Privacy Policy

A. Controller

Thank you for choosing to visit a Volkswagen AG web page. Volkswagen AG, Berliner Ring 2, 38440 Wolfsburg, vw@volkswagen.de, is listed in the register of companies of the District Court of Braunschweig under HRB 100484 ("Volkswagen AG"). In the following, we will provide you with information on how Volkswagen AG processes the personal data which is collected when you visit the web page.

B. Processing of your personal data

I. Public part of ONE Group Business Platform VWGroupSupply.com

If you visit the public part (accessible without registering) of Volkswagen AG’s ONE.Group Business Platform (ONE.KBP), we will automatically receive the following log data:

• An anonymous cookie ID

• The operating system and web browser you are using, and your selected screen resolution

• The date and time of your visit

• The pages you visit on our website

• The website from which you came to us

• The IP address of the device you are using to access the web page

We process this data on the basis of Article 6(1)(f) of the General Data Protection Regulation (GDPR) if you are acting as an employee of a Group company or as an employee of a business partner/third party and, if you are acting on your own behalf, on the basis of Article 6(1)(1)(b) GDPR, in order for us to provide ONE.KBP, ensure its technical operation and identify and eliminate malfunctions. In doing so, we are pursuing our interest in enabling the use of ONE.KBP and ensuring its long-term technical functionality. When you access ONE.KBP, this data is processed automatically. If you do not provide us with this data, you cannot use our services. We do not use this data to draw conclusions about you or your identity.

Volkswagen Group IT Services GmbH is based in Wolfsburg and assists us as a processor when processing your personal data.

The personal data we collect from you will remain in our data centre in Braunschweig during the processing and will be erased after 28 or 90 days.

The data processing described above is carried out in the Procurement division under joint control with the Group companies. Volkswagen AG and the Group companies have concluded agreements within the meaning of Article 26 GDPR with regard to their joint control. We shall make the principal content of these agreements available on request. To do so, please use the contact options listed in the "Contact persons" section. A list of Group companies that are parties to the agreement on the joint control in the Procurement division can be found here.

II. Registering on the ONE Group Business Platform VWGroupSupply.com

During supplier self-registration, the registering party, as an employee of a partner company, registers their company in 6 steps in order to enable the company to participate in electronic business transactions with Volkswagen AG and the Group companies using ONE.KBP and the systems located there. Once registration is complete, the partner company is ready to go online and is granted access to the protected part of ONE.KBP, which can only be accessed using login details.

The personal data provided during registration for the protected area will be processed. These include your name, gender and professional contact details (address, email, phone, fax, division, department, responsibility). After the fourth step of registration, we will also process your user ID, login and logout times.

We process this data on the basis of Article 6(1)(f) GDPR if you are acting as an employee of a Group company or as an employee of a business partner/third party and, if you are acting on your own behalf, on the basis of Article 6(1)(1)(b) GDPR, in order for us to enable electronic business transactions between your company or you, if you are acting on your own behalf, and Volkswagen AG and the Group companies. This includes the purposes of unambiguous identification and establishing contact during the registration process, sending the password link, unambiguous identification during permissions management and business communication in subsequent registration processes. IT usage data is processed in order to ensure the confidentiality, integrity and availability of the data. The aim is to prevent potential security risks.

In the processing of your personal data, the following companies support us as processors:

• Volkswagen Group IT Services GmbH, Wolfsburg

• Volkswagen Group Services GmbH, Wolfsburg

• Volkswagen India Pvt. Ltd., Pune

• Volkswagen Servicios de Administración de Personal, S.A. de C.V., Puebla

• i3systems GmbH, Braunschweig

During registration, your personal data will also be transmitted to Volkswagen Group companies outside the European Union or the European Economic Area.

We have concluded a processing contract with each of our processors, including the corresponding EU standard contractual clauses for the transfer of personal data to processors in third countries (as an appropriate guarantee for data processing in non-European countries).

In addition, within the scope of the jointly controlled data processing operations described above, we will pass on your personal data to other Group companies which interact with us as part of your professional activity or business activities.

