Data protection

Who is responsible for data processing operations?

Alphabet Fleet Management (Switzerland) Ltd (hereinafter referred to as “Alphabet” or “we”), Industriestrasse 20, 8157 Dielsdorf, is the data controller for the processing of your personal data. Alphabet is based in Dielsdorf and is part of the BMW Group, whose parent company is BMW AG. It will process certain personal data for your leasing and leased products and services as well as in connection with the provision of the Alphabet websites for the purposes stated in this data protection information. Unless stated otherwise, Alphabet partners are legally and economically independent companies and not part of Alphabet. This Privacy Policy also describes instances when your data may be processed by Alphabet partners. However, it is possible that Alphabet partners may collect other personal data and apply their own privacy policies. If applicable, please refer to the privacy policies of the respective Alphabet partners to learn more about how your data are used in such a case.

What data do we process?

Personal data means information relating to an identified or identifiable natural person (hereinafter referred to as “data”). In the course of your use of the Alphabet websites, we process data about you to the extent permitted by law, in particular taking into account the principle of data minimisation. In particular, this concerns the following information:

  • Information you provide to us: you provide us with various information about you when using the offers on our Alphabet customer portal. The various categories of your data that you provide to us depend on the type of use of the portal offers by you and your specific contractual relationship with us. For example, you may provide us with the following information (list not exhaustive, but only for illustrative purposes): name, contact details including your address, your email address and telephone numbers, as well as other data to identify you. In addition, we may process audiovisual data, such as details from the video authentication procedure or recordings of your calls.
  • Information we collect about you: while you use Alphabet’s websites, we collect further data about you. For example, this includes details on how you used our websites or our portal offers, the date and time of your requests, your IP address, data about the device through which you interact with the customer portal (e.g., hardware or browser settings; browser type, operating system, device ID).
  • Data collected by third parties: in the course of the contract initiation and application review, we will also use data that third parties provide to us about you. This includes, for example, records of certain credit agencies, authorised dealers of Alphabet and other third parties.

In this context, we will process in particular the following categories of personal data: 

  • Information about your creditworthiness, such as for credit bureaus known performance disruptions in other contracts.
  • Information used to form customer associations includes, for example, investments in companies and ownership relationships.
  • In order to prevent criminal acts within the meaning of the Consumer Credit Act, we receive certain information from credit agencies with regard to known anomalies. This will be taken into account in the course of the loan application process.
  • Information about your address in the context of a comparison of addresses with Swiss Post for updating postal addresses (this includes, for example, addresses that you have provided to Swiss Post in the context of forwarding and to the disclosure of which you have consented.
  • Information from publicly available sources if necessary for the provision of our services. For example, annual financial statements, debtor directories or trade and association registers are eligible.
  • Information about the use of your vehicle with our partners in the context of personalised services such as fuel management.
  • Special categories of personal data: in principle, we avoid the collection and processing of special categories of personal data. Depending on the products booked by the lessee (e.g., damage assessment), we may also collect health data, e.g. personal injury in the event of an accident or vehicle damage. In these cases or if we collect or otherwise process special categories of personal data for the purposes described below, we will always process it in accordance with the legal requirements and the requirements set out in this data protection information.

On what legal basis will we process your data?

We only process your data if an applicable legal provision allows us to do so. In particular, we will process your data on the basis of Articles 6, 30 and 31 FADP. The processing of your data will be based, among other things, on the following legal bases. Please note that this is not a complete or exhaustive list of the legal bases. These are only examples intended to make the legal bases more transparent.

Consent: we will only process certain data on the basis of your previously given express and voluntary consent. You have the right to revoke your consent at any time with effect for the future.

Performance of a contract/contractual measures: to initiate or execute your contract with Alphabet and Alphabet partners, we need access to certain data.

Compliance with a legal obligation: Alphabet is subject to a series of legal requirements. In order to comply with these specifications, we need to process certain data.

Safeguarding legitimate interests: Alphabet will process certain data to protect your interests or the interests of third parties. However, this only applies if your interests are not outweighed in individual cases.

For what purposes are your data processed?

We will only process your data for purposes permitted by data protection law. This applies in particular to the purposes listed below:

  • Purposes for which you have given us prior consent;
  • Processing for the performance of our contract with you;
  • Implementation of pre-contractual measures at your request;
  • Compliance with legal obligations to which we are subject;
  • Protection of our legitimate interests or the legitimate interests of third parties, unless your interests prevail;
  • Establishment, exercise or defence of legal claims;
  • Marketing and advertising, in particular direct marketing.

