Who is responsible for data processing operations?
ALPHERA Financial Services/BMW Financial Services (Switzerland) Ltd (hereinafter referred to as “ALPHERA” or “we”), Industriestrasse 20, 8157 Dielsdorf, Switzerland, is the controller for the processing of your personal data within the meaning of the data protection legislation. ALPHERA Financial Services/BMW Financial Services (Switzerland) Ltd is based in Dielsdorf and is part of the BMW Group, whose parent company is BMW AG. It will process certain pieces of personal data for your leasing and insurance products and services, as well as in connection with the provision of ALPHERA websites, for the purposes set out in this Data Protection Notice in connection with the establishment and execution of the contract.
Unless stated otherwise, ALPHERA partners are legally and economically independent companies and are not part of ALPHERA. This Data Protection Notice also describes a number of operations involving processing of your data by ALPHERA partners. However, it is possible that ALPHERA partners may collect other personal data and apply their own data protection notices. If applicable, please refer to the data protection notices of the ALPHERA partners concerned to learn more about how your data is used in such cases.
What data do we process?
Personal data means information relating to an identified or identifiable natural person (hereinafter referred to as “data”). When you use ALPHERA websites, we process data concerning you to the extent permitted by law, in particular taking into account the principle of data minimisation. In particular, this concerns the following information:
- Contact details ► Name, title, initials, address, telephone numbers, email address, fax number.
- Personal details ► Date of birth, marital status, family members, driving licence (category), occupation, test drive, preferred payment method, preferred contact channel, chassis number, company name.
- Interests ► Information you provide to us about your interests, including the type of vehicle you are interested in.
- Sales and service data ► Data relating to purchases, including preferred dealers, customer number and contract number, support and service, including complaints and claims.
- Customer history data ► Customer satisfaction rates (and additional personal data from the Selfcare platform), offers received, vehicle financing data (contract data, e.g., payment method, lease term, deposit), optional insurance data (e.g., household vehicles, use of mobility services), data collected during dealer visits (e.g., enquiries, consultation data, responsible sales advisor, service history), campaign history/responses to campaigns, optional customer data for vehicles of other manufacturers, e.g., via BMW used car platform, participation in events (location, company), complaints history.
- Data on credit and fraud prevention ► Data that proves your identity, such as driving licences, passports; data on transactions, credit applications and failure to pay liabilities to us and third parties, credit rating assessments of credit bureaus; fraud, criminal offences, suspicious transactions, politically exposed persons and sanction lists containing your personal data].
Within this context, we will process the following categories of personal data in particular:
- Information about your credit rating, for example, defaults on other contracts known to credit bureaus.
- Information used to form customer groups. This includes, for example, investments in companies and ownership relationships.
- In order to defend against criminal acts within the meaning of the Consumer Credit Act, we receive certain pieces of information from credit bureaus with regard to known irregularities. This will be taken into account in the course of the loan application process.
- Information about your address in the context of a comparison of addresses with Swiss Post for the purposes of updating postal addresses (this includes, for example, addresses that you have provided to Swiss Post in the context of a redirection order and to whose disclosure you have consented.
- Information from publicly available sources, if necessary, for the provision of our services. These can include, for example, annual financial statements, debtor registers or commercial and association registers.
- Information about the use of your vehicle with our partners in the context of personalised services, such as fuel management.
- Special categories of personal data: In principle, we avoid collecting and processing special categories of personal data. Depending on the products booked by the lessee (e.g., claims management), we may also collect health data, e.g., information on whether a personal injury has occurred in the event of an accident or vehicle damage. In these cases or if we collect or otherwise process special categories of personal data for the purposes described below, we will always process it in accordance with the statutory requirements and the requirements set out in this Data Protection Notice.
On what legal basis will we process your data?
We will only process your data if an applicable legal provision allows us to do so. In particular, we will process your data on the basis of Articles 6, 30 and 31 FADP. Your data will be processed on the following legal bases, among others. Please note that this is not a complete or exhaustive list of the legal bases, but that these are only examples intended to make the legal bases more transparent.
Consent: We will only process certain pieces of data on the basis of your explicit prior and voluntary consent. You have the right to revoke your consent at any time with effect for the future.
Performance of a contract/pre-contractual measures: In order to initiate or execute your contract with ALPHERA and ALPHERA partners, we need access to certain data.
Compliance with a legal obligation: ALPHERA is subject to a number of statutory requirements. In order to comply with these requirements, we need to process certain data.
Safeguarding legitimate interests: ALPHERA will process certain data to protect your interests or the interests of third parties. This only applies, however, if your interests are not overriding in individual cases.
