Below you will find information on how we process personal data of visitors to our Website, regarding your interaction with us via social media and with respect to the DS-Cloud software that we offer to car repair shops.

1. Who are we and how can you contact us and our data protection officer (where one has been appointed)?

The controller of your Personal Data is PHINIA Inc. or the Affiliate company that operates the website you are currently visiting or that is operating the corporate presence in social media where you are interacting with such company, respectively. With respect to the DS-Cloud, PHINIA Inc. is the controller.

Contact information for the data protection contacts and data protection officers (where one has been appointed) is available DPO List - Website Privacy Notice. Additionally, you may always contact [email protected] with respect to questions about this Notice, the processing of your Personal Data in general and to exercise your rights towards PHINIA as outlined below under section I.2.

2. What rights do you have with respect to your Personal Data?

You have the following rights under GDPR provided that the legal requirements therein are met:

i. Right of access. You may request information about the processing of your Personal Data and a copy of the Personal Data undergoing processing insofar as such copy in particular does not adversely affect the rights and freedoms of others.

ii. Right to rectification. You may request correction of your Personal Data that is inaccurate and/or completion of such data which is incomplete.

iii. Right to erasure. You may request deletion of your Personal Data, in particular where (i) the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, (ii) you objected to the processing and there are no overriding legitimate interests for the processing, (iii) your Personal Data has been unlawfully processed or (iv) your Personal Data has to be erased for compliance with a legal obligation to which we are subject. The right to deletion, however, does not apply in particular where the processing of your Personal Data is necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims.

iv. Restriction of processing. You may request restriction of processing (i) for the period in which we verify the accuracy of your Personal Data if you contested the accuracy of the Personal Data, (ii) where the processing is unlawful and you request restriction of processing instead of deletion of the data, (iii) where we no longer need the Personal Data, but you require the data for the establishment, exercise or defense of legal claims or (iv) if you objected to processing until it has been verified whether our legitimate grounds override your interests, rights and freedoms.

v. Right to data portability. You may request to receive your Personal Data, which you have provided to us, in a structured, commonly used machine-readable format and transmit those data to another controller without hindrance from us, where the processing is based on consent or a contract and the processing is carried out by automated means; in these cases you may also request to have the Personal Data transmitted directly to another controller where this is technically feasible.

vi. Right to withdraw consent. You may withdraw your consent at any time for the future where processing is based on your consent, without affecting the lawfulness of processing based on consent before its withdrawal.

vii. Right to object.

Right to object You have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data which is based on our or a third party’s legitimate interests. We then will no longer process your Personal Data for the purpose to which you have objected unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. Where we process your Personal Data for direct marketing purposes, you have the right to object at any time to processing of your Personal Data for such direct marketing.

We then will no longer process your Personal Data for direct marketing purposes.

viii. Right to lodge a complaint. You may lodge a complaint with a supervisory authority if you consider that the processing of your Personal Data infringes the GDPR.

A list of the EEA supervisory authorities can be found here.

The UK Data Protection Authority’s (Information Commissioner’s Office) can be contacted at: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF (United Kingdom), telephone number +44 (0)303 123 1113 or here.

ix. France – Right to digital legacy. Should you be located in France, you additionally have the right to define (general or specific) directives regarding the fate of your Personal Data after your passing.

Please address your requests to exercise your rights to [email protected]  (with the exception of the right to lodge a complaint with a supervisory authority).

2.2 Rights of users located in Japan

i. Right to access. You may access your Personal Data and record of transfer we are keeping about you, if applicable.

ii. Right to correct, add and delete incorrect or incomplete Personal Data. If the Personal Data we have pertaining to you are incorrect or incomplete, you are entitled to have the Personal Data corrected, added or deleted

iii. Right to erase and cease processing. You have the right to request deletion of or cessation of processing of your Personal Data if your Personal Data has been used beyond the scope necessary to achieve the purpose for which they were collected, processed or obtained by deceit or in violation of the APPI, if our use of your Personal Data triggers illegal acts, are no longer necessary in relation to the purposes for which they were collected, compromised or otherwise processed in a manner which could harm the rights or legitimate interest of you. We may be permitted by applicable laws to retain some of your Personal Data to satisfy our business needs.

iv. Right to cease transfer to third parties. You have the right to request cessation of transferring of your personal data if your personal data is transferred to a third party in violation of the APPI or the transfer could harm your rights or legitimate interest.

v. Other rights. If you have any complaints regarding our processing of your Personal Data, questions on this Notice, our use of your Personal Data or our data protection measures implemented, and/or want to confirm the measures to exercise your privacy rights above, please contact at [email protected].

2.3 Rights of users located in the PRC

You have certain rights as set forth in this Notice, which include the following rights: 

i. Right of access. You may request information about the processing of your Personal Data and a copy of the Personal Data.

ii. Right to rectification. You may request correction of your Personal Data that is inaccurate and/or completion of such data which is incomplete.

iii. Right to erasure. You may request deletion of your Personal Data, in certain circumstances.

iv. Right to data portability. You have the right to request your Personal Data to be transferred to your designated third party where it is technically feasible to do so.

v. Right to limit or withdraw consent. You may limit or withdraw consent at any time.

vi. Right to de-register account. You may request deregistration of your account if you have registered an account with us.

vii. Right to lodge a complaint. You may lodge a complaint with us and/or a supervisory authority, if you have a privacy-related dispute or concern that remains unresolved by us internally. You may also bring a civil action against us in accordance with applicable laws. However, we would encourage you to first contact us should you have any requests for exercising your data subject rights, or for any enquiries and complaints.

Please address your requests to exercise your rights to [email protected].

2.4 Rights of users located in Brazil

You have the following rights under LGPD provided under article 18, as follows:

i. Right of confirmation and access. You have the right to obtain confirmation as to whether or not your personal data is being processed. If we are processing personal data concerning you, you have the right of access to the personal data and to certain information regarding the processing, as provided for in the LGPD, including information regarding the public and private entities with which we share your personal data.

ii. Right to rectification. You have the right to require the correction of incomplete, inaccurate, or out-of-date personal data concerning you.

iii. Right to anonymization, blocking or erasure. You have the right to request the anonymization, blocking or erasure of unnecessary or excessive personal data or personal data processed in non-compliance with the provisions of the LGPD.

iv. Right to data portability. You have the right to request that the personal data that we process concerning you is transmitted to another service or product provider, limited to our commercial or industrial secrets.

v. Right to withdraw consent. You have the right to withdraw consent at any time with future effect. This shall be without prejudice to the lawfulness of the processing of your personal data until consent has been withdrawn. You also have the right to request the erasure of personal data concerning you once consent is withdrawn and to be informed about the possibility of denying consent, and the consequences of such denial.

vi. Right to object. You have the right to object to the processing of your personal data to the extent that we rely on legal bases other than your consent, in case of violation of the LGPD.

vii. Right to revision. You have the right to request the revision of decisions taken solely on the basis of automated processing of your personal data which affects your interests, including decisions intended to define personal, professional, consumer or credit profile or aspects of your personality.

viii. Right to lodge a complaint. You have the right to lodge complaints before the supervisory authority and consumer protection entities.

2.5 Rights of users located in Turkey

You have certain rights under the DPL, which include the following rights:

i. to learn whether your Personal Data are processed or not,

ii. to demand information as to if your Personal Data have been processed,

iii. to learn the purpose of the processing of your Personal Data and whether these Personal Data are used in compliance with the purpose,

iv. to know the third parties to whom your Personal Data are transferred within the country or abroad,

v. to request the rectification of the incomplete or inaccurate data, if any,

vi. to request the erasure or destruction of your personal data, provided that the reasons for the processing no longer exist,

vii. to request reporting of the transactions carried out regarding the rectification request and erasure/destruction request to third parties to whom your Personal Data have been transferred,

viii. to object to the result occurred against yourself after analyzing the data processed solely through automated systems,

ix. to claim compensation for the damage arising from the unlawful processing of your Personal Data.

To make use of any of the above-mentioned rights or make any queries related to the DPL, please send an email to [email protected].

