Privacy Statement BMW Financial Services Nederland B.V.

BMW Financial Services Nederland B.V. (trading under the name Alphabet) is a service provider in mobility solutions. In that capacity, we process personal data. Most of the data we process concerns the provision of our mobility solutions to customers. For example, the option to lease a car, LCV or even a bicycle, but also to provide a mobility card and car rental. As part of this process, we receive and process personal data. This includes, for example, data of customers (employers), their employees and company directors and/or representatives of (potential) business partners. In the case of B2E (Business to Employee) and private lease, we also process data of our customers. This Privacy Statement applies to personal data we receive from and about these individuals.

The processing of your personal data starts as early as the acquisition process for the leased vehicle, the issuing of an offer for the leased vehicle and the decision to order/accept the relevant leased vehicle. We obtain personal data for this purpose from your employer or from yourself as an employee/private lease customer. This is followed by numerous other moments in which personal data is processed. For example, if your vehicle is involved in an accident, if damage needs to be repaired or if we receive traffic fines for your vehicle. We also process your personal data for our additional services, such as providing a fuel card, mobility card, breakdown assistance and car rental.

We understand that the use of your personal data requires your trust. That is why we will use the highest possible data privacy standard and we will only use your data for clearly described purposes and in accordance with your data privacy rights.

In the sections below, this Privacy Statement describes how Alphabet collects, processes, and uses the personal data of its (potential) customers and users of our mobility solutions.

Changes to the Privacy Statement

Alphabet may change this Privacy Statement (last update 1st January 2022). We recommend that you consult this Privacy Statement periodically, and whenever you provide personal data to Alphabet (again). When Alphabet makes an important change that has consequences for the processing of personal data by Alphabet, Alphabet will inform you of this by means of a notification on our website.

BMW Financial Services Nederland B.V. (trading under the name Alphabet) has its registered office at Takkebijsters 59, 4802 HW Breda is the data controller of your personal data.

Alphabet has second-hand car branches in Breda, Zwolle, and Amsterdam (Alphabet Occasions). Alphabet also has several rental branches in Amsterdam, Breda, Den Bosch, The Hague, Eindhoven, Nieuwegein, Rotterdam and Zwolle. Furthermore, Alphabet operates a collection centre in Breda for the collection of all leased vehicles for which the lease term has ended.

Alphabet is part of the BMW Group AG. We may share your personal data within the BMW Group. Alphabet International is the parent company of Alphabet. We can also share your data with this entity.

Alphabet is responsible for all your personal data processed through the website www.alphabet.com/nl-nl / www.alphabet.com/en-nl / www.alphabetonline.nl / www.alphabetprivatelease.nl/ / www.alphabetprivatelease.nl/autoweek / www.alphabetoccasions.nl / www.hoeomtegaanmetdewltp.nl / https://www.alpharent.com/nl / www.mijnschademelding.nl / www.alphabet.career.emply.com, corporate carsharing websites, our customer portal My Alphabet and our mobile application AlphaGuide.

Alphabet will process your personal data if it is transferred by Sales Partners and Service Partners such as service stations, breakdown assistance, dealerships. The Sales Partners and Service Partners are responsible for the processing of personal data provided by you in connection with the provision of services. Alphabet may also provide your personal data to a Sales Partner or Service Partner. In addition, a Sales Partner or Service Partner may collect other personal data. We recommend that you consult the Privacy Statement of the relevant Sale Partner or Service Partner before providing your personal data.

Alphabet may collect the following data from you:

  • Contact details: Last name, first name, address, telephone number, email address (and if applicable employer);
  • Interests: Information you have provided about interests, e.g. in vehicles;
  • Other personal data: Information you have provided, such as date of birth, gender, education, household size or professional situation;
  • Contractual data: Customer number, contract number, lease amount, VIN number, registration number, start and end date of contract;
  • Data related to your online account: Account information in customer portal (My Alphabet) and payment details you have set up (e.g. bank account number);
  • Use of website and communication: Information about how you use the website and whether you open or forward our messages, including data collected through cookies. You can find more information about Cookies in our Cookie Statement.
  • Transaction and interaction data: Maintenance data, fuel consumption (in case of a fuel card), damage data, information about purchases of products and services, interaction with the drivers desk and/or sales support (your requests and complaints) and (sales) partners and dealerships, as well as participation in market surveys;
  • Data related to the verification of your creditworthiness and identity[1]: Data to determine your identity (e.g. driver’s license), regarding creditworthiness data such as a pay slip, IBAN data; information about fraud, criminal offences, suspicious transactions, information about PEPs and sanction lists containing your data.
  • Data related to the use of Alphabet Apps and services: Data about your use of Alphabet apps (on your mobile phone) AlphaGuide/AlphaCity
  • Technical data of the vehicle: Data created and/or processed in the vehicle used by you. To protect the privacy of our customers, the processing of technical data is generally specific, with no direct reference to the customer.
  • Online (third-party) services: If your vehicle is connected to a mobile phone network, data may be exchanged between your vehicle and other systems. The connection to the mobile phone network is facilitated by the vehicle’s own transmitter and receiver or a mobile device (such as a smartphone) that you take with you in the vehicle. Online functions may be used over this mobile telephone network. This includes online services and applications/apps provided by the manufacturer or other providers. If you use these services, they are the responsibility of the respective provider and are subject to this provider’s data protection conditions and terms of use. Alphabet has no influence on the content exchanged via these services. Information about the nature, scope and purpose of the collection and use of personal data in the context of the third-party service must be obtained from the third party from whom you purchase the service.
  • Data for vehicle location determination: Data about the location of your vehicle or mobile device. If applicable, Alphabet may receive this personal data and use this personal data in accordance with the detailed descriptions of the respective services and the security measures for location data.

