The future of mobility is being shaped by phenomena such as digital networking—from digital production and digital processes through data-driven customer support offers to the driving experience. Extensive user data is collected for these purposes. Consequently, the responsible handling of collected data and the optimal protection of customers’ personal data are a high priority for the Porsche AG Group. The Porsche AG Group believes that the digital self-determination of its customers is of immense importance to the success of the company in the digital era. In the future, after all, customers will measure their freedom and sovereignty not only by the exclusivity of the vehicles, their acceleration, and downforce in corners, but also by their level of self-determination when they use digital products and with regard to the use of their data.
Data protection is therefore closely interlinked with Strategy 2030 Plus and the core processes of the Porsche AG Group. The goal is to make the digital transformation work for employees, customers, and the company. In addition, products are to be developed with data protection in mind and with a focus on privacy by design, so that from the outset customers can count on their data being protected.
Data protection management
The Porsche AG Group values customer-centric data protection highly and has set itself ambitious targets. In connection with the luxury position of the Porsche brand (modern luxury), the protection of customer data is also of fundamental importance to the customer experience. Privacy, especially the right to digital self-determination, is a key aspect of the driving experience of customers of the Porsche AG Group. As a brand, Porsche should be synonymous with sovereignty and the protection of privacy, while also supporting data availability so as to facilitate a digital Porsche experience. The Executive Board of Porsche AG is responsible for the Porsche Strategy 2030 Plus, and therefore also for the ambitions set out therein with regard to data protection and the data protection strategy.
The My Porsche Privacy & Preference Center is a central, easily accessible place where customers and potential customers can actively determine how personal data are handled. They can manage their settings and preferences and influence the purposes for which the Porsche AG Group is permitted to use data. Consent and preferences are structured in four categories in the Privacy & Preference Center: Consent, Third-Party Providers, Subscriptions, and Interests.
Here, customers and potential customers can, for example, manage their consent to data processing to improve products and for other processing purposes, or determine how and for which purposes they wish to be contacted to receive personal support. Customers and potential customers can even manage data transfers to third-party providers in the Privacy & Preference Center. They can also manage data-driven services such as use-based insurance tariffs, a digital logbook, or smart charging applications. A list of all available newsletters can be viewed and subscriptions to them managed under “Subscriptions.” In the reporting year, the “Interests” category was added to the settings for the purpose of managing interests and preferences. The options in the Privacy & Preference Center are being improved continuously.
In addition to data that are processed on other legal grounds in compliance with the data protection regulations, voluntarily provided data are key to developing and improving products, vehicle functions, and services, as well as to fault analysis and troubleshooting. As such, the data are used to the benefit of customers. The Porsche AG Group makes sure that the stored personal data of customers are accurate and complete when collected, and are kept up to date. To this end, it carries out regular checks, automatic updates, and internal controls in order to ensure the quality of the data.
For collected vehicle data, timeliness is guaranteed because only data describing the vehicle status at the moment of export are processed on a regular basis. Such data document the vehicle status at a specific point in time, so their timeliness does not change afterwards.
For example, Porsche Communication Management (PCM) menu navigation is continuously optimized on the basis of PCM data, following privacy-by-design principles. The improved user-friendliness therefore benefits Porsche drivers.
In current Porsche models, customers can even manage data processing by their vehicle with selection options in a privacy menu. For example, the vehicle can be set to private mode. This mode only allows data transmissions that are required by law or necessary for the vehicle to operate, such as the emergency call system eCall.
With the exception of data that are absolutely necessary for services booked by customers, that must be transferred to comply with legal requirements or mandatory security measures, or that are collected on the basis of a legitimate interest of Porsche AG, vehicle data are only used outside of the vehicle with the express prior consent of the customer.
Data protection organization
So as to effectively minimize liability and data protection risks, data protection is strategically steered, reported on, and implemented globally by means of a standardized data protection management system that is aligned with the data protection strategy. The structure of the management system is derived from the PS 980 standard published by the Institute of Public Auditors in Germany (IDW), the IDW Auditing Practice Statement IDW PH 9.860.1, and the COSO Framework.
The group guidelines on data protection describe the basic principles of how the Porsche AG Group handles personal data, define roles and responsibilities in the global data protection organization of the Porsche AG Group, and set out the framework for a standardized approach. They are based on the European General Data Protection Regulation (GDPR), with which Porsche AG has undertaken to comply in its implementation of the guidelines, and take into account the local data protection regulations of each country.
The group guidelines on data protection apply to the companies of the Porsche AG Group. Group companies are expected to implement them in corresponding company guidelines. The Executive Board of Porsche AG is responsible for compliance with the applicable data protection requirements. These are binding for Porsche AG and must be adhered to by employees. The relevant group guidelines and documents are available on the intranet for employees of Porsche AG.