 

1. Where do we collect your data and what types of data are collected?

With your consent (where required by applicable law), we collect your Personal Data when you use, navigate through, search on, contact us via or register as a potential supplier, distributor or technician on the Website. This may concern the following categories of Personal Data:

• (should you contact us or request a quote or register as a potential supplier), such as first name and last name, date of birth, gender;
• Contact details (should you contact us or request a quote or register as a potential supplier), such as email address, phone number and mailing address (among others ZIP code, city, state, country);
• Message details, i.e. data related to your messages sent to PHINIA via the Website, such as the company you work for/on behalf of which you contact PHINIA, country in which you are located, area of interest on which your message is based and the contents of your message;
• Supplier, distributor or technician registration details, i.e. data related to registration as potential supplier, distributor or technician, such as company name, country, and job title;
• Press distribution list details, i.e. data related to registration to the press distribution list, such as position, company name, publisher website and region;
• Responses and feedback, such as service satisfaction information or other information related to your use of our services, and any other information you so choose to provide if you participate in our surveys or questionnaires.
• Details with respect to the Delphi Configurator and other PHINIA Portals, such as your identification details and contact details (see above), message details, types of services received or products bought and payment information;
• Types of services received or products bought, such as the specific service or name, product ID of the product you purchased on our Website or for which you requested a quote;
• , such as your skill level, the course booked, your identification details and contact details (see above), payment information;
• Website activity data, such as your IP address, the name of your internet service provider, the operating system and the browser you use, browser language the date, time and duration of your visit to the Website, the name(s) of the visited pages and the Internet address of the website from which you accessed the Website;
• Events and other requests, such as if you register for or attend an event or webinar that we host or sponsor, we may collect information related to your registration for and participation in such event.
• Loyalty and rewards program data, such as the points you earned for one of our loyalty and rewards programs.
• Preferences, such as communications preferences, preferences related to your use of services, and any other preferences or requests you provide when interacting with us.
• Location information, such as general location information (e.g., city/state and/or postal code associate with your IP address);
• Subject to obtaining your further consent (where required by applicable law), any other Personal Data reasonably related to the conduct of PHINIA’s business.

You are generally not required to provide your Personal Data to us. However, in order to facilitate access to the Website and features provided via the Website, we require certain Personal Data (e.g., contact details if you contact us as we are otherwise unable to respond). Hence, if you do not provide such Personal Data, we might not be able to provide all features available via the Website to you (e.g., contacting PHINIA via the Website, registration as potential supplier, distributor or technician).

There may be instances in which the Personal Data that you provided to us is considered as sensitive data under local data protection laws.

Most of the Personal Data we process is information that is knowingly provided to us. However, please note that in some instances, we may process Personal Data received from a third party with their knowledge.

2. How is your data used (purposes and legal bases)?

1.1 General

We may process your Personal Data for the purposes set forth in the table below. With respect to some specific purposes of processing (e.g., provision of newsletters) you will find additional information below the following table. We do not sell your Personal Data to any other company.

For Website users within the EEA/UK, Brazil, or Turkey we rely on the legal bases listed in the table below. Where relevant, the legitimate interest we pursue is included in the table below as well. The relevant legal bases for users within the EEA/UK, Brazil, or Turkey are:

• Performance of a contract (including processing necessary to take steps at your request prior to entering into a contract);
• Compliance with legal obligations;
• Legitimate interests;
• Consent; and
• For Brazil only: Regular exercise of rights in administrative, judicial or arbitration proceedings.

Purpose of processing	Legal basis (EEA/UK; Brazil; Turkey)	Legitimate interest (where relevant) (EEA/UK; Brazil; Turkey)	Categories of Personal Data
To provide the Website	Legitimate interests	We have a legitimate interest in making an Internet site available in order to present and develop our business.	Website activity data, location information
To provide PHINIA Portals (including the Delphi Configurator, online catalogue, diagnostic portals and other portals on our Website)	Performance of a contract or - where this is not appropriate - legitimate interests	We have a legitimate interest in making an auto parts and related services configurator, diagnostic portal and other portals available to the public in order to allow for insights into our offerings.	Website activity data, location information, details with respect to the Delphi Configurator, diagnostic portals and other PHINIA Portals, identification details, contact details, message details, types of services received or products bought, preferences
To provide a protected website area for suppliers, distributors or technicians	(i) Performance of a contract if you are contractual partner of PHINIA or (ii) legitimate interest (e.g., if you are a contact person at a supplier, distributor or technician)	We have a legitimate interest in providing a protected website area to suppliers, distributors or technicians.	Identification details, contact details, supplier, distributor or technician registration details, preferences
To contact you and provide you with information, which you have requested	Performance of a contract or - where this is not appropriate - legitimate interests	We have a legitimate interest in communicating with you upon your request.	Identification details, contact details, message details, details with respect to the Delphi Configurator and other PHINIA Portals, details with respect to training and courses offered by PHINIA (including the Delphi Academy), types of services received or products bought or supplier, distributor or technician registration details, press distribution list details, preferences, events and other requests, loyalty and rewards program data
To improve our services, goods and the Website	Legitimate interests	We have a legitimate interest in developing and improving our services, goods and the Website in order to preserve and grow our business.	Website activity data, location information
To collect statistical information about the use of this website (web analytics)	(i) Consent or (ii) - where your consent is not required - legitimate interests	We have a legitimate interest in analyzing the usage of the Website in order to improve it.	Website activity data, location information
To show personalized advertisement / content to you	(i) Consent or (ii) - where your consent is not required - legitimate interests	We have a legitimate interest to advertise our services and goods to grow our business.	Website activity data, location information, preferences
To determine disruptions and to ensure the security of the Website and our systems, including the detection and tracing of (the attempt of) unauthorized access to our web servers	(i) Compliance with our legal obligations regarding data security or (ii) - where no such obligations exist - legitimate interests	We have a legitimate interest in resolving disruptions and ensuring the security of the Website and our systems.

Website activity data, location information, identification details To provide you with our training and courses

Performance of a contract

N/A Website activity data, location information, identification details, contact details, message details, details with respect to the Delphi Configurator and other PHINIA Portals, details with respect to training and courses offered by PHINIA (including the Delphi Academy), types of services received or products bought, preferences To provide you with direct marketing communication (such as a newsletter) regarding products and/or services we offer (including via email)

(i) Consent or (ii) – where lawful under applicable national direct marketing rules – our legitimate interests

We have a legitimate interest in marketing our products and/or services. Identification details, contact details, supplier, distributor or technician registration details, press distribution list details, location information, message details, types of services received or products bought, preferences, responses and feedback, loyalty and rewards program data, events and other requests To carry out the Delphi loyalty and rewards program

Performance of a contract

N/A Loyalty and rewards program data, identification details, contact details, message details, supplier, distributor or technician registration details, responses and feedback, details with respect to the Delphi Configurator and other PHINIA Portals, types of services received or products bought, details with respect to training and courses by PHINIA (including the Delphi Academy), preferences, location information To plan and manage events, including webinars, such as to manage registration, attendance, connecting you with other event attendees

Performance of a contract or - where this is not appropriate - legitimate interests

We and our event attendees have a legitimate interest in strengthening customer relationships and enabling our customers to network. Events and other requests, preferences To carry out auditing, reporting, and other internal operations (including to conduct financial, tax and accounting audits; audits and assessments of our operations, privacy, security and financial controls, risk, and compliance with legal obligations; our general business, accounting, record keeping, and legal functions, and to maintain appropriate business records and enforce company policies and procedures)

(i) Compliance with our legal obligations regarding auditing or reporting or (ii) - where no such obligations exist - legitimate interests

We have a legitimate interest in ensuring compliance with applicable laws and regulations. Identification details, contact details, message details, types of services received or products bought, loyalty and rewards program data To carry out research and surveys (including administering surveys and questionnaires, such as for market research or user satisfaction purposes)

