.g. on the basis of a contract) organizations and view their profiles.

This is necessary for execution of the available administrative functions. These include, primarily:

• authorization management
• organizational management
• user management and, specifically, certificate management, master data management, task management

We process this data on the basis of Article 6 (1) (f) GDPR for the purposes of safeguarding our legitimate interests or the legitimate interests of third parties. These legitimate interests include, in particular, ensuring actions are lawful, preventing and protecting against legal violations (in particular criminal offenses), asserting and defending against legal claims when using the Skyway as well as guaranteeing the availability, operation and safety of technical systems as well as technical data management.

4.4 Reporting

Every administrative action within the Skyway can still be traced after execution by administrators. Details of which administrator performed which action on which user and at which time can be viewed in a report.

We process this data on the basis of Article 6 (1) (f) GDPR for the purposes of safeguarding our legitimate interests or the legitimate interests of third parties. These legitimate interests include, in particular, ensuring actions are lawful, preventing and protecting against legal violations (in particular criminal offenses), asserting and defending against legal claims when using the Skyway as well as guaranteeing the availability, operation and safety of technical systems as well as technical data management.

4.5 Transmission and processing in subsystems

On the basis of the authorization groups assigned to you, you have access to various Skyway online systems. The data specified in 4.1 is sent to the respective system, where it is processed. In your user profile, you can see which systems you have authorization for and request changes from the respective system administrators at any time.

However, the system administrator is responsible for the processing of personal data within these Skyway online systems.

We process this data on the basis of Article 6 (1) (f) GDPR in order to enable you to work on the respective subsystems.

5. Safeguarding legitimate interests

We process your personal data for safeguarding our legitimate interests. In addition to our interests specified in the description of the specific services and functions under Section 4 above, data processing in connection with our Skyway and/or following your registration will be based particularly on the following interests:

• Further development of products, services, professional services and support services and any other measures for controlling business transactions and processes;
• Improvement of product quality, rectification of errors and defects,
• Risk management and coordination of recall actions;
• Ensuring legally compliant actions, prevention of and protection against violations of the law (in particular, criminal offences), exercise or defense of legal claims;
• Ensuring the availability, operation and security of technical systems and technical data management.

Your data will be processed pursuant to Article 6 (1) (f) GDPR in each of these cases. However, the system owner of each Skyway subsystem is responsible for the processing of the specific personal data.

This data is being processed based on Article 6 (1) (f) GDPR, in order to allow you to work in each subsystem.

6. Recipients of personal data

Internal recipients: Within Porsche AG, the only individuals who have access are those who need it for the specified purposes.

External recipients: We only disclose your personal data to external recipients outside Porsche AG if this is necessary for administering or processing your enquiry, if another legal authorization exists or if we have obtained your consent.

External recipients may include:

• Processors
  Group companies of Porsche AG or external service providers that we use to provide services, for example, in the areas of technical infrastructure and maintenance for the Porsche AG service or the provision of content. We carefully select and inspect these processors on a regular basis to make sure that your privacy is safeguarded. The service providers may use the data only for the purposes we have specified and in accordance with our instructions.
• Public bodies
  Public authorities and governmental institutions such as fiscal authorities, public prosecutors or courts to which we (are required to) transfer personal data for compelling legal reasons or for safeguarding legitimate interests. In that case, the transfer will be based on Article 6 (1) (c) and/or (f) GDPR.
• Private bodies
  Porsche dealers and service centers, cooperation partners, service providers or parties to whom data is transferred based on your consent to fulfill a contract with you or to safeguard legitimate interests, for example, Porsche centers and Porsche service centers, lending institutions, transport service providers or providers of comparable services. The data is transferred based on Article 6 (1) (a), (b) and/or (f) GDPR.

