Topics of this page
2. Who is responsible for the processing of personal data?
The data controller is:
(“Vay”; “We” “Us” “Our”)
The contact person for your data protection questions is our data protection officer. You can contact our data protection officer at the above address or by emailing to email@example.com and/or firstname.lastname@example.org.
3. Which data is processed and where does it come from?
Vay is a technology company developing teledriven and automated vehicles as well as next generation mobility services. Our vehicles are operated by so-called teledrivers who control the vehicle remotely from our teledrive stations located in our Berlin headquarters and/or our local offices (“teledrive centers”).
Our vehicles are equipped with sensors (i.a. radar, ultrasound, GPS/location sensors) and cameras on every side of the vehicle. These cameras collect a 360°-live stream of video footage which is on average buffered for a duration of under 1 second. The video recordings are used by our teledrivers to participate in road traffic in any given operational terrain. For this purpose, pedestrians, road markings, cars, motorcycles, bicycles and other objects in the surroundings of the test vehicle as well as their position and movement in relation to our test vehicles are processed.
Our vehicles are also equipped with microphones, providing our teledrivers with audio recordings (e.g. sirens) to hear what is happening in the surrounding of the vehicle. We recreate an equal audio environment of a traditional driver located inside a vehicle in order to participate safely and legally compliant in road traffic in any given operational design domain . Audio Recordings help our teledrivers to recognize the approach of an emergency vehicle and to clear the roadway for such vehicles or to respond to other road users and traffic situations.
Personal Data we process may contain the following personal information, depending on the individual position to and interaction with the test vehicle:
- Behavior and characteristics (e.g. faces) of other road users, e.g. vehicle drivers, cyclists, pedestrians and other persons in the proximity of the test vehicles
- Behavior and characteristics (e.g. license plates) of vehicles and other objects in the proximity of the test vehicles
- Acoustic information from the vicinity of the test vehicles
- Additional data from other sensor systems (e.g. GPS position, timestamps)
4. For which purposes is the data processed and what is the legal basis for this processing?
Most importantly Vay is not interested in identifying individuals on the basis of the collected data and none of our systems is configured to do so. However, due to the technical nature of the described processing, we cannot rule out that a natural person might become theoretically identifiable through our processing activities.
Vay uses its marked test vehicles for research, development, testing and validation of its services on private and public grounds. The test vehicles are equipped with cameras, sensors (i.a. radar, ultrasound, GPS/location sensors) and microphones. The purposes for which Vay processes personal data may include:
- Ensuring and improving safety and security of our teledriven and automated driving functions, systems and technologies:
- The main purpose of processing of data is to ensure the safe movement of the test vehicle in road traffic.
- Additionally, this serves to continuously ensure quality, improvement and monitoring of our products.
- Development, continuous improvement and testing of teledriven and automated driving functions, systems and technologies (e.g. algorithms for machine learning):
- For our systems to function properly and in compliance with applicable road traffic rules as well as to define proper operational terrain for our vehicles, we study and evaluate the roads and surroundings in which our vehicles are operated.
- This includes for example data regarding applicable speed limits or network availability and reliability.
- Fulfilling legal and other obligations or interests in case of incidents and accidents:
- In case our vehicles are involved in any incident or accident, we process data in order to determine legal responsibilities and liability as well as for the purposes of accident research and product improvement.
The primary legal basis for the collection, processing and storing of the above-mentioned data by Vay is the protection of legitimate interests pursuant to Article 6 (1) lit. f GDPR:
- Our legitimate interests consist of carrying out research, development, validation and testing of our teledriven and automated vehicles, systems and technologies.
- Most importantly, we want to keep road users, vehicles and other objects safe and to ensure and improve safety and security of our teledriven and automated driving functions, systems and technologies in our as well as in their interest.
- In case of incident- or accident management, it is in our and the public’s interest for a safe road traffic (“allgemeines Verkehrssicherheitsinteresse”) to process data in order to determine legal responsibilities and liability as well as improving incident and accident research capabilities.
Additionally, we may be obliged to process certain data due to statutory obligations under national or European law. In these cases, the legal basis for the collection, processing and storing of the above-mentioned data is Art. 6 (1) lit. c GDPR.
5. How is the data secured at rest and in transfer?
Vay secures your data utilizing state-of-the-art technologies, consisting of but not limited to the following security measures which are applied to protect your personal data from misuse or other unauthorized processing:
- The data is transferred via an encrypted way so that exchanged messages cannot be read, modified or manipulated by third parties (hacking).
