As of 30/06/23, we have changed our customer data management.
Are you aware that since January 2021, PSA Automobiles SA and Fiat Chrysler Automobiles N.V, merged together to become known as Stellantis Group? Stellantis Group now incorporates the following brands: Abarth, Alfa Romeo, Citroën, DS Automobiles, Fiat, Fiat Professional, Jeep, Lancia, Opel, Peugeot, Vauxhall, Spoticar, Mopar, Stellantis & You.
1. Who we are
Stellantis Europe S.p.A. with registered offices in Corso Agnelli 200, 10135 Turin, Italy (hereinafter, “Stellantis Europe”; “we” or “us”) is the Data Controller of your Personal Data.
2. What data we collect and process
We collect data from Our Website (included from your personal area on Our Website) and Application, and during Our Events. Data collected and the relative purposes of processing depend on how you use our Services and how you manage the settings of your Browser, Device and the Application you are using.
You may find further details on the reason why we process your Personal Data
in “Why we collect and process your Data” section below.
a) Data provided by you
When you use our Services, you may provide us with Personal Data such as your name, phone/mobile number(s), e-mail address, place of residence, or data of third parties as well as your preferences (e.g., about certain vehicle models or services available at your local retailer). It is the case, for example, when you request a test drive, when you look for your nearest retailer, when you participate in one of Our Events or when you ask us questions, make requests or interact with our support services (e.g., when you contact us for asking for information, to file a complaint or to give us some feedbacks or new ideas). In these cases, you can call us at our customer service number or you can fill in an online form or you can reach us via chat, where available).
You can also choose to provide us with Information about your location if, for example, you want to search for Our Network in the area of your interest (e.g. Turin) using Our Website and Application.
If you provide us with the data of third parties, you will be held responsible for having shared such information. You must be legally authorized to share it (i.e., authorized by the third party to share their information, or for any other legitimate reason). You must fully indemnify us against any complaints, claims or demands for compensation of damages which may arise from the processing of third-party Personal Data in violation of applicable data protection law
b) Data collected by the Browser, Device and the Application
When you use Our Website and Application, we collect information on the Browser, the Device and the Application you are using. This information includes your IP Address, the date, time and the requested URL, the Unique Identifiers and other information such as the type of your Browser or Device. Information related to your Browser or Device may include your operating system, language, network settings, telephone operator or internet provider, installed third-party applications and plug-in lists.
Some of this information is collected using Cookies and Other Tracking Technologies that are on your Browser or Device. This helps us for instance to avoid malfunctioning during the provision of the Services and allows us to provide you with Content that may be useful to you.
c) Data inferred by your activity
We collect information based on your interactions with our Services in order to improve them (e.g., if we see that you are interested in a particular vehicle model, in Our Events, or in periodic vehicle check-ups in a given geographical area, we will focus on providing you with such content) and to understand the Content that may be useful to you.
In other cases, if you contact us by email, mail, telephone or otherwise regarding the Vehicles or request other information, we collect and maintain a record of your contact details, communications and our responses. If you contact us by telephone, more information will be provided during the call.
d) Information about your location
We collect information about your location in order to allow you to view Our Network near you, as part of our Services, and to provide you with Content that may be useful to you. Your location can be determined through:
- manually entering an address, city or zip code;
- the Sensors of your Device;
- your IP Address collected through the permission of you Browser or Device.
Your location is determined more or less accurately and consistently depending on whether it is collected by the Browser or Device and on the privacy settings you have set on them. We make every possible effort to ensure that Information on your location is not used to infer your Sensitive Data.
You can limit our collection of your position by changing your Browser or Device settings, as set out in the “How to control your Data and manage your choices” section below.