Legitimate interests

We have a legitimate interest in engaging with customers and other users of our products and services to obtain their thoughts and opinions on our products and services. Responses and feedback, identification details, contact details, message details, preferences To enable corporate transactions (including sale of all or part of our asset(s) and/or activity(ies)) Legitimate interests We may have a legitimate interest in disclosing information to (potential) buyers or acquirers and their external counsels in certain scenarios. Identification details, contact details, message details, details with respect to the Delphi Configurator and other PHINIA Portals, details with respect to training and courses offered by PHINIA (including the Delphi Academy), types of services received or products bought, supplier, distributor or technician registration details, loyalty and rewards program data, press distribution list details To safeguard our rights For EEA/UK and Turkey: Legitimate interests
For Brazil: Regular exercise of rights in administrative, judicial or arbitration proceedings We have a legitimate interest in the establishment, exercise and defense of legal claims. Identification details, contact details, message details, supplier, distributor or technician registration details, press distribution list details, website activity data, location information, details with respect to the Delphi Configurator and other PHINIA Portals, details with respect to training and courses offered by PHINIA (including the Delphi Academy), loyalty and rewards program data, events and other requests, preferences, responses and feedback, types of services received or products bought To comply with legal obligations to which we are subject (e.g., deriving from tax law, or foreign trade law) (i) Compliance with legal obligations or (ii) legitimate interest for compliance with international legal requirements where no legal obligation under applicable data protection law exists We have a legitimate interest to comply with international legal requirements where no legal obligation under applicable data protection law exists. Identification details, contact details, message details, supplier, distributor or technician registration details, press distribution list details, website activity data, location information, details with respect to the Delphi Configurator and other PHINIA Portals, details with respect to training and courses offered by PHINIA (including the Delphi Academy), loyalty and rewards program data, events and other requests, preferences, responses and feedback, types of services received or products bought Sanction list screenings (i) Compliance with our legal obligations or (ii) - where no such obligations exist - legitimate interests We have a legitimate interest in complying with sanctions regulations applicable to PHINIA in various jurisdictions. Identification details, contact details, supplier, distributor or technician registration details To carry out compliance investigations Legitimate interests We have a legitimate interest carrying out compliance investigations to safeguard that we comply with our legal obligations. Identification details, contact details, message details, supplier, distributor or technician registration details, press distribution list details, website activity data, location information, details with respect to the Delphi Configurator and other PHINIA Portals, details with respect to training and courses offered by PHINIA (including the Delphi Academy), loyalty and rewards program data, events and other requests, preferences, responses and feedback, types of services received or products bought For any of the above listed purposes it might be necessary to transfer data to our Affiliates (i) Consent where the relevant processing activity listed above relies on consent or (ii) legitimate interests We, as part of the PHINIA group of companies, have a legitimate interest in transferring your Personal Data within the group of companies with our Affiliates for internal administrative purposes. The data categories correspond to those listed with respect to the relevant purpose for processing.

In some cases, for example for Website users within the PRC, your Personal Data may be collected, used, disclosed, and processed for the abovementioned purposes based on your consent. Where we process your Personal Data for purposes not mentioned in this Notice, we will obtain your consent for such processing (as may be required by applicable law). Website users within the EEA/UK, or Brazil will be informed about the purposes of such processing prior to being asked to give consent.

2.2 Log files

As indicated in the table above, we save log files including website activity data for the purpose of determining disruptions and ensuring security of the Website and our systems.

We also use such log files for website analytics by means of cookies; for further information on our use of cookies please see our Cookie Notice.

2.3 Direct Marketing and Newsletter

As mentioned above, we may use your Personal Data to let you know about our products and services that we believe will be of interest to you and/or provide you with our newsletter. We may contact you by email or through other communication channels that we think you may find helpful.

If you subscribe to a newsletter, we will process your Personal Data in order to dispatch the newsletter based on your consent. In all cases, we will respect your preferences for how you would like us to manage marketing activity with you. You may ask us to stop direct marketing and withdraw your consent at any time, without affecting the lawfulness of processing based on such consent before its withdrawal, by cancelling the subscription by clicking on the respective link provided in each newsletter or contacting us. 

2.4 Cookies

PHINIA uses cookies to improve Website performance and enhance the user experience for those who visit the Website.

Cookies which are not strictly necessary for the provision of the Website will only be stored on your device and accessed based on your consent. You may withdraw such consent at any time, without affecting the lawfulness of processing based on such consent before its withdrawal, by accessing our Cookie Policy – Delphi . Further information on our use of cookies can be found in our Cookie Notice.

We also use Google Analytics to collect usage data about our services in order to provide us with reports and metrics to help us evaluate usage of our services and improve performance and user experience. To learn more about Google’s privacy practices, please review the Google Privacy Policy at https://www.google.com/policies/privacy/partners/. You can also download the Google Analytics Opt-out Browser Add-on to prevent their data from being used by Google Analytics at https://tools.google.com/dlpage/gaoptout.

3. Who has access to your information (recipients)?

3.1 Within PHINIA, only authorized PHINIA employees with appropriate responsibilities have access to your Personal Data. In addition, we may share your Personal Data with the categories of recipients mentioned in this section.

• IT service providers (hosting services) (EEA, US, UK, Taiwan)
• Newsletter service provider (handling and dispatch of newsletter) (EEA)
• Provider of website analytics tools (website analytics) (EEA, US)
• Web agency developing functions and maintaining operation of website (EEA)

• Affiliates: We may share your Personal Data of the categories listed in section II.1 above with Affiliates for the purposes listed in section II.2 above. For Website users within Japan, PHINIA Inc. is responsible for management of your Personal Data jointly used within PHINIA. The name of the representative persons of PHINIA Inc. is available at https://www.phinia.com/company/executive-management.
• Other third parties (data controllers):
  • Financial services providers (including banks for the purpose of carrying out financial transactions, e.g., when you purchase one of our products or services)
  • State authorities (including tax authorities and law enforcement agencies) for the purpose of compliance with laws and regulations applicable to us
  • Consultants (lawyers and auditors) for the purpose of compliance with legal obligations, corporate transactions and safeguarding our rights
  • Courts for the purpose of safeguarding our rights
  • Third party marketing providers
  • Potential buyer or acquirer of all or part of our asset(s) and/or activity(ies) for the purpose of corporate transactions

4. Do we transfer your data internationally (third country transfers)?

Some recipients of Personal Data may be located outside the EEA/UK and/or outside of the countries which you reside in (e.g., outside of Japan or the PRC) and these countries may not offer a level of protection equivalent to the one granted in your jurisdiction.

Where Personal Data of Website users from the EEA/UK is transferred to locations outside the EEA/UK, we will, as required by law, ensure that your privacy rights are adequately protected either because the respective country to which Personal Data are transferred has been recognized as proving an adequate level of protection by the competent body (Art. 45 GDPR) or the transfer is subject to appropriate safeguards provided by entering into standard data protection clauses of the European Union or the UK equivalent with the recipient (Art. 46 GDPR) unless GDPR provides for an exception or you have given explicit consent (Art. 49 GDPR). In addition to this, we intend to, where necessary, agree on additional measures with recipients to ensure an adequate level of data protection.

If we transfer your Personal Data from the EEA/UK to such a jurisdiction which has been recognized as providing an adequate level of data protection, we will rely on adequacy decisions. When transferring Personal Data to recipients in the US we may rely on the DPF (EU-U.S. DPF / UK Extension to the EU-U.S. DPF) which ensures an adequate level of protection for recipients certified under the DPF. A list of the European Commission’s adequacy decisions can be found here. A list of the UK’s adequacy decisions can be found here.

Where we rely on standard data protection clauses of the European Union or the UK equivalent, insofar as the transfer is made to a service provider (including Affiliates acting as such) processing Personal Data on our behalf, Module Two (transfer from controllers to processors) of the standard contractual clauses or the UK equivalent is relevant; insofar as the transfer is made to recipients which do not process Personal Data on our behalf but for their own purposes, Module One (transfer from controllers to controllers) is relevant.

Where Personal Data of Website users from Japan is transferred to locations outside Japan, we will, as required by law, ensure that your privacy rights are adequately protected either because the respective country to which Personal Data are transferred has been recognized as proving an adequate level of protection by the competent body (Art. 28.1 APPI) or the transfer is subject to appropriate safeguards provided by entering into an appropriate data processing agreement (Art. 28.1 APPI) APPI provides for an exception or you have given explicit consent (Art. 28.1 APPI). In addition to this, we intend to, where necessary, agree on additional measures with recipients to ensure an adequate level of data protection.