- Access to personal data is restricted to a limited number of authorized persons for their stated intentions.
- The IT systems for processing the data are technically isolated from other systems to prevent unauthorized access, e.g., through hacking.
- In addition, access to these IT systems is permanently monitored in order to detect and prevent misuse at an early stage.
- The data is stored on servers located in Germany or if not otherwise possible, on servers located in the European Union.
6. With whom will the data be shared?
Vay treats personal data with care and confidentiality. We only pass data to third parties to the extent described here and within the scope of the purpose limitation under data protection law.
Categories of recipients to whom data may be disclosed in the context of this processing are in particular:
- Vay affiliates: Vay affiliates run the teledrive centers in cities where we offer our service and/or perform test drives. Our local affiliates also administer local support to the respective fleet as well as local incident and accident reporting and management.
- IT service providers: For technical reasons, we use external IT service providers who provide server infrastructure, IT maintenance tasks or extensive IT solutions (such as cloud services) and software solutions on behalf of Vay.
- External service providers: We use external service providers for labeling and querying the data collected from test fleet activities. This happens in preparation of using data sets for machine learning in order to continuously research, develop, and test our teledriven and automated driving functions, systems and technologies. If using personal data for labelling, we pseudonymize the data used as far as possible.
- Insurance companies, public authorities and criminal prosecution agencies: We may be obliged to share data related to damages, accidents, public and criminal offenses with insurance companies, public authorities and criminal prosecution agencies if one of our vehicles is involved in a traffic accident or similar event.
We do not share, sell, rent, or trade personal data for any promotional purposes. All of these service providers are carefully selected and contractually committed to process data only in accordance with our instructions and the GDPR as well as to ensure the protection of the rights of the data subjects.
7. How long is the data stored?
We store the data only for the duration of the aforementioned research, development, testing and safety purposes.
The data collected for the safe operation of the vehicle as described in Section 3 above is streamed in real-time (with a buffer of under 1 second) and may be stored for later analysis, research and development purposes as described under Section 4 of this policy in a pseudonymized form or as clear data, in case the data is required for incident- or accident management as described in Section 4 above. In some cases, legal provisions (e.g. our exemption permits for test operations granted by the respective authorities) or other (legal) obligations and requirements may require us to store the data for a longer period. After this duration, your personal data will be deleted or stored in an anonymized form that cannot be traced back to you.
8. What rights do data subjects have?
In the context of the processing of personal data, data subjects are entitled to the following rights under GDPR:
- Right of access: Pursuant to Art. 15 GDPR, data subjects have the right to request information whether their personal data is processed by us. In particular, they may obtain information about the processing purposes, the category of personal data, the categories of recipients to whom the personal data have been or will be disclosed, the planned storage period, the existence of a right to correction, deletion, restriction of processing or opposition, the existence of a right to lodge a complaint, the origin of the personal data, unless it was collected by us, and the existence of automated decision-making, including profiling and, if necessary, meaningful information about its details.
- Right to rectification of inaccurate data: Pursuant to Art. 16 GDPR, data subjects have the right to request the correction of incorrect or incomplete personal data stored by us without delay. For video, image and audio data this right can usually only be implemented by deletion.
- Right to erasure: Pursuant to Art. 17 GDPR, data subjects have the right to request the erasure of the personal data stored by us, unless the processing for exercising the right to freedom of expression and information, for fulfilling a legal obligation, for reasons of public interest or for establishing, exercising or defending legal claims is required.
- Right to restriction of processing: Pursuant to Art. 18 GDPR, data subjects have the right to request the restriction of the processing of the personal data, provided that the accuracy of the data is disputed by the data subject, the processing is unlawful and the data subject refuses the erasure of the personal data, we no longer need the data, but the data is required by the data subject to establish, exercise or defend legal claims or you have objected to processing in accordance with Art. 21 GDPR.
- Right to data portability: Pursuant to Art. 20 GDPR, data subjects have the right to receive the personal data provided to us in a structured, commonly used and machine-readable format and to request the transmission to another person responsible.
- Right to lodge a complaint to a supervisory authority: Pursuant to Art. 77 GDPR, data subjects have the right to lodge a complaint with the competent data protection supervisory authority, the Berlin Commissioner for Data Protection and Freedom of Information, in the EU Member State of the data subject’s habitual residence, place of work or place of the alleged infringement. The data protection supervisory authority, which is responsible for us, is the Berlin Commissioner for Data Protection and Freedom of Information.
