Data protection information on the operation of the reporting channels according to the German Whistleblower Protection Act

This data protection information pursuant to Art. 13 et seq. DSGVO serves to fulfil our information obligation regarding the collection and processing of personal data in connection with our internal reporting system under the German Whistleblower Protection Act (HinSchG).

Our reporting system comprises the following reporting channels:

  • Verbal notification (e.g. by telephone)

  • Written notification (e.g. by mail or web form)

  • Personal notification (at the request of the person providing the information)

Please read this privacy notice carefully before submitting a report.

1. Name and contact details of the controller

CARFAX Europe GmbH

Barthstraße 2-10

80339 Munich

E-mail: info@carfax.eu

(hereinafter “CARFAX”, “we”, “us”).

2. Contact details of the data protection officer

Holzhofer Consulting GmbH

Martin Holzhofer

Lochhamer Str. 31

82152 Planegg

Tel.: (0 89) 1 25 01 56 00

E-mail: privacy@carfax.eu

3. Purposes for which the personal data are to be processed and the legal basis for the processing

3.1 General

The reporting channels we provide allow you to contact us in a secure and confidential way to report suspected compliance and regulatory violations.

We generally process the personal data contained in a report, if any, in order to handle the report and to investigate and resolve the alleged compliance and legal violations.

We may also have follow-up questions for you. For this purpose, we usually communicate via the reporting channel that you used to submit the report.

The confidentiality of the information you provide will be maintained at all times. This includes, in particular, the confidentiality of your identity as the person providing the information and of the persons who are the subject of the report or are affected by it (confidentiality obligation). All persons authorized by CARFAX to view the information are also expressly bound to confidentiality.

In addition, the need-to-know principle is strictly adhered to, i.e. the identity of the above-mentioned persons is only disclosed to the following group of persons:

  • Persons who are responsible for receiving reports, or

  • Persons responsible for taking follow-up action, and

  • Persons who assist them in the performance of these duties.

If the report you submit contains personal data of third parties to whom you refer in your report, the data subjects will be given the opportunity to comment on the report, on any allegations made against them and on the investigations carried out. In such cases, we must generally inform the data subjects about the report within one month pursuant to Art. 14 (3) (a) GDPR. However, this information may be postponed where necessary on the basis of Art. 14 (5) (b) GDPR. As soon as the reason for the postponement no longer applies, the data subjects will be informed subsequently.

In this case, too, your confidentiality is protected, since no information about your identity is provided to the data subject – as far as legally possible – and your report is used in such a way that your anonymity is not jeopardized.

3.2 Receipt, (initial) verification and documentation of a report

The use of the reporting system is always on a voluntary basis. If you submit a report via one of the reporting channels, we may process and store the following personal data or data categories for the purpose of accepting, verifying and documenting the report received and for the necessary communication with you as the person providing the information:

  • First and last name of the person providing the information (if this data is provided).

  • Title, first and last name and other personal data of the persons who are the subject of the report or affected by it (e.g. accused persons).

  • Contact information such as phone number or email address (if this data is provided).

  • The fact that the whistleblower has made a report through the whistleblowing system.

  • Whether the person making the report or other persons affected by the report are employed by CARFAX or have a relationship with CARFAX (e.g., customer, supplier, service provider).

  • Timing, content, and other relevant circumstances (e.g., locations of witnesses and documents) related to the report submitted by whistleblowers.

The legal basis for the processing is usually Art. 6 para. 1 lit. c DSGVO in conjunction with the relevant provisions of the HinSchG:

  • Section 12 HinSchG contains the obligation to establish and operate an internal reporting office.

  • Section 10 HinSchG permits the processing of personal data by the reporting offices insofar as this is necessary for the fulfillment of their tasks specified in Section 13 HinSchG.

  • Section 11 HinSchG contains the obligation to document all incoming reports.

If a report received relates to an employee of CARFAX, the processing may also serve to prevent and detect criminal offences or other legal violations related to the employment relationship (Section 26 (1) sentence 2 BDSG).