For Website users from PRC, with your consent and where your Personal Data is being transferred or shared outside of your country of residence, we will, as required by applicable law, put in place contractual and other measures to ensure your Personal Data is provided with protection that is at least comparable to that required under applicable law in your jurisdiction. If you require more details about our transfer activities, please contact us at [email protected].

Where Personal Data of Website users from Turkey is transferred to locations outside Turkey, we will, as required by law, ensure that your privacy rights are adequately protected either because the respective country to which Personal Data are transferred has been recognized as proving an adequate level of protection by the competent body (Art. (9) (1) DPL) or the transfer is subject to appropriate safeguards (Art. (9) (4) DPL) or conditions for derogations for specific situations have been met (Art. (9) (6) DPL).

A copy of the standard data protection clauses of the European Union or the UK equivalent can be obtained by contacting [email protected]. Please also contact this email address if you would like to know which of the clauses apply to a specific transfer or for copies of other safeguards.

5. How long do we store your data and how we protect your personal data?

6. No automated decision-making

In the context of this Website no automated decision-making takes place. 

Below you will find information on how we process personal data of individuals who interact with us through social media.

1. Where do we collect your data?

We have a presence on (i) LinkedIn, (ii) YouTube, (iii) X (formerly known as Twitter), (iv) Instagram, (v) Facebook, and (vi) WeChat / Weixin.

 

The providers of these social media networks process information about how you interact with our corporate presence in the respective social media network and data that you provide in your respective profile. The providers aggregate this data and provide it to us as statistics; however, you are not identifiable from these statistics. These statistics help us to better understand trends and demographics of the groups of people who interact with our corporate presence in social media networks.

The social media network providers may include the following companies among others:

• LinkedIn: LinkedIn Ireland Unlimited Company ("LIUC"), Wilton Place, Dublin 2, Ireland

In connection with the processing of Personal Data of social media users within the EEA/UK to produce the statistics, we and LIUC are joint data controllers. In this context, we and LIUC have entered into a joint controllership arrangement (available here). Pursuant to this arrangement, LIUC assumes compliance with the data protection obligations that exist in connection with the provision of the statistics. This includes the fulfillment of all rights you have as a user of LinkedIn. These are, for example, your rights to information, disclosure, deletion and objection. LIUC will also ensure that any existing notification obligations due to personal data breaches (such as towards authorities or you) are fulfilled. LIUC will therefore also ensure that LinkedIn members are informed about the processed data.

Information about LIUC's processing of your personal data when using LinkedIn can be found in LIUC's privacy notice, which is available here. You can view the user agreement for LinkedIn here.

• YouTube: Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland

  Information about Google's processing of your personal data when using YouTube can be found in Google's privacy notice, which is available here. You can view the terms of service for YouTube here.

• X (formerly known as Twitter): Twitter International Unlimited Company ("TIUC"), One Cumberland Place, Fenian Street Dublin 2, Ireland

  Information about TIUC's processing of your personal data when using Twitter can be found in Twitter's privacy notice, which is available here. You can view the Twitter terms of service here.

• Instagram: Meta Platforms Ireland Limited ("Meta"), 4 Grand Canal Square, Dublin 2, Ireland

  Information about Meta's processing of your personal data when using Instagram can be found in Meta's privacy notice, which is available here. You can view the terms of use for Instagram here.

• Facebook: Meta Platforms Ireland Limited ("Meta"), Block J, Serpentine Avenue, Dublin 4, Ireland

  In connection with the processing of Personal Data of social media users within the EEA/UK to produce the statistics, we and Meta are joint controllers. In this context, we and Meta have entered into a joint controllership arrangement (available here). Thereafter, we and Meta have agreed that Meta is obligated to enable data subjects' rights under Articles 15 to 20 of the GDPR (in particular, the right of access, the right of rectification, the right of erasure, the right to restrict processing and the right to object) with respect to personal data stored by Meta after joint processing. You may exercise your rights in relation to the processing of your personal data towards Meta.

Under this arrangement, we are also required to inform you of the following: Meta relies on the legal basis of "legitimate interests" (Art. 6 (1) (f) GDPR) for the processing of your personal data in connection with the statistics.

 

Information about Meta's processing of your personal data when using Facebook, in particular Meta's contact details and the contact details of Meta's designated data protection officer, as well as your rights vis-à-vis Meta, can be found in Meta's privacy notice, which is available here. You can view the terms of service for Facebook here.

WeChat / Weixin:

• WeChat: For users using a non-PRC phone number: Tencent International Services Europe BV ("Tencent EU"), Buitenveldertselaan 1-5, 1082 VA Amsterdam, the Netherlands (for users using a UK, EEA, or Switzerland phone number) or WeChat International Pte. Ltd. ("WeChat International"), 10 Anson Road, #21-07 International Plaza, Singapore 079903 (for users using a non-UK, EEA, or Switzerland phone number)

  Information about Tencent EU's and WeChat International’s collection, processing, and sharing of your personal data with us when using WeChat can be found in their privacy notice, which is available here. You can view the terms of use for WeChat here.

• Weixin: For users using a PRC phone number or contracted with Tencent Computer Systems Company Limited for Weixin: Shenzhen Tencent Computer Systems Company Limited ("Tencent PRC"), 35/F., Tencent Building, Kejizhongyi Avenue, Maling Community, Yuehai Street, Nanshan District, Shenzhen, PRC.

Information about Tencent PRC's collection, processing, and sharing of your personal data with us when using Weixin can be found in Tencent PRC's privacy notice, which is available here. You can view the terms of use for Weixin here.

For social media users outside of the EEA/UK the legal entities providing the social media networks might be different than those listed above.

The abovementioned social media providers may share your Personal Data with us. With your consent (where required by applicable law), we may also directly collect your Personal Data when you interact with us via social media. The categories of Personal Data we process in the course of such interaction depend on the platform used. This may involve the following categories of Personal Data:

• Identification details, such as first name and last name, username;
• Contact details, such as email address and phone number;
• Message / post details, such as the company you work for/on behalf of which you contact PHINIA via social media, country in which you are located, and the contents of your message / social media posts;
• Social media activity data, such as your IP address, your behavior on social media, information about the device you are using, browser language, time and duration of your visit to social media
• Location information, such as general location information (e.g., city/state and/or postal code associate with your IP address).

We may process your Personal Data for the purposes set forth in the table below. We do not sell your Personal Data to any other company.

For social media users within the EEA/UK, Brazil, or Turkey we rely on the legal bases listed in the table below. Where relevant, the legitimate interest we pursue is included in the table below as well. The relevant legal bases for users within the EEA/UK, Brazil, or Turkey are:

• Performance of a contract (including processing necessary to take steps at your request prior to entering into a contract);
• Compliance with legal obligations;
• Legitimate interests;

Consent; and

For Brazil only: Regular exercise of rights in administrative, judicial or arbitration proceedings.