The Data Protection department and local data protection units in the markets are responsible for organization, process design, implementation, consulting, training, awareness-raising, and monitoring data protection within the Porsche AG Group. The experts support and advise the departments and group companies that are responsible for data protection and process customer data with the implementation of the key national and international data protection standards in their internal processes, and also carry out regular voluntary and mandatory training and awareness-raising initiatives on data protection for all permanent employees. In the reporting year, the training and information courses were provided for all employees of Porsche AG and the web-based training in data protection was updated.
Within the Porsche AG Group, compliance with the data protection requirements is overseen on a national and international level by means of regular monitoring. For example, this involves inspections of the data protection management systems of the group companies, as well as operational data processing and other matters as necessitated by recent events. Data protection monitoring is scheduled and carried out annually on the basis of risk. The regular inspection of data protection management at Porsche AG is intended to ensure that the approach is continuously adapted to new data protection requirements.
Data protection risks are documented throughout the Porsche AG Group and actively mitigated on the basis of key indicators collected for the data protection processes in question. Group-wide data protection reporting identifies undesirable developments at an early stage, making it possible to take prompt action to counter them. The maturity levels in the data protection processes are improved continuously on the basis of the PDCA cycle (Plan—Do—Check—Act). In the reporting year, for example, the processing activities at Porsche AG were reviewed and the level of maturity in the “rights of data subjects” process was increased.
On the basis of the standardized Group-wide data protection processes and as part of the privacy governance and shared service model, Porsche AG offers its subsidiaries services designed to maintain the quality of processing of data protection enquiries at a high level in order to avoid risks.
The Porsche AG Group conducts situational customer surveys in selected regions so that data protection is understood not only as compliance with the law but is also aligned with the interests of customers. These surveys assess criteria including fairness, controls, and transparency. Customer feedback is analyzed statistically in order to derive targeted measures for improving customer satisfaction with regard to data protection, including measures that will only become relevant in the future.
Rights of consumers and end-users
The Porsche AG Group complies with its legal data protection obligations and endeavors to promote the future, digitalization, and data strategies of Porsche AG, minimize risks, and avoid damage through a distinct culture of data protection and effective data protection management.
Privacy policies, which expressly describe for consumers and end-users how their personal data are processed, the purposes and legal grounds, and their rights as data subjects, are published on the websites of Porsche AG and at other touchpoints. The Connect privacy policy, which informs consumers and end-users about data processing in the vehicle and the use of digital systems in the vehicle, is also available. It not only contains information about data processing while the vehicle is in use, but also about how the collected data are processed further. This privacy policy can be accessed through the PCM, although it is also set to be made available outside of the vehicle (especially in the Connect Store) in the coming year. In addition to the Connect privacy policy, specific data protection notices are available for each individual function and for every market in which they are available. The privacy policies of the Porsche Group always specify the relevant responsibilities and are provided by the relevant subsidiaries in each case.
If they have potential complaints concerning data protection, consumers and end-users have access to the general communication channels of Porsche AG. As the local requirements and supervisory regulations differ, the group companies have their own channels for complaints and points of contact. Special channels are also in place for consumers and end-users to voice or check the status of their concerns about data protection or data processing. Potential breaches can be reported internally to the Porsche Privacy Service Center and externally to the email address, as well as through an online form. Such reports can also be submitted to the Information Security department. Employees of Porsche AG can also use the internal information security hotline, which is available at all times.
Porsche AG has taken appropriate action to protect personal data. Relevant technical and organizational measures are taken into consideration as part of technical data protection consulting, and the controllers are required to implement them. Thanks to the comprehensive consulting processes within Porsche AG, data protection requirements like data minimization and privacy by design are addressed strategically at an early stage, which makes it possible to implement them.
Porsche AG has a comprehensive incident management process for handling data protection incidents. Reports of suspicious activity are processed and documented in line with an incident response plan, and appropriate action is taken in response. The action is either reactive/ad hoc, such as the deletion of documents, or proactive/preventative, such as situational training. Depending on the applicable legal regulations, Porsche AG is legally obligated to notify the competent authorities of a notifiable data protection incident within 72 hours of becoming aware of it.
Internally, incidents were identified and reported through the established reporting channels thanks to the internal control measures and vigilant employees. The rate of internal reports was slightly lower than in previous years, due to factors including continuous awareness measures, employee training, and continuous process improvements. In all of the justified cases, Porsche AG took steps to remedy the causes and to prevent similar incidents from happening in the future.
Porsche AG observes the rights of data subjects in accordance with the GDPR. Data subjects can exercise their rights as data subjects vis-à-vis Porsche AG and selected German group companies. Among others, these rights include the right of access, the right to erasure, the right to rectification, and the right to object to data processing. There are various ways to file a request as a data subject, including using an online form that is available in various languages on the Porsche website, as well as other communication channels depending on the context of use, such as sending an informal message to the dedicated email address for the rights of data subjects.