Data privacy notice on the collection of video, image and audio data as part of the project “Automated Driving Alliance” between Robert Bosch GmbH and CARIAD SE

The protection of personal data has the highest priority for Robert Bosch GmbH and CARIAD SE (hereinafter "cooperation partners") and is taken into account in all our business processes. The following data protection information provides an overview of the processing of personal data by the cooperation partners as joint data controllers. Personal data means any information relating to an identified or identifiable natural person.

Please review our “California and U.S. State Privacy Addendum” (available at the end of this page) for disclosures related to the above data as well as data related to our website(s).

With this data protection information, we provide information about the type, scope and purpose of the processing of personal data from the cooperation partners in the context of research and development on driving assistance systems, automated and autonomous driving, driving functions and other services, as well as the handling of this data. In addition, the page explains which data subject rights exist with regard to the processing of personal data and which essential processes with regard to the processing of personal data are established in the cooperation partners organizations.

1. Scope of application and addressees of this data privacy notice

This data privacy notice applies to the collection and processing of personal data within research and development projects related to driving assistance systems, automated and autonomous driving, driving functions and other services.

Potential addressees of this data privacy notice and data subjects to the data processing described herein, are all road users which are in the vicinity of one of the marked test vehicles during their operation.

2. Which types of personal data are processed by the cooperation partners?

Within the scope of the above-mentioned research and development purposes, marked test vehicles move in public traffic areas and - insofar as permitted by other laws - on private factory, test and other premises.

The vehicles are equipped with camera systems with different angles of coverage, focal lengths and sensor technologies, and in some cases with external microphones and other sensor systems. These systems collect, process and store video, image and audio data from the vehicle environment for the purposes described in Section 4 of this privacy notice.

This data may - depending on the individual use-case - also include the following personal information:

photos and video sequences showing humans (including facial- and other features) and surroundings of road users in the vicinity of the test vehicles.
license plates, other characteristics and surroundings of vehicles and other objects in the vicinity of the test vehicles.
acoustic information from the vicinity of the test vehicles
additional data from other sensor systems (such as radar, LIDAR) as well as GPS position and time stamp

3. Who is the responsible controller for the processing of the data and who can be contacted about data protection?

Within the scope of the “Automated Driving Alliance” project, the cooperation partners are jointly responsible pursuant to Art. 26 (1) GDPR for the data processing activities described below.

For these specific data processing activities, the legally required joint controllership agreement has been concluded between the cooperation partners.

For more information on the joint controllership, please see Section 9.

Joint Controllers:

Robert Bosch GmbH
Robert-Bosch-Platz 1
70839 Gerlingen- Schillerhöhe
Germany

and

CARIAD SE
Major-Hirst-Straße 7
38442 Wolfsburg
Germany

If you would like to contact us, please use the following contact options:

E-Mail: privacy@automated-driving-alliance.com

To exercise your data subject rights and to report data protection incidents, you can contact both cooperation partners Data Protection Departments:

Data Protection Officer - Robert Bosch GmbH:

Abteilung Informationssicherheit und Datenschutz Bosch-Gruppe (C/ISP)
Postfach 300220
70442 Stuttgart
Germany

E-Mail: DPO@bosch.com

Data Protection Officer - CARIAD SE::

Major-Hirst-Straße 7
38442 Wolfsburg
Germany

E-Mail: privacy@cariad.technology

4. What is the data used for (purpose of processing) and on what basis (legal basis) does this happen?

The purposes of the data processing are research, development and testing in the areas of driving assistance systems, automated driving, driving functions and other services, including the documentation of these processes and fulfilment of other downstream obligations.

Research, development and testing of such systems require their use in test vehicles under real environmental and traffic conditions - also in public traffic areas - including the acquisition, processing and storage of video, image and audio recordings during and after these operations.

These data sets are used to research, develop and test technical systems for the perception and classification of road users, vehicles, infrastructure and other objects in the context of traffic and environmental situations.