Among other things, we will process your data for the specific purposes mentioned below. Please note that this is not a complete or exhaustive list of individual purposes, but merely examples intended to make the aforementioned purposes more transparent.

Contract-related processing purposes

We need to process your data precisely for the implementation of the contractual relationship concluded with you. In the context of our contractual relationship, we will process your data in particular in the context of the following tasks and activities:

  • Decision on the conclusion of a contract: in order to make a decision as to whether we can enter into a contract with you and under which conditions we can do so, we need to review and process data about you. As part of the decision on lending, we need to check your credit score. In this context, we also transmit your data to credit agencies.
  • Contract-related contact: during the course of the contractual relationship or in order to initiate a further contractual relationship, there will always be times when we want and/or need to contact you for contractual purposes. For this purpose, we need personal information about you, which you provide to us, for example, via the customer service or, if necessary, via the Alphabet websites.
  • Contract management: contract management includes the management, adaptation, processing and continuation of our contracts in general. In doing so, we process personal information about you.
  • Customer service: as part of customer service, we regularly process your data, for example, in order to advise you on any necessary adjustments or changes.
  • Accounts receivable management: in the course of the leasing and rental business, we are entitled to claims from the contractual relationship with you. In order to manage these claims, we process your data (e.g., payment behaviour, outstanding claims). If necessary, we will contact you via various communication channels (post, telephone, SMS, email, on-site contact) to clarify any outstanding claims. The type of contact may vary depending on the level of dunning and default risk. In individual cases, we reserve the right to include external lawyers. In the end, only such information would be transmitted that is absolutely necessary for the collection of the outstanding claim. If you actively contact your dealer regarding open claims or reminders, we reserve the right to share such information with the dealer. In principle, however, no personal data on outstanding claims is to be transmitted to dealers.
  • Claims management: if your vehicle is a leasing or rental vehicle, you are obliged to report any damage to the vehicle to us. In this context and for the settlement of vehicle damage claims, we and cooperation partners commissioned by Alphabet may process your data. In addition, the data you provide to us will be passed on and stored for the purpose of asserting claims for damages with involved litigation partners such as insurance companies, lawyers or experts.
  • Contract termination management: we will continue to process your data even if our contractual relationship is terminated on a regular or extraordinary basis. As part of this process, we will also contact you if necessary to discuss the arrangements for the end of the agreement with you.
  • Cooperation with dealers: Alphabet will work with the relevant dealer who may be servicing you as part of the contracting process, contract management and support for you. In addition, your dealer may also accompany you as part of the contract termination (end of term). You may be contacted by your dealer. The dealer will attend to you independently. To ensure optimal customer service, Alphabet shares the necessary data with the dealer as part of the cooperation.
  • Transfer to third parties in the course of contract initiation: if you use the option of authentication via the so-called video identification procedure or digitally sign your application for a financial product, we will transmit the necessary personal data to the operators of the platforms used for these processes.
  • Transmission to cooperation partners for optional contract components: for certain optional contract modules such as fuel management, workshop service, tyre service, Alphabet works with cooperation partners. For example, for customers with the “fuel management” contract module, data is transferred to our cooperation partners (these are named in the application for your leasing product when booking the individual contract module) in order to be able to provide the fuel card required for fuel invoicing. In addition, for example, there are also cooperations with insurance partners (these are specifically named in the application for your leasing product in the case of an insurance package) to whom we transfer personal data to the extent necessary for this purpose for the implementation of the selected contract modules. If you are unable to identify the cooperation partners to whom we transfer data in your specific case, we will be happy to help you if you contact us.

Consent-based processing purposes

In some areas, we process your data on the basis of your given consent to the processing.

  • Market research: in order to be able to offer our customers interesting and sought-after offers, we conduct research on the requirements of our customers. For example, this also includes studies on the satisfaction of our customers with our services. In the course of these market research activities, we only process anonymised and aggregated data as far as possible, unless you have explicitly consented to a personal evaluation.
  • Advertising and marketing: if we have your express prior consent, we will process your data for direct marketing purposes, which require consent.
  • Transfer of personal and contractual data to Group companies for marketing purposes: in the event that you have consented to the transfer of personal and contractual data, we will transfer such data to the Group companies listed in the declaration of consent to the extent specified there. Based on this consent, the companies mentioned may contact you for marketing purposes and send you product information.

