General Data Protection Notice for Customers and Business Partners
I. Introduction and scope
This General Data Protection Notice (the “Notice”) applies to the processing of personal data by ZF Friedrichshafen AG and its affiliates in the EU, UK and Switzerland as part of the worldwide ZF Group (“ZF Group”). For purposes of this Notice, affiliates means any company with respect to which ZF Friedrichshafen AG owns, directly or indirectly, more than 50% of the shares (together, “ZF”).
ZF considers protecting the personal data of all customers and business partners to be an important priority. This includes consumers as end-use customers and employees of our business partners in their role as contact persons and representatives in the context of a business relationship.
ZF is committed to processing Personal Data responsibly and in compliance with the applicable data protection laws in all countries in which ZF operates. This Notice describes the types of Personal Data ZF collects, how ZF uses that Personal Data, with whom ZF shares your Personal Data, and the rights you, as a Data Subject, have regarding ZF’s use of the Personal Data. This Notice also describes the measures ZF takes to protect the security of the data and how you can contact us about our data protection practices.
II. Contact details of the Data Controllers
The legal entities responsible for the collection and use of your Personal Data (the “Data Controllers”) in your home country for the purposes described in this Notice are contained in the attached Annex 1.
III. Contact details of the Data Protection Officer
A Data Protection Officer (“DPO”) is designated for each legal entity where required by applicable law. The DPO is involved in all issues related to the protection of your Personal Data. In particular, the DPO is in charge of monitoring and ensuring compliance with this Notice and the applicable data protection laws. For any comments or questions you may have regarding this Notice, please contact the ZF Group Coordinator for data protection, who is also the DPO of ZF Friedrichshafen AG, Ms. Silke Wolf, at the following address:
ZF Friedrichshafen AG
Corporate Headquarters / ZF Forum
Löwentaler Straße 20
You may also contact the ZF Group Coordinator for data protection by e-mail at email@example.com.
IV. Categories of Personal Data processed
We process the following Personal Data for a number of business purposes that we list further below:
- General identification information – ZF may process your name, contact information (including home address, home phone number and mobile phone number), citizenship and country of residence, date of birth, gender and languages spoken.
- Professional information – ZF may process information related to your profession including (without limitation) your job title, professional email address and phone number and your role/responsibility.
- Financial information – ZF may process financial information including (without limitation) your bank account number, credit card number, bank details and VAT number.
- Visitor information – ZF may process your name, contact details and car license plate when you visit ZF premises.
- Information you choose to share with ZF – ZF may process Personal Data you choose to share with ZF, including (without limitation) information you share when you contact our customer support service.
- Information relating to sourcing and procurement – when you provide services or sell products to ZF or when ZF provides services or sells products to you, ZF may process information necessary for the provision of the services or the selling of the products including (without limitation) your contact details and financial details.
- Warranty information – ZF may process your name, contact details, financial information and information on the product(s) purchased when you submit a warranty request.
- CCTV footage – ZF may process footage of you obtained through our use of CCTV surveillance systems at our premises. For more information, please consult the specific data protection notices displayed at our premises.
- Survey results – ZF may process your responses to questions in our customer surveys.
- Information collected through your use of ZF apps – ZF may process Personal Data relating to your use of ZF apps. For more information, please consult the specific data protection notices of the respective ZF app.
- Passwords or other personal identifiers – ZF may process the password or other personal identifier that you use when you register on a ZF website, platform or device and help you register if you forget such password or personal identifier. For more information, please consult the specific data protection notices of the respective ZF website, platform or device.
- Proof of identity – ZF may, in certain circumstances, ask for a copy of your identity card or other proof of your identity (e.g. driver’s license) when you send a data privacy request to ZF.
- Website information – ZF may process information related to your use of ZF websites including (without limitation) your browser type and version, your browsing history and the pages you accessed on a ZF website. For more information, please consult the specific data protection notices of the respective ZF website.
- Data from an end-use customer’s vehicle consisting of the vehicle identification number (VIN), the license plate number, as well as transmission records and other vehicle-generated data related to an individual person’s driving style.
The Personal Data processed is limited to the data necessary for carrying out the business purpose for which such Personal Data is collected. ZF will maintain Personal Data in a manner that ensures it is accurate, complete and up-to-date.