Persons, vehicles, other objects and audio information are only analyzed, classified and processed as "objects" in the context of traffic and environmental situations, e.g. as

pedestrian on the right-hand side of the road
car at an intersection
siren signal behind the vehicle

Typically, it is not possible to identify persons by name or otherwise personally or to assign detected vehicles or objects to specific persons in this way from the video, image and audio material, and the detection mostly only takes place very briefly as the vehicle passes by.

However, identifiability and identification of natural persons cannot be completely precluded in special situations (e.g. traffic lights, traffic jams, pedestrian crossings), so that the cooperation partners consider the processed data to be personal data according to Art. 4 (1) GDPR.

The primary legal basis of the processing is Art. 6 (1) lit. f) GDPR, a so called "legitimate interest". The legitimate interest of the controller is to carry out research, development and testing on driving assistance systems, automated driving, driving functions and other services.

The conflicting interests, fundamental rights and freedoms of the data subjects do not outweigh this, as identification by name or other personal identification of individual data subjects is neither necessary nor envisaged. In addition, technical and organizational measures are taken to ensure that the data collected is processed in accordance with data protection requirements.

5. Transfer of personal data to other recipients

The data is only shared with other companies affiliated with the BOSCH or CARIAD group, with cooperation partners, development partners, data processors or other third parties within purposes described above.

Data will only be disclosed if it is legally permissible due to legal provisions and / or official or judicial orders or if the third party has a legitimate interest.

Categories of recipients to whom data may be disclosed within the scope of the purposes described above are in particular:

Internal and external cooperation partners as well as development partners of the persons responsible within the framework of the research and development processes.
Suppliers within the scope of the research and development processes.
Other service providers (in particular IT service providers as well as service providers for data processing / data evaluation).

If data is transferred to recipients in third countries as part of the research, development and testing processes or downstream processing, this will only be done if an adequacy decision has been taken in accordance with Art. 45 GDPR, on the basis of suitable guarantees within the meaning of Art. 46 GDPR or if permitted under other applicable law.

6. Automated decisionmaking

There is no automated decision making, nor a “profiling” subsequent to Art. 22 GDPR taking place.

7. Retention of personal data

The video and image data is processed and stored for as long as is necessary for the research, development and testing processes mentioned. If, on a case-by-case basis, there is a further legal basis or a further legitimate interest for continued storage and processing (for example, for the proper documentation of the aforementioned processes, due to legal retention obligations or other legal requirements), the data will be stored for a correspondingly longer period.

8. Data subjects’ rights towards the joint controllers

The GDPR sets out the following data subjects’ rights, that can be exercised against any of the joint controllers.

Additional information on the exercise of data subjects' rights:

This is a "processing activity for which the identification of the data subject is not necessary" according to Art. 11 GDPR. No additional identification features of data subjects are processed beyond the video, image and audio data collected.

Exercising and fulfilling data subject rights will therefore - depending on the individual case - often require further information from the data subject, in particular information on the LOCATION and TIME at which he or she may have been affected by the joint processing (i.e. information on when and where you were specifically in the vicinity of one of the trial vehicles). This additional information may be necessary, in order to determine whether a specific person is affected by the joint processing at all and to actually be able to fulfil the rights mentioned below, such as access, erasure, etc.

Right of access: Data subjects have the right to request information on whether personal data in question are being processed. If data are processed, data subjects have the right to be informed about these data as well as about the modalities of the processing in accordance with Art. 15 GDPR.
Right to rectify inaccurate data: Data subjects have the right to request the correction of personal data in question.
Right to erasure: Data subjects have the right to request the erasure of personal data concerning them.
Right to restriction of processing: Data subjects have the right to request restriction of the processing of their data.
Right to object: Data subjects have the right to object to the processing of their personal data.
Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a data protection authority. To do so, you can contact the data protection authority responsible for your place of residence or federal state or the data protection authority responsible for each of the cooperation partners.
Data protection authority responsible for Robert Bosch GmbH::