Alphabet does not have access to the operational data in the vehicle, data related to comfort (e.g. seat and steering wheel position) and infotainment. If you would like to consult this information, please contact your vehicle’s make. For contact details, please refer to the respective Privacy Statement of the car makes in question.

[1] For our mobility solution Private Lease we use EDR Credit Services B.V. for financial check and acceptance; for more information about data collection by EDR see Alphabet Private Lease.

Alphabet may collect the following data from you:

  • Contact details: Last name, first name, address, telephone number, email address (and if applicable employer);
  • Interests: Information you have provided about interests, e.g. in vehicles;
  • Other personal data: Information you have provided, such as date of birth, gender, education, household size or professional situation;
  • Contractual data: Customer number, contract number, lease amount, VIN number, registration number, start and end date of contract;
  • Data related to your online account: Account information in customer portal (My Alphabet) and payment details you have set up (e.g. bank account number);
  • Use of website and communication: Information about how you use the website and whether you open or forward our messages, including data collected through cookies. You can find more information about Cookies in our Cookie Statement.
  • Transaction and interaction data: Maintenance data, fuel consumption (in case of a fuel card), damage data, information about purchases of products and services, interaction with the drivers desk and/or sales support (your requests and complaints) and (sales) partners and dealerships, as well as participation in market surveys;
  • Data related to the verification of your creditworthiness and identity[1]: Data to determine your identity (e.g. driver’s license), regarding creditworthiness data such as a pay slip, IBAN data; information about fraud, criminal offences, suspicious transactions, information about PEPs and sanction lists containing your data.
  • Data related to the use of Alphabet Apps and services: Data about your use of Alphabet apps (on your mobile phone) AlphaGuide/AlphaCity
  • Technical data of the vehicle: Data created and/or processed in the vehicle used by you. To protect the privacy of our customers, the processing of technical data is generally specific, with no direct reference to the customer.
  • Online (third-party) services: If your vehicle is connected to a mobile phone network, data may be exchanged between your vehicle and other systems. The connection to the mobile phone network is facilitated by the vehicle’s own transmitter and receiver or a mobile device (such as a smartphone) that you take with you in the vehicle. Online functions may be used over this mobile telephone network. This includes online services and applications/apps provided by the manufacturer or other providers. If you use these services, they are the responsibility of the respective provider and are subject to this provider’s data protection conditions and terms of use. Alphabet has no influence on the content exchanged via these services. Information about the nature, scope and purpose of the collection and use of personal data in the context of the third-party service must be obtained from the third party from whom you purchase the service.
  • Data for vehicle location determination: Data about the location of your vehicle or mobile device. If applicable, Alphabet may receive this personal data and use this personal data in accordance with the detailed descriptions of the respective services and the security measures for location data.

Alphabet does not have access to the operational data in the vehicle, data related to comfort (e.g. seat and steering wheel position) and infotainment. If you would like to consult this information, please contact your vehicle’s make. For contact details, please refer to the respective Privacy Statement of the car makes in question.

[1] For our mobility solution Private Lease we use EDR Credit Services B.V. for financial check and acceptance; for more information about data collection by EDR see Alphabet Private Lease.

Alphabet will only process your personal data if this is necessary for our services. We are processing your personal data in the following cases:

  • To enter into or perform the agreement with you or your employer;
  • Because we have obtained your consent to do so;
  • Because we (or a third party) have a legitimate interest for doing so; (only applicable if your interests do not outweigh ours in individual cases);
  • Because we are legally obliged to do so;
  • Because this is necessary for your vital interests.

The personal data collected to enter into or perform an agreement or to provide services are processed for the following purposes:

Processing purposes (include)

Contract

  • To assess your creditworthiness[1];
  • To deliver a mobility solution;
  • For the correct handling of repairs, maintenance and tyre changes in accordance with the agreement.
  • Research and development of our products and services to provide even better services;

Consent

  • Marketing use – to promote Alphabet services and to share news and offers with you and to adjust them to your profile;
  • Research and development of our products and services to provide even better services through surveys;
  • All uses for which we need your consent are listed in your dashboard in My Alphabet; you can change your preferences there as well.

Legitimate interest

  • To prevent fraud and criminal activity - to protect our organisation and society from crime and its consequences.
  • Research and development of our products and services to provide even better services through surveys;

Legal obligation

  • To respond to binding requests from authorities or regulatory parties.

Vital interest

  • In the context of breakdown assistance.

Below we indicate for each mobility solution or service which personal data is processed and which third parties may be involved:

Alphabet’s mobility solutions and your personal data

Operational Lease (general)

This may concern the operational leasing of a car, but also an LCV, an Alphabet Bike (folding bike) or scooter or motorbike. The customer pays an agreed monthly amount (which includes the lease period and the number of kilometres driven). A full operational lease includes operational costs, such as maintenance, repairs, insurance, replacement/change of tyres, etc.

If you purchase this mobility solution, we will process the following personal data about you:

About the customer (employer): Name and address of the company, telephone number of the company, email address of the company, Chamber of Commerce number and bank account number, initials and last name, email address and telephone number of contact persons, board members and/or authorised signatories: Name, date of birth, address and place of residence, telephone number, driver’s licence number; we use the personal data to contact you about our agreement with you, about the underlying individual lease contracts and to verify signing authority.

