2. Who is responsible for the processing of personal data?
The data controller is:
Vay Technology GmbH
c/o The Drivery, Mariendorfer Damm 1
(“Vay”; “We” “Us” “Our”)
The contact person for your data protection questions is our data protection officer. You can contact our data protection officer at the above address or by emailing to firstname.lastname@example.org and/or email@example.com.
3. Which data is processed and where does it come from?
Vay is a technology company developing teledriven and automated vehicles as well as next generation mobility services. Our vehicles are operated by so-called teledrivers who control the vehicle remotely from our teledrive stations located in our Berlin headquarters and/or our local offices (“teledrive centers”).
Our vehicles are equipped with sensors (i.a. radar, ultrasound, GPS/location sensors) and cameras on every side of the vehicle. These cameras collect a 360°-live stream of video footage which is on average buffered for a duration of under 1 second. The video recordings are used by our teledrivers to participate in road traffic in any given operational terrain. For this purpose, pedestrians, road markings, cars, motorcycles, bicycles and other objects in the surroundings of the test vehicle as well as their position and movement in relation to our test vehicles are processed.
Our vehicles are also equipped with microphones, providing our teledrivers with audio recordings (e.g. sirens) to hear what is happening in the surrounding of the vehicle. We recreate an equal audio environment of a traditional driver located inside a vehicle in order to participate safely and legally compliant in road traffic in any given operational design domain. Audio Recordings help our teledrivers to recognize the approach of an emergency vehicle and to clear the roadway for such vehicles or to respond to other road users and traffic situations.
Personal Data we process may contain the following personal information, depending on the individual position to and interaction with the test vehicle:
- Behavior and characteristics (e.g. faces) of other road users, e.g. vehicle drivers, cyclists, pedestrians and other persons in the proximity of the test vehicles
- Behavior and characteristics (e.g. license plates) of vehicles and other objects in the proximity of the test vehicles
- Acoustic information from the vicinity of the test vehicles
- Additional data from other sensor systems (e.g. GPS position, timestamps)
4. For which purposes is the data processed and what is the legal basis for this processing?
Most importantly Vay is not interested in identifying individuals on the basis of the collected data and none of our systems is configured to do so. However, due to the technical nature of the described processing, we cannot rule out that a natural person might become theoretically identifiable through our processing activities.
Vay uses its marked test vehicles for research, development, testing and validation of its services on private and public grounds. The test vehicles are equipped with cameras, sensors (i.a. radar, ultrasound, GPS/location sensors) and microphones. The purposes for which Vay processes personal data may include:
- Ensuring and improving safety and security of our teledriven and automated driving functions, systems and technologies:
- The main purpose of processing of data is to ensure the safe movement of the test vehicle in road traffic.
- Additionally, this serves to continuously ensure quality, improvement and monitoring of our products.
- Development, continuous improvement and testing of teledriven and automated driving functions, systems and technologies (e.g. algorithms for machine learning):
- For our systems to function properly and in compliance with applicable road traffic rules as well as to define proper operational terrain for our vehicles, we study and evaluate the roads and surroundings in which our vehicles are operated.
- This includes for example data regarding applicable speed limits or network availability and reliability.
- Fulfilling legal and other obligations or interests in case of incidents and accidents:
- In case our vehicles are involved in any incident or accident, we process data in order to determine legal responsibilities and liability as well as for the purposes of accident research and product improvement.
The primary legal basis for the collection, processing and storing of the above-mentioned data by Vay is the protection of legitimate interests pursuant to Article 6 (1) f) GDPR:
- Our legitimate interests consist of carrying out research, development, validation and testing of our teledriven and automated vehicles, systems and technologies.
- Most importantly, we want to keep road users, vehicles and other objects safe and to ensure and improve safety and security of our teledriven and automated driving functions, systems and technologies in our as well as in their interest.
- In case of incident- or accident management, it is in our and the public’s interest for a safe road traffic (“allgemeines Verkehrssicherheitsinteresse”) to process data in order to determine legal responsibilities and liability as well as improving incident and accident research capabilities.
Additionally, we may be obliged to process certain data due to statutory obligations under national or European law. In these cases, the legal basis for the collection, processing and storing of the above-mentioned data is Art. 6 (1)c) GDPR.
5. How is the data secured at rest and in transfer?
Vay secures your data utilizing state-of-the-art technologies, consisting of but not limited to the following security measures which are applied to protect your personal data from misuse or other unauthorized processing:
- The data is transferred via an encrypted way so that exchanged messages cannot be read, modified or manipulated by third parties (hacking).
- Access to personal data is restricted to a limited number of authorized persons for their stated intentions.
- The IT systems for processing the data are technically isolated from other systems to prevent unauthorized access, e.g., through hacking.
- In addition, access to these IT systems is permanently monitored in order to detect and prevent misuse at an early stage.