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg

Visitor Adress:
Lautenschlagerstraße 20
70173 Stuttgart
Germany

Postal Adress:
Postbox 102932
70025 Stuttgart
Germany

Tel.: +49 (711)/615541-0
FAX: +49 (711)/615541-15
E-Mail: poststelle@lfdi.bwl.de

Data protection authority responsible for CARIAD SE::

Die Landesbeauftragte für den Datenschutz Niedersachsen

Visitor Adress:
Prinzenstraße 5
30159 Hannover
Germany

Postal Adresse:
Postbox 221
30002 Hannover
DEUTSCHLAND

Tel.: +49 (511)/120 4500
FAX: +49 (511)/120 4599
E-Mail: poststelle@lfd.niedersachsen.de

Special remarks on the restrictability of data subjects' rights:

We would also like to point out that, in the context of the present processing, your rights under Art. 15 GDPR (right of access), Art. 16 GDPR (right to rectification), Art. 17 GDPR (right to erasure), Art. 18 GDPR (right to restriction of processing) and Art. 21 GDPR (right to object) may be subject to special additional restrictions. These special restrictions apply if the exercise and fulfilment of these rights in the specific case would probably make the realisation of research purposes impossible or seriously impair them and the restriction is therefore necessary for the fulfilment of these research purposes.

This special restrictability and its requirements result in particular from Art. 89 GDPR in conjunction with § 27 BDSG and from Art 17 GDPR.

Contact persons are listed in Section 3.

9. Information on joint controllership according to Art. 26 GDPR

What is the reason for the joint controllership of the cooperation partners?

Robert Bosch GmbH and CARIAD SE work closely together in function and vehicle development as part of the “Automated Driving Alliance” project. This also applies to the processing of personal data, insofar as this has been collected by corresponding development vehicles. The cooperation partners have jointly defined the processing phases of this data in the individual process stages. They are therefore jointly responsible for the protection of your personal data within the process steps described below (Art. 26 GDPR).

For which process stages is there joint controllership?

The joint controllership of the cooperation partners includes the collection, storage and further processing of video, image and audio data. The cooperation partners collect data on test vehicles and transmit it to a common IT system where the data is stored and can be accessed or processed by both cooperation partners for research, (further) development and testing purposes.

Outside the project, the cooperation partners can process data under separate responsibility, provided this is legally permissible.

What have the parties agreed?

As part of their joint controllership under the GDPR, the cooperation partners have also agreed that the collection of data also fulfils the information obligations under Art. 13 and 14 of the GDPR with regard to joint controllership.

What does this mean for data subjects?

Data protection rights can be asserted both with Robert Bosch GmbH and with CARIAD SE through the contact data provided in Section 3. The cooperation partners will inform each other without delay about requests from data subjects. They will provide each other with all information necessary to respond to such requests in a timely manner.

Addendum of Privacy Rights For Residents of California and Other U.S. States (“California and U.S. State Privacy Addendum”).

Last Updated: December 11 ^th 2024

The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (together the “CCPA”) provides California residents with specific rights regarding their personal information. A number of additional U.S. states have passed similar (state-specific) privacy laws that grant residents of their respective states particular privacy rights. These states include (in addition to California) Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia, and other states as their own states’ laws become effective over time (each an “Applicable U.S. State”). We refer to residents of California along with residents of such Applicable U.S. States collectively as “Applicable Consumers.” A useful privacy “tracker” as to what these U.S. states are, and when each privacy law becomes effective, is provided by the “IAPP,” an industry association devoted to privacy issues, at https://iapp.org/resources/article/us-state-privacy-legislation-tracker/ . If you live in one of these Applicable U.S. States, you may have all or some the rights discussed below with respect to your “personal information” or “personal data” (as such terms are defined under applicable l aw, and collectively referred to herein as “Personal Information”).

We provide this Addendum to supplement the information contained in our Privacy Polic(ies). It sets forth our privacy practices as required by the California Consumer Privacy Act and California Privacy Rights Act and related regulations (together the "CCPA").