3. Source of Personal Data
a) Data collected by Our Partners' Websites and Apps
We also collect information about you from our Partners' Websites and Apps. Our Partners may communicate your Personal Data to us only after they have contractually assured us that they have obtained your consent or that they have another legal basis that legitimizes their communication/sharing of such data with us (for example, if you ask one of our Partners to book a test drive, when you purchase and when you request to receive commercial communications). This practice will be referred to below as "Indirect Collection". On this point, we would like to point out that we make every possible effort to verify the conformity of the data we receive before they are used. We also ask them not to provide us with your Sensitive Data.
b) Data collected from public or publicly accessible sources
We may collect or enrich your Personal Data with information obtained from public sources accessible within the limits of the law applicable to us. These sources may include public registers, online newspapers, lists or public directories. Please note that a preliminary check is always carried out on the possibility to use this information, according to the best practices established by the respective leading authority competent to which we are subject (currently the Italian Supervisory Authority - Autorità Garante per la protezione dei dati personali).
4. Why we collect and process your Data and legal basis
Your Data serves the following purposes:
a) Ease the collection and correction of your Data
To the extent permissible under applicable data protection law, we use your Data, especially the Data provided by you to Our Network, to update the information that we have about you as an owner of one of our Vehicles or as a person interested in Stellantis brands. This purposes also includes the sharing back to Our Network and Car Manufacturers to make sure your Personal Data are correct and up to date. This processing is based on Stellantis Europe, Our Network and Car Manufacturers’ legitimate interest in keeping up to data the quality of Personal Data about owners and leads.
b) Providing our Services and related support
We use your Data to offer you our Services, including the booking of test drives on Our Website and Application; to organize Our Events in which you take part; to respond to your requests/suggestions/reports.
This processing is based on the execution of a contractual obligation or pre-contractual measures taken at your request.
c) Sending you promotional communications
We may use your contact details (e-mail, phone, SMS, postal address and/or any other available means) to send promotional communications or for market research and consumer surveys that include marketing contents. These communications relate to all Stellantis Europe’s current and future brands (e.g., Fiat, Fiat Professional, Alfa Romeo, Lancia, Abarth, Peugeot, Citroên, DS automobiles, Opel, Jeep, Mopar, Vauxhall) and brands bearing to Stellantis Group, such as for example Stellantis Financial Services S.A., Stellantis Financial Services UK Ltd, Stellantis Insurance Limited, Stellantis Life Insurance Limited, Stellantis Insurance Europe Limited and Stellantis Life Insurance Europe Limited.
In some cases, communications may include product or service promotions from selected Partners. When we send out this type of communications, we can act as Joint Data Controller with the relevant Partners. Specific information and agreements will be in place with such Partners before sending of any communication to you.
On this point, we specify that no communication will be sent to you without your prior consent, which you can provide through specific tick-boxes for this purpose.
d) Detecting anomalies and improving our Services
We use Data you provide, Data collected by the Browser, the Device and the Application, Data inferred by your activities and Aggregated Information in order to avoid anomalies in our Services. For example, we may detect anomalies when you open a section of Our Website and Application, access a link, or when a bug is present in our system.
The processing is based on our need to guarantee the best Services and on our legitimate interest in avoiding any service disruptions.
e) Excluding you from irrelevant promotional communications
We process your Data to exclude you from promotional communications, in case such communications are not consistent with your profile (e.g., if you are based in Italy, we will not share promotions pertaining to France etc.).
This processing is based on our legitimate interest in fastening and reducing or effectively use our marketing budget and on your legitimate interest in not receiving irrelevant communications.
f) Analysing your preferences and behaviours in order to customize our Services and communications, including any Content that may be useful to you
We use your Data, in particular Data inferred by your activities, Vehicle Data, Information about your location (if shared with us) and Data collected by the Browser, Device and the Application, to improve our Services (e.g., Our Website and Application, Our Events, promotional communications) and to show you Content that may be useful to you, also on social media platforms or through Programmatic Advertising platforms, only to the extent that you have authorized us to upload them to these platforms.