6. Where is the data stored?
The data is stored on servers located in Germany or if not otherwise possible, on servers located in the European Union.
In exceptional cases some personal data may be accessed from third countries (e.g. for support purposes).In these cases, we ensure an appropriate level of data protection through standard data protection clauses approved by the EU Commission (which we can provide you with on request) and other technical or organisational measures.
7. With whom will the data be shared?
Vay treats personal data with care and confidentiality. We only pass data to third parties to the extent described here and within the scope of the purpose limitation under data protection law.
Categories of recipients to whom data may be disclosed in the context of this processing are in particular:
- Vay affiliates: Vay affiliates run the teledrive centers in cities where we offer our service and/or perform test drives. Our local affiliates also administer local support to the respective fleet as well as local incident and accident reporting and management.
- IT service providers: For technical reasons, we use external IT service providers who provide server infrastructure, IT maintenance tasks or extensive IT solutions (such as cloud services) and software solutions on behalf of Vay.
- External service providers: We use external service providers for labeling and querying the data collected from test fleet activities. This happens in preparation of using data sets for machine learning in order to continuously research, develop, and test our teledriven and automated driving functions, systems and technologies. If using personal data for labelling, we pseudonymize the data used as far as possible.
- Insurance companies, public authorities and criminal prosecution agencies: We may be obliged to share data related to damages, accidents, public and criminal offenses with insurance companies, public authorities and criminal prosecution agencies if one of our vehicles is involved in a traffic accident or similar event.
We do not share, sell, rent, or trade personal data for any promotional purposes. All of these service providers are carefully selected and contractually committed to process data only in accordance with our instructions and the GDPR as well as to ensure the protection of the rights of the data subjects.
8. How long is the data stored?
We store the data only for the duration of the aforementioned research, development, testing and safety purposes.
The data collected for the safe operation of the vehicle as described in Section 3 above is streamed in real-time (with a buffer of under 1 second) and may be stored for later analysis, research and development purposes as described under Section 4 of this policy in a pseudonymized form or as clear data, in case the data is required for incident- or accident management as described in Section 4 above. In some cases, legal provisions (e.g. our exemption permits for test operations granted by the respective authorities) or other (legal) obligations and requirements may require us to store the data for a longer period. After this duration, your personal data will be deleted or stored in an anonymized form that cannot be traced back to you.
9. What rights do data subjects have?
In the context of the processing of personal data, data subjects are entitled to the following rights under GDPR:
- Right of access: Pursuant to Art. 15 GDPR, data subjects have the right to request information whether their personal data is processed by us. In particular, they may obtain information about the processing purposes, the category of personal data, the categories of recipients to whom the personal data have been or will be disclosed, the planned storage period, the existence of a right to correction, deletion, restriction of processing or opposition, the existence of a right to lodge a complaint, the origin of the personal data, unless it was collected by us, and the existence of automated decision-making, including profiling and, if necessary, meaningful information about its details.
- Right to rectification of inaccurate data: Pursuant to Art. 16 GDPR, data subjects have the right to request the correction of incorrect or incomplete personal data stored by us without delay. For video, image and audio data this right can usually only be implemented by deletion.
- Right to erasure: Pursuant to Art. 17 GDPR, data subjects have the right to request the erasure of the personal data stored by us, unless the processing for exercising the right to freedom of expression and information, for fulfilling a legal obligation, for reasons of public interest or for establishing, exercising or defending legal claims is required.
- Right to restriction of processing: Pursuant to Art. 18 GDPR, data subjects have the right to request the restriction of the processing of the personal data, provided that the accuracy of the data is disputed by the data subject, the processing is unlawful and the data subject refuses the erasure of the personal data, we no longer need the data, but the data is required by the data subject to establish, exercise or defend legal claims or you have objected to processing in accordance with Art. 21 GDPR.
- Right to data portability: Pursuant to Art. 20 GDPR, data subjects have the right to receive the personal data provided to us in a structured, commonly used and machine-readable format and to request the transmission to another person responsible.
- Right to lodge a complaint to a supervisory authority: Pursuant to Art. 77 GDPR, data subjects have the right to lodge a complaint with the competent data protection supervisory authority, in the EU Member State of the data subject’s habitual residence, place of work or place of the alleged infringement. The data protection supervisory authority, which is responsible for us, is the Berlin Commissioner for Data Protection and Freedom of Information.
Information about your Right of Objection under Article 21 of the GDPR
You have the right, for reasons arising from your particular situation to object to the processing of your personal data, that we process based on legitimate interests as described in Section 4 above. If you file an objection, we will, based on the information provided re-evaluate the grounds for the processing and whether they outweigh your interests, rights and freedoms or the processing, e.g. where the processing is necessary to assert, exercise, or defend legal claims or to fulfill a legal obligation, and, if possible, stop further processing and delete your data if this is not the case.