Within the framework of the agreements between Volkswagen AG and the Group companies relating to the joint control in the Procurement division within the meaning of Article 26 GDPR, an appropriate, uniform data protection level is guaranteed by the European Commission’s standard data protection clauses, in the same way as the processing contracts.

You can access these EU standard contractual clauses at EUR-Lex - 32021D0914 - EN - EUR-Lex (europa.eu).

Your personal IT usage data in log files will be erased 28 or 90 days after the creation of these files. The personal data of the registering party will be completely anonymised 2 years after registration has been completed. Your contact data that is stored in the supplier database will be erased if it is deleted by the responsible administrator in your company or is not confirmed by your administrator as part of the annual review cycle.

The data processing described above is carried out under joint control with the Group companies. Volkswagen AG and the Group companies have concluded agreements within the meaning of Article 26 GDPR with regard to their joint control. We shall make the principal content of these agreements available on request. To do so, please use the contact options listed in the "Contact persons" section. A list of Group companies that are parties to the agreement on the joint control in the Procurement division can be found here.

III. Protected part of ONE Group Business Platform VWGroupSupply.com

After logging into ONE.KBP, the protected area will allow you to access information pages and tasks and messages according to your permissions, and launch systems located on ONE.KBP. In addition, the protected area gives you the option of adjusting your personal settings so that you can configure your preferred applications and tools, as well as your email notification settings.

For this purpose, we process your user ID, name, permissions, and login and logout times.

We process this data on the basis of Article 6(1)(f) GDPR if you are acting as an employee of a Group company or as an employee of a business partner/third party and, if you are acting on your own behalf, on the basis of Article 6(1)(1)(b) GDPR, in order for us to safeguard electronic business transactions via ONE.KBP. We have a legitimate interest in using your data in the settings to enable you to adjust your personal settings. The legitimate interest in providing information pages, systems, tasks and messages is to provide you with the necessary information based on your permissions in relation to all of the work steps required for electronic business transactions.

We process your IT usage data such as permissions and login and logout times to ensure secure permission-based access to content and to safeguard the confidentiality, integrity and availability of data. The aim is to prevent potential security risks.

Volkswagen Group IT Services GmbH is based in Wolfsburg and assists us as a processor when processing your personal data.

The personal IT usage data in log files that we collect from you will remain in our data centre in Braunschweig during the processing and will be erased after 28 or 90 days. The data stored in the settings will be erased no later than 28 days after your user ID has been deleted as part of the permissions management.

The data processing described above is carried out under joint control with the Group companies. Volkswagen AG and the Group companies have concluded agreements within the meaning of Article 26 GDPR with regard to their joint control. We shall make the principal content of these agreements available on request. To do so, please use the contact options listed in the "Contact persons" section. A list of Group companies that are parties to the agreement on the joint control in the Procurement division can be found here.

IV. Connected applications

In the protected area of ONE.KBP, you will be able to access systems that are assigned to different business processes (e.g. finance, quality, logistics, procurement), depending on your permissions. The following section will provide you with a basic overview of these applications; for more detailed information, please refer to the privacy policies for the individual systems.

  • 1. What data do we process and what sources does it come from?

When you use IT systems on ONE.KBP, we process personal data that we obtain from you with your permission or that we collect about you in a permissible manner as part of our business relationship with you as a business partner or as an employee of a business partner, and as part of your interaction with us.

Relevant personal data includes the following:

Professional contact and (employment-related) organisational data (e.g. surname, first name, title, academic degree, gender, address, date and place of birth (for identification purposes, in particular for requesting user rights for IT systems), nationality (in order to take specific national legislation into account), name of the company that you work for along with the department and occupation, professional email address, phone number, address)

Information about private/professional relationships & characteristics (e.g. professional title, duties, roles, qualifications, training and further education details, data privacy declarations such as declarations of consent for the processing of personal data, language skills, activity-based assessments)

IT usage data (e.g. user ID, roles and rights, (system) permissions, login times, computer name, IP address, user-specific settings, change documentation, log data pertaining to the use of the One.Group Business Platform (anonymous cookie ID, operating system, web browser, screen resolution, date and time of visit, web pages accessed, referrer URL), etc.)

  • 2. For which purposes do we process your data and what is the legal basis for this?