About the driver of the vehicle: Initials and last name of the driver, gender (optional), date of birth, address and place of residence, mobile phone number, email address (business and/or private), cost centre, personnel number, business or private use, lease category, date of entry into service and date of termination of employment, start date of the lease scheme, distribution of annual kilometrage, as well as the registration number of your leased vehicle.

Sharing with third parties:

Personal data such as name, address and place of residence, mobile phone number, email address, employer, registration number and lease contract are shared with dealers/vendors for the delivery of your vehicle/LCV/bicycle.

Basis for processing:

We use this personal data for the performance of our lease contract with you, to submit reports to your employer, as well as to comply with our statutory reporting obligations to the tax authorities.

Alphabet Share

"Alphabet Share" is Alphabet’s Corporate Car sharing product, which makes car sharing for your company simple and efficient. Employees can book an "Alphabet Share" car at any time and can access the car via an application of our partner, Skopei, through the platform called "Topology". Key registration and other administrative actions associated with this process have been automated. All activities are fully managed by Alphabet.

If you use this mobility solution, we will process the following personal data about you:

About the customer (employer): Contact details of the company, telephone number of the company, email address of the company, VAT number and bank account number, first and last name, email address and telephone number of contact persons.



About board members and/or authorised signatories: Name, email address, telephone number and ID data; we use the personal data to contact you about our collaboration and to verify signing authority.

About the driver of the vehicle: Name, first name, date of birth, address details, mobile phone number, email address (business), cost centre, personnel number, photo, driver’s licence number, as well as vehicle data such as registration number and VIN number.

During the use of an AlphaCity vehicle, the time of departure, arrival and kilometres driven are recorded. Location data can be retrieved and can only be requested by the user for rides registration purposes.

Basis for processing:

We use this personal data to record your booking in the system, to process our contractual agreements with the customer (your employer) and to generate management reports. In doing so, we will, of course, handle privacy-sensitive data such as location data with care (see also Security measures and location data).

AlphaElectric

AlphaElectric is an all-round eMobility solution. Alphabet analyses the profile of the customer’s fleet and advises which electric vehicles and charging stations/infrastructure are most suitable. In addition, Alphabet defines various options for implementing eMobility. Customers may opt for a flexible combination of additional mobility solutions such as a charging card (for public charging stations), workshop service, tyre service, a practical app to find charging stations and a 24-hour eMobility hotline.

If you use this mobility solution, we will process the following personal data about you:

About the customer (employer): Contact details of the company, telephone number of the company, email address of the company, VAT number and bank account number, email address and telephone number of contact persons, board members and/or authorised signatories: Name, email address, telephone number. We use this personal data to contact you and to verify signing authority.

About the driver of the vehicle: Name, gender (optional), date of birth, address details, mobile phone number, email address (business and/or private), cost centre, personnel number, as well as vehicle data such as registration number and VIN number.

Sharing with third parties:

We may share personal data such as name and email address (if applicable) with a third party who will install a charging station at your site. We have concluded an agreement with them to this effect.

Basis for processing:

We use this personal data for the performance of our contract with you.

AlphaFlex

This mobility solution gives you (via your employer) the flexibility of a monthly budget. It allows you to select how you want to travel, e.g. by public transport, bicycle or, if you prefer, in a leased vehicle. The mobility budget shifts along with the need for transportation, ensuring flexibility and efficient use of vehicles. Moreover, charges are only paid for the actual use.

If you use this mobility solution, we will process the following personal data about you:

About the customer (employer): Contact details of the company, telephone number of the company, email address of the company, VAT number and bank account number, first and last name, email address and telephone number of contact persons. About board members and/or signatories: Name, email address, and phone number. We will use this personal data to contact you and to verify signing authority.

About the mobility user: First and last name, gender (optional), date of birth, address and place of residence, mobile phone number, email address (business and/or private), cost centre, personnel number. Vehicle data such as the registration number and VIN number will also be added in case of use of a leased vehicle.

Sharing with third parties:

We may share certain personal data such as company contact details and first and last names with external suppliers of mobility cards engaged by us. For more information about this, please contact the relevant mobility card issuers.

Basis for processing:

We process this personal data for the performance of our contract with you.

AlphaRent

Alphabet also offers the possibility of renting a leased vehicle, in combination with other products or otherwise.

If you use this mobility solution, we will process the following personal data about you:

About the customer (employer): Contact details of the company, telephone number of the company, email address of the company, VAT number and bank account number, email address and telephone number of contact persons, board members and/or authorised signatories: Name, email address, telephone number. We use this personal data to contact you and to verify signing authority.

About the driver of the vehicle: Name, gender (optional), date of birth, mobile phone number, email address (business and/or private), cost centre, personnel number, as well as vehicle data such as registration number and VIN number.

Sharing with third parties:

We may share personal data such as customer contact details (employer), first and last name and address details of the driver of the vehicle with external rental companies that are engaged by us for rental (and possibly to be able to deliver a rental vehicle).

Basis for processing:

We process this personal data for the performance of our contract with you.

AlphaGuide

AlphaGuide is a smartphone app for Alphabet leased car drivers or users of other Alphabet services. The app provides a number of useful services related to their mobility, such as a digital green card, kilometrage registration, helping to find service partners, access to contract data as well as direct access to the 24/7 driver helpdesk.

If you use this mobility solution, we will process the following personal data about you:

About the user: Contact details - Name, first name, email address, mobile phone number, Contract data - registration number, VIN number; Location details - your location of the accident in case of damage reports and SOS notifications; Other data - such as app identification, usage behaviour (page visit, clicks) collected by Flurry Analytics on behalf of AlphaGuide.

Basis for processing

The basis for this processing is performance of a contract, consent, legitimate interest and vital interest.