If you as a whistleblower voluntarily wish to disclose your identity to CARFAX or an external body, this is done on the basis of your consent pursuant to Art. 6 para. 1 lit. a DSGVO. The voluntary nature of this consent is ensured by the fact that the report can also be submitted completely anonymously.

With your consent as the person providing the information, the personal notification can also be made by means of video and audio transmission (e.g. by means of a video conferencing system). In this case, the legal basis is the voluntary and informed consent according to Art. 6 para. 1 lit. a DSGVO, § 16 para. 3 HinSchG.

In the case of telephone reports or reports by means of another type of voice transmission, a permanently retrievable audio recording of the conversation or its complete and accurate transcript (verbatim record) will only be made with your consent as the person providing the information. The same applies to the complete and accurate recording of the meeting as part of a personal notification. Here, too, the legal basis is the voluntary and informed consent in accordance with Art. 6 para. 1 lit. a DSGVO, § 11 para. 2 and 3 HinSchG.

As a matter of principle, we do not collect and process special categories of personal data within the meaning of Art. 9(1) DSGVO (e.g. information on racial and/or ethnic origin, religious and/or philosophical beliefs, trade union membership or sexual orientation). However, because the reporting form contains free text fields, such special categories of personal data can in principle be transmitted. In this case, the data will be processed in accordance with § 10 sentence 2 HinSchG and only if this is absolutely necessary for the processing of the report. Otherwise, this data will be deleted immediately in accordance with data protection regulations.

3.3 Initiation and implementation of follow-up measures

In the course of necessary follow-up actions, such as internal audit and investigation, contacting the individuals and work units concerned, closing the case for lack of evidence or other reasons, and handing over the case for further investigation to the work unit responsible for internal investigations or a competent authority, we may process and store the following data or categories of data:

  • Personal information within the scope of investigative measures (e.g. first and last name, private address, private telephone number, private e-mail address).

  • Business details (e.g. function in the company, job title, possible supervisor position, business e-mail address, business telephone number).

  • Business-related documents (e.g. travel expense reports, time sheets or time statements, contracts, performance records, driver’s logs, invoices).

  • Information on relevant facts: Internal investigative measures often relate to specific facts. The identification and evaluation of relevant information on the respective facts may allow conclusions to be drawn about the behavior or actions of the persons concerned.

The legal basis for the processing is usually Art. 6 para. 1 lit. c DSGVO in conjunction with the relevant provisions of the HinSchG:

  • Section 12 HinSchG contains the obligation to establish and operate an internal reporting office.

  • Section 10 HinSchG permits the processing of personal data by the reporting offices insofar as this is necessary for the fulfillment of their tasks specified in Section 13 HinSchG.

4. Automated decision making including profiling

Automated individual case decisions including profiling according to Art. 22 (1) and (4) DSGVO do not take place on the part of CARFAX.

5. Data transfer to a third country

Data transfers to countries outside the EU and the European Economic Area (“Third Countries”) arise in the context of the administration, development and operation of IT systems. The transfer takes place only on the basis of:

  • an adequacy decision of the European Commission within the meaning of Art. 45 GDPR;

  • an approved certification mechanism pursuant to Art. 42 GDPR together with legally binding and enforceable obligations of the controller or processor in the third country;

  • standard data protection clauses adopted by the Commission in accordance with the review procedure under Article 93(2) GDPR.

Currently, in connection with the use of our internal reporting system, a transfer of personal data to third countries takes place in the following cases:

  • Transfer of data to S&P Global Inc., 55 Water Street, New York, New York, 10041, USA

  • Transfer of data to NAVEX Global Inc., 5500 Meadows Road, Suite 500, Lake Oswego, OR 97035, USA.