The CCPA Privacy Notice applies only to individuals residing in the State of California who are considered "Consumers" under the CCPA and from whom we may collect "Personal Information" as described in the CCPA ("California Consumers").

In the below tables and sections, we describe the following (as required by the CCPA and certain other Applicable U.S. States):

Our Collection and Use of Personal Information – the types of Personal Information (which the CCPA defines broadly) that we collect or may at times collect, the types of sources we may collect it from, and generally how we may use it.
Our Business Purposes – our business purposes for (a) collecting and (b) sharing Personal Information, which are generally the same.
Our Sharing or Sale of Personal Information – the types of recipients to whom we may share or sell Personal Information.
Your Privacy Rights and Choices – what rights California and other Applicable U.S. States’ Consumers have under the CCPA and other privacy laws with respect to their Personal Information.

The following sets forth the categories of information we collect and purposes for which we may use the Personal Information of residents of California and other Applicable U.S. States.

1. Information We Collect and Associated Purposes

More specifically, the cooperation partners Robert Bosch GmbH and CARIAD SE (“we” “us” “our”) may collect the following categories of Personal Information from and about consumers, which will depend on the particular Business Purpose for which we collect it. Please note that we do not necessarily create all identifiers or types of information listed below: rather, the descriptions of information are stated for purposes of statutory definitions and compliance.

Categories of information	Purpose of use	Categories of other parties to whom we disclose the information for business and operational purposes
Identifiers such as certain information we collect, which may include (at various times) name, address, and email address, and telephone number	Operate our research, development and related testing operations related to driver assist systems and automated driving functions Legal Compliance	Affiliates and subsidiaries Vendors and service providers
Geolocation information such as your approximate location	Operate our research, development and related testing operations related to driver assist systems and automated driving functions Legal Compliance	Principally, for research and development pertaining to our test vehicles. Affiliates and subsidiaries Vendors and service providers Entities for legal and security purposes
Audio or visual information such audio or visual information that we collect related to research and development we do related to vehicle testing.	Research and development. Compliance and risk management	Affiliates and subsidiaries Vendors and service providers Entities for legal and security purposes Others with your consent
Other information any other information you provide to us that directly or indirectly identifies you, such as information you include in emails or other communications to us	Purposes of use will depend on the additional information you provide	Disclosure will depend on the additional information you provide

Personal Information does not include deidentified or aggregated consumer information.

The cooperation partners Robert Bosch GmbH and CARIAD SE obtain the categories of Personal Information listed above from the following categories of sources:

Directly from you. for example, from account sign-ups, forms you complete, or products and Services you purchase.
Indirectly from you. For example, from observing your actions on our website or from information your devices transmit when interacting with our mobile applications, among other things.
When you are in or near or associated with a vehicle from which we collect audio, visual or location information.
From third parties such as business partners and, if you choose to connect or sign in through a Third Party Account, certain Third Party Account providers (e.g., Instagram, Twitter, and/or Facebook).

2. How We Use Personal Information/Business Purposes

We use the Personal Information we collect for the purposes set out in the above table. Please also note that we may provide any Personal Information we collect to vendors or service providers for any purposes we have described. We may also provide any such Personal Information in response to valid law enforcement requests or as required by applicable law, court order, civil process or governmental regulations. Likewise, we may provide any such Personal Information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding.

3. How We Disclose, Sell or Share Personal Information

We disclose, sell or share your Personal Information with the categories of third parties set forth in the above table. We do not generally “sell” Personal Information that we collect (except, potentially, in the limited manner described in this policy, related to behavioral advertising). We may or may in the future “share” Personal Information for purposes of behavioral advertising, namely, should we ever engage in delivering targeted ads to consumer or prospective consumers, such as those that have visited our website(s).

4. Your Consumer Rights and Choices

Without being discriminated against for exercising these rights, the CCPA (and certain other states’ laws) provide residents of Applicable Consumers with specific rights regarding their Personal Information.

