Data Protection Notice
Bosch respects your privacy
The protection of your privacy throughout the course of processing personally identifiable information, like the security of all business data, is a very important concern for us that we take into consideration in all of our business processes. We process personal data, when you report a data protection incident (personal data breach) or submit a data subject request, confidentially and only in accordance with statutory regulations.
Controller
The controller as defined by the European General Data Protection Regulation ("GDPR") for the BKMS® System used for your data protection incident notification or data subject request (available at https://www.bkms-system.net/bosch-datenschutz) is Robert Bosch GmbH, Post Office Box 30 02 20, 70442 Stuttgart as the parent company (Robert Bosch GmbH "Bosch", "we" or "us" in the following).
Our contact details are:
Robert Bosch GmbH
Department Information Security and Privacy Bosch-Group (C/ISP)
Post Office Box 30 02 20
70442 Stuttgart
GERMANY
Email: DPO@bosch.com
Processing of personal data
The term personal data means all information related to an identified or identifiable natural person, thus – for example – names, addresses, telephone numbers, e-mail addresses, contractual master data, contract accounting and payment data, which is an expression of a person's identity.
We process personal data only when there is either a statutory legal basis to do so or you have given your consent to the processing of personal data.
Processed categories of data
The use of the BKMS® System for the data protection incident notification and data subject requests is voluntary. When you use the system, we will ask you to provide data related to the following data categories:
- Communication data (e.g. name, telephone, email, address)
- Employee data of Bosch employees and
- Where applicable, names of persons and other personal data relating to the persons you name in your notification
If you answer all the questions asked in the context of the data protection incident notification or the submitted data subject request completely, this will help us to process your request. If you provide incomplete data, we might not be able to process your request or might be able to process it only with delay.
Purposes of processing and legal bases
The aim of the BKMS® System is to provide a communication channel for your data protection requests and to ensure that your request is handled by Robert Bosch GmbH in accordance with the statutory data protection regulations.
Your personal data is processed for the following purposes, in particular:
- Notification of a data protection incident: indications and tracking of notifications concerning a potential personal data breach (Article 33 GDPR). You can report personal data breaches to the responsible Bosch employee using your name or anonymously and securely via the BKMS® System.
  Legal basis: processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) GDPR).
- Data subject request: tracking and providing information regarding a submitted data subject request (Articles 12 to 21 GDPR). It is not possible to submit data subject requests anonymously, because we need to know your identity without doubt for this.
  Legal basis: processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) GDPR).
- Data protection management: central administration and handling of group-wide data protection processes.
  Legal basis: legitimate interest of Robert Bosch GmbH in obtaining a central overview of data subject requests and data protection incident notifications (Article 6(1)(f) GDPR) and for exercising and defending our rights.
Storage of log files/ use of cookies
In order to maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that contains only the session ID (a session cookie). This cookie is valid only until the end of your session and will be invalid when you close your browser.
It is possible to set up a postbox within the system that is secured with an individually chosen pseudonym/ user name and password to report data protection incidents and submit data subject requests.
Transfer of data to Bosch employees and to other controllers
When processing a data protection incident notification or a data subject request, it is necessary to share the notification or the request in whole or in part with the Robert Bosch GmbH employees responsible for the processing or employees of those subsidiaries to which the notification or request refers. Your information is made available only to those employees who have to have it in order to process your notification or request.
Your personal data are transferred to other controllers only to the extent this is necessary to satisfy a legal obligation.
In addition, data can be transferred to other controllers (e.g. supervisory authorities or data subjects in the event of notifications of data protection incidents) if we should be required to do so due to statutory regulations or enforceable orders given by authorities or courts.
Service providers (general)
Robert Bosch GmbH has commissioned the company EQS Group AG, Bayreuther Str. 35, 10789 Berlin (the "Service Provider") to operate the system for data protection incident notifications and data subject requests on behalf of Robert Bosch GmbH; the data entered into this system are stored in a database operated by EQS Group AG in a high-security data center located in the European Union.
Robert Bosch GmbH has chosen the Service Provider with care and monitors it on a regular basis, particularly its careful handling and securing of the data it stores. Only selected Bosch employees have access to the data (see above "Transfer of data to Bosch employees and to other controllers"). The Service Provider has no access to the data. This is warranted by a certified procedure by means of extensive technical and organizational measures.