Alphabet Occasions

You can view the used cars offered by Alphabet on the website Alphabet Occasions. Personal data is used as part of sales processes to manage purchasing agreements and to transfer information to you relating to the purchase of your vehicle.

If you use this mobility solution, we will process the following personal data about you:

If you want to buy a used car/take a test drive: First name, last name, contact details, telephone number and mobile phone number and driver’s licence number.

If you use the financing option: Name, telephone number and/or email address. We transfer this personal data to Alphera Financial Services (www.alpherafs.nl), so they can contact you. Alphera Financial Services, just like Alphabet, is 100% part of the BMW Group.

If you want to enter a specific search query on the Alphabet Occasions website: First name, last name, email address and the vehicle requirements you specified. We will use this to help you find the used car you want.

Basis for processing:

The basis for this processing is performance of a contract, consent.

Alphabet Private Lease

Private lease allows you to use a new car for a fixed amount per month. This monthly amount includes most of the costs associated with a car, such as depreciation, repairs, maintenance, tyres, insurance, motor vehicle tax, breakdown assistance and optional replacement transport.

If you use this mobility solution, we will process the following personal data about you:

About the customer/driver of the vehicle: First of all, information about the desired vehicle, your first and last name, address and place of residence, telephone number and email address;

We use this personal data to create an email message in which we confirm your request for a private lease request and explain the next steps.

We then forward the personal data to EDR Credit Services B.V., along with a lease price/lease term calculated by us based on the car selected in the application form.

EDR Credit Services B.V. carries out the financial check and acceptance for us. EDR uses the personal data we transfer to send an email message with a link to the EDR lease portal - in order to upload personal data for this financial check. This testing is subject to final acceptance by Alphabet.

EDR needs the following personal data for the financial check:

  • A copy of the driver’s licence;
  • A copy of registered bank statements of the last 2 months (stating income and living expenses);
  • A copy of two most recent pay slips (in case of paid employment);
  • A positive letter of intent/employer’s declaration in case of temporary employment;
  • A copy of the benefit/pension specification in case of a benefit and/or pension,
  • Recent annual financial statements if self-employed;
  • Proof of other monthly income, if any;
  • Family situation;
  • Financial obligations not reflected in the credit rating (Bureau Krediet Registratie, BKR).

Relevant personal data will be stored in Alphabet’s customer portal at EDR and will not be forwarded to Alphabet.

Subsequently, we will collect the following personal data returned by EDR: Driver’s licence number, date of birth, credit score with the credit registration office (BKR), application status, date of status change, credit score from EDR, advice EDR, disposable income. In addition, we are processing data about your type of contract (make, type of car and lease term) as well as, after entering into a lease contract, vehicle data such as the registration number and VIN number.

About your partner (as cosignatory) / guarantor (if applicable): First name and last name, gender (optional), date of birth, address and place of residence. We process these personal data before final acceptance following the EDR testing and before concluding the lease contract with you.

Sharing with third parties:

Personal data such as information about the desired vehicle and pre-calculated lease price, your first and last name, address and place of residence, telephone number and email address are shared with EDR Credit Services B.V. as described above;

Personal data such as name, registration and vehicle data from the lease contract are shared with dealers/vendors for the delivery of your vehicle.

As a leasing company, we are required to register the lease contract and your personal data as well as those of your partner and/or guarantor (if applicable) with the credit registration office (BKR) when entering into a private lease contract.

Basis for processing:

The basis for this processing is the performance of our agreement with you and a legitimate interest.

Additional services associated with Operational lease:

Fuel card

If you conclude a lease contract including fuel with Alphabet, you will receive a fuel card. For this, we use brand-specific and non-brand-specific cards.

If you use this product, we will process the following data about you:

About the customer (employer): Contact details of the company

About the driver of the vehicle: First and last name, email address, contract number, personnel number, number of your fuel card, the registration number of your vehicle, date of refuelling, information about the type of fuel, the location of your refuelling, the kilometrage and the associated costs.

We may share this personal data with our customer (your employer) in our customer portal / My Alphabet CRM system. In My Alphabet, reports are made available to your employer detailing the use of these services (except for location data - see ‘How we protect your personal data’); you will also be able to consult the data relating to your refuelling in My Alphabet.

Sharing with third parties:

We share data such as company contact details, first and last name mobility user with external suppliers of fuel cards. They are responsible for processing transaction data via the fuel card. For more information, please refer to the relevant fuel card suppliers.

Basis for processing:

The basis for this processing is performance of a contract.

Mobility Card

The Alphabet Mobility Card allows your employer to enable you to use public transport (train, taxi, aircraft). This card also serves as a fuel card. The Alphabet Mobility Card is offered by Alphabet in collaboration with third parties. By using the card, all mobility costs are made transparent. A budget can be set per employee and services on the card can be switched on or off in a modular way. All transactions are made with the Alphabet Mobility Card and declarations/receipts are no longer required.

If you use this mobility solution, we will process the following personal data about you:

About the customer (employer): Contact details of the company, telephone number of the company, email address of the company, VAT number and bank account number, first and last name, email address and telephone number of contact persons. About board members and/or signatories: Name, email address, and phone number. We will use this personal data to contact you and to verify signing authority.

About the mobility user: First and last name, gender (optional), date of birth, address and place of residence, mobile phone number, email address (business and/or private), cost centre, personnel number.

We use this personal information (with the exception of privacy-sensitive information such as location and check-in and check-out times) to process our contractual agreements with your employer. This data will also be processed in management reports for your employer. You can consult this information as a user of My Alphabet.