ZF will collect the Personal Data as a general rule directly from the Data Subject. However, in line with legal provisions, data may also be collected from third parties. In particular, this applies to data regarding an end-use customer’s vehicle in the event that automotive manufacturers return to ZF products that have been sold to them to be incorporated in their vehicles.
V. Purposes of data processing and legal bases
ZF processes Personal Data in accordance with applicable data protection laws and regulations and only for limited, explicit and legitimate purposes. ZF will not use Personal Data for any purpose that is incompatible with the original purpose for which it was collected unless you provide your prior explicit consent for further use.
Personal Data relating to customers and business partners may be processed for the purposes of:
- Development and management of customer/business partner relationship
- Internal administration purposes (including maintenance of accurate accounts payable and receivable records)
- Customer support service
- Corporate housekeeping
- Contract management
- Product, warranty and claims administration
- Order processing and order fulfilment
- Demand planning and production
- Dispute management and litigation
- Training and certification
- Sourcing and procurement
- Business development
- Compliance with labor, tax and social security laws and other legal or regulatory requirements (e.g. meeting governmental reporting and records requirements)
- Research, development and improvement of ZF products and services (including sales and market research, e.g. through surveys)
- IT support
- Public relations
- Direct marketing
- Facilities, security and contingency planning purposes
- Network and device usage optimization and related security controls (including access to myWABCO)
- Preventing, detecting and investigating fraud
- To monitor and enforce compliance with ZF policies and procedures
- To monitor and enforce compliance with legal requirements applicable to ZF or contractual obligations (including the requirements set out in your contract with ZF)
- To perform internal and external audits
- To conduct corporate transactions (including mergers, acquisitions and divestments)
- Managing product research and development (“R&D”)
- Product support and maintenance, failure diagnostics and identification of fault patterns.
The Personal Data is collected and processed on the following legal bases:
- if it is necessary for performing a contract you have concluded with ZF (e.g. if you sell a product to ZF, ZF needs your bank account number in order to pay for the product);
- if it is necessary for complying with a legal obligation that applies to ZF (e.g. ZF may need to collect your VAT number to meet its tax obligations);
- if it is necessary for pursuing ZF’s legitimate interests, considering these interests are not overridden by your fundamental rights and freedoms (e.g. if ZF needs certain of your Personal Data for internal administrative purposes, for ensuring network and information security and to improve its products and services);
- when you consented to this (e.g. when you consented to receiving a ZF newsletter).
VI. Data Security
ZF has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The risk analysis includes an analysis of the risk of compromising the rights of the Data Subject, costs of implementation, and the nature, scope, context and purposes for data processing.
The measures include:
(i) encryption of personal data where applicable/appropriate;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
VII. Recipients of Personal Data
ZF Friedrichshafen AG is the corporate headquarters of the ZF Group. Due to shared corporate IT systems within the ZF Group and because of the international nature of our business, Personal Data collected and processed by ZF Friedrichshafen AG and its subsidiaries (“ZF legal entities”) can be shared with or accessed by other ZF legal entities of the ZF Group for the purposes above. A data transfer to ZF legal entities outside of the EU and the UK will only occur under the provisions for international data transfers laid out in Section VIII of this Notice (see below). An overview of the ZF legal entities that are part of the ZF Group can be found at:
Further, ZF may share your Personal Data with:
- Suppliers of IT and collaboration related services;
- Banks and insurers;
- Providers of sales related services;
- Providers of marketing, research and communications related services;
- Providers of training related services;
- Professional advisers;
- Law enforcement authorities (including police and judicial authorities);
- Other public authorities (including social security and tax authorities).
ZF will also disclose your Personal Data to third parties:
- in the event that ZF sells or buys any business or assets, in which case ZF may disclose your Personal Data to the prospective seller or buyer of such business or assets;
- if ZF or substantially all of its assets are acquired by a third party, in which case the Personal Data ZF holds about you may be one of the transferred assets;
- if ZF is under a duty to disclose or share your Personal Data in order to comply with any legal obligation or to protect the rights, property or safety of ZF, its customers or others. This includes exchanging Personal Data with public authorities (including judicial and police authorities) in the event of, for example, a cyber security incident; and
- if you specifically consented thereto.