7. Data processing in third countries

If data is transferred to bodies whose headquarters or place of data processing is not located within a member state of the European Union or within a country that is a signatory to the treaty on the European Economic Area, we will ensure prior to such transfer – unless any of the legally permissible exceptions applies – that the recipient maintains an adequate level of data protection (e.g. based on an adequacy decision by the European Commission, through sufficient guarantees such as a self-certification of the recipient under the EU–U.S. Privacy Shield or the use of EU Standard Contractual Clauses) or that you give your consent prior to such data transfer.

We can provide you with an overview of the recipients in third countries and a copy of the specifically agreed safeguards to ensure the adequate level of data protection. To obtain these, please use the contact details specified in Section 1.

8. Storage period, deletion

Unless information on the specific storage period and/or deletion of data is given in the description of the specific services and functions, the following will apply:

We will store your personal data only as long as required for the intended purposes or – if consent was given – as long as you do not withdraw your consent. If you should object to data processing, we will erase your personal data, unless its further processing is permissible under the applicable statutory provisions. We will also erase your personal data if we are obligated to do so subject to other statutory requirements.

Based on these general principles, we will usually delete your personal data without undue delay,

• if the legal basis ceases to apply and provided that no other legal basis (e.g. commercial law and tax law retention periods) applies. In the latter case, we will delete the data once other legal basis ceases to apply.
• if we no longer need the data for the purposes of entering into or performance of a contract or for legitimate interests and if no other legal basis (e.g. commercial law or tax law retention periods) applies. In the latter case, we will delete the data once the other legal basis ceases to apply.
• if the purpose of data collection ceases to apply and if no other legal basis (e.g. commercial law or tax law retention periods) applies. In the latter case, we will delete the data once the other legal basis ceases to apply.

9. Rights of data subjects

As a data subject you have numerous rights. Specifically:

Right of access:

You have the right to obtain information from us about the data that we have stored about you.

Right to rectification and erasure:

You have the right to demand that we rectify incorrect data and – provided the legal requirements are met – that we erase your data.

Restriction of processing:

You have the right – provided the legal requirements are met – to demand that we restrict the processing of your data.

Data portability:

If you have provided us with data based on a contract or consent and if the statutory requirements are met, you have the right to obtain the data provided by you in a structured, commonly used and machine-readable format or you may demand that we transfer this data to another controller.

Objection to the processing of data on the legal basis of "legitimate interest":

If reasons exist that are based on grounds relating to your particular situation, you may object at any time to the processing of personal data by us, to the extent that the "legitimate interest" is the legal basis for this objection. If you exercise your right to object, we will discontinue the processing of your data unless we can – pursuant to the legal requirements – prove compelling legitimate reasons for further processing overriding your rights.

Objection to cookies:

You may also object to the use of cookies and cookie-like tracking technologies at any time. For details on how to object, please refer to our Cookie Policy.

Withdrawal of consent:

If you have given us consent to process your data, you may withdraw this consent at any time with effect for the future. The lawfulness of the processing of your data prior to the withdrawal remains unaffected.

Right to lodge complaints with the supervisory authority:

You may also lodge a complaint with the competent supervisory authority if you believe the processing of your data to breach applicable laws. To do so, you may contact the data protection authority that is competent for your habitual residence or country or the data protection authority that has competence over us.

Contacting us:

Furthermore, if you should have any questions on the processing of your personal data, your rights as a data subject or any consent that may have been granted, you may contact us free of charge. If you wish to exercise any or all of your rights mentioned above, please use our contact form or write a letter to the postal address specified in Section 1 above. In that case, please ensure that we will be able to identify you.

10. Links to third-party services

Websites and services delivered by other providers that are linked to by Skyway have been and are designed and provided by third parties. We have no control over the design, contents and functionality of these third-party services. We expressly distance ourselves from all content in linked third-party services. Please note that the third-party services linked to from Skyway may install their own cookies on your device or collect personal data. This is beyond our control. If necessary, please contact the providers of these third-party services for further information.

11. Version

This Privacy Policy shall apply as amended or revised. Last revised: [2020/03/24].