Sharing with third parties:

We share data such as company contact details, first and last name mobility user with external suppliers of mobility cards. They are responsible for processing transaction data via the mobility card. For more information about this, please refer to the relevant mobility card issuers.

Basis for processing:

The basis for this processing is performance of a contract.

NS Business Card

The NS Business Card allows you to use the public transport facilities of Netherlands Railways (NS).

If you use this mobility solution, we will process the following personal data about you:

About the customer (employer): Contact details of the company, telephone number of the company, email address of the company, VAT number and bank account number, email address and telephone number of contact persons, board members and/or authorised signatories: Name, email address, telephone number. We will use this personal data to contact you and to verify signing authority.

The mobility user: Name, address, place of residence, date of birth, passport photo, location data, check-in and check-out times and other travel information.

We process this personal data so that we are able to order the card for you from NS and in order to report on our contractual agreements with your employer regarding the use of this card. In the reports to our client (your employer) we take the processing of privacy-sensitive personal data such as location data and times into account (if possible).

Basis for processing:

The basis for this processing is performance of a contract.

Maintenance and repair

We also use your personal data to inform you about the maintenance and repair of your vehicle.

When performing this mobility solution, we will process the following personal data about you:

About the driver of the vehicle: First and last name, address, email address, account details (customer number, registration number, bank details)

Service partners who service your vehicle can access the registration number, first name and last name on a secure portal. It is possible that you provide further information (personal data) to a service partner (service station/bodyshop) during your visit. Alphabet has no access or control over this personal data.

As part of maintenance and/or repair work and/or services at service stations and dealerships authorised by Alphabet, special diagnostic units are used to read out technical data relating to vehicle servicing from the electronic control units with which the vehicle is equipped. This personal data is processed in the service station and used by technicians trained in diagnostics and repair of any faults. This technical data with regard to the vehicle mainly consists of:

  • Basic data of the vehicle (such as vehicle identification number, type of vehicle, year of manufacture, vehicle equipment);
  • Data about the condition of the vehicle (measured values, such as kilometrage);
  • Entry into the error memory (such as failure of the turn signal indicator);
  • Maintenance and workshop data (such as maintenance requirements, work performed, parts installed, warranty cases, workshop reports).

Basis for processing

The basis for this processing is performance of a contract and legitimate interest.

Damage and accident reports/Insurance

In the event of damage to your vehicle as a result of a collision or otherwise, or when reporting an accident in which your leased vehicle is involved, you can contact us (or we will contact you) to arrange for the repair of this damage or any alternative transport and the related settlement with the insurance company or repairer.

When performing this mobility solution, we will process the following personal data about you:

About the customer (employer): Name and address of the company, telephone number of the company, email address of the company, Chamber of Commerce number and bank account number, initials and last name, email address and telephone number of contact persons.

About the driver of the vehicle: Your initials and last name, contact details, date of birth, vehicle details (registration number, make, model, etc.), details of the accident, any photographs of the damage/accident, number of occupants (if relevant), any information from witnesses (if applicable) and any other information we receive from you about the damage and/or accident (information about injured persons).

We share this personal data with the insurance companies concerned, subject to the agreements made with the customer about the applicable insurance.

We may also process personal data from third parties involved in the damage or accident, such as the identity of these third parties. We may also process information about witnesses, passengers involved, personal data from the police (such as official reports and witness statements) and insurance data about the damage and/or accident, including information and damage claims from third parties.

We share this personal data with our customer (your employer) in reports. We also share this personal data with body repair companies, insurance companies (both our own insurance company and those of third parties) and, if necessary, with (damage) experts involved in the settlement of the damage and/or accident.

Basis for processing:

The basis for the processing of this personal data is performance of a contract, legal obligation and legitimate interest.

Breakdown Assistance

When your vehicle breaks down during your journey, including a flat tyre or other technical problem, you can contact us for help.

For the performance of this mobility solution, we will process the following personal data about you:

About the driver of the vehicle: Your name and address, the registration number and VIN number, car make and model, the location of the breakdown and where assistance was provided.

Use of third parties:

For the performance of this service, we use third parties (such as emergency services, towing services or roadside assistance services), with whom we will share the necessary information about your situation. We have made contractual agreements with these third parties to adequately protect your personal data.

Basis for processing

The basis for this processing is performance of a contract and legitimate interest.

Traffic and parking fines

In the case of an operational lease, Alphabet may be registered as the owner of the vehicle. As a result, traffic and/or parking fines (both at home and abroad) will be directed directly to Alphabet by the authorities that imposed these fines (police, judicial authorities or the municipality).

In order to process and manage the payment of these fines, we process the following personal data and, if necessary, arrange for a refund from our customer (your employer):

Information stated on the fines: Personal data we receive from the Central Fine Collection Agency (CJIB), the police, municipality or foreign authority, such as the registration number, nature of the violation, location and time of the violation and the amount of the fine imposed.

About the driver: First and last name, date of birth and registration number of the vehicle.

We will not report privacy-sensitive personal data (such as the nature, location and time of the violation) in the invoice and statements to the customer (your employer).

However, we will have to share this personal data with our customer (your employer) in certain situations, i.e. in the event of car sharing (several drivers per leased vehicle) or if we do not know who the driver is at the time of the violation.

Basis for processing

The basis for this processing is legal obligation, legitimate interest

Driver training / Fleet management training

At the customer’s request, Alphabet is able to offer driver training or Fleet management training. This is in combination with existing product purchase.

If you use this mobility solution, we will process the following personal data about you:

About the driver of the vehicle: Your name, your e-mail address and possibly your date of birth.

