I confirm to have read and understood the Privacy Policy.

 

* * * *

 

Information on the processing of personal data ("Privacy Policy")

 

This Privacy Policy has been prepared pursuant to art. 13 of EU Regulation 679/2016 (hereinafter "GDPR") and provides you with some examples of how we process your Personal Data. For any clarification regarding this Privacy Policy or the methods of processing your Personal Data, please send your request to: dataprotectionofficer@stellantis.com. If you are located in the United Kingdom, you can also send your request to your local representative at dataprotectionuk@stellantis.com. The information and Data provided by you or otherwise acquired will be processed in compliance with the provisions of the GDPR and the confidentiality obligations that inspire the activity of the Data Controller.

 

1. Who we are

Stellantis Europe S.p.A. with registered office in C.so Agnelli 200 - Turin – Italy (hereinafter also "we" or "us") is the Data Controller of your Personal Data (hereinafter "Data").

 

2. What Data we collect and process

When you interact with us and/or Our Network, we may collect the following Personal Data. Provision of your Personal Data is always free and without consequences except for certain purposes where we would not be able to fulfil those purposes without this information. Where that is the case and any Data are mandatory, we will make this clear in our in our forms and documents.

 

a) Data provided by you

We collect Personal Data, either directly from you (e.g. via web site) or indirectly via Our Network. These are mostly contact details and identification data such as name, surname, date of birth, e-mail address, place of residence, telephone number and details about vehicle ownership. Sometimes the data you provide may concern third parties. If you provide us with the data relating to third parties, you are responsible for sharing such information with us and confirm that you are legally authorized to do so (i.e. you are authorized by the third party to share their information, or it is necessary for a legitimate reason). You also agree to fully indemnify us against any complaints, claims or demands for compensation or damages which may arise as a result of, or in connection with, our processing of such third-party Personal Data in violation of applicable data protection law.

 

To the extent permissible under applicable data protection law, we may collect further information about you, if we need to in order to perform a Product Safety Recall.

 

b) Vehicle data associated with you

The data identifying your vehicle (for example, the Vehicle Identification Number or VIN, the license plate, etc.) (together referred to as “Vehicle Data”) will be linked to your Personal Data.

 

3. Why we collect and process your Data and legal basis

 

Your Data is used by us to: -

a) Perform a Product Safety Recall. When necessary, we may use your Data to perform product safety recalls. The legal basis of that processing is the need to comply with a legal obligation pursuant to Article 6(1)(c) GDPR, i.e. Article 37 of Regulation (EU) 2023/988.

b) Complying with legal obligations. We may use your Data to comply with legal obligations and orders to which we are subject, which are the legal basis for the processing of your Data. Some such legislation may require us to share your Data with public authorities.

c) Defend our rights: When necessary, we may use your Data to defend our rights before a competent judicial, administrative or other kind of authority. The legal basis for this processing is our legitimate interest pursuant to art. 6(1)(f) GDPR.

4. How we use your Data (processing methods)

Data collected for the purposes indicated above are processed both manually and via automated processing.

 

5. How We May Disclose Your Data

We may disclose your Data to the following recipients and/or categories of recipients ("Recipients"):

- Persons authorized by us to perform any of data-related activities described in this document: our employees and collaborators who have undertaken an obligation of confidentiality and abide by specific rules concerning the processing of your Data;

- Our Data Processors: external subjects to whom we delegate some processing activities.  For example, security system providers, accounting and other consultants, data hosting providers, banks, insurance, etc.  We have signed agreements with each of our Data Processors to ensure that your Data is processed with appropriate safeguards and only according to our instructions;

- Companies in the STELLANTIS group: This might happen for a number of reasons including enabling us to make use of the group’s IT infrastructure, for reporting purposes and to otherwise ensure that we run our business effectively.

- System administrators: our employees or those of Data Processors to whom we have delegated the management of our IT systems and are therefore able to access, modify, suspend or limit the processing of your Data. These subjects have been selected, adequately trained and their activities are tracked by systems that they cannot modify, as required by the provisions of our competent Control Authority;

- Law enforcement or any other authority whose provisions are binding on us: this is the case when we have to comply with a judicial order or the law or defend ourselves in legal proceedings.