For the USA, the European Commission has issued an adequacy decision according to Art. 45 (3) GDPR, which applies to the EU-US Data Privacy Framework (DPF). For data exports to recipients in the USA that are certified under the DPF, the level of data protection is thus considered adequate. The service provider NAVEX is certified under the DPF and is thus committed to complying with European data protection principles.

6. Categories of recipients of data

For the processing of personal data for the purposes stated here, we use the following categories of recipients as processors within the meaning of Art. 28 DSGVO:

  • NAVEX Global Inc. for the purpose of providing and technically implementing the reporting system.

  • Provider of servers for the purpose of hosting the websites

  • Service provider for hosting and operation of the online video conferencing system

  • Telecommunications service provider for operating the telephone system

These service providers process information about you on our behalf and on the basis of our instructions and are contractually bound by a data processing agreement (AV agreement) to comply with applicable data protection laws.

To the extent permitted by law, we may share personal data with the following external recipients:

  • Lawyers in case of legal advice

  • Law enforcement authorities, antitrust authorities, other administrative authorities, courts (in the case of a corresponding legal obligation or necessity for the clarification of information)

  • Affiliates of CARFAX (where required for internal audit and investigation and in connection with the provision and operation of the reporting system at the corporate level)

  • Other third parties in the course of transferring functions (e.g. data protection officer)

We always ensure that the relevant data protection regulations are complied with whenever information is passed on.

7. Storage period and criteria for determining the duration

Personal data is generally only stored for as long as is necessary to fulfill the purposes stated here (e.g., for processing a report and conclusively clarifying a violation) or as required by the retention periods stipulated by law. After the respective purpose ceases to apply or after the retention periods have expired, the data is deleted in accordance with the statutory provisions.

The specific duration of storage depends in particular on the severity of the suspicion and the reported compliance and legal violations.

The documentation of reports within the meaning of § 11 HinSchG is deleted three years after the conclusion of the procedure.

Personal data that is obviously irrelevant for the processing of a report will not be collected or will be deleted immediately after receipt of the report.

8. Information on your data subject rights

CARFAX Europe GmbH is responsible for the processing of your data, unless otherwise stated.

You can request information (Art. 15 GDPR) about the data stored about you and its correction (Art. 16 GDPR) in case of errors at any time. Furthermore, you can request the restriction of processing (Art. 18 DSGVO), the portability (Art. 20 DSGVO) of the data provided to us by you in a machine-readable format or the deletion of your data (Art. 17 DSGVO) – insofar as they are no longer needed.

You also have the right to object at any time to the use of your data based on public or legitimate interests (Art. 21 DSGVO).

If we process your data on the basis of your consent, you can revoke this consent at any time with effect for the future (Art. 7 (3) DSGVO). From the receipt of your revocation, we will no longer process your data for the purposes specified in the consent.

If you wish to exercise your data protection rights, please send your request by e-mail to privacy@carfax.eu or by mail to the above address.

9. Right of appeal to a supervisory authority

In addition, you can contact a supervisory authority with a complaint at any time in accordance with Art. 77 (1) DSGVO. The supervisory authority responsible for us is generally:

Bavarian State Office for Data Protection Supervision (BayLDA)

Promenade 18

91522 Ansbach

PO Box 1349

E-mail: poststelle@lda.bayern.de

Phone: +49 (0) 981 180093-0

Alternatively, you can approach your local supervisory authority.

10. Technical implementation and security of your data

The web form contains the option for anonymous communication via an encrypted connection. When using it, your IP address and your current location are not stored at any time.

We have implemented sufficient technical and organizational measures to ensure compliance with applicable data protection regulations and confidentiality. The data you provide is stored on a specially secured database. All data stored on the database is encrypted by us according to the current state of the art.

Status: January 2024

CARFAX Europe GmbH
Barthstraße 2-10
80339 Munich
Email: info@carfax.eu
(hereinafter referred to as “CARFAX”, “we”, “us”).

