Data Privacy is a fundamental principle within a modern society. Data privacy is not - unlike the term may first suggest - all about data, but about the people, of whom information (data) is processed. Data privacy is a fundamental right, which refers to the protection of the personal rights of natural, living people. Every person should have the opportunity to decide, who gets which information about him on which occasion (informational self-determination).
BMW India Private Limited and BMW India Financial Services Private Limited (“BMW Group India”) has created this Policy to demonstrate its commitment towards the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information), Rules, 2011 (“Rules”) and also towards the BMW’s global policy for data privacy and protection.
BMW Group India recognizes the importance of "Personal Information" including "Sensitive Personal Information" provided by natural persons, under lawful contract. BMW Group India intends to take reasonable measures to keep such information confidential and may share it with its affiliates and third parties under appropriate arrangements and under the applicable laws and policies.
2.1 "Personal Data" means any information concerning the personal or material circumstances of an identified or identifiable individual, e.g. name, address, bank details etc. It can be with reference to employees, customers, suppliers, shareholders, etc.
A person is considered to be identifiable if they can be identified directly or indirectly.
2.2 Employees are identified or identifiable persons, who are employed by respective BMW Group India Companies including partners associated with.
2.3 "Customers" are identified or identifiable natural persons, who show BMW Group India that they have an obvious interest in concluding a contract for the purpose of acquiring a product or a service or, as the case may be, that they are the recipient of a product or service provided by BMW Group India.
2.4 "Processing" is any operation or set of connected operations performed using the Personal Data, whether with or without the help of automatic means. This includes collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
2.5 "Rendering Anonymous" means the alteration of Personal Data so that the details about personal or material circumstances can no longer be matched to an identified or identifiable natural person or could be so matched only by expending a disproportionate amount of time, expense and effort.
2.6 “Pseudonymising” means replacing identifying features by a code in order to make identification of the Data Subject impossible or considerably more difficult.
2.7 "Sensitive Personal Data", for the purposes of this Policy, refers to such personal information about a natural person, which consists of information relating to:
b) Financial information such as Bank account or credit card or debit card or other payment instrument details;
c) Physical, physiological and mental health condition;
d) Sexual orientation;
e) Medical records and history;
f) Biometric information;
g) Any detail relating to the above clauses as provided to us for providing services; and
h) Any of the information received under any of the above clauses by us for processing, storing or processing under lawful contract or otherwise.
Any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as Sensitive Personal Information for the purposes of this Policy.
2.8 "Provider” for the purpose of this Policy, refers to a natural person or individual who, provides Personal Information or Sensitive Personal data or information, directly under lawful contract to BMW Group India.
3. Purpose and usage
Provider’s Personal Information/ Sensitive Personal Data is collected and used /processed for lawful, legitimate, contractual and administrative purposes of BMW Group India.
Generally the Personal Information/Sensitive Personal Data collected pertains to the Provider that may be used for the purposes such as administration and facilitation of relationship with customers, employees, suppliers etc. for internal operational purposes, for marketing surveys and customer research and feedback, warranty services, to update with information about BMW Group India and the products and services, to provide information about special offers, from time to time and to satisfy the legal and regulatory obligations.
The Personal Information/Sensitive Personal Data collected pertaining to the staff/employee may be used for human resource management, technology support/updates, management planning, administration and management of the internal processes, services and operations to enable it to perform BMW Group India’s proper functions and to satisfy the legal and regulatory obligations.
The Personal Information/Sensitive Personal Data (as per Rules) can be collected /or retained either directly by BMW Group India or through an affiliate or third party, as per the procedure prescribed by Rules.
4. Disclosure to Third Parties
The Personal Information/Sensitive Personal Data collected would only be used, processed and/or shared within the affiliates and/or group companies, authorized BMW and MINI dealers and other authorized business partners.
BMW Group India would not disclose any Personal Information/Sensitive Personal Data to any external organization unless it has the consent of the provider, or are required by law or have previously informed the Provider.
Notwithstanding anything in Article 4 to the contrary, if BMW Group India is, in the opinion that it is required by applicable law or government authority, to disclose any Personal Information/Sensitive Personal Data to any Person, then it may disclose such information only to the extent so required.
5. Security practices and procedures
BMW Group India has in place a security system, to ensure that the personal information is protected from unauthorised access, use, disclosure or alteration by anyone including the employees of BMW Group India.
BMW Group India undertakes a number of security measures to maintain the safety of the Provider’s personal information, which includes the use of: physical secure data centres and premises; internal security policies and procedures; defined internal segregation of duties; and electronic access controls such as passwords and encryption technology. Our Information Security Management System follows international standard ISO 27001.
- Data economy – Access to personal data is granted only to personnel on need to know basis. Redundant data may not be stored and personal data from concerned Department shall not be exported to other applications unless absolutely necessary. Where it is not necessary to know the identity of the Data Subject there the personal data shall be processed in pseudonymised form or a form that has been rendered anonymous.
- Purpose Limitation – Data collected for a particular purpose shall be used for that purpose only and shall not be used for any other purpose without the consent of the Data Subject or other legal permission.
- Deleting/Archiving Data - Once the purpose of the processing of Personal Data is fulfilled then such Data must immediately be deleted or, as the case may be, access thereto blocked in compliance with the obligations to retain records prescribed by law or agreed within the BMW Group India. This obligation to delete data does not apply to data that has been rendered anonymous. In exceptional cases where required such information shall be dealt with on case to case basis of the concerned Department and as per applicable laws.
6. No Obligation to provide personal information
The Provider is under no obligation to provide any personal information requested by BMW Group India and a Provider can withhold any personal information as he/she may choose, but in such a case BMW Group India may not be able to provide all products and services as this will depend on the kind of information withheld.
The Provider can opt-out at any time online by accessing the unsubscribe form. A minimum period of ten business days is required to process the requests.
The Provider may review the Personal Information/Sensitive Personal Data provided to BMW Group India for the purpose of ensuring that the said information is accurate. BMW Group India shall not be responsible for the authenticity of the information supplied to BMW Group India or to any person acting on behalf of BMW Group India.
BMW Group India strives to maintain the Provider’s personal information on the records as accurately and updated as reasonably possible. On request, the details on record, the purpose for which it is used, and to whom has it been disclosed can be provided. Access to personal information in the possession of BMW Group India shall be subject to certain exceptions and reasonable costs.
If the personal information that an entity of BMW Group India hold about the Provider is incorrect or changed then the Provider can notify the respective entity of BMW Group India of such changes. Additionally any discrepancy or grievance of the Provider of information with regard to processing of information can be addressed to the following contact (Grievance Officer) as below:
BMW India Private Limited
BMW India Financial Services Private Limited:
Mr. Vikas Arora
BMW Group India reserves the right to modify, cancel, add, or amend this Policy.