Information about your Right of Objection under Article 21 of the GDPR
You have the right, for reasons arising from your particular situation to object to the processing of your personal data, that we process based on legitimate interests as described in Section 4 above. If you file an objection, we will, based on the information provided re-evaluate the grounds for the processing and whether they outweigh your interests, rights and freedoms or the processing, e.g. where the processing is necessary to assert, exercise, or defend legal claims or to fulfill a legal obligation, and, if possible, stop further processing and delete your data if this is not the case.
If you have any questions regarding your data or if you would like to exercise your rights as a data subject, please do not hesitate to contact us via email@example.com and/or firstname.lastname@example.org.
This Privacy Statement also describes our information practices and the choices available to you under EU data protection laws regarding our use of information of your personal data, including under the EU General Data Protection Regulation (“GDPR”).
You can contact our Data Protection Officer at the above address or by emailing to email@example.com.
Depending on how you interact with us, we process different kinds of data and in different ways. Accordingly, the extent and purpose of the data processing will vary depending on the situation:
Some data is automatically processed if you visit our Website (see Section 1. below). Other data is only processed if you actively submit it to us, like using our web forms to get in touch with us or apply for an open role at our company (see Section 2. below) or, when registering for our newsletters (see Section 3. below).
- Personal Data We Process on Our Website:
When we provide our Website to you, for technical reasons, it will be necessary for us to process personal data. These are data that we automatically process for every visitor when the Website is accessed.
Data that we automatically collect when you use our Website:
- As soon as you visit the Website, you send technical information to our web servers where it is stored in so-called server log files. Once you access the Website, we collect the following “Website Usage Data”:
- Date and time of the visit and the duration of the use of the Website;
- the IP address or the ID of your device;
- the referral URL (the Website from which you may have been referred);
- the browser used and your operating system;
- the visited sub-pages of the Website.
We process Website Usage Data to allow you to surf the Website and to ensure its functionality. We also process aggregated Website Usage Data to perform analyses on the performance of the Website, to continuously improve the Website and correct errors, to ensure IT security and operation of our systems, as well as to prevent or uncover abuse. We further process this data to improve the user experience on our Website and guarantee the safety of our IT systems. We are not able to identify you as an individual, based on such Website Usage Data (data processing will remain pseudonymous at all times).
The abovementioned processing purposes represent our legitimate interests. The legal basis for processing Website Usage Data in server log files is, hence, Art. 6 (1) lit. f) of the GDPR.
- Personal Data We Process If You Decide to Contact Us:
We offer interested parties the possibility to contact us through our website forms or by emailing us. You might contact us either because you have a sales or customer support inquiry or because you’d like to apply for an open position with our company. In both cases we will process your personal data only for the purpose of complying with your request.
Personal data includes, in particular, information about you (e.g. first and last name) and contact information (e.g. address, telephone number, e-mail address) including the data resulting from any attachments you send along (e.g. CV, cover letter, certificates, data on qualifications and school and university degrees, professional experience, language skills, etc.).
Certain personal data to be provided on the contact form, which we need to process your application, are mandatory fields. Nevertheless, the provision of this data is voluntary. However, if you do not provide us with these mandatory fields, we may not be able to process your application. All other information that is not marked as mandatory fields can be filled in voluntarily.
Our legal basis for this is Art. 6 (1) lit. a) of the GDPR (your consent). We seek the best applicants regardless of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual identity (collectively “sensitive data”). If you nevertheless disclose sensitive data without being asked and voluntarily, we may also process this data for the purpose of processing your application.
- Personal Data We Process When You sign up for our Newsletters
When you register for our newsletter, we process your e-mail address for the purpose of sending it. You will receive a registration notification by e-mail, which you must confirm in order to receive the newsletter (so-called double opt-in). This serves as proof for us that the registration was actually initiated by you.
The legal basis is your consent, Art. 6 (1) lit. a) of the GDPR. You can revoke your consent at any time, e.g. via the unsubscribe link at the end of each newsletter.
- With Whom We Share Personal Data:
We treat your personal data with care and confidentially and will only pass it on to third parties to the extent described below and not beyond. We do not share, sell, rent, or trade personal data with third parties for any promotional purposes. For technical reasons, however, we share personal data with our service providers (such as Amazon Web Services who host our online and cloud resources). We have chosen Europe as our server location. Where our service providers process personal data, they will do so solely on our instructions or under our common joint control and have undertaken to comply with strict contractual requirements for the security of your data (including, but not limited to, complying with this Privacy Statement). This includes the service provider hosting the Website.