Processing purposes for the fulfilment of legal obligations

We are subject to a wide range of legal obligations. In order to comply with them, we process your personal data where necessary. 

  • Credit check: in the course of the application and monitoring of lease agreements, we need to process personal data to determine creditworthiness for the purpose of risk management. Different methods are used to determine the creditworthiness. When scoring, we use relevant information that we have about you or that you have provided to us, taking into account the statutory provisions. Important data generally taken into account in our scoring procedures as well as in different ways depending on the legal form of the customer are:
    • Economic situation, e.g., income and expenditure
    • Experience gained from a previous business relationship, e.g., your payment behaviour
    • Information from credit institutions, e.g., your other payment obligations
    • Contractual data, e.g., leasing rate

       
  • We evaluate the above information and other information and incorporate such information with different weightings into a common numerical value. The numerical value is called a “score” and indicates how likely it is that payment obligations can be complied with. The score is partly determined in an automated process. This score helps us in deciding whether to agree to the lease application and how it can be structured. In scoring, no decision is made based on individual pieces of information; rather, it is always the combination of all the underlying factors that is decisive. Scoring enables us to make an objective credit rating decision. It ensures that we assess each leasing request according to the same standards. In order for the scoring criteria to remain meaningful, accurate and up-to-date, we constantly review and improve the procedures. Thus, scoring is a living system that enables us to make a neutral and reliable decision. If customers receive a rental vehicle in individual cases within the framework of the lease agreement, it is in the legitimate interest of Alphabet to check the creditworthiness of its customers in advance. Alphabet therefore uses the creditworthiness information already determined in the course of the leasing transaction.
  • Prevention of and defence against criminal acts: Alphabet is also required by law to take internal security measures to prevent criminal acts within the meaning of the Consumer Credit Act and to carry out sanctions list checks. In this context, we process personal data and, if necessary, transmit it to public authorities.
  • Purpose of data security: our legal obligations to ensure the security of your data are very important to us. If necessary, we also process your data as part of measures to verify and ensure data security, for example as part of a simulated hacker attack.
  • Legal obligations and legal defence: Alphabet is subject to a variety of other legal obligations, such as with respect to financial market supervision. In order to comply with these obligations, we process your data to the extent required and, if necessary, disclose such data to the responsible authorities as part of legal reporting requirements. If necessary, we process your data in the event of a legal dispute if the legal dispute requires the processing of your data.

Processing purposes on the basis of legitimate interest

We process some of your data to safeguard legitimate interests, unless your interests take precedence.

  • Advertising and marketing: we use your data for direct advertising purposes that do not require explicit prior consent, as well as for marketing measures. In this context, we also process your data to inform you about our offers that may be of interest to you and to contact you via various communication channels.
  • Business intelligence and reporting: in order to continuously improve our products and services, we carry out certain automated analyses based on contract information and create reports. On the basis of these evaluations, we, for example, derive new products or measures to improve customer processes. In line with sales management, we generally create the previously described evaluations and reports in aggregated and anonymised form.
  • Administrative tasks within the BMW Group: Alphabet is a BMW Group company. We process some of your data in order to keep the administration of the various companies within the BMW Group as efficient and successful as possible. This applies, for example, to joint consolidated accounting according to international accounting regulations for companies (such as the International Financial Reporting Standards – IFRS) or the subsidisation of some lease agreements by BMW AG.
  • Incentives management for salespeople and dealers: to offer the BMW dealer and the dealer’s sales staff a certain incentive to sell products from Alphabet and its partners, such as for the conclusion of leasing or rental services or additional products, Alphabet uses the incentive platform operated by BMW Financial Services. It primarily serves to incentivise the salesperson at the dealer on the basis of a defined points system as well as in the form of non-cash rewards or prizes for this sales performance, i.e. to set sales incentives for the salespeople. The incentives are based, among other things, on contract information on active customer contracts to the extent necessary for this purpose.
  • Use in the course of the IT change management process: we are constantly improving our system landscape. On the one hand, we do this in order to meet new regulatory requirements and, on the other hand, to make the contractual relationship as comfortable as possible for you by continuously optimising our systems for you. In this context, we may process your personal data in the course of cross-functional integration tests in order to ensure data integrity within our application.
  • Provision of positive data to credit agencies: positive data is also transmitted to credit agencies during the contractual relationship. Among other things, this includes personal data concerning the modification, proper implementation and termination of a contractual relationship with a financial risk of default.
  • Provision of negative data to credit agencies: if the legal requirements for the transmission of claims-related data are met, we may transfer personal data to credit agencies in the event of an expected default in payment.
  • Vehicle location of BMW and Mini: in the cases described below, we reserve the right to obtain and process technical data from the vehicle and BMW AG data for the purpose of vehicle location and to use such data for the purpose of executing the contract. In the case of lease agreements, a vehicle location may take place if the lease agreement has been terminated and the vehicle has not been released to Alphabet Fleet Management Ltd after unsuccessfully setting a deadline. In addition, any vehicle location requires evidence of criminally relevant conduct. This also serves our legitimate interest in seizing vehicles that are our property and for which there are indications of criminal conduct.