Contact Details of the Data Protection Officer

Martin Holzhofer
Holzhofer Consulting GmbH
Lochhamer Str. 31
82152 Planegg, Germany
Tel.: +49 89 125 01 56 00
Email: privacy@carfax.eu
Website: https://www.holzhofer-consulting.de

Website: https://www.holzhofer-consulting.de/index_en.php

Purposes for Which Personal Data Is to Be Processed and the Legal Basis for Processing the Data

Purposes for Data Processing

CARFAX processes personal data pursuant to Article 5 GDPR.

In particular, CARFAX processes vehicle identification numbers (VINs) to identify specific vehicles and provide interested parties with information about the vehicle history of used vehicles. In some countries, a vehicle retains the same license plate throughout its life cycle — in this case, the license plate can also be used to identify a vehicle.

Data Processing on the Basis of Legitimate Interest

In consideration of the rights and freedoms of vehicle keepers and owners, processing will be carried out if this is necessary for the purposes of a legitimate interest of CARFAX Europe GmbH or a third party and this is not overridden by the interests, fundamental rights, and fundamental freedoms that require protection of personal data. Article 6(1)(f) GDPR provides the legal basis in these cases.

CARFAX also processes data so that its services can contribute to the general improvement of fraud prevention measures and to the fight against organized crime in the international trade of used vehicles. Increased transparency relating to used vehicles leads to increased road safety, which is in the public interest. Finally, CARFAX has a legitimate economic interest in data processing in relation to the sale of its products and services.

CARFAX will provide information regarding any changes to the purposes of data processing pursuant to Article 14(4) GDPR.

Data Recipients and Data Sources

Categories of Recipients of Personal Data (“Third Parties”)

To the extent permitted by law, we share personal data with third parties:

“Third parties” may be any individual or institution interested in receiving information about the life cycle of a used vehicle, including: individuals and companies who want to buy or sell a used vehicle; companies such as insurance companies who want to insure a used vehicle and therefore need to evaluate the vehicle, or insurance companies dealing with traffic accidents; investigating authorities; law enforcement agencies; and other third parties.

We also share data with associated companies, in particular our parent company CARFAX Inc. and with subsidiaries within the EU, on a case-by-case basis and subject to certain conditions.

In order to process the personal data for the purposes mentioned above, we appoint the following categories of recipients as data processors as defined in Article 28 GDPR:

  • Service providers for hosting servers in order to provide web-based services

  • Software service providers for hosting and operating various software (e.g. for the support ticket system and document management system)

Data Sources

CARFAX currently has a database comprising over four billion data records collected from various sources, including government departments, regulatory authorities, service and repair workshops, inspection companies, car dealers, online marketplaces, and many others.

Categories of Personal Data That are Processed

The specific categories of personal data are the vehicle identification number (VIN) and license plate, which can be traced to an identifiable individual. Pursuant to GDPR, an identifiable natural person is one who can be identified, directly or indirectly, “in particular by reference to … an identification number…” — see Article 4(1) GDPR. Using the 17-digit VIN or the license plate, it is possible in principle to identify the keeper and/or the owner of a vehicle — but only if a request is submitted to the competent authority and if the request is related to traffic law issues. CARFAX never collects or processes identification and contact information of keepers, owners, possessors, drivers or passengers of vehicles. Furthermore, CARFAX does not process any special categories of personal data.

In addition to the VIN and the license plate, CARFAX processes event-based data about the vehicle (e.g. registration, change of ownership, damage, repairs, mileage, residual value and service data, type of usage) as well as technical and non-technical vehicle features, and provides third parties with requested information about a used vehicle.

Retention Period and Criteria for Determining Such a Period

Pursuant to Article 5(1)(e) GDPR, personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

CARFAX stores information relevant to the vehicle and the personal data mentioned above for an indefinite period. It is necessary to store this data indefinitely in order to prevent the crime of transferring the VIN of a vehicle that is to be scrapped (for example) to another vehicle which has been involved in an accident and is no longer deemed roadworthy, but is being repaired in order to be illegally returned to the used vehicle trade.