 

Purpose of processing	Legal basis (EEA/UK; Brazil; Turkey)	Legitimate interest (where relevant) (EEA/UK; Brazil; Turkey)	Categories of Personal Data
To provide a corporate presence in social media networks	Legitimate interest	We have a legitimate interest in providing and maintaining (legally compliant) presences in social media in order to present the PHINIA group of companies and its services and content on the Internet and to grow engagement by visibility with a variety of audiences globally.	Social media activity data
To contact you and provide you with information you have requested	Performance of a contract or - where this is not appropriate - legitimate interests	We have a legitimate interest in communicating with you upon your request.	Identification details, contact details, message / post details
To improve our services, goods and our corporate presence in social media	Legitimate interests	We a legitimate interest in improving our services, goods and social media presence in order to preserve and grow our business.	Social media activity data
To collect and use statistical information on the use of corporate presences in social media (e.g., to efficiently carrying out marketing campaigns, placing advertisements and providing editorial content)	(i) Consent or (ii) - where your consent was not required for this purpose - legitimate interests	We have legitimate interests in analyzing the usage of the social media presences in order to improve them, in evaluating the use of our corporate presence in social media networks to play out advertising as targeted as possible, and in advertising goods/services.	Social media activity data, location information
To understand how customers and potential customers think about our brand (by analysing what people are saying about us on social media networks)	(i) Consent or (ii) – where your consent is not required – legitimate interests	We have a legitimate interest in understanding how customers and potential customers think about our brand in order to preserve and grow our brand and improve our goods and services.	Message / post details
To provide you with direct marketing communication (such as a newsletter)	(i) Consent or (ii) – where lawful under applicable national direct marketing rules – our legitimate interests	We have a legitimate interest in marketing our products and/or services.	Contact details, identification details
To interact with you via social media networks	Legitimate interests	We have a legitimate interest in interacting with followers of our corporate social media presences and other interested parties via social media in order to present the PHINIA group of companies and its services on the Internet.	The categories of Personal Data depend on the social media network. In particular, the following categories may be concerned: contact details, identification details, other information that you provide to us as part of the interaction via social media.
To enable corporate transactions (including sale of all or part of our asset(s) and/or activity(ies))	Legitimate interests	We may have a legitimate interest in disclosing information to (potential) buyers or acquirers and their external counsels in certain scenarios.	Identification data, contact data, messaging data, social media activity data, location information.
To safeguard our rights	For EEA/UK and Turkey: Legitimate interests For Brazil: Regular exercise of rights in administrative, judicial or arbitration proceedings	We have a legitimate interest in the establishment, exercise and/or defense of legal claims.	Identification data, contact data, messaging data, social media activity data, location information.
To comply with legal obligations (e.g., from tax law)	(i) Compliance with legal obligations or (ii) legitimate interest for compliance with international legal requirements where no legal obligation under applicable data protection law exists	We have a legitimate interest to comply with international legal requirements where no legal obligation under applicable data protection law exists.	Identification data, contact data, communication data, social media activity data, location information.

For any of the above listed purposes it might be necessary to transfer data to our Affiliates (i) Consent where the relevant processing activity listed above relies on consent or (ii) legitimate interests We, as part of the PHINIA group of companies, have a legitimate interest in transferring your Personal Data within the group of companies for internal administrative purposes. The categories of Personal Data correspond to those listed for the respective processing purpose.

In some cases, for example for social media users within the PRC, your Personal Data may be collected, used, disclosed, and processed for the abovementioned purposes based on your consent. Where we process your Personal Data for purposes not mentioned in this Notice, we will obtain your consent for such processing (as may be required by applicable law).

2.2 Analysis of usage behavior in social media networks

The social media network providers process information about how you interact with our corporate presence in the respective social media network and data that you provide in your respective profile. The providers aggregate this data and provide it to us as statistics ("Social Media Statistics"); you are not identifiable from this aggregated data. These statistics help us better understand trends and demographics of the groups of people who interact with our corporate presences in social media networks. Details about our corporate presences in social media networks and the respective providers can be found in section III.1.

2.3 Social media networks

In connection with our corporate presences on social media networks, we ask you to consult the privacy notices of the respective platform if you would like to learn more about the processing and sharing of your personal data on/by these platforms.

3. Who has access to your information (recipients)? 

3.1 Within PHINIA, only authorized PHINIA employees with appropriate responsibilities have access to your Personal Data. In addition, we may share your Personal Data with the categories of recipients mentioned in this section.

• Social media channel management platform provider (to manage our corporate presences on social media networks) (US)
• Newsletter service provider (handling and dispatch of newsletter) (EEA)

Some recipients of Personal Data may be located outside the EEA/UK and/or outside of the countries which you reside in (e.g. outside of Japan or PRC) and these countries may not offer a level of protection equivalent to the one granted in your jurisdiction.

Where Personal Data of social media users from the EEA/UK is transferred to locations outside the EEA/UK, we will, as required by law, ensure that your privacy rights are adequately protected either because the respective country to which Personal Data are transferred has been recognized as proving an adequate level of protection by the competent body (Art. 45 GDPR) or the transfer is subject to appropriate safeguards provided by entering into standard data protection clauses of the European Union or the UK equivalent with the recipient (Art. 46 GDPR) unless GDPR provides for an exception or you have given explicit consent (Art. 49 GDPR). In addition to this, we intend to, where necessary, agree on additional measures with recipients to ensure an adequate level of data protection.

If we transfer your Personal Data from the EEA/UK to such a jurisdiction which has been recognized as providing an adequate level of data protection, we will rely on adequacy decisions. When transferring Personal Data to recipients in the US we may rely on the DPF (EU-U.S. DPF / UK Extension to the EU-U.S. DPF) which ensures an adequate level of protection for recipients certified under the DPF. A list of the European Commission’s adequacy decisions can be found here. A list of the UK’s adequacy decisions can be found here.

Where we rely on standard data protection clauses of the European Union or the UK equivalent, insofar as the transfer is made to a service provider (including Affiliates acting as such) processing Personal Data on our behalf, Module Two (transfer from controllers to processors) of the standard contractual clauses or the UK equivalent is relevant; insofar as the transfer is made to recipients which do not process Personal Data on our behalf but for their own purposes, Module One (transfer from controllers to controllers) is relevant.

Where Personal Data of social media users from Japan is transferred to locations outside Japan, we will, as required by law, ensure that your privacy rights are adequately protected either because the respective country to which Personal Data are transferred has been recognized as proving an adequate level of protection by the competent body (Art. 28.1 APPI) or the transfer is subject to appropriate safeguards provided by entering into an appropriate data processing agreement (Art. 28.1 APPI) APPI provides for an exception or you have given explicit consent (Art. 28.1 APPI). In addition to this, we intend to, where necessary, agree on additional measures with recipients to ensure an adequate level of data protection.

For social media users from PRC, with your consent and where your Personal Data is being transferred or shared outside of your country of residence, we will, as required by applicable law, put in place contractual and other measures to ensure your Personal Data is provided with protection that is at least comparable to that required under applicable law in your jurisdiction. If you require more details about our transfer activities, please contact us at [email protected].

Where Personal Data of social media users from Turkey is transferred to locations outside Turkey, we will, as required by law, ensure that your privacy rights are adequately protected either because the respective country to which Personal Data are transferred has been recognized as proving an adequate level of protection by the competent body (Art. (9) (1) DPL) or the transfer is subject to appropriate safeguards (Art. (9) (4) DPL) or conditions for derogations for specific situations have been met (Art. (9) (6) DPL).

A copy of the standard data protection clauses of the European Union or the UK equivalent can be obtained by contacting [email protected]. Please also contact this email address if you would like to know which of the clauses apply to a specific transfer or for copies of other safeguards.

5. How long do we store your personal data and how we protect your personal data?

5.1 General

5.2 Newsletter

With respect to newsletters your Personal Data actively provided by you when registering to the newsletter will be stored as long as the newsletter subscription is active; your consent will be stored for up to three further years, depending on the respective standard limitation period.

5.3 Analysis of usage behavior on social media networks

Social Media Statistics are collected and stored by us exclusively in a non-personal manner.

5.4 Data security

We use appropriate technical and organizational measures aimed to protect your personal data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access. However, do note that the risk of such incidents always remains.

6. No automated decision-making

In the context of interaction with us via social media networks no automated decision-making takes place.

PHINIA offers car repair shops software via the DS-Cloud. The software helps repair shops identify and fix vehicle issues and find the right replacement parts. This software is referred to as "DS Software" throughout the following.

Phinia generally only acts on behalf of and subject to the instructions of car repair shops when processing personal data (as a data processor under Art. 28 GDPR or other applicable legislation as defined in Annex 1). However, we also process the personal data we receive for our own purposes (as a data controller). Below, you will find information about our processing of personal data as data controller, specifically how we process the personal data of:

• individuals who are customers of car repair shops using the DS Software (“Car Repair Shop Customer”);
• individuals who are drivers of vehicles of Car Repair Shop Customers (“Vehicle Drivers”)
• individuals who own vehicles of Car Repair Shop Customers or are registered holders of such vehicles (together and each of itself: “Vehicle Owners”);
• individuals who work for car repair shops using the DS Software (“Car Repair Shop Staff”); and
• individuals who own a car repair shop in their own name, including cases in which the official name of a legal entity identifies one or more individuals (“Car Repair Shop Owners”).