For what purposes is your data processed?
We will only process your data for purposes permitted by data protection law. This applies, in particular, to the purposes listed below:
- Purposes for which you have given us prior consent;
- Processing for the performance of our contract with you;
- The implementation of pre-contractual measures at your request;
- Compliance with legal obligations to which we are subject;
- The protection of our legitimate interests or the legitimate interests of third parties, unless your interests are the overriding interests;
- The assertion, exercise or defence of legal claims;
- Marketing and advertising, in particular direct marketing.
Among other things, we will process your data for the specific purposes mentioned below, for example. Please note that this is not a complete or exhaustive list of individual purposes, but that these are only examples intended to make the above-mentioned purposes more transparent.
Contract-related processing purposes
In particular, we need to process your data for the execution of the contractual relationship concluded with you. In the context of our contractual relationship, we will process your data in particular in the context of the following tasks and activities:
- Decision on the conclusion of a contract: In order to make a decision as to whether we can enter into a contract with you and based on which conditions we can do so, we need to review and process data concerning you. We need to check your credit rating as part of the decision on whether or not to grant a loan. Within this context, we also transmit your data to credit bureaus.
- Contract-related contact: During the course of the contractual relationship or to initiate another contractual relationship, scenarios will always arise in which we would like, and/or need, to contact you for contractual purposes. For this purpose, we need personal information concerning you which you provide to us, for example, via customer service or, where appropriate, via the ALPHERA websites.
- Contract management: Contract management includes the management, modification, processing and continuation of our contracts in general. We process personal information concerning you within this context.
- Customer service: As part of the customer service we provide, we regularly process your data, for example, in order to advise you on any necessary modifications or changes.
- Accounts receivable management: In the context of the leasing and insurance business, we have accounts receivable as part of the contractual relationship with you. In order to manage these accounts receivable, we process your data (e.g., payment behaviour, balance of outstanding accounts receivable). If necessary, we will contact you via various communication channels (post, telephone, SMS, email, on-site contact) to clarify any outstanding accounts receivable. The type of contact may vary depending on the payment reminder level and default risk. In individual cases, we reserve the right to involve external lawyers. Ultimately, only the information that is absolutely necessary for the collection of the outstanding accounts receivable would be transmitted. If you actively contact your authorised dealer regarding outstanding accounts receivable or payment reminders, we reserve the right to share this information with the dealer. In principle, however, we do not intend to transmit any personal data on outstanding accounts receivable to dealers.
- Claims management: If your vehicle is a leased or rental vehicle, you are obliged to report any damage to the vehicle to us. In this context and for the purposes of handling vehicle claims, we and the cooperation partner commissioned by ALPHERA will process your data if necessary. In addition, the data you provide to us to assert claims for damages will be passed on to the parties involved in the process, such as insurance companies, lawyers or experts.
- Contract termination management: We will process your data even if our contractual relationship is terminated for convenience or cause. As part of this process, we may also contact you to discuss the arrangements for the end of the agreement with you.
- Cooperation with dealers: ALPHERA cooperates with the relevant dealer as part of the conclusion of the contract, contract management and the support provided to you. In addition, your dealer may also support you at the end of term. You may be contacted by your dealer as part of this process. The dealer will provide you with support on his own responsibility. In order to ensure optimal customer service, ALPHERA shares the necessary data with the dealer as part of the cooperation.
- Transmission to third parties in the course of contract initiation: If you use the option of confirming your identity via what is known as the video identification procedure or digitally sign your application for a financial product, we will transmit the necessary personal data to the operators of the platforms used for these processes.
- Transmission to cooperation partners for optional contract components: In the case of certain optional contract components such as fuel management, workshop service, tyre service, ALPHERA works together with cooperation partners. For example, data is provided to our cooperation partners for customers with the “fuel management” contract component (these partners will be named in the application for your leasing product when you book the individual contract component) in order to be able to provide the fuel card required for fuel invoicing. In addition, there are also cooperations with insurance partners, for example (these partners will be named specifically in the application for your leasing product if you book an insurance package) to which we transmit personal data to the extent necessary for the implementation of the selected contract components. If you cannot see cooperation partners to which we will transmit data in your specific case, we will be happy to help you if you get in touch.
Consent-based processing purposes
In some areas, we process your data on the basis of the consent you have granted to such processing.
- Market research: In order to be able to offer our customers interesting and sought-after services, we conduct research on our customers’ wishes. For example, this also includes studies on our customers’ satisfaction with our services. In the course of these market research activities, we only process anonymised and aggregated data as far as possible, unless you have explicitly consented to a personal evaluation.