We always process your personal data for a certain purpose and only to the extent that this is necessary for the fulfilment of this purpose.

a.The following outlines provide a more specific definition of the legal grounds on which – and the purpose for which – the personal data stated under Clause 2 may be processed. The data processing operations stipulated under b. are under the sole control of Volkswagen AG in terms of data protection. The data processing operations stipulated under c. are under the joint control of Volkswagen AG and other Group companies in terms of data protection.

b. Data processing under the sole control of Volkswagen AG

Purpose Examples Legal basis Legal basis Legitimate interest
in the balancing of interests
Establishing contact for the preparation, execution and termination of a business relationship between Volkswagen AG and the business partner for whom you work or, if applicable, with yourself outside of the context of the processes named under c. General communication

Processing of orders and acquisitions based on contracts (e.g. nomination agreement, framework agreement, order)

Enquiries pertaining to current orders (change requests, changes in capacity etc.)

Appointment scheduling, event/participant management

Invoicing between Volkswagen AG and the business partner, invoicing of service periods or settlement of expenses or costs

Contact person for the business relationship, divisions, departments, projects, cooperation between the business partners

Cooperation as part of the business relationship, projects
Contract initiation and performance (if you are acting on your own behalf, Article 6(1)(b) GDPR), balancing of interests (Article 6(1)(f) GDPR) Collaboration with business partners, practicable process organisation within the business relationship by making contact persons available, controlling and invoicing of contractual services
Execution and processing of Volkswagen AG procurement processes and internal processes for the execution of the business relationship outside of the context of the processes stated under c. Processing of orders and acquisitions based on contracts (e.g. nomination agreement, framework agreement, order)

Reporting

Administration

Compliance with control and reporting obligations under tax law, data archiving

Accounting, debt collection
Compliance with legal obligations (Article 6(1)(c) GDPR), performance of a contract (if you are acting on your own behalf Article 6(1)(b) GDPR), and balancing of interests (Article 6(1)(f) GDPR) Organisation of the processes within the business relationship, compliance with legal and regulatory requirements
IT administration not covered in the processes specified in c. User management (allocation of access rights, IT support, system access, permissions management)

Verification of changes to information in applications

Unambiguous identification of the user for the secure operation of applications

Identification of errors and guarantee of system security, including exposure and tracking of unauthorised access attempts and access to our web server
Compliance with our legal obligations in the area of data security (Article 6(1)(c) GDPR), performance of a contract (if you are acting on your own behalf, Article 6(1)(b) GDPR), balancing of interests (Article 6(1)(f) GDPR) Guarantee of security and integrity of processes when using our systems, rectification of errors and exposure and tracking of unauthorised access and/or access attempts
Project organisation and management Participation in projects

Exchanging information on projects with other business partners
Performance of a contract (if you are acting on your own behalf, Article 6(1)(b) GDPR), balancing of interests (Article 6(1)(f) GDPR) Cooperation with business partners
Taxes Identification and reporting of monetary benefits from benefits in kind

Legal documentation regarding recipients of hospitality and gifts
Compliance with our legal obligations in the area of taxes (Article 6(1)(c) GDPR)  
Internal Audit Regular and special audits

Internal investigations
Balancing of interests (Article 6(1)(f) GDPR) Checking compliance with the contractual and statutory obligations of Volkswagen AG, business partners and employees
Protection and defence of our rights or disclosure as part of official/judicial measures Exercise and assertion of rights and claims

Disclosure within the scope of official/judicial measures for the purposes of obtaining evidence, criminal prosecutions and the assertion of civil claims

Processing of requests of data subjects according to the GDPR, providing this data processing is under our sole control
Compliance with legal obligations (Article 6(1)(c) GDPR), balancing of interests (Article 6(1)(f) GDPR) Assertion and defence of our rights and compliance with legal and regulatory requirements
Prevention, combat and investigation of terrorist financing and criminal offences that endanger assets, checking European and international anti-terror lists
Checking anti-terror lists Compliance with legal obligations (Article 6(1)(c) GDPR), balancing of interests (Article 6(1)(f) GDPR) Compliance with legal and regulatory requirements
Retention and archiving Archiving based on retention obligations under tax and commercial law Compliance with legal obligations (Article 6(1)(c) GDPR), balancing of interests (Article 6(1)(f) GDPR)
Compliance with legal and regulatory requirements, internal guidelines and industrial standards
Prevention of fraud and money laundering   Compliance with legal and regulatory requirements (Article 6(1)(c) GDPR)
Compliance with legal and regulatory requirements
Conducting surveys and marketing campaigns Conducting surveys and market analyses Balancing of interests (Article 6(1)(f) GDPR), consent (Article 6(1)(a) GDPR)
Organisation of the processes within the business relationship

c. Data processing under the joint control of Volkswagen AG and Group companies belonging to the Volkswagen Group

