1. INTRODUCTION

Data privacy is a fundamental principle in modern society. Data privacy is not—unlike the term may first suggest—all about data but about the people of whom information (data) is processed. Data privacy is a fundamental right that refers to the protection of the personal rights of natural, living people. Every person should have the opportunity to decide who gets which information about him on which occasion (informational self-determination). 

 

BMW India Private Limited and BMW India Financial Services Private Limited (“BMW Group India”) have created this policy to demonstrate their commitment to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Rules”) and also to BMW’s global policy for data privacy and protection. 

 

BMW Group India recognises the importance of “personal information,” including “sensitive personal information,” provided by natural persons under a lawful contract. BMW Group India intends to take reasonable measures to keep such information confidential and may share it with its affiliates and third parties under appropriate arrangements and under the applicable laws and policies.

 

 

2. DEFINITION

2.1 “Personal Data” means any information concerning the personal or material circumstances of an identified or identifiable individual, e.g., name, address, bank details, etc. It can be with reference to employees, customers, suppliers, shareholders, etc. 

A person is considered to be identifiable if they can be identified directly or indirectly. 

2.2 Employees are identified or identifiable persons who are employed by respective BMW Group India companies, including partners associated with them. 

2.3 “Customers” are identified or identifiable natural persons who show BMW Group India that they have an obvious interest in concluding a contract for the purpose of acquiring a product or a service or, as the case may be, that they are the recipient of a product or service provided by BMW Group India. 

2.4 “Processing” is any operation or set of connected operations performed using personal data, whether with or without the help of automatic means. This includes collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure, or destruction. 

2.5 “Rendering Anonymous” means the alteration of personal data so that the details about personal or material circumstances can no longer be matched to an identified or identifiable natural person or could be so matched only by expending a disproportionate amount of time, expense, and effort. 

2.6 “Pseudonymizing” means replacing identifying features with a code in order to make identification of the data subject impossible or considerably more difficult. 

2.7 “Sensitive Personal Data”, for the purposes of this policy, refers to such personal information about a natural person, which consists of information relating to:

1. 
   a) password; b) financial information such as bank account, credit card, debit card, or other payment instrument details; c) physical, physiological, and mental health condition; d) sexual orientation; e) medical records and history; f) biometric information; g) any detail relating to the above clauses as provided to us for providing services; and h) any of the information received under any of the above clauses by us for processing, storing, or processing under a lawful contract or otherwise. 

Any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005, or any other law for the time being in force shall not be regarded as sensitive personal information for the purposes of this policy. 

2.8 “Provider” for the purpose of this policy refers to a natural person or individual who provides personal information or sensitive personal data or information directly under a lawful contract to BMW Group India.

3. PURPOSE AND USAGE

The provider’s personal information or sensitive personal data is collected, used, and processed for lawful, legitimate, contractual, and administrative purposes by BMW Group India. 

Generally, the personal information or sensitive personal data collected pertains to the provider and may be used for purposes such as administration and facilitation of relationships with customers, employees, suppliers, etc. for internal operational purposes, for marketing surveys and customer research and feedback, warranty services, to update with information about BMW Group India and the products and services, to provide information about special offers from time to time, and to satisfy legal and regulatory obligations. 

The personal information and sensitive personal data collected pertaining to the staff or employee may be used for human resource management, technology support and updates, management planning, administration, and management of the internal processes, services, and operations to enable BMW Group India to perform its proper functions and satisfy its legal and regulatory obligations. 

The personal information or sensitive personal data (as per the rules) can be collected or retained either directly by BMW Group India or through an affiliate or third party, as per the procedure prescribed by the rules.

4. DISCLOSURE TO THIRD PARTIES

The personal information and sensitive personal data collected would only be used, processed, and/or shared within the affiliates and/or group companies, authorised BMW and MINI dealers, and other authorised business partners. 

BMW Group India would not disclose any personal information or sensitive personal data to any external organisation unless it has the consent of the provider, is required by law, or has previously informed the provider. 

Notwithstanding anything in Article 4 to the contrary, if BMW Group India is, in the opinion that it is required by applicable law or government authority, to disclose any personal information or sensitive personal data to any person, then it may disclose such information only to the extent so required.

5. SECURITY PRACTICES AND PROCEDURES

BMW Group India has in place a security system to ensure that personal information is protected from unauthorised access, use, disclosure, or alteration by anyone, including the employees of BMW Group India. 

BMW Group India undertakes a number of security measures to maintain the safety of the provider’s personal information, which include the use of: physical secure data centres and premises; internal security policies and procedures; defined internal segregation of duties; and electronic access controls such as passwords and encryption technology. Our information security management system follows the international standard ISO 27001.

SECURITY PRACTICES:

Data economy: access to personal data is granted only to personnel on a need-to-know basis. Redundant data may not be stored, and personal data from the concerned department shall not be exported to other applications unless absolutely necessary. Where it is not necessary to know the identity of the data subject, the personal data shall be processed in pseudonymized form or in a form that has been rendered anonymous. 

Purpose Limitation: Data collected for a particular purpose shall be used for that purpose only and shall not be used for any other purpose without the consent of the data subject or other legal permission. 

Deleting/Archiving Data: Once the purpose of the processing of personal data is fulfilled, such data must immediately be deleted or, as the case may be, access thereto blocked in compliance with the obligations to retain records prescribed by law or agreed within the BMW Group India. This obligation to delete data does not apply to data that has been rendered anonymous. In exceptional cases where required, such information shall be dealt with on a case-by-case basis by the concerned department and as per applicable laws.

6. NO OBLIGATION TO PROVIDE PERSONAL INFORMATION

The Provider is under no obligation to provide any personal information requested by BMW Group India, and a Provider can withhold any personal information as he or she may choose, but in such a case, BMW Group India may not be able to provide all products and services as this will depend on the kind of information withheld. 

The provider can opt out at any time online by accessing the unsubscribe form. A minimum period of ten business days is required to process the requests. 

The provider may review the personal information and sensitive personal data provided to BMW Group India for the purpose of ensuring that the said information is accurate. BMW Group India shall not be responsible for the authenticity of the information supplied to BMW Group India or to any person acting on behalf of BMW Group India.

CONTACT US

BMW Group India strives to maintain the provider’s personal information on the records as accurately and reasonably as possible. On request, the details on record, the purpose for which it is used, and to whom it has been disclosed can be provided. Access to personal information in the possession of BMW Group India shall be subject to certain exceptions and reasonable costs. 

If the personal information that an entity of BMW Group India holds about the provider is incorrect or changed, then the provider can notify the respective entity of BMW Group India of such changes. Additionally, any discrepancy or grievance of the provider of information with regard to the processing of information can be addressed to the following contact: 

BMW India Private Limited 

info.blr@mini-kunexclusive.in

BMW Group India reserves the right to modify, cancel, add, or amend this policy.