- Advertising and marketing: If we have your express prior consent, we will process your data for direct marketing purposes, which require consent.
- Transmission of personal and contract-related data to group companies for marketing purposes: In the event that you have consented to the transmission of personal and contract-related data, we will transmit it to the group companies listed in the declaration of consent to the extent specified therein. Based on this consent, the companies specified may contact you for marketing purposes and send you product information.
Processing purposes to fulfil legal obligations
We are subject to a wide range of statutory obligations. In order to comply with them, we process your personal data where necessary.
- Credit check: In the course of the application and monitoring of lease agreements, we need to process personal data to determine your credit rating for risk management purposes. Different methods are used to determine your credit rating. For scoring, we use relevant information that we have about you or that you have provided to us, taking into account the statutory provisions. Important data that is generally taken into account in our scoring procedures, to differing degrees depending on the customer’s legal form, includes:
- Financial situation, e.g., income and expenditure
- Experience gained from a previous business relationship, e.g., your payment behaviour
- Information from credit bureaus, e.g., customers’ other payment obligations
- Contract-related data, e.g., leasing instalment
- We evaluate the above-mentioned and further information and allow it to be incorporated into a common numerical value based on different weightings. The numerical value is called the score and indicates how likely it is that payment obligations can be met. The score is partly determined in an automated process. This score helps us to decide whether to approve the leasing application and how it can be structured. Scoring does not involve making decisions based on individual pieces of information; rather, the combination of all the underlying factors is decisive. Scoring enables us to make an objective credit rating decision. It ensures that we assess each leasing request according to the same standards. In order for the scoring criteria to remain meaningful, accurate and up-to-date, we constantly review and develop the procedures. This means that scoring is an organic system that enables us to make neutral and reliable decisions. If customers receive a rental vehicle in individual cases within the context of the lease agreement, it is in ALPHERA’s legitimate interest to check the credit rating of its customers in advance. As a result, ALPHERA uses the credit rating information already identified in the course of the leasing business.
- Prevention of, and defence against, criminal acts: ALPHERA is also legally obliged to take internal security measures to prevent criminal acts within the meaning of the Consumer Credit Act and to carry out sanctions list checks. In this context, we process personal data and, if necessary, transmit it to public authorities.
- Purposes of data security: Our statutory obligations to ensure the security of your data are very important to us. If necessary, we also process your data as part of measures to check and ensure data security, for example as part of a simulated hacker attack.
- Statutory obligations and legal defence: ALPHERA is subject to a number of other statutory obligations, for example in the area of financial market supervision. In order to comply with these obligations, we process your data to the extent required and, if necessary, disclose them to the responsible authorities as part of legal reporting requirements. If necessary, we process your data in the event of a legal dispute if the legal dispute requires the processing of your data.
Processing purposes on the basis of legitimate interest
We process some of your data to safeguard legitimate interests, unless your interests are overriding.
- Advertising and marketing: We use your data for direct advertising purposes that do not require explicit prior consent, as well as for marketing measures. In this context, we also process your data to inform you about our offers that may be of interest to you and to contact you via various communication channels.
- Business intelligence & reporting: In order to continuously improve our products and services, we carry out certain automated analyses based on contract information and create corresponding reports. We use these evaluations, for example, to develop new products or measures to improve customer processes. As with sales management, we generally create the evaluations and reports described above in aggregated and anonymised form.
- Administrative tasks within the BMW Group: ALPHERA is a BMW Group company. We process some of your data in order to keep the administration of the various companies within the BMW Group as efficient and successful as possible. This applies, for example, to joint consolidated accounting in accordance with international accounting standards for companies (such as the International Financial Reporting Standards, IFRS) or the subsidisation of some lease agreements by BMW AG.
- Incentives management for sellers and dealers: In order to offer BMW dealers and their sales staff a certain incentive to sell products from ALPHERA and its partners, e.g., to sell leasing or rental services or additional products, ALPHERA uses the “allstarlounge” incentive platform, operated by BMW Financial Services. It is primarily intended to provide sellers at the dealer with incentives on the basis of a defined point system and in the form of non-cash bonuses or prizes for this sales performance, i.e., to provide sellers with incentives to sell. The incentives are based, among other things, on contract information on active customer contracts to the extent necessary for this purpose.