Content that may be useful to you:
- is not created using Sensitive Data such as those that may be derived from Information about your location;
- may also be visible on websites and mobile applications other than ours once uploaded to Programmatic Advertising platforms only to the extent that you have authorized us to upload them to these platforms.
This processing is based on your prior consent.
When we target you on social media platforms or through Programmatic Advertising platforms, we can act as Joint Data Controller with the relevant platform provider. Specific information and agreements will be in place with the platform provider before sending of any communication to you.
If you do not want personalized Services or Content that may be useful to you, you can change you preferences, as explained in the “How to control your Data and manage you choices” section below.
g) Analysing and improving our Services and creating new services and features
We use your Data and Aggregated Information to measure the performance of our Services or to create new ones. This can be done, for example, through the analysis of your interactions with Our Network, Our Events, our newsletter and/or promotional communications (if requested).
As far as possible, we use anonymous or pseudonymous data for these purposes. Only in exceptional cases a personal reference may be possible. In such cases, the following applies: Except for your consent to the customization of our Services, measuring the effectiveness of our Services and the creation of new Services is based on our legitimate interest in creating and maintaining Services that are truly useful to our users.
h) Sharing Data with Partners for their own marketing purposes
We share your contact details to third selected Partners for their own autonomous marketing purposes. Partners will contact you only by automated means (e.g., e-mail, SMS, recorder phone call) and will be obliged to provide their information notice.
This processing in based on your prior consent. You may see the full list or categories of Partners with whom we shared you Data directly at: https://privacyportal.stellantis.com.
i) Complying with legal and tax obligations
We may use your Data to comply with legal obligations and orders that we are subject to, which are the legal basis for such processing of your Data.
Some legislations may require us to share your Data with public authorities (e.g., recall notices). If this sharing is not required by law in your country, we may consider to send your Data regardless as parent company of us as explained in more detail in the "Protecting our interests and your interests" section below.
j) Sending corporate and institutional communications
To the extent permissible under applicable data protection law, we share your contact details to send corporate surveys and institutional communications regarding the Stellantis Group as whole. These are non-promotional communications sent by us on behalf or in substitution of Car Manufacturers, based on our legitimate interest to provide consistent information to you.
k) Protecting our interests and your interests
To the extent permissible under applicable data protection law, we may need to use your Data to detect, react to, and prevent fraudulent and illegal behaviour or activities which could compromise the security of our Services and Our Website and Application. This could be the case when you use our Application in ways other than what is permitted, in order to verify so-called Indirect Collection, or in the case of inappropriate behaviour at Our Events. This purposes also includes audits and assessments of our business operations, security controls, financial controls, records and information management program, and otherwise relating to the administration of our general business, accounting, record keeping and legal functions.
These purposes rest on our legitimate interest in safeguarding our interests and protecting our users, including you.
5. How we use your Data (method of processing)
Data collected for the purposes indicated above are processed both manually and via automated processing, namely, through programs or algorithms that analyse Data inferred by your activities, Information about your location, and Data collected by the Browser, Device and the Application.Your Data may also be subject to Combination and/or Crossing, to the extent permissible under applicable data protection law. This allows us to understand, for example, if a single user is utilizing our Services with the same IP Address or Unique Identifiers from the Browser and the Device; or if promotional communications or Content that may be useful to you strictly related to Information about your location or Data provided through your activities or Data collected by your Browser, Device, and the Application. The Combination and/or Crossing of your information for the purposes we process it for (e.g., customizing the Services) can be enabled or disabled as explained in the “How to control your Data and manage your choices” section below.