Purpose Examples Legal basis Legitimate interest in the balancing of interests
Establishing contact for the preparation, execution and termination of a business relationship between Volkswagen AG or a Group company and the business partner for whom you work or, if applicable, with yourself within the context of the procurement processes developed across the Group
General communication

Processing of orders and acquisitions based on contacts (e.g. framework agreement, order)

Enquiries pertaining to current orders (change requests, changes in capacity etc.)
Contract initiation and performance (if you are acting on your own behalf, Article 6(1)(b) GDPR), balancing of interests (Article 6(1)(f) GDPR) Collaboration with business partners, practicable process organisation within the business relationship by making contact persons available, controlling and invoicing of contractual services
Execution and processing of Volkswagen AG procurement processes and internal processes for the execution of the business relationship within the context of the procurement processes developed across the Group
Processing of orders and acquisitions based on contacts (e.g. framework agreement, order)

Reporting

Administration

Compliance with control and reporting obligations under tax law, data archiving

Accounting, debt collection

Service activities within the processes and systems used
Compliance with legal obligations (Article 6(1)(c) GDPR), performance of a contract (if you are acting on your own behalf, Article 6(1)(b) GDPR) and balancing of interests (Article 6(1)(f) GDPR) Organisation of the processes within the business relationship and creation of Group-wide synergies, compliance with legal and regulatory requirements
IT administration outside of the procurement processes implemented across the Group User management (allocation of access rights, IT support, system access, permissions management)

Verification of changes to information in applications

Unambiguous identification of the user for the secure operation of applications

Identification of errors and guarantee of system security, including exposure and tracking of unauthorised access attempts and access to our web server
Compliance with our legal obligations in the area of data security (Article 6(1)(c) GDPR), performance of a contract (if you are acting on your own behalf, Article 6(1)(b) GDPR), balancing of interests (Article 6(1)(f) GDPR) Guarantee of security and integrity of processes when using our systems, rectification of errors and exposure and tracking of unauthorised access and/or access attempts

The list of participating Group companies is available to view and download here:

Documents (1)

Title Version/ Date Language
2.2 / 23.10.2023

3. Is there an obligation to provide personal data?

In the context of the business relationship and/or our interactions with you, you only have to provide the personal data that is necessary for those interactions or that we are required by law to collect. If you have to provide us with personal data due to a legal or contractual obligation, we draw your attention to this when collecting the data with reference to the respective obligation. If you do not provide us with the respective data, certain services may not be provided.

4. Who receives my data?

Within Volkswagen AG and the Group companies, those bodies receive your data that need it for their work (e.g. Sales Germany, IT).

Service providers we commission that act on our behalf (known as processors) may also receive data for these purposes. These service providers include:

- Group companies of the Volkswagen Group that provide services (e.g. IT services)

- Printing service providers

- Media service providers and shipping agencies

- Archiving service providers

- Hosting service providers

- IT service providers (e.g. support, maintenance)

- Development service providers that are acting on our behalf

- Event service providers

- Logistics/warehouse companies

- Consulting service providers

In addition, we may pass on your personal data to the extent necessary to achieve the aforementioned purposes to the following categories of recipients who act as data controllers in the sense of data protection law:

- Other Group companies within the scope of the data processing operations for which they are joint controllers as described in Clause 3, as well as customers, other business partners (e.g. development partners, consulting service providers, lawyers, tax consultants, auditors) and suppliers of the Group companies with whom you interact in the course of the professional activities or business activities you conduct with us

- Authorities within the scope of their responsibility (e.g. tax offices, police, public authorities, social security bodies)

- Courts

- Other third parties insofar as you instruct us to pass on data or give your consent

5. Is data transferred to third countries?

As a rule, we do not send your data to third countries (countries that are neither members of the European Union nor the European Economic Area).