Sharing with third parties:

We share this personal data with the training agency that provides the relevant training.

Basis for processing

The basis for this processing is performance of a contract

Other moments relating to Alphabet/your leased vehicle where Alphabet may process personal data:

My Alphabet

My Alphabet is the Customer Relation Management (CRM) system in which our customer, employees (drivers) and fleet managers can find their personal data. It also contains claim forms, forms to report your damage. Access to this system is obtained with an authorisation login code provided to you. My Alphabet is managed by Alphabet; this site meets the requirements as explained in the section ‘How do we protect your personal data?’.

If you purchase this mobility service, we will process the following personal data about you:

About the customer (employer): Contact details of the company, telephone number of the company, email address of the company, first and last name, email address and telephone number of contact persons.

About the driver of the vehicle: First and last name, gender (optional), date of birth, address details, (mobile) phone number, email address (business and/or private), cost centre, personnel number.

All vehicle-related data such as registration number and VIN number, make and model of car are also recorded here, as well as data that may arise during the course of the contract, such as maintenance data, damage and refuelling.

Basis for processing

The basis for this processing is performance of a contract.

Drivers Desk / Customer Care:

We use your personal data for contract management (such as ordering vehicles, submitting workshop/repair requests and booking certain services) or to handle a request you have submitted (such as a request for a price quote).

With regard to all aspects of contract management or handling a problem, we will contact you without permission, for example, in writing, by telephone, by text message or by email, depending on the preference you indicated.

We will also contact you if your vehicle is affected by a so-called technical campaign or recall (usually measures of great importance to prevent danger to occupants or the vehicle, for example), so that we can comply with our legal obligation to provide information.

We will also contact you in carefully considered cases of promotional communications (e.g. to send the welcome package or to communicate around the end of the lease term and an associated offer) if and to the extent that the requirements set out in applicable privacy legislation are met and if you have not objected to the use of your personal data for these promotional purposes.

Alphabet also processes your personal data on this basis in order to optimise our customer service, e.g. to correctly identify you when you contact us.

Basis for processing

The basis for this processing is performance of an agreement/consent.

Management reports

For the preparation of management reports, we can process personal data for statistical and scientific purposes, in order to improve the quality of our products and services. This processing takes place on an anonymous basis and cannot be traced back to individual persons.

We also supply our customer with basic reports to give the customer insight into the vehicle fleet and possibly generate control information from it; in these reports we will treat privacy-sensitive personal data such as location details and nature of violations in accordance with what is stated in the section ‘How do we protect your personal data?’.

Basis for processing:

The basis for this processing is performance of a contract and legitimate interest.

Compliance with legal obligations imposed on Alphabet

Alphabet will also process personal data if this is a legal obligation. This may be the case, e.g. if we contact you when your vehicle is the subject of a technical campaign or recall.

Personal data collected is also processed for internal management and compliance monitoring purposes, such as checking that our selected service partners meet the requirements set by us.

If required by law, we will transfer your personal data to the authorities (in accordance with the legal obligations to notify).

We will also process your personal data in the event of a legal conflict if that legal conflict requires the processing of personal data.

Basis for processing

The basis for processing this personal data is a legal obligation

Visiting Alphabet sites - Entry check and security

If you visit one of our sites, we may use your personal data to provide you with an access badge, for access checks and to ensure the security of our sites.

The following personal data about you may be processed: Your name, your contact details and the name of the person you are visiting at Alphabet.

Alphabet also relies on camera surveillance; the cameras in question have only been installed for the security of the sites in question; personal data will be used for this purpose only and images from the cameras in question will not be stored for longer than is strictly necessary and in accordance with legal regulations.

Basis for processing:

The basis for processing this personal data is a legitimate interest.

Telephone communication with Alphabet

Alphabet may record telephone conversations and/or store electronic communication.

The following personal data about you may be processed for this purpose: Your name, contact details, telephone number, mobile number, data about your vehicle (including your registration number), other personal data such as data about a dispute, or claim.

Alphabet uses this personal data to evaluate the quality of the service provision, for training, coaching and assessment purposes; for the collection of evidence in disputes and for the investigation and detection of crimes.

Recorded electronic communications may be made available by Alphabet to the authorities or to specific departments within the BMW Group responsible for security matters and/or special employees involved in the enforcement of company rules.

Basis for processing:

The basis for this processing is legal obligation and/or legitimate interest

Communication via email or contact forms

Personal data entered in contact forms, chatbot or via our info e-mail address, or via messages or forms on our official social media channels, are transferred to the competent departments within Alphabet.

Marketing communication and market research

We prefer informing you personally and when it is relevant to you. This information may consist of newsletters, offers, customer satisfaction surveys, or other types of information. There may possibly be benefits for you; that is why we would like to draw your attention to these benefits.

If you have given permission to use your personal data for direct marketing purposes, we can only use your personal data for those specific purposes.

We may ask for your consent to provide information about the following activities:

  • Alphabet events;
  • Discounts or other offers at Alphabet;
  • Alphabet customer satisfaction surveys;
  • New Alphabet products and services;
  • Alphabet newsletter.

You can give your consent in My Alphabet by ticking the appropriate box next to the product information you would like to receive from us. You can also revoke your consent just as easily.

Basis for processing:

The basis for processing your personal data here is legitimate interest and/or consent.

Social media (personalized content)

We process personal data (IP address, social ID and cookie ID) and browsing behaviour in order to be able to offer relevant content based on this data. We also personalize ads via social media, such as Facebook, Instagram, Linkedin and Pinterest. We use custom audiences within social media to do this. These audiences are built based on browsing behaviour on our website and/or interactions with certain previously shown advertisements. We do this to best serve you and provide you with relevant content that suits your interests.