1. Where do we collect your data and what types of data are collected?

The Personal Data is provided to us by the respective car repair shop respectively collected directly by the DS Software.

You are generally not required to provide your Personal Data to us. However, in order to provide our services in connection with the DS Software, we require certain Personal Data (e.g., billing details of Car Repair Shop Owners as we are otherwise unable to manage our contractual relationship with them). Hence, if you do not provide such Personal Data, we might not be able to provide the DS Software to the respective car repair shop.

1.1 Car Repair Shop Customers, Vehicle Drivers, Vehicle Owners

For Car Repair Shop Customers, Vehicle Drivers, and Vehicle Owners, this may concern the following categories of Personal Data (the information relates to the vehicle on which the car repair shop is working):

• Vehicle Identification Number (VIN);
• Registration number;
• Make / brand of vehicle;
• Vehicle model;
• Year of vehicle's production;
• Mileage of vehicle;
• Date of connection;
• DS Software user device name / id number;
• List of the various electric control units on the vehicle which the DS Software connects to and their designation (petrol, diesel, advanced driver-assistance system, brakes.

These categories of Personal Data are collectively referred to as “Vehicle Data” in the following.

1.2 Car Repair Shop Staff

For Car Repair Shop Staff, this may concern the following categories of Personal Data:

• Name;
• Name of car repair shop;
• Business email address; and
• Log-in data for the DS Software.

These categories of Personal Data are collectively referred to as “Staff Data” in the following.

1.3 Car Repair Shop Owners

For Car Repair Shop Owners, this may concern the following categories of Personal Data:

• Name;
• Name of car repair shop;
• Business contact data (such as email address, postal address, telephone number);
• Log-in data for the DS Software;
• Details concerning the contractual relationship with us (such as contractual agreements, payments made, billing details).

These categories of Personal Data are collectively referred to as “Shop Owner Data” in the following.

2. How is your data used (purposes and legal bases)?

If you are located within the EEA/UK, Brazil, or Turkey we rely on the legal bases listed in the table below. Where relevant, the legitimate interest we pursue is included in the table below as well. The relevant legal bases for users within the EEA/UK, Brazil, or Turkey are:

• Performance of a contract (including processing necessary to take steps at your request prior to entering into a contract);
• Compliance with legal obligations;
• Legitimate interests; and
• For Brazil only: Regular exercise of rights in administrative, judicial or arbitration proceedings.

 

Purpose of processing	Legal basis (EEA/UK; Brazil; Turkey)	Legitimate interest (where relevant) (EEA/UK; Brazil;

Turkey)Categories of Personal DataFor Car Repair Shop Customers, Vehicle Drivers and Vehicle Owners only:
To enable PHINIA to provide high quality and consistent support and recommendations to car repair shops and their customers, in particular by recognizing vehicles of business partners' customers independently of which business partner such customers rely on and having available historical data on issues/faults for those vehicles. Performance of contract if the processing only relates to a single Car Shop Customer requesting this specific service from a car repair shop; legitimate interests in all other cases We have a legitimate interest in furthering our business by providing consistent support that is of a high quality and by offering recommendations to our business partners and their customers which are of help to them, in particular by recognizing vehicles of business partners' customers independently of which business partner such customers rely on and having available historical data on issues/faults for those vehicles Vehicle Data For Car Repair Shop Staff and Car Repair Shop Owners only:
To enable PHINIA to carry out administrative activities necessary to provide the DS Software to the respective car repair shop (e.g., by providing log-in data for the DS Software). Legitimate interests We may have a legitimate interest in carrying out administrative activities which are to provide the service contractually agreed upon with the respective car repair shop. Staff Data, Shop Owner Data For Car Repair Shop Owners only:
To manage the (contractual) relationship with you, e.g., contract negotiations, billing. Performance of a contract (including processing necessary to take steps at your request prior to entering into a contract) N/A Shop Owner Data To enable PHINIA to make its services better and create new ones with the features car repair shops and their customers want, e.g. by analyzing whether the DS Software is working correctly, troubleshoot and fix it when it’s not, and to test out new features to see if they work. Legitimate interests We have a legitimate interest in furthering our business by making our services better and creating new ones. Vehicle Data, Staff Data, Shop Owner Data To use less information that’s connected to individuals, where possible we pseudonymize (de-identify) or anonymize (e.g. by aggregating information) personal data. Legitimate interests We have a legitimate interest in pseudonymizing or anonymizing personal data to protect the rights and freedoms of individuals and to comply with data minimization and privacy by design requirements Vehicle Data, Staff Data, Shop Owner Data To enable corporate transactions (including sale of all or part of our asset(s) and/or activity(ies)) Legitimate interests We may have a legitimate interest in disclosing information to (potential) buyers or acquirers and their external counsels in certain scenarios. Vehicle Data, Staff Data, Shop Owner Data To safeguard our rights For EEA/UK and Turkey: Legitimate interests
For Brazil: Regular exercise of rights in administrative, judicial or arbitration proceedings We have a legitimate interest in the establishment, exercise and defense of legal claims. Vehicle Data, Staff Data, Shop Owner Data To comply with legal obligations to which we are subject (e.g., deriving from tax law, or foreign trade law) (i) Compliance with legal obligations or (ii) legitimate interest for compliance with international legal requirements where no legal obligation under applicable data protection law exists We have a legitimate interest to comply with international legal requirements where no legal obligation under applicable data protection law exists. Vehicle Data, Staff Data, Shop Owner Data To carry out compliance investigations Legitimate interests We have a legitimate interest carrying out compliance investigations to safeguard that we comply with our legal obligations. Vehicle Data, Staff Data, Shop Owner Data For any of the above listed purposes it might be necessary to transfer data to our Affiliates (i) Consent where the relevant processing activity listed above relies on consent or (ii) legitimate interests We, as part of the PHINIA group of companies, have a legitimate interest in transferring your Personal Data within the group of companies with our Affiliates for internal administrative purposes. The data categories correspond to those listed with respect to the relevant purpose for processing.

 In some cases, for example if you are located in the PRC, your Personal Data may be collected, used, disclosed, and processed for the abovementioned purposes based on your consent. Where we process your Personal Data for purposes not mentioned in this Notice, we will obtain your consent for such processing (as may be required by applicable law). If you are located within the EEA/UK, or Brazil, you will be informed about the purposes of such processing prior to being asked to give consent.

3. Who has access to your information (recipients)?

3.1 Within PHINIA, only authorized PHINIA employees with appropriate responsibilities have access to your Personal Data. In addition, we may share your Personal Data with the categories of recipients mentioned in this section.

3.2 With your consent (where required by applicable law), we may share your Personal Data with service providers that process Personal Data on our behalf in the jurisdictions mentioned below, and subject to our instructions as so-called processors, for the purpose of providing their professional services to us:

• IT service providers (hosting services) (EEA, US, UK, Taiwan)

Where we share your Personal Data with these service providers, we will – as required by law – put in place contracts to ensure they process your Personal Data in accordance with our instructions and to adopt security measures to protect your Personal Data. 

3.3 With your consent (where required by applicable law), we may share your Personal Data with the following third parties:

• Affiliates: We may share your Personal Data of the categories listed in section IV.1 above with Affiliates for the purpose listed in section IV.2 above. If you are in Japan, PHINIA Inc. is responsible for management of your Personal Data jointly used within PHINIA. The name of the representative persons of PHINIA Inc. is available at https://www.phinia.com/company/executive-management.
• Other third parties (data controllers):
  • State authorities (including tax authorities and law enforcement agencies) for the purpose of compliance with laws and regulations applicable to us
  • Consultants (lawyers and auditors) for the purpose of compliance with legal obligations, corporate transactions and safeguarding our rights
  • Courts for the purpose of safeguarding our rights
  • Potential buyer or acquirer of all or part of our asset(s) and/or activity(ies) for the purpose of corporate transactions

If you are located within the EEA/UK, Brazil, or Turkey the legal bases relevant for the transfer of Personal Data to third parties can be found in section IV.2 above.

If you are located in the PRC, you may contact us at [email protected] for further information about our sharing of Personal Data with third party data controllers.