6. How we may disclose your Data
We may disclose your Data to the following recipients and/or categories of recipients (“Recipients”):
- Persons authorized by us to perform any of the data-related activities described in this document: our employees and collaborators who have undertaken an obligation of confidentiality and abide by specific rules concerning the processing of your Data;
- Our Data Processors: external subjects to whom we delegate some processing activities. For example, security systems providers, accounting and other consultants, data hosting providers, bank, insurance, etc. We have signed agreements with each of our Data Processors to ensure that your Data is processed with appropriate safeguards and only under our instructions;
- System administrators: our employees or those of Data Processors to whom we have delegated the management of our IT systems and are therefore able to access, modify, suspend or limit the processing of your Data. These subjects have been selected, adequately trained and their activities tracked by systems they cannot modify, as provided for by the provisions of our competent Supervisory Authority;
- Our Network and Car Manufacturers: Our Network in case you requested a service carried out by them (e.g. a request for a test drive close to you) or if your required their assistance or the one provided by the Car Manufacturer;
- Our selected Partners: when you consented to the communication to them of your Personal Data for their own marketing and/or profiling purposes and who act as autonomous Data Controllers.
- Law enforcement or any other authority whose provisions are binding for us: this is the case when we have to comply with a judicial order or law or defend ourselves in legal proceedings.
7. Where your Data is located
We are global company and our services are available in multiple jurisdictions worldwide. This means that your Data may be stored, accessed, used, processed, and disclosed outside your jurisdiction, including within the European Union, the United States of America, or any other country where our Data Processors and sub-processors are located, or where their servers or cloud computing infrastructures may be hosted. We take steps to ensure that the processing of your Data by our Recipients is compliant with the applicable data protection laws, including EU law to which we are subject. Where required by EU data protection law, transfers of your Data to Recipients outside of the EU will be subject to adequate safeguards (such as the relevant EU standard contractual clauses for data transfers between EU and non-EU countries), and/or other legal basis according to the EU legislation. For more information about the safeguards implemented by us to protect Data transferred to third countries outside the EU, please write to us at: firstname.lastname@example.org
8. How long we retain your Data
Data processed for the purposes indicated above will be retained for the period deemed strictly necessary to fulfil such purposes. However, the Data might be stored for a longer period in case of potential and/or actual claims and resulting liabilities and/or in case of other mandatory legal retention requirement and/or storage obligations.
• Customer Data processed for Marketing and Profiling purposes, will be retained by the controllers from the moment the customer gives consent until the moment the customer withdraws the consent. Once consent is withdrawn, Data will no longer be processed for Marketing and Profiling purposes, although it might still be kept by the controllers to manage potential claims and/or lawsuits. Data retention in case of Marketing and Profiling is compliant with the local law and with the decisions of the Data Protection Authority.
• Customer Data processing to comply with legal obligations will be retained for the period foreseen by the laws and regulations.
• Customer Data processing to improve the product and the services could be retained for the period deemed strictly necessary to fulfil such purposes and not beyond three years.
Once the relevant retention period/criterion has expired, your Data is erased pursuant to our retention policy. You can ask us for more information on our data retention criteria and policy by writing us here: email@example.com
9. How to control your Data and manage your choices
At any time, you can ask to:
- Exercise your right to portability of your Personal Data (right to data portability): according to your use of our Services, we will provide you with an interoperable file containing the Data we have about you.
- Correct your Data (right to rectification): for example, you can ask us to modify your e-mail address or telephone number if they are incorrect;
- Limit the processing of your Data (right to restriction of processing): for example, when you think that the processing of your Data is unlawful or that processing based on our legitimate interest is not appropriate;
- Delete your Data (right to erasure): for example, when you do not want to use our Services and may not want us to retain your Data any longer;
- Object the processing activities (right to object);
- Withdraw your consents (right to withdrawal).
You can exercise any of the above rights or express any concern or make a complaint regarding our use of your Data directly at: https://privacyportal.stellantis.com.
At any time, you may also:
- contact our Data Protection Officer (DPO), here firstname.lastname@example.org
- contact the competent Supervisory Authority, here you can find the list of all the Supervisory Authorities by country https://edpb.europa.eu/about-edpb/board/members_en
10. How we protect your Data
We take reasonable precautions from a physical, technological and organizational point of view to prevent the loss, misuse, or modification of Data under our control. For example:
- We ensure that your Data is only accessed and used by, transferred or disclosed to Recipients that need to have access to such Data.