- Use in the course of the IT change management process: We are constantly developing our system landscape. On the one hand, we do this in order to meet new regulatory requirements and, on the other, to make the contractual relationship as convenient as possible for you by continuously optimising our systems for you. In this context, we may process your personal data in the course of cross-system integration tests in order to ensure data integrity within our application.
- Transmission of positive data to credit bureaus: Data known as positive data is also transmitted to credit bureaus during the contractual relationship. Among other things, this includes personal data concerning the modification, due and proper implementation, and termination of a contractual relationship with a financial risk of default.
- Transmission of negative data to credit bureaus: If the statutory requirements for the transmission of data relating to accounts receivable are met, we may transmit personal data to credit bureaus in the event of an expected default in payment.
- BMW and Mini vehicle positioning: In the cases described below, we reserve the right to obtain and process technical data from the vehicle and from BMW AG’s data for the purposes of vehicle positioning, and to use it for the purposes of executing the contract. In the case of lease agreements, vehicles may be positioned if the lease agreement has been terminated and the vehicle has not been returned to ALPHERA Fuhrparkmanagement GmbH after a deadline for such return has been set to no avail. In addition, all vehicle positioning measures require evidence of criminally relevant conduct. This also serves our legitimate interest in safeguarding vehicles that are owned by us where there are indications of criminal conduct.
How long do we keep your data?
In accordance with Article 6 FADP, we will keep your data only for as long as necessary for the respective purposes for which we process your data. If we process data for multiple purposes, they will be automatically erased or stored in a format that does not allow for direct conclusions about your person once the final specific purpose has been completed. To ensure that all your data is erased in accordance with the principle of data minimisation, ALPHERA has put in place an internal erasure concept.
How do we protect your personal data? (Articles 7 and 8 FADP)
We use a variety of security measures, including state-of-the-art encryption and authentication tools, to protect and maintain the security, integrity and availability of your data.
Full protection against unauthorised access cannot be guaranteed for data transmissions over the Internet or a website, but we and our service providers and business partners make every effort to safeguard your personal data in accordance with applicable data protection regulations through state-of-the-art physical, electronic and procedural security measures. Among other things, we use the following measures:
- Strict criteria for the right to access your data according to the need-to-know principle (limited to as few people as possible) and only for the stated purpose
- Transfer of collected data exclusively in encrypted form
- Storage of confidential data, such as credit card data, exclusively in encrypted form
- Firewall protection of IT systems for protection against unauthorised access, e.g., by hackers
- Permanent monitoring of access to IT systems to detect and prevent the misuse of personal data.
If you have obtained a password from us or have created one yourself that gives you access to certain areas of our website or to other portals, apps or services that we operate, you are responsible for keeping this password secret and for following all other security procedures, about which we will keep you informed. In particular, we ask that you do not share your password with anyone.
With whom we will we share your data?
We will share your data with third parties outside ALPHERA for the purposes described in this Data Protection Notice. When your data is transmitted, we will always take appropriate steps to ensure that your data is processed, protected and transmitted in accordance with applicable statutory requirements.
Data transmission within BMW Group Financial Services
As a matter of principle, your personal data will remain with ALPHERA, if possible. In this respect, we also observe the principle of data economy. ALPHERA, however, is part of BMW Group Financial Services (hereinafter referred to as “BMW FS”). Your data may therefore be transmitted in individual cases to one or more subsidiaries of BMW FS or the BMW Group. Data may be transmitted in particular in the context of the scenarios described below:
- If you have previously given us your explicit consent to share your data with other BMW FS or BMW Group companies for advertising or marketing purposes.
- As a matter of principle, we only report anonymised or aggregated data to BMW AG and BMW FS. Scenarios may arise, however, in which individual contract-related information and/or chassis numbers are transmitted in these internal reports.
Data transmission within the BMW Group
ALPHERA, as part of the BMW FS, is also part of the BMW Group. In some cases, we will send your data to other companies in the BMW Group which process your data entirely on our behalf and according to our instructions. Cases of contract data processing like these arise, for example, with BMW Group IT at BMW AG. We may also transfer your data to other companies in the BMW Group that process it further in their capacity as controllers. Such data transmission may occur, for example, under the following circumstances and for the following purposes:
- If you have previously given us your explicit consent to share your data with other BMW Group companies for advertising or marketing purposes.
- In the course of Group reporting, we may transfer data to BMW AG, e.g., in the case of leased vehicles, we may transfer information concerning the relevant chassis numbers to BMW AG to assess residual values.