4. Do we transfer your data internationally (third country transfers)?

Some recipients of Personal Data may be located outside the EEA/UK and/or outside of the countries which you reside in (e.g., outside of Japan, or the PRC) and these countries may not offer a level of protection equivalent to the one granted in your jurisdiction.

Where Personal Data of Car Repair Shop Customers, Vehicle Drivers, Vehicle Owners, Car Repair Shop Staff and/or Car Repair Shop Owners from the EEA/UK is transferred to locations outside the EEA/UK, we will, as required by law, ensure that your privacy rights are adequately protected either because the respective country to which Personal Data are transferred has been recognized as proving an adequate level of protection by the competent body (Art. 45 GDPR) or the transfer is subject to appropriate safeguards provided by entering into standard data protection clauses of the European Union or the UK equivalent with the recipient (Art. 46 GDPR) unless GDPR provides for an exception or you have given explicit consent (Art. 49 GDPR). In addition to this, we intend to, where necessary, agree on additional measures with recipients to ensure an adequate level of data protection.

If we transfer your Personal Data from the EEA/UK to such a jurisdiction which has been recognized as providing an adequate level of data protection, we will rely on adequacy decisions. When transferring Personal Data to recipients in the US we may rely on the DPF (EU-U.S. DPF / UK Extension to the EU-U.S. DPF) which ensures an adequate level of protection for recipients certified under the DPF. A list of the European Commission’s adequacy decisions can be found here. A list of the UK’s adequacy decisions can be found here.

Where we rely on standard data protection clauses of the European Union or the UK equivalent, insofar as the transfer is made to a service provider (including Affiliates acting as such) processing Personal Data on our behalf, Module Two (transfer from controllers to processors) of the standard contractual clauses or the UK equivalent is relevant; insofar as the transfer is made to recipients which do not process Personal Data on our behalf but for their own purposes, Module One (transfer from controllers to controllers) is relevant.

Where Personal Data of Car Repair Shop Customers, Vehicle Drivers, Vehicle Owners, Car Repair Shop Staff and/or Car Repair Shop Owners from Japan is transferred to locations outside Japan, we will, as required by law, ensure that your privacy rights are adequately protected either because the respective country to which Personal Data are transferred has been recognized as proving an adequate level of protection by the competent body (Art. 28.1 APPI) or the transfer is subject to appropriate safeguards provided by entering into an appropriate data processing agreement (Art. 28.1 APPI) APPI provides for an exception or you have given explicit consent (Art. 28.1 APPI). In addition to this, we intend to, where necessary, agree on additional measures with recipients to ensure an adequate level of data protection.

For Car Repair Shop Customers, Car Repair Shop Staff Car, Vehicle Drivers, Vehicle Owners, Car Repair Shop Staff and/or Car Repair Shop Owners from PRC, with your consent and where your Personal Data is being transferred or shared outside of your country of residence, we will, as required by applicable law, put in place contractual and other measures to ensure your Personal Data is provided with protection that is at least comparable to that required under applicable law in your jurisdiction. If you require more details about our transfer activities, please contact us at [email protected].

Where Personal Data of Car Repair Shop Customers, Vehicle Drivers, Vehicle Owners, Car Repair Shop Staff and/or Car Repair Shop Owners from Turkey is transferred to locations outside Turkey, we will, as required by law, ensure that your privacy rights are adequately protected either because the respective country to which Personal Data are transferred has been recognized as proving an adequate level of protection by the competent body (Art. (9) (1) DPL) or the transfer is subject to appropriate safeguards (Art. (9) (4) DPL) or conditions for derogations for specific situations have been met (Art. (9) (6) DPL).

A copy of the standard data protection clauses of the European Union or the UK equivalent can be obtained by contacting [email protected]. Please also contact this email address if you would like to know which of the clauses apply to a specific transfer or for copies of other safeguards.

5.1 General

Your Personal Data will generally only be stored until the Personal Data are no longer necessary in relation to the purposes for which they were collected (or otherwise processed).

As an exception, Personal Data may be stored longer where their processing is necessary for compliance with a legal obligation – including compliance with statutory retention periods – to which we are subject or for the establishment, exercise or defense of legal claims.

5.2 Vehicle Data

Vehicle Data is generally stored by us until the Vehicle Data are no longer necessary in relation to the purposes for which they were collected (or otherwise processed), in particular, because the number of vehicles still in operation falls below a relevant threshold which usually will be the case at the latest 25 years after the respective model has been put on the market.

5.3 Staff Data

Staff Data is generally stored by us until closure of the Shop Owner account or if we are informed by the car repair shop that the respective staff member no longer requires access to the DS Software.

5.4 Shop Owner Data

Shop Owner Data is generally stored by us until closure of the Shop Owner account.

6. Data security

We use appropriate technical and organizational measures aimed to protecting your personal data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access. However, do note that the risk of such incidents always remains.

7. No automated decision-making

In the context of the processing activities described above concerning the DS Software, no automated decision-making takes place.

In this section of the Notice, we provide additional information for California residents about how we collect, use, disclose, and otherwise process their personal information, including the rights and choices they may have, as required by applicable California privacy laws. This section describes our information practices pursuant to the California Consumer Privacy Act (as amended, including by the California Privacy Rights Act of 2020) and its implementing regulations (as amended) (collectively, the “CCPA”). This section does not address or apply to our handling of personal information that is exempt under the CCPA.

• Advisors and agents
• Regulators, government entities, and law enforcement
• Affiliates and subsidiaries
• Internet service providers, operating systems, and platforms
• Others as required by law

Professional Information. Includes professional and employment-related information such as current and former employer(s), position(s), job title(s) and job role(s), business contact information, and professional memberships, qualifications, and licensing.

• Advisors and agents
• Regulators, government entities, and law enforcement
• Affiliates and subsidiaries
• Internet service providers, operating systems, and platforms
• Others as required by law

Profiles and Inferences. Including inferences drawn from any of the information identified above to create a profile reflecting a California resident’s preferences, characteristics, behavior, or attitudes.

• Advisors and agents
• Regulators, government entities, and law enforcement
• Affiliates and subsidiaries
• Others as required by law

Protected Classifications. In limited circumstances, such as when you provide this information voluntarily, we may collect certain information that is considered a protected classification under California/federal law, such as your gender and date of birth.

• Advisors and agents
• Regulators, government entities, and law enforcement
• Affiliates and subsidiaries
• Others as required by law

Biometric Information. Includes physiological, biological, or behavioral characteristics that can be used alone or in combination with each other to establish individual identity. For example, we may collect and process voiceprints for fraud detection and authentication purposes when you contact us by phone, or facial recognition or fingerprint scans for security purposes.

• Advisors and agents
• Regulators, government entities, and law enforcement
• Affiliates and subsidiaries
• Internet service providers, operating systems, and platforms
• Others as required by law

Sensitive Personal Information. In limited circumstances, we may collect social security number, driver’s license number, state identification card number, passport number, biometric information, and precise geolocation data.

• Advisors and agents
• Regulators, government entities, and law enforcement
• Affiliates and subsidiaries
• Others as required by law

Sales and Sharing of Personal Information. California privacy laws define a “sale” as disclosing (or otherwise making available) personal information to a third party in exchange for monetary or other valuable consideration. “Sharing” broadly includes disclosing (or otherwise making available) personal information to a third party for purposes of cross-context behavioral advertising. While we do not disclose personal information to third parties in exchange for monetary compensation, we may “sell” or “share” (as defined by the CCPA) identifiers and Internet and electronic network activity information to third-party ad companies and analytics providers to improve and evaluate our advertising campaigns, monitor and measure Website performance, and better reach customers and prospective customers with more relevant ads and content. We do not sell or share sensitive personal information, nor do we sell or share any personal information about individuals who we know are under sixteen (16) years old.