Only by storing this data indefinitely can competent authorities detect this crime and prevent these vehicles from returning to circulation as seemingly roadworthy vehicles. The purpose of storing this data is therefore considered never to be fulfilled, meaning the data may be stored for an indefinite period.

CARFAX also provides used car histories for vintage vehicles. Vehicles that are over 30 years old are considered to be vintage vehicles.

Data Transfer to a Third Country

Data is transferred to countries outside the EU and the European Economic Area (“third countries”) as part of administering, developing and operating IT systems. Data will only be transferred on the basis of:

  • An adequacy decision by the European Commission as defined in Article 45 GDPR.

  • An approved certification mechanism pursuant to Article 42 GDPR together with legally binding and enforceable obligations on the part of the controller or the processor in the third country.

  • Standard data protection clauses issued by the European Commission in accordance with the examination procedure referred to in Article 93(2) GDPR.

At present, in the context of purchasing a CARFAX service, data will be transferred to countries outside the EU and the European Economic Area (“third countries”) in the following cases:

  • Transfer of the VIN to our parent company CARFAX Inc., 5860 Trinity Parkway, Suite 600, Centreville, VA 20120, USA, only when no data related to a requested VIN is available in our European database, in order to give the inquiring party full access to the global database.

  • Data transfer to Egnyte Inc., 1350 W. Middlefield Road, Mountain View, CA 94043, USA in conjunction with the provision and use of our document management system.

  • Data transfer to Atlassian Pty Ltd, Level 6, 341 George Street, Sydney, NSW 2000, Australia (Global HQ) in conjunction with the provision of web applications for project management, exchange of knowledge and collaboration.

  • Data transfer to AWS Inc., 410 Terry Avenue North, Seattle, WA 98109, USA in conjunction with the provision of server hosting and cloud services (although our data is located on servers in Europe, our contractual partner has a parent company based in the USA, meaning that a transfer of data cannot be safely ruled out).

  • Data transfer to MongoDB, Inc., 229 West 43rd Street, New York City, NY 10036, USA in conjunction with support for the open source database MongoDB, a NoSQL database that stores data in JSON-like documents with flexible schemas (although our data is located on servers in Europe, our contractual partner has a parent company based in the USA, meaning that a transfer of data cannot be safely ruled out).

For the USA, the European Commission has issued an adequacy decision according to Article 45(3) GDPR, which applies to the EU-US Data Privacy Framework (DPF). For data exports to recipients in the USA that are certified according to the DPF, the level of data protection is thus considered adequate. Slack, Microsoft and Atlassian are certified under the DPF and thus committed to complying with European data protection principles.

Automated Decision-Making including Profiling

CARFAX Europe GmbH does not employ automated individual decision-making, including profiling, pursuant to Article 22(1) and (4) GDPR.

Information about Data Subjects’ Rights

Unless otherwise specified, CARFAX Europe GmbH, Barthstraße 2-10, 80339 Munich, Germany, is the data controller.

You can obtain information from us at any time, provided that the legal requirements are met (Article 15 GDPR) about the data stored about you and request that it be rectified (Article 16 GDPR) where there are errors. You can also request that processing be restricted (Article 18 GDPR), that the data you have given us be provided in a machine-readable format (data portability) (Article 20 GDPR) or that your data be erased (Article 17 GDPR) if it is no longer required.

Furthermore, you have the right to object to the use of your data based on public or legitimate interest (Article 21 GDPR) at any time.

If you wish to exercise your rights as a data subject, please contact:

CARFAX Europe GmbH
Barthstraße 2-10
80339 Munich
Germany
privacy@carfax.eu

Right to Lodge a Complaint with a Supervisory Authority

You can also contact a supervisory authority at any time to lodge a complaint. The Bayerisches Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection Supervision), P.O. Box 1349, 91504 Ansbach, Germany, is the competent authority for CARFAX Europe GmbH. Alternatively, you can contact your local supervisory authority.

Version dated: January 2024