Data transmission to authorised ALPHERA dealers
ALPHERA will grant access to certain data to the authorised dealer via which you will have the end customer contract processed. Your dealer will be granted an access right, in particular for the purposes of providing you, as a customer, with personal support and for the implementation and processing of your contract until the end of the relationship. Within this context, the authorised dealer will perform the following tasks in particular, although this list is not exhaustive: Please note that this is not a complete or exhaustive list of the data transmission processes within the BMW Group, but merely lists examples that are intended to make data transmissions more transparent.
- Arrangement of financial product and application process (leasing, financing, insurance);
- Confirmation of identity in accordance with Anti-Money Laundering Act;
- Support for claims management (vehicle);
- End-of-term (vehicle return, vehicle sale).
Data transmission to other third parties
In the context of statutory information and reporting obligations, we may also transfer your data to other third parties, such as external service or IT providers, payment service providers, external consultants or cooperation partners, for the purposes defined above. ALPHERA will ensure that these third parties guarantee the confidentiality of your data.
Data transmission to countries outside Switzerland/the EU
If the data processing operations described in this Data Protection Notice are performed in countries outside the EU or the European Economic Area (“EEA”), ALPHERA will ensure that your data is processed in accordance with European data protection standards. If necessary, we will use data transmission agreements to ensure the security of data transfer to recipients in third countries outside the EU or the EEA on the basis of EU standard contractual clauses or other data protection law authorisation rules, which also include appropriate technical and organisational measures to protect the data transferred.
Contacting us and your data protection rights
If you have any questions regarding the use of your personal data by us, it is best to first contact ALPHERA Customer Service – either by sending an email to firstname.lastname@example.org or by calling +41 058 269 66 66.
ALPHERA Customer Service can also forward your request to the responsible data protection officer.
As the data subject affected by the processing of your data, you may assert certain rights against us under FADP and other relevant data protection regulations. The following section contains explanations about your rights under FADP. Depending on the nature and scope of your request, we will ask you to address it to us in writing.
Data subject rights
According to the FADP, you are entitled to the following rights vis-à-vis BMW in particular as the data subject:
Right to information (Article 25 FADP): You may request information from us about your data that we keep about you at any time. This information includes, among other things, the categories of data we process, the purposes for which we process them, the origin of the data if we have not collected them directly from you and, if applicable, the recipients to whom we have transferred your data. You can obtain a free copy of your data from us. If you are interested in further copies, we reserve the right to charge you for further copies.
Right to provision of data (Article 28(1) FADP): You can request that your personal data that you have made available to us be provided to you in a common electronic format if the data is processed automatically; and the data is processed with your consent or in direct connection with the conclusion or processing of a contract between BMW (Switzerland) and you.
Right to data portability (Article 28(2) FADP): In addition, you can request that we transfer your personal data to another controller if the conditions referred to in paragraph 1 are met and this does not require disproportionate effort.
Right to rectification (Article 32(1) FADP): You may request that we correct your data. We will take reasonable steps to ensure that your data that we have about you and process continuously is accurate, complete and up to date, based on the most up-to-date information we have.
Right to erasure (Article 6(5) and Article 32(2)(c) FADP): You may request that we erase your data, provided that the legal requirements for this are met. This may be the case, for example, if:
- the data is no longer required for the purposes for which it was collected or otherwise processed;
- you withdraw your consent, which is the basis of data processing, and there is no other legal basis for the processing;
- you object to the processing of your data and there are no overriding legitimate reasons for the processing, or you object to the processing of data for direct marketing purposes;
- the data has been processed unlawfully; unless processing is necessary
- to ensure compliance with a legal obligation that requires us to process your data;
- in particular with regard to statutory retention periods;
- to assert, exercise or defend against legal claims.
Right to object (Article 30(2)(b) FADP): You may object to the processing of your data at any time for reasons that arise from your particular situation, insofar as the data processing is based on your consent or on our legitimate interests or those of a third party. In this case, we will no longer process your data. The latter does not apply if we can prove compelling legitimate reasons for the processing that override your interests or if we need your data to assert, exercise or defend against legal claims.
Deadlines for complying with data subject rights
We endeavour to comply with all enquiries within 30 days. However, this period may be extended for reasons relating to the specific data subject right or due to the complexity of your request.
Restriction of information when satisfying data subject rights (Article 26 FADP)
In certain situations, we may be unable to provide you with information about all of your data due to legal requirements. If we have to reject your request for information in such a case, we will also inform you about the reasons for the rejection.
ALPHERA takes your concerns and rights very seriously. However, if you believe that we have not adequately complied with your requests or concerns, you have the right to lodge a complaint with the company data protection officer of ALPHERA (BMW Financial Services (Switzerland) Ltd).