As described in more detail in section 2.1 above in the “Purposes of Processing” column and section 3, “Who has access to your information (recipients)” above, we may collect, use, disclose, and otherwise process the above personal information for the following business or commercial purposes and as otherwise directed or consented to by you:

 

• To provide the Website and a corporate presence in social media networks
• To provide PHINIA Portals (including the Delphi Configurator, online catalogue, diagnostic portals and other portals on our Website)
• To provide a protected website area for suppliers, distributors or technicians
• To interact with you, including via social media networks, contact you and provide you with information, which you have requested
• To improve our services, goods, the Website, and our corporate presence in social media
• To collect statistical information about the use of this website (web analytics)
• To understand how customers and potential customers think about our brand (by analyzing what people are saying about us on social media networks)
• To show personalized advertisement / content to you
• To determine disruptions and to ensure the security of the Website and our systems, including the detection and tracing of (the attempt of) unauthorized access to our web servers
• To provide you with our training and courses
• To provide you with direct marketing communication (such as a newsletter) regarding products and/or services we offer (including via email)
• To carry out the Delphi loyalty and rewards program
• To plan and manage events, including webinars
• To carry out auditing, reporting, and other internal operations
• To carry out research and surveys
• To enable corporate transactions (including sale of all or part of our asset(s) and/or activity(ies))
• To safeguard our rights
• To comply with legal obligations to which we are subject (e.g., deriving from tax law, or foreign trade law)
• Sanction list screenings
• To carry out compliance investigations

For any of the above listed purposes it might be necessary to transfer data to our Affiliates.

Retention. We retain the personal information we collect only as reasonably necessary for the purposes described above or otherwise disclosed to you at the time of collection. For example, we will retain certain personal information for as long as necessary to comply with our tax, accounting, and record-keeping obligations, to administer our Services, and for research, development, and safety purposes as well as an additional period of time as necessary to protect, defend or establish our rights, defend against potential claims, and comply with legal obligations.

 

 

California Residents’ Rights. Under the CCPA, California residents have the following rights (subject to certain limitations):

• Opt-Out of Sales and Sharing. The right to opt out of our sale and sharing of their personal information.
• Limit Use and Disclosure. The right to limit our use or disclosure of sensitive personal information to those uses authorized by the CCPA. However, we do not use or disclose sensitive personal information in ways triggering this right.
• Deletion. The right to the deletion of their personal information that we have collected, subject to certain exceptions.
• Know/Access. The right to know what personal information we have collected about them, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about them.
• Correction. The right to correct inaccurate personal information that we maintain about them.
• Non-Discrimination. The right not to be subject to discriminatory treatment for exercising their rights under the CCPA.

If you have any questions or concerns regarding this section of the Notice or our privacy practices, you may contact us at [email protected]. 

The terms and expressions in capital letters used in this policy have the meanings set forth below. Additionally, the definitions included in Art. 4 of the GDPR shall apply.

“Affiliate” shall mean PHINIA Inc. and any entity which directly or indirectly controls, or is controlled by, PHINIA Inc. ‘Control’ means direct or indirect ownership or domination of more than 50% of the voting interest of the respective entity.

“APPI” shall mean the Japanese Act on the Protection of Personal Information.

“CCPA” means the California Consumer Privacy Act and any implementing regulations issued thereto, each as amended (including by the California Privacy Rights Act and any regulations promulgated thereto).

“CCPA” means the California Consumer Privacy Act and any implementing regulations issued thereto, each as amended (including by the California Privacy Rights Act and any regulations promulgated thereto).

“CMP” shall mean the consent management platform integrated into the Website where required by applicable law.

“Controller”, “we”, “us”, “our” shall mean the PHINIA entity which is controller of your Personal Data according to section I.1 in the Notice.

“DPF” shall mean the Data Privacy Framework Program (EU-U.S. Data Privacy Framework / UK Extension to the EU-U.S. Data Privacy Framework).

“DPL” shall mean the Turkish Law on the Personal Data Protection w. no. 6698.

“EEA” shall mean European Economic Area. The European Economic Area consists of the Member States of the European Union plus Iceland, Liechtenstein and Norway.

“GDPR” shall mean the General Data Protection Regulation (Regulation (EU) 2016/679) or UK GDPR where UK GDPR is relevant.

“LGPD” shall mean the Brazilian General Data Protection Law (Law 13,709/2018).

“Notice” shall mean this privacy notice.

“Personal Data” shall mean any information relating to an identified or directly or indirectly identifiable living individual, or otherwise as defined in applicable law.

“PHINIA” shall mean PHINIA Inc., 3000 University Drive, Auburn Hills, MI 48326, United States of America.

“PIPL” shall mean the PRC Personal Information Protection Law.

“PRC” shall mean People’s Republic of China, excluding for the purpose of this Notice, Hong Kong SAR, Macau SAR, and Taiwan.

“UK” shall mean United Kingdom.

“UK GDPR” shall mean the GDPR as transposed into UK national law by operation of section 3 of the European Union (Withdrawal) Act 2018, together with the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the UK.

“US” shall mean the United States of America.

“Website” shall mean the website you are visiting on which you accessed this Notice.

Thank you for visiting our website. We are part of the PHINIA group of companies. PHINIA Inc. (3000 University Drive, Auburn Hills, MI 48326, United States of America) and its Affiliates (together and each for itself “PHINIA”, “we”, “us”, “our”) take data protection very seriously. We have developed this Cookie Notice in particular to clearly inform you about how we use cookies and pixels on our website.

1. What are cookies?

We use “cookies” and “pixels” on our website, which can store data and help to provide you with additional functions to make our website more user-friendly, more effective and safer. “Cookies” are small text files that are sent from our web server to your device in order to store certain information (e.g., features for identification). “Pixels” are graphics that are embedded in the website and perform corresponding functions. “Flash Cookies” make it quicker and easier for you to access sites on subsequent visits that use Flash technology. Deleting them means you may have to re-enter information each time you visit the same site. But just like any cookie, you can delete Flash cookies by going to the settings manager for your Adobe Flash Player. You will be taken to the Adobe website, which lists the websites with the cookies in your browser. Just click Delete opposite the relevant website. Cookies and pixels are used, for example, to store information about a website user during or after a visit to a website. There are various types of cookies and pixels (hereinafter collectively referred to as “cookies”).

2. Which cookies are set on the website and how do you decide which cookies are set?

3. What types of cookies are set?

There are different types of cookies.

Session cookies are stored temporarily during a browsing session and deleted from the device when the browser is closed. Persistent cookies are saved on the device for a fixed pre-defined period of time and are not deleted when the browser is closed. Persistent cookies are used where we need to be able to recognize your device for more than one browsing session.

First party cookies are set by the website you are visiting and can only be read by that site. Third party cookies are not set by the owner of the website you are visiting but by a different organization. For example, we might engage a third party analytics company that will set their own cookie to perform their services.

Cookies can be further categorized as follows:

Necessary cookies are cookies that are required for the operation of the website, such as to ensure security. Other necessary cookies allow us to provide features or services that you expressly request. Setting these cookies does not require your consent. You can, however, set your browser to block or alert you about these cookies, but some parts of our website may not work if you block necessary cookies.

Preference cookies enable our website to remember information that changes the way the website behaves or looks, like your preferred language or region that you are in. We will only store and access preference cookies on your device if you consent to such storage and access. If you do not consent to these types of cookies we will not be able to provide certain functionalities to you.

Statistics cookies allow us to analyze usage of our website and understand how visitors use it. These cookies recognize and collect information about the number of visitors, the pages they view, how long they view pages and how they move around the website when they are using it. This helps us to improve the way our website works, for example, by ensuring that visitors are easily finding what they are looking for. We will only store and access statistics cookies on your device if you consent to such storage and access. If you do not consent to these types of cookies we will not be able to provide certain functionalities to you.

Marketing cookies are used to display advertisements that are relevant for website users. These cookies may be used to track visitors across websites. We will only store and access marketing cookies on your device if you consent to such storage and access. If you do not consent to these types of cookies we will not be able to provide certain functionalities to you.

4. What rights do you have with respect to your Personal Data?

To learn more about your rights and to obtain additional information about the processing of your Personal Data, click Cookie Policy – Delphi to access our website and social media privacy notice.

5. Changes to this Cookie Notice

We reserve the right to amend or modify this Cookie Notice at any time to ensure compliance with applicable laws. Please check regularly whether this Cookie Notice has been updated.

This Cookie Notice has been updated last in July 2025.