- Our Network: Your data may be shared with our network, depending on the type of Remedy we need to provide you with. This ensures that we can efficiently address your concerns and offer you the most suitable solution. Rest assured that any sharing of your data will be done in accordance with applicable data protection laws and regulations.

 

6. Where your Data is located

We are a global company, and our services are available in multiple jurisdictions around the world. This means that your Data may be stored, accessed, used, processed and disclosed outside your jurisdiction, including within the European Union, the United States of America or any other country where our Data Processors and sub-processors are located, or where their servers or cloud computing infrastructure may be hosted. We take steps to ensure that the processing of your Data by our Recipients is compliant with applicable data protection laws, including EU legislation to which we are subject.  Where required by EU data protection law, transfers of your Data to Recipients outside the EU will be subject to appropriate safeguards (such as EU Standard Contractual Clauses for data transfers between EU countries and non-EU countries), and/or other legal basis according to the EU legislation. For more information about the safeguards implemented by us to protect Data transferred to third countries outside the EU, you can write to us at: dataprotectionofficer@stellantis.com (or if you are located in the United Kingdom, dataprotectionuk@stellantis.com.

 

 

7. How long we keep your Data

The Data processed for the purposes of providing the product safety recalls (Section 3.a) will be kept for the time strictly necessary to achieve those same purposes. However, the Data might be stored for a longer period in case of potential and/or actual claims and liabilities and/or in case of other mandatory legal retention requirement and/or storage obligations.

The Data processed to comply with legal obligations (see section 3.b) will be retained for the period necessary to comply with those legal obligations.

The Data processed to protect our rights (see Section 3.c) will be retained for the period necessary to protect them, depending on the duration of each specific proceeding or the complexity of each case.

 

You can ask us for more information on our data retention criteria and policy by writing us here: dataprotectionofficer@stellantis.com.

 

8. How to control your Data and manage your choices

At any time, you can ask to:

- Access your Data (right of access): depending on your use of our Services, we will provide the Data we hold about you;

- Exercise your right to portability of your Personal Data (right to data portability): depending on your use of our Services, we will, where applicable, provide you with an interoperable file containing the Data we have about you;

- Correct your Data (right to rectification): for example, you can ask us to modify your e-mail address or phone number if they are incorrect;

- Limit the processing of your Data (right to restriction of processing): for example, when you think that the processing of your Data is unlawful or that processing based on our legitimate interest is not acceptable;

- Delete your Data (right to erasure): for example, when you do not want us to retain your Data any longer and we do not have a lawful basis upon which to continue processing it;

- Object to processing activities (right to object): for example if you consider that our processing is unlawful;

- Withdraw your consent (right to withdrawal): where we process your personal data based on your consent, you can withdraw your consent at any time.

You can exercise the above rights or express any concern or make a complaint regarding our use of your Data directly at: https://privacyportal.stellantis.com.

 

At any time, you can also:

- contact our Data Protection Officer (DPO), here: dataprotectionofficer@stellantis.com;

- contact the competent Supervisory Authority, here you can find the list of all Supervisory Authorities by country: https://edpb.europa.eu/about-edpb/board/members_en.

 

9. What this Privacy Policy does not cover

This Privacy Policy does not cover processing carried out by third parties.

We are not responsible for any processing of your Data that is not covered by this Privacy Policy.

 

10. Usage of Data for Other Purposes

If we should need to process your Data for purposes other than those indicated herein, we will notify you in advance.

 

11. Changes to the Privacy Policy

We reserve the right to adapt and/or modify this Privacy Policy at any time. We will inform you of any relevant adaptations/changes.

 

12. Definitions

Data Controller: refers to the legal person, public authority, service or other entity which, individually or jointly, determines the purposes and means for the processing of your Personal Data.

Our Network: these are retailers and/or dealers and/or repairers with whom Stellantis’ car manufacturer has/have signed commercial agreements for the sale of the Vehicles and/or for providing services/products assistance.

Personal Data: means any information relating to an identified or identifiable natural person whether directly or indirectly, as well as any information that is linked or reasonably linkable to a particular individual or household.  For example, an email address (if it refers to one or more aspects of an individual) and VIN are considered Personal Data.  For your convenience, we will collectively refer to all Personal Data mentioned also as "Data".

Processor: refers to an entity engaged by us to process your Personal Data solely on behalf of the Data Controller and according to its written instructions.

Services: collectively, means all Services provided by the Data Controller.