- We also limit the amount of Data accessible, transferred or disclosed to Recipients to only what is necessary to fulfil the purposes or specific tasks performed by the Recipient.
- The computers and servers where your Data is stored are kept in a secure environment, are password-controlled with limited access, and have industry standard firewalls and anti-virus software installed.
- Paper copies of any documents containing your Data (if any) are kept in a secure environment as well.
- We destroy paper copies of documents containing your Data that is no longer needed.
- When destroying Data recorded and stored in the form of electronic files that is no longer needed, we make sure that a technical method (for example, low level format) ensures that the records cannot be reproduced.
In case required by the applicable legislation, if a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Data transmitted, stored or otherwise processed, will be notified to you and to the competent data protection authority as required (for example, unless Data is unintelligible to any person or the breach is unlikely to result in a risk to your rights and freedoms and those of others).
12.Usage of data for other purposes
If we should need to process your Data differently or for purposes other than those indicated herein, you will receive specific notice before such processing begins.
The icons illustrated in this Policy are “Data Protection Icons” by Maastricht University European Centre on Privacy and Cybersecurity (ECPC) CC BY 4.0.
ggregated Information: refers to statistical information about you that does not contain your Personal Data. We use this information for analysing and improving our Services and creating new services and features and to create statistical reports for our Partners and Our Network. For example, we may collect Information on your location or Content that may useful to you that you have viewed. We would like to point out that we do not share your Data in these reports.
Application: means this application if applicable.
Browser: refers to programs used to access the internet (e.g. Safari, Chrome, Firefox, etc.).
Car Manufacturer: singularly or collectively refers to the following entities acting as manufacturer of Vehicles: Stellantis Europe S.p.A., Corso Agnelli 200, 10135 – Turin, Italy; PSA Automobiles S.A. (Stellantis Auto S.A.S.)., 2-10 Boulevard de l’Europe, F-78300 Poissy, France; Opel Automobile GmbH, Bahnhofsplatz, D-65423 Rüsselsheim am Main, Germany.
Combination and/or Crossing: this is the set of fully automated and non-automated operations which we combine with the Information about your location, the Data inferred by your activity, the Data collected by the Browser, Device and the Application, the Data you provide and those collected by Our Partners' Websites and Application used to provide the Services, analysing and improving our Services and creating new services and features, as well as to offer Content that may be useful to you. We may also combine and/or cross information from different sources, such as information collected from Our Website and Application, Our Partners' Websites and Apps and/or Data collected from public or publicly accessible sources.
Content that may be useful to you: for example, if you search for the "Jeep" model, we may display other content related to this model on Our Website and Application or through Programmatic Advertising. Customization of the content may occur through the Combination and/or Crossing of Data.
Data Controller: refers to the legal person, public authority, service or other entity which, individually or jointly determines the purposes and means for processing your Personal Data. This definition typically refers to Stellantis Europe S.p.A.. In other cases, it is preceded by the word "Independent" (e.g. "Independent Data Controller") to indicate that your Personal Data is processed by a subject other than Stellantis Europe S.p.A.
Data Processor: refers to an entity that we engage to process your Personal Data solely on behalf of and pursuant to the written instructions of Stellantis Europe S.p.A.
Device Sensors: depending on your device, these are sensors such as accelerometers, gyroscopes, Bluetooth, Wi-fi and GPS which in one way or another share the information they collect through the Device and therefore through the Application. If enabled by the Device settings, these allow us to obtain information about your location.
Device: refers to the electronic device (e.g. iPhone) through which you visit Our Website and Application and/or our Partners’ Websites and Apps.
Indirect Collection: is one of the Services we provide on Our Partners’ Websites and Application. In such cases, it is the Partner which assures us to have received your consent or to have another legal basis that legitimizes the communication/sharing of your Personal Data. On this point, we precise that, before being used, we check how Partners collect and transfer data to us in order to respect your preferences.