- Data Transfers to Countries Outside the European Economic Area (“EEA”)
We do not transfer your personal data to countries outside the EEA (so-called “Third Countries”) without implementing appropriate safeguards to guarantee the security of processing and an adequate level of data protection at all times.
Some of our service providers (see above) are affiliates of companies based in Third Countries. Hence, legally speaking, personal data may be transferred to Third Countries, even where the actual storage capacities/serves are located inside the territory of the EEA. However, we will ensure that an adequate level of data protection is maintained at all times. We will only transfer your personal data if
- The Commission has adopted a so-called adequacy decision for the third country or the recipient in that third country,
- Sufficient safeguards are provided by the recipient in accordance with Article 46 of the GDPR for the protection of the personal data (including any additional measures required),
- You have expressly consented to the transfer, after we have informed you about the risks, in accordance with Article 49 (1) lit. a) of the GDPR,
- The transfer is necessary for the performance of contractual obligations between you and us
- Or another exception from Article 49 of the GDPR applies.
Guarantees according to Article 46 of the GDPR can be so-called standard contractual clauses. In these standard contractual clauses, the recipient assures to protect the data sufficiently and thus to ensure a level of protection comparable to the GDPR.
- For How Long We Keep Your Data:
We delete Website Usage Data as soon as it is no longer required for the purposes we collect them for. Provided that the data is no longer required for the fulfilment of legal obligations (e.g. tax or commercial law), it will be deleted, unless the subsequent processing is necessary for the preservation of evidence or for the defence of legal claims against us. Server log files will be deleted after 30 days. If you contact us, we will delete the data you have provided after the request has been processed, unless you give us your consent to store this data for a longer period of time.
- User profiles:
We do not use your personal data to identify you as an individual or create a profile of your interests and/or interactions.
- Your Legal Rights Under The GDPR:
You, as a data subject (i.e. the person whose data are processed), have the following statutory rights under the GDPR:
- to withdraw your consent given to us at any time in accordance with Article 7 para. 3 of the GDPR. As a result, we are no longer allowed to continue processing data based on this consent in the future;
- to request information about your personal data processed by us in accordance with Article 15 of the GDPR. In particular, you can obtain information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to correction, deletion, restriction of processing or opposition, the existence of a right to lodge a complaint, the origin of your data, unless it was collected by us, and the existence of automated decision-making, including profiling and, if necessary, meaningful information about its details;
- to request the correction of incorrect or incomplete personal data stored by us without delay in accordance with Article 16 of the GDPR;
- to request the deletion of your personal data stored by us, in accordance with Article 17 of the GDPR, unless the processing for exercising the right to freedom of expression and information, for fulfilling a legal obligation, for reasons of public interest or for asserting, exercising or defending Legal claims is required;
- To request the restriction of the processing of your personal data in accordance with Article 18 of the GDPR, provided that the accuracy of the data is disputed by you, the processing is unlawful, but you refuse to delete it and we no longer need the data, but you need this to assert, you need to exercise or defend legal claims or you have objected to processing in accordance with Article 21 of the GDPR;
- according to Article 20 of the GDPR, to receive your personal data, which you have provided to us, in a structured, common and machine-readable format or to request the transmission to another person responsible and
You also have a right to lodge a complaint with the competent data protection supervisory authority, the Berlin Commissioner for Data Protection and Freedom of Information, in the EU Member State of your habitual residence, place of work or place of the alleged infringement.
If you would like to exercise your data subject rights, please contact firstname.lastname@example.org.
Information about your Right of Objection under Article 21 of the GDPR
- Right of objection in individual cases
In addition to the rights already mentioned, you have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, where it is processed on the basis of Article 6 (1) lit. f) of the GDPR (data processing on the basis of a balance of interests). If you file an objection, we will no longer process your personal data unless we can prove compelling grounds for the processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise, or defend legal claims. Please also note that, if we terminate the processing due to your objection, the Website may no longer be available to you or only to a limited extent.
- Your right to object to the processing of data for direct marketing purposes
You also have the right to object at any time to the processing of your personal data for the purpose of direct marketing, including any subscription to our newsletters or personalized ads; this also applies to profiling, insofar as it is associated with such direct marketing. If you object, we will no longer process your personal data in the future.
The objection can be filed informally and should be sent to: email@example.com
Information on Cookies and Similar Technologies