When disclosing your Personal Data to third parties that will process your Personal Data on ZF’s behalf, your Personal Data will only be disclosed to carefully selected data processors acting on the basis of ZF’s instructions to comply with the applicable legal and contractual obligations.
VIII. International data transfers
International data transfers refer to transfers of Personal Data outside of the European Economic Area (“EEA”) and the UK. The international footprint of ZF involves the transfer of Personal Data to and from other group companies or third parties, which may be located outside the EEA and the UK, including the United States of America.
In case your Personal Data is transferred outside of the EEA and the UK, ZF will make sure that your Personal Data is protected by the following safeguards:
- the laws of the country to which your Personal Data is transferred ensure an adequate level of data protection (Article 45 of the EU General Data Protection Regulation (2016/679) (GDPR));
- the transfer is subject to data protection clauses approved by the European Commission (Article 46.2 GDPR) or is subject to the EU-US Privacy Shield (Article 45.1 of the GDPR); or
- any other appropriate safeguards under Article 46 GDPR.
If you wish to receive more information relating to the transfers of your Personal Data outside the EEA and the UK and/or the safeguards that have been implemented (including on how to receive a copy of these), you can contact the ZF Group Coordinator for Data Protection (see Section III. above).
IX. Retention of Personal Data
ZF will not retain your Personal Data for longer than is allowed under the applicable data protection laws and regulations or for longer than is justified for the purposes for which it was originally collected. As a general rule, collected data will be deleted as soon as there no longer exists a business relationship with the customer/business partner or in the event of communication inactivity for a period of 2 years. However, collected data may be subject to retention requirements pursuant to applicable legal provisions. In other cases, Personal Data may be stored and retained for as long as the statutory period of limitations with regard to legal claims against ZF has not expired.
X. Data protection rights
Depending on and subject to applicable laws, you have certain rights regarding the Personal Data ZF holds about you:
- you have the right to access the Personal Data ZF keeps about you – this is because ZF wants you to be aware of the Personal Data ZF has about you and to enable you to verify whether ZF processes your Personal Data in accordance with the applicable data protection laws and regulations;
- you have the right, under certain circumstances, to block or suppress further use of your Personal Data. When the processing is restricted, ZF can still store your Personal Data, but can no longer use it;
- if your Personal Data is inaccurate or incomplete, you have the right to request the rectification of your Personal Data;
- you have the right, under certain circumstances, to request the deletion or removal of your Personal Data from ZF systems;
- if ZF’s processing of your Personal Data is based specifically on your consent, you have the right to withdraw that consent at any time. This includes your right to withdraw consent to ZF’s use of your Personal Data for direct marketing purposes;
- you have the right to obtain from ZF, under certain circumstances, your Personal Data in a structured, commonly used and machine-readable form so you can reuse it for your own purposes across different services;
- you also have the right to object to certain types of processing, including processing for direct marketing purposes.
However, note that ZF may need to retain certain Personal Data, for example for legal or administrative purposes (e.g. keeping of accounting records).
You can exercise these rights at any time by contacting the ZF Group Coordinator for data protection (see Section III. above). For all requests set out above, please send us a letter or email with “Data Subject Request” in the subject line. You also have the right to lodge a complaint about the way ZF handles or processes your Personal Data with your national data protection authority.
XI. Notice Compliance and Contact Information
Monitoring and ensuring compliance of the Personal Data processing within ZF with this Notice and applicable data protection laws and regulations is the responsibility of the ZF Group Coordinator for data protection and of your local DPO, where applicable.
You may contact the ZF Group Coordinator for data protection with regard to any issue related to processing of your Personal Data and to exercise your rights as mentioned above.
This Notice will be effective as of 15 March 2020 and will be applicable to ZF (see Section I. above for a precise definition of the scope).
This Notice may be revised and amended from time to time and appropriate notice about any amendments will be given.
ZF is allowed to adapt the text of this Notice only in order to be compliant with local legislation by means of an addendum attached to this Notice. In case of any discrepancies between this Notice and a specific local addendum made in accordance with local law, the terms of the latter will prevail.