This section describes your rights under the CCPA and other applicable state laws, and explains how to exercise those rights. To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.

a. Right to Opt-out of the sale or sharing of your personal information

Under the CCPA, “sharing” is defined as the targeting of advertising to a consumer based on that consumer’s personal information obtained from the consumer’s activity across distinct online services, and “selling” is defined as the disclosure of personal information to third parties in exchange for monetary or other valuable consideration. We may or may in the future “share” information with our advertising partners to provide more relevant and tailored advertising to you regarding our Services. Our use of third-party analytics services and online advertising services may result in the sharing of online identifiers (e.g., cookie data, IP addresses, device identifiers, and usage information) in a way that may be considered a “sale” under the CCPA (or certain other privacy laws). Should we engage in these activities, we will provide a cookie management tool readily accessible on our website, to enable such opt-outs.

b. Right to correct your personal information

Applicable Consumers have the right to request that we correct inaccuracies about your Personal Information that we collect, use, or sell. As set forth below, you may also request the correction of specific pieces of personal information that we have collected from you. However, we may withhold the correction of some Personal Information where the risk to you or our business is too great to correct the Personal Information.

c. Access to Specific Information and Data Portability Rights

Applicable Consumers have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

The categories of Personal Information we collected about you.
The categories of sources for the Personal Information we collected about you.
Our business or commercial purpose for collecting that Personal Information.
The categories of third parties with whom we share that Personal Information.
The specific pieces of Personal Information we collected about you.
If we disclosed your Personal Information for a business purpose, a list disclosing our disclosures for a business purpose that identifies the Personal Information categories that each category of recipient obtained.

d. Deletion Request Rights

You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see the above sections) we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.

We may deny your deletion request under certain circumstances, and will inform you of the basis for the denial, which may include, but is not limited to, if retaining the information is necessary for us or our service provider(s) to:

Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
Comply with a legal obligation.
Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
In addition, certain information may be retained in an unstructured manner that makes it practically impossible or burdensome to identify or associate with any individual, and thus to delete; we may thus be unable to delete such information.

e. Information About Persons Under 16 Years of Age

We do not knowingly collect Personal Information from minors under 16 years of age unless we have received legal consent to do so. If we learn that Personal Information from such Applicable Consumers has been collected, we will take reasonable steps to remove their information from our database (or to obtain legally required consent).

f. Exercising Your Rights

To exercise these rights, you may use the tools that we make available through our website (also described in this Policy) or you may submit your request by sending an email to privacy@automated-driving-alliance.com (as to requests related to data collected for automated driving research and products) or DPO@bosch.com or privacy@cariad.technology (as to requests related to data collected related to our website(s), in which case we may request additional information and/or provide further instructions).

You may make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.

Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.

g. Authorized Agents

You may designate an agent to make requests to exercise your rights (where permitted by law) and certain other state laws, as described above. As appropriate, we will take steps both to verify the identity of the person seeking to exercise their rights as listed above, and to verify that your agent has been authorized to make a request on your behalf through providing us with a signed written authorization or (if required by law) a copy of a power of attorney.

h. Response Timing and Format

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to an additional 45 days), we will inform you of the reason and extension period in writing.

We will deliver our written response by mail or electronically, at your option.

If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

5. Retention of Personal Information

We will keep Personal Information for as long as it is necessary to fulfill the purposes described above, unless a longer retention is required or permitted by law. For purposes of our services, we retain Personal Information so long as it is potentially useful to effectuate features, functions, intelligence, inferences or analysis within our database – for instance, to establish whether an email address is current or no longer in use, or whether other information is outdated or incorrect. We will delete or de-identify your information sooner if we receive a verifiable deletion request, subject to exemptions under applicable law.

6. Changes to Our CCPA Privacy Notice

The cooperation partners Robert Bosch GmbH and CARIAD SE reserves the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will post the updated notice on our website and update the “Last Updated" (or similarly designated) date above.

7. Contact Information

If you have any questions or comments about this Privacy Addendum, please email us at privacy@automated-driving-alliance.com .