Robert Bosch GmbH has imposed an obligation on the Service Provider to keep the data confidential and to comply with the statutory regulations.
Transfer to recipients outside the EU and/ or the EEA
We can transfer personal data also to Bosch legal entities or authorities located outside the European Union or the European Economic Area in third countries. In such cases, we make sure prior to the transfer either that the data recipient provides an appropriate level of data protection (e.g. due to a decision of adequacy by the European Commission for the respective country or due to an agreement on EU standard clauses with the recipient) or that you have consented to the transfer.
You can obtain a list of the recipients in third countries and a copy of the specifically agreed provisions securing the appropriate level of data protection from us. To request a list, please use the statements made in the Contact section.
Duration of storage; retention periods
In principle, we store your data for as long as this is necessary in order to investigate the data protection incident or to process your request.
After completing the processing of the data protection incident or the data subject request, we delete your personal data, except for the data that must be stored and processed further so that we can exercise and defend our rights.
When we delete personal data that we store and process further so that we can exercise and defend our rights depends on when the maximum limitation period for regulatory offenses ends (§§ 31 (2), 33 (3) German Regulatory Offenses Act (OWiG)). The data are deleted at the latest six years after the completion of the processing of the data protection incident notification or the data subject request.
Security
Our employees and our service providers have an obligation to keep our dealings confidential and to comply with the applicable data protection laws.
Any incoming reports are received by a small selection of explicitly authorized and especially trained Bosch employees and are always handled confidentially. The Bosch employees examine the facts and perform any further investigation required by the specific case.
All persons who are given access to the data are required to maintain confidentiality.
We implement all necessary technical and organizational measures to warrant an appropriate level of security and to protect your data that are administrated by us especially against the risks of unintended or unlawful destruction, manipulation, loss, change or unauthorized disclosure or unauthorized access. Our security measures are regularly improved in accordance with technological developments. The communication between your computer and the BKMS® System for the notification of data protection incidents and data subject requests takes place via an encrypted connection (SSL).
Users' rights
Please use this link to exercise your rights. In doing so, please ensure it is possible to identify you clearly.
Right to information and access
You have the right to obtain information from us about whether or not your data is being processed and, if this is the case, to access your personal information that we process.
Right of rectification and erasure/ deletion
You can demand that we rectify inaccurate data and complete or erase your data if the statutory requirements are met. This does not apply to any data required for payroll and accounting purposes or subject to a statutory retention duty. If access to such data is not required, however, the processing of such data is restricted (see below).
Restriction of processing
You can demand that we restrict the processing of your data if the statutory requirements are met.
Objection to data processing
In addition, you have the right to object to the data processing by us at any time, as long as this processing is carried out on the legal basis of legitimate interest. We will then terminate the processing of your data unless we are able – in accordance with the statutory requirements – to demonstrate compelling legitimate grounds for further processing which override your rights or for the establishment, exercise or defense of legal claims (Article 21 GDPR).
Right to lodge complaint with supervisory authority
You have the right to lodge a complaint with a data protection authority. In this context, you may approach the data protection authority competent for your place of residence or your German state or the data protection authority competent for us. The latter is:
- Der Landesbeauftragte für Datenschutz und Informationsfreiheit
- Postal address:
- Post Office Box 10 29 32
- 70025 Stuttgart
- GERMANY
- Phone: +49711/61 55 41 – 0
- Fax: +49711/61 55 41 – 15
- E-Mail: poststelle@lfdi.bwl.de
Changes to the Data Protection Notice
We reserve the right to change our security and data protection measures. In such cases, we will also adjust our information on data protection accordingly. Therefore, please take note of the latest version of our data protection notice, as this is subject to changes.
Contact
You can contact us at the address given in the "Controller" section.
To assert your rights and to report data protection incidents, use the following link: https://www.bkms-system.net/bosch-datenschutz.
If you have any suggestions or complaints regarding the processing of your personal data, we recommend that you contact our data protection officer:
- Data Protection Officer
- Department Information Security and Privacy Bosch-Group (C/ISP)
- Post Office Box 30 02 20
- 70442 Stuttgart
- GERMANY
- Email: DPO@bosch.com
Effective date: 20 May 2018