Transfer of personal data within the BMW Group

Alphabet is part of BMW Group. In some cases, after careful verification, we forward your personal data to the BMW Group, which is then responsible for further processing. Such data transfer may occur under the following circumstances and for the following purposes:

  • If you have previously given your explicit consent to share your personal data with other BMW Group companies for promotional or marketing purposes;
  • It is possible that we transfer personal data during group reports; for example, we transfer data for the respective vehicle identification numbers in the case of leased vehicles for the assessment of residual values. To protect your interests additional security measures and controls are implemented where necessary, such as strict restrictions on access to personal data, restrictions on data use, security measures, retention periods, as well as measures to reduce personal data, such as the exclusive collection of relevant personal data;
  • In some cases, it is necessary to process and store your personal data, for example because of a joint consolidated accounting in accordance with the International Financial Reporting Standards (IFRS) for companies.

Basis for processing

The basis for processing here is consent, legal basis and legitimate interest.

Sales compliance – Service and administrative processes of Alphabet

To continuously optimise customer experience and cooperation with partners and customer service, we create assessments and reports based on contract information and share them with the responsible partners. The main purpose of these assessments is to improve application procedures and sales processes. We prepare the reports described above in an aggregated and anonymised format, i.e. the recipients of the reports cannot draw any conclusions regarding you as a person from the data they receive.

Some specific data is also processed - if necessary - in order to comply with the service processes (including repairs, warranty and goodwill). This processing is in Alphabet’s legitimate interest to offer our customers the best possible service processes. To protect the privacy of our customers, the processing of technical data is in general vehicle specific without direct reference to the customer.

Basis for processing

The basis for processing here is legitimate interest.

[1] For our mobility solution Private Lease we use EDR Credit Services B.V. for financial check and acceptance; for more information about data collection by EDR see Alphabet Private Lease.

We implement a range of security measures such as encryption and authentication tools in keeping with the latest technology to protect and maintain the security, integrity and availability of your personal information.

While we cannot guarantee 100% protection against unauthorised access in the case of data transmission over the Internet or a website, we, along with our service providers and business partners, make every effort to protect your personal data in accordance with the applicable data protection regulations by means of physical, electronic and process-oriented security measures in accordance with the current state of the art. The facilities we use include the following:

  • Strict criteria for permission to access your personal data in accordance with the principle of ‘need-to-know’ (limitation to as few people as possible) and only for the specified purposes;
  • Encrypted transmission of collected personal data only;
  • Protection with an IT network firewall to protect against unauthorised access, e.g. by hackers;
  • Permanent monitoring of access to IT systems to detect and prevent misuse of personal data.

If you have received a password from us or created your own password to access certain sections of our website or other portals, apps or services operated by us, it is your responsibility to keep this password confidential and to comply with any other security procedures we may instruct you to follow. We specifically request that you do not share your password with anyone.

Security measures for location data

Some services can only be offered if you disclose your location or the location of your vehicle. We take the confidentiality of this location data extremely seriously.

Your location data (including data that is accessed as part of maintenance work on the vehicle) is therefore protected by the following security measures:

  • The data will only be stored in a form that can be traced back to you or your vehicle to the extent required to fulfil the intended purpose for which storage is required;
  • Personal data is only collected and accessed in this form when required to provide the requested services;
  • Personal data is also collected and accessed in this form to the extent that we are legally obliged to store or transfer the personal data;
  • Personal data used to locate the vehicle and personal data used to locate a mobile device/your mobile device will only be linked if necessary to provide the services requested;
  • Any other use of location data for analysis takes place using data files that have been anonymised in advance.

If it is not necessary for the implementation of our agreement with your employer, we will not transfer location data to your employer.

In accordance with Article 17 GDPR, we store your personal data for as long as required for the purposes for which we process your personal data. If we process personal data for multiple purposes, it is automatically deleted or stored in a format that prevents the personal data from being directly traced back to you as a person once the last task has been performed. To ensure that all your personal data is deleted in accordance with the principle of data minimisation and Article 17 GDPR, Alphabet has developed internal procedures for deletion. The fundamental principles on which your personal data will be deleted are described below.

Use for contractual compliance

To comply with contractual obligations, personal data collected from you may be retained as long as the contract is in force and - depending on the nature and scope of the contract - for 5 to 15 years thereafter in order to comply with legal requirements for retention and to be able to answer any questions or resolve any complaints after the termination of the contract.

Additionally, there are contracts for the supply of products and services that require longer retention periods; see also the section “Use for assessing claims” below.

Use for assessing claims

Personal information that we deem necessary for the assessment and prevention of claims against us, or to institute criminal proceedings or prevent claims against you, us or third parties, may be retained by us for as long as such proceedings could be instituted.

Use for customer service and marketing purposes

Personal data collected about you for customer service and marketing purposes may be retained for a period of 3 to 10 years unless you request the deletion of this personal data and there is no contractual or legal obligation for retention that blocks this request for deletion.

Alphabet is part of the BMW Group. The personal data of Alphabet customers may also be processed for and by other companies associated with BMW AG. Customers may also be contacted for product and service offers from other BMW Group companies, provided the customer has given their consent. Personal data processed by us and/or BMW Group are preferably processed within the EU.

If personal data is processed in countries outside the EU, Alphabet uses standard EU contracts, including appropriate technical and organisational measures, to ensure that your personal data is processed at the same level as under European data protection law.

In some countries outside the EU, such as Canada and Switzerland, the EU has already established a level of data protection comparable to that of Europe. A similar level of data protection means that no special consent or agreement is required for data transfer to these countries.