How long do we keep your data?

In accordance with Article 6 FADP, we will keep your data only for as long as necessary for the respective purposes for which we process your data. If we process data for multiple purposes, such data will be automatically erased or stored in a format that does not allow for direct conclusions about your person once the final specific purpose has been completed. To ensure the erasure of all your data in accordance with the principle of data minimisation, BMW has put in place an internal erasure concept.

How do we protect your personal data? (Articles 7 and 8 FADP)

We use a variety of security measures, including state-of-the-art encryption and authentication tools, to protect and maintain the security, integrity and availability of your data. Full protection against unauthorised access cannot be guaranteed for data transmissions over the Internet or a website, but we and our service providers and business partners make every effort to safeguard your personal data in accordance with applicable data protection regulations through state-of-the-art physical, electronic and procedural security measures. Among other things, we use the following measures:

  • Strict criteria for the right to access your data according to the need-to-know principle (limited to as few people as possible) and only for the stated purpose
  • Transfer of collected data exclusively in encrypted form
  • Storage of confidential data, such as credit card data, exclusively in encrypted form
  • Firewall protection of IT systems for protection against unauthorised access, e.g., by hackers
  • Permanent monitoring of access to IT systems to detect and prevent the misuse of personal data

If you have obtained a password from us or have created one yourself that gives you access to certain areas of our website or to other portals, apps or services that we operate, you are responsible for keeping this password secret and for following all other security procedures, about which we will keep you informed. In particular, we ask that you do not share your password with anyone.

Who will we share your data with?

For the purposes described in this data protection information, we will share your data with third parties outside Alphabet. When transferring your data, we will always take appropriate steps to ensure the processing, protection and transfer of your data in accordance with the applicable legal requirements.

Data transfer within BMW Group Financial Services

In principle, your personal data will remain with Alphabet wherever possible. In this respect, we also observe the principle of data economy. However, Alphabet is part of BMW Group Financial Services (hereinafter referred to as “BMW FS”) that has more than 50 companies worldwide. Your data will therefore be transmitted in individual cases to one or more subsidiaries of BMW FS or the BMW Group. Such a transfer is considered in particular in the context of the facts described below:

  • If you have previously given us your explicit consent to share your data with other BMW FS or BMW Group companies for advertising or marketing purposes.
  • As a matter of principle, we only report anonymised or aggregated data to BMW AG and BMW FS. However, it may happen that individual contract-related information and/or chassis numbers are transmitted in such an internal report.

Data transfer within the BMW Group

Alphabet, as part of BMW FS, is also part of the BMW Group. In some cases, we will send your data to other companies of the BMW Group, which process your data completely on our behalf and according to our instructions. Such cases of order processing exist, for example, with BMW Group IT of BMW AG. If necessary, we will also transfer your data to other companies of the BMW Group that process such data in their own capacity as data controllers. Such data transmission may occur, for example, under the following circumstances and for the following purposes:

  • If you have previously given us your explicit consent to share your data with other BMW Group companies for advertising or marketing purposes.
  • In the course of Group reporting, we transmit data to BMW AG where applicable, e.g. in the case of leased vehicles, we transmit accounting-relevant information on the respective chassis numbers to BMW AG when assessing the residual values.

Data transfer to authorised dealers of Alphabet

Alphabet will provide access to certain data over the term of the contract to your authorised dealer through whom you are transacting the end user contract. Your dealer receives an access right, in particular for the purposes of your personal support as a customer and for the execution of your contract until the end of the relationship. In this context, the authorised dealer assumes the following tasks in particular, but not exclusively: please note that this is not a complete or exhaustive list of the data transmission processes within the BMW Group, but merely lists examples that are intended to make data transmissions more transparent.