As part of the data processing operations described in Clause 3 for which Volkswagen AG and other Group companies are joint controllers, we will also transfer your data within the Group to recipients outside the European Union or the European Economic Area. In individual cases, our processors will also process personal data in countries outside the European Union or European Economic Area. In both cases, an appropriate, uniform data protection level is guaranteed by the European Commission’s standard data protection clauses. You can access these EU standard contractual clauses at EUR-Lex - 32021D0914 - EN - EUR-Lex (europa.eu).

C. Use of cookies

Volkswagen AG uses various cookies on its web pages. Cookies are small files containing configuration information that are saved on your terminal device. Cookies can essentially be divided into three categories. There are cookies that are essential for the functionality of the website (functional cookies), cookies that make it easier to use a website and, for example by saving your language settings (convenience cookies), and cookies on the basis of which a pseudonymised user profile is created (tracking cookies).

Processing of the functional cookies is necessary to enable you to visit the web page (see Article 6(1)(b) GDPR).

The legal basis for the use of convenience cookies is a legitimate interest (Article 6(1)(f) GDPR). The provision of a certain level of convenience when you visit a web page constitutes legitimate interest in this regard. You can object to the data processing at any time with effect for the future by preventing the storage of cookies in your browser settings.

Tracking cookies will only be placed on the device if the web page visitor has consented to this (Article 6(1)(a) GDPR). Consent is given via the cookie banner, which has to be actively clicked.

More information on cookies is available in our cookie guidelines.

D. Your rights

You may exercise the following rights vis-à-vis Volkswagen AG at any time, free of charge. Please see section F for further information about exercising your rights.

Right of access/information: You are entitled to information (Article 15 GDPR) from us relating to the processing of your personal data.

Right to rectification: You have the right to request that we rectify (Article 16 GDPR) any inaccurate or incomplete personal data concerning yourself.

Right to erasure: You have the right to have your data erased if the conditions set out in Article 17 of the GDPR are met. According to this, you can demand, for example, that your data is erased if it is no longer necessary for the purposes for which it was collected. In addition, you can demand erasure if we process your data on the basis of your consent and you withdraw this consent.

Right to restriction of processing: You have the right to ask for a restriction of the processing of your data if the conditions set out in Article 18 of the GDPR are met. This is the case, for example, if you dispute the accuracy of your data. You can demand restriction of processing for the period during which the data is being checked.

Right to object: If processing is based on an overriding legitimate interest, you have the right to object to the processing of your data. If you object to the processing of your data, please notify us of the grounds for your objection. Furthermore, you have the right to object to data processing for the purposes of direct marketing. This also applies to profiling where this is connected to direct marketing.

Right to data portability: If data processing is based on consent or performance of a contract and the processing is performed by automated means, you have the right to receive your data in a structured, commonly used and machine-readable format and to transmit this data to another data processor.

Right to withdraw consent: Where data processing is based on consent, you have the right to withdraw your consent to data processing, with future effect, at any time free of charge.

Right of complaint: You also have the right to lodge a complaint about our processing of your data with a supervisory authority (such as the Data Protection Commissioner for the State of Lower Saxony [Landesbeauftragte für den Datenschutz Niedersachsen]).

E. Contact persons for providing information

You can contact us at any time for information about your personal data using the following web form. You can easily view documents relating to you (e.g. a copy of your personal data) online in the download portal.

To Webform

Downloadportal-Login for affected persons

Support GDPR

Department of data subject rights for Supplier and Contractor´s Employees

Service time
Monday to Friday between 8 AM and 4 PM (CET)

Contact
Phone: +49 5361 - 9 - 46290
datenschutz@VWGroupSupply.com

F. Contact person

You may contact our data protection officer as contact for all data protection related matters and for exercising your rights. Please direct your enquires to:

Data Protection Officer, Volkswagen AG
Berliner Ring 2
38440 Wolfsburg, Germany

Mail: dataprivacy@volkswagen.de

Version dated: June 2021