IP Address: is a unique number used by your Browser, your Device and the Application in order to connect to the internet. The internet service provider provides this number allowing identification of the provider and/or the approximate area where you are located. Without this data, you cannot connect to the internet and use our Services or use Content that may be useful to you.
Other Tracking Technologies: pixel tags (tracers used with Cookies and embedded in images on web pages or the Application to track certain activities, such as the viewing of Content that may be useful to you, or to see if an e-mail has been read) or Unique Identifiers embedded in links to commercial communications that send us information when clicked on.
Our Events: these are events/showrooms organized by Stellantis Europe, Our Network, or in collaboration with other brands with which Stellantis Europe has signed partnership agreements.
Our Network: these are retailers and/or dealers and/or repairers with whom Stellantis Europe and Car Manufacturers has/have signed commercial agreements for the sale of the Vehicles and/or for providing services/products assistance.
Partners: means third-party entities who may communicate your Personal Data to us only after they have contractually assured us that they have obtained your consent or that they have another legal basis that legitimizes their communication/sharing of such data with us (for example, if you ask one of our Partners to book a test drive, when you purchase, and when you request to receive commercial communications). This definition also includes the selected Partners with whom we may share your Data. Partners may belong to the following product sectors: manufacturing, wholesale and retail trade, financial, bank, transportation and warehousing, information and communication services, professional, scientific and technical activities, travel agencies, business support services, artistic, sports, entertainment and amusement activities, activities of membership organizations, services of physical wellness centers, suppliers of electricity and gas, rental, e-mobility and insurance companies.
Personal Data: means any information relating to an identified or identifiable natural person whether directly or indirectly, as well as any information that is linked or reasonably linkable to a particular individual or household. For example, an e-mail address (if it refers to one or more aspects of an individual), IP addresses, and Unique Identifiers are considered Personal Data. For your convenience, we will collectively indicate all Personal Data mentioned also as “Data”.
Programmatic Advertising: these are platforms that share the information they collect about you, such as your IP Address and the data collected by Cookies and Other tracking technologies, with entities who have an interest in showing you Content that may be useful to you. In our case, if you visualize the "Jeep" model on Our Website and Application, we will ask participants in Programmatic Advertising to grant us an advertising space on one of the websites you visit in order to display Content that may be useful to you. On this point, we would like to reiterate that the communication of your Data to participants in Programmatic Advertising is based on your prior and specific consent provided on the banner when the first visiting Our Website and Application.
Services: collectively, this means all the services available on Our Website and Application, such as "configure and order", "find Our Network", “buy or rent”, test drive bookings, the institutional newsletter, customer service, and Our Events.
Sensitive Data: means Personal Data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and the processing of genetic data, biometric data aimed at uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Unique Identifiers: mean information that can uniquely identify you through your Browser, Device and/or the Application. On the Browser, your IP Address and Cookies are considered Unique Identifiers. On the Device, advertising identifiers provided by manufacturers, such as Apple's IDFA and Android’s AAIG, which we use for analysing and improving our Services and creating new services and features including Content that may be useful to you, are considered Unique Identifiers. Please note that for these purposes and in line with the opinions of the European Supervisory Authorities, we do not use other Unique Identifiers such as MAC Addresses and IMEIs as they are not resettable by you. For the Application, instead, the Unique Identifiers are considered to be the code that identifies the Application you have installed.
Vehicle: refers to a vehicle of a brand of Stellantis Group.
Vehicle Data: means any technical, diagnostic and real-world data that is possible to collect via the Vehicle Device installed on the Vehicle (e.g., location, speed and distances, engine running time and turning off time; if the battery cable is cut, battery diagnostics, movements with the key out, presumed collision, as well as diagnostic data such as, but not limited to, oil and fuel levels, tire pressure, and engine status).