You can access the personal data we store about you in My Alphabet, our online CRM portal. If authorised, you can also change your personal data there.

You can also view and, if necessary, change your consent for promotional communications, newsletters and other marketing communications.

Please note that the settings for the use of your personal data by service partners cannot be changed in your online account. If you wish to change these settings or if you have any questions about the use of this personal data, you should directly contact the respective service partners.

If you have questions about how we use your personal data, how we treat it or about this Privacy Statement, please do not hesitate to contact our data protection officer (DPO) using the address details below:

Email address: data_privacy@bmw.nl

Your privacy rights:

In accordance with the GDPR, as an individual you have the following rights which you may use in your relationship with us. The next section explains your rights as defined in the GDPR. Depending on the type and scope of your request, we may ask you to submit your request in writing.

In accordance with the GDPR, you, the data subject, in particular, have the following rights with respect to Alphabet:

Right of access and correction (Articles 15 and 16 GDPR)

You can always ask us what personal data we process about you. This information includes the data categories we process, the purposes of the processing, the origin of the personal data (if we have not received it directly from you) and, if applicable, the recipients to whom we have transferred your personal data.

If you would like to have access to the personal data that is processed by Alphabet, we initially refer you to the My Alphabet portal. Here you can consult the personal data we have received from you as well as your personal data concerning your vehicle (such as refuelling, damage and traffic and parking fines).

Insight into settings (consent):

We offer you the option to indicate whether we may use/process your personal data for commercial solicitation (offers) or analysis purposes (surveys). The My Alphabet portal also includes an overview of your recorded preferences. We also offer the option to easily change your previously made settings at any time.

Right to rectification

You can ask us to rectify your personal data. We will take appropriate measures to ensure that the personal data we collect about you is processed correctly and to keep it as up to date as possible, based on the most recent information available to us.

Request for access

If you cannot find the information you are looking for, you can submit a request for access. This information is provided free of charge. If you are interested in additional statements, we reserve the right to charge you for these extra copies.

You can receive this statement by sending a letter to:

BMW Financial Services Nederland B.V.

Attn. Compliance Department/DPO

Takkebijsters 59

PO Box 6890

4802 HW Breda, the Netherlands

Please enclose a copy of a valid legal ID; this must be provided in accordance with the instructions of the national government. (see link below: https://www.rijksoverheid.nl/onderwerpen/identiteitsfraude/vraag-en-antwoord/veilige-kopie-identiteitsbewijs).

Right to erasure (Article 17 GDPR):

You may submit a request that we erase your data. We can only comply with this request if the legal requirements for this are satisfied. This may be the case under Art. 17 GDPR if:

  • Your personal data is no longer required for the purposes for which it was collected or otherwise processed;
  • You withdraw the consent on which personal data processing is based, and there is no other legal basis for processing;
  • You lodge an objection to the processing of your personal data and there are no legitimate reasons for processing, or you object to personal data processing for direct marketing purposes;
  • The personal data was processed unlawfully.

Or if processing is not required

  • To ensure compliance with a legal obligation that requires us to process your data;
  • Especially with regard to statutory retention periods;
  • To establish, exercise or defend legal claims.

Right to block your data / restriction of processing (Article 18 GDPR):

You have the right to request that we restrict/block processing of your personal data if:

  • You dispute the accuracy of the data – in which case processing may be restricted during the time it takes to verify the accuracy of the data;
  • Processing of the personal data is unlawful, and you reject erasure of your data, requesting that its usage be restricted instead;
  • We no longer need your personal data, but you do need this personal data in order to establish or exercise legal claims or to defend against legal claims;
  • You have lodged an objection to its processing, but it has not yet been decided whether our legitimate reasons outweigh yours.

Right to personal data portability (Data portability Article 20 GDPR)

At your request, we will, if technically possible, transfer your personal data to another responsible party or you can obtain certain personal data from us on a transferable data carrier. This right only applies if data processing is based on your consent or is necessary for the performance of a contract.

Right to object (Article 21 GDPR)

You may object to the processing of your personal data at any time for reasons that arise from your particular situation, as long as data processing is based on your consent, on our legitimate interests or those of a third party. In this case, we will cease to process your personal data. The latter does not apply if we can show that there are compelling legitimate grounds for processing that outweigh your interests, or if we need your personal data in order to establish or exercise legal claims or to defend against legal claims.

Timeline to comply with your individual rights

As a rule, we will try our best to comply with your request within 30 days. Nevertheless, this period may be extended for reasons relating to the specific rights of the data subject/depending on the reason underlying a specific individual right or because of the complexity of your request.

Restriction on the provision of information regarding your rights

If you submit a request regarding the exercise of your rights to us, we will let you know as soon as possible if and to what extent we can comply with your request. Please note that in some cases we may refuse this request, for example if you ask us to delete personal data that we still need for tax-related reasons or other legal requirements. If this is the case, we will explain why we cannot fully comply with your request.

Complaint to the Dutch Data Protection Authority

Alphabet is serious about your comments/objections and rights with regard to the processing of personal data. But if you believe that we have not handled your comment or objection properly, you have the right to lodge a complaint with the Dutch Data Protection Authority.

Vehicle localisation

In circumstances where we wish to protect our legitimate interest, where we have exercised our right to terminate the agreement and as a result of omission in relation to any of your obligations under the agreement; or a court order granted to our advantage for the return of the vehicle; then we can enable vehicle localization to locate the vehicle. This is done through the existing in-car functionality. Such vehicle localization systems may involve the processing of your personal information, such as your location or address.