  • Financial product brokerage and application preparation (leasing, financing, insurance);
  • Legitimation in accordance with the Anti-Money Laundering Act;
  • Support for claims management (vehicle);
  • End-of-term (vehicle return, vehicle sales).

Data transfer to other third parties

In the context of legal information and reporting obligations, we may also transfer your data to other third parties such as external service or IT providers, payment service providers, external consultants or cooperation partners. Alphabet will ensure that these third parties guarantee the confidentiality of your data.

Data transfer to countries outside Switzerland/EU

If the data processing described in this Privacy Policy are processed in countries outside the EU or the European Economic Area (“EEA”), Alphabet will ensure the processing of your data in accordance with European data protection standards. Where necessary, we will use data transfer agreements based on the EU standard contractual clauses or other data protection permission schemes, including appropriate technical and organisational measures to protect the transferred data, to ensure the security of data transfers to recipients in third countries outside the EU or EEA.

Contacting us and your data protection rights

If you have any questions regarding the use of your personal data by us, it is best to first contact Alphabet Customer Service – either by sending an email to contact@alphabet.ch or by calling +41 058 269 65 67 (Monday to Friday from 8.00 a.m. to 12 noon/1.00 p.m. to 5.30 p.m.).

Alphabet Customer Service can also forward your request to the responsible data protection officer.

As the data subject affected by the processing of your data, you may assert certain rights against us under the FADP and other relevant data protection regulations. The following section contains explanations about your rights under the FADP. Depending on the nature and scope of your request, we will ask you to address it to us in writing.

Data subject rights

According to the FADP, you are entitled to the following rights vis-à-vis BMW in particular as the data subject:

Right to information (Article 25 FADP): you may request information from us about your data that we keep about you at any time. This information includes, among other things, the categories of data we process, the purposes for which we process them, the origin of the data if we have not collected them directly from you and, if applicable, the recipients to whom we have transferred your data. You can obtain a free copy of your data from us. If you are interested in further copies, we reserve the right to charge you for further copies.

Right to data disclosure (Article 28(1) FADP): you can request that we hand over your personal data that you have disclosed to us in a standard electronic format if the data is processed automatically; and the data is processed with your consent or in direct connection with the conclusion or performance of a contract between BMW (Switzerland) and you.

Right to object (Article 28(2) FADP): in addition, you may request that we transfer your personal data to another controller if the conditions referred to in paragraph 1 are met and that this does not require disproportionate effort.

Right to rectification (Article 32(1) FADP): you may request that we correct your data. We will take reasonable steps to ensure that your data that we have about you and process continuously are accurate, complete and up to date, based on the most up-to-date information we have.

Right to erasure (Article 6(5) and/or Article 32(2)(c) FADP): you may request that we erase your data, provided that the legal requirements for this are met. This may be the case, for example, if:

  • the data are no longer required for the purposes for which they were collected or otherwise processed;
  • you withdraw your consent, which is the basis of data processing, and there is no other legal basis for the processing;
  • you object to the processing of your data and there are no overriding legitimate reasons for the processing, or you object to the processing of data for direct marketing purposes;
  • the data processing has been unlawful; unless processing is necessary
  • to ensure compliance with a legal obligation that requires us to process your data;
  • in particular with regard to statutory retention periods;
  • to assert, exercise or defend against legal claims.

Right to object (Article 30(2)(b) FADP): you may object to the processing of your data at any time for reasons that arise from your particular situation, insofar as the data processing is based on your consent or on our legitimate interests or those of a third party. In this case, we will no longer process your data. The latter does not apply if we can prove compelling legitimate reasons for the processing that override your interests or if we need your data to assert, exercise or defend against legal claims.

Deadlines for complying with data subject rights

We endeavour to comply with all enquiries within 30 days. However, this period may be extended for reasons relating to the specific data subject right or due to the complexity of your request.

Restriction of information when satisfying data subject rights (Article 26 FADP)

In certain situations, we may be unable to provide you with information about all of your data due to legal requirements. If we have to reject your request for information in such a case, we will also inform you about the reasons for the rejection.

Complaint

Alphabet takes your concerns and rights very seriously. However, if you believe that we have not adequately complied with your requests or concerns, you have the right to lodge a complaint with the company data protection officer of Alphabet.