The protection of personal data is very important to us. The following information gives you an overview of how we process your personal data and your rights under data protection law.
1. Controller
Verband der Automobilindustrie e. V. (VDA)
Behrenstr. 35
10117 Berlin
Tel.: +49 30 897842-0
Fax: +49 30 897842-600
E-mail: info@vda.de
2. Data Protection Officer
Nikolaus Bertermann, Attorney-at-Law
daspro GmbH,
Kurfürstendamm 21,
10719 Berlin
datenschutz@vda.de
3. Which sources and data do we use?
We process only the personal data that is necessary for the respective purpose of the processing (see section 4 below). This is data that we have received directly from you in the context of fulfilling the purpose of the Association or that is legitimately transmitted to us by third parties (e.g. certification companies, licensees).
4. The purposes of and legal bases for processing your personal data
We process your personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the German Data Protection Act (Bundesdatenschutzgesetz, BDSG). The Association represents and promotes the interests of the entire German automotive industry, in particular the common interests of its members. This includes ensuring quality management in the automotive industry through the VDA Quality Management Center (VDA QMC). The spectrum ranges from the development of systems and methods to shaping the future of quality management systems in the automotive industry.
Personal data is processed for this general purpose in the following contexts:
4.1. Committee work
Among other things, the VDA QMC organizes its work through specific bodies (e.g. committees and project groups) on various quality management themes within the automotive industry. These bodies are made up of members’ representatives, whose data is used for this purpose for the performance of a contract pursuant to Article 6(1) (b) GDPR. For this purpose and on the same legal basis, information about quality management in the automotive industry is also communicated and transmitted to the members of the bodies.
4.2. Training courses and examinations
In the field of training and professional development in the VDA QMC, among other things the content previously elaborated in the project groups is passed on to the employees of the automotive industry both in Germany and worldwide by the licensees of the VDA QMC in the form of sector-specific training courses for qualifications. The great advantage of this is that under the VDA QMC umbrella, the relevant areas of expertise are developed by experts from the companies, who can also be deployed by the VDA QMC as trainers and examiners.
In the following we provide you with an overview of the personal data processing associated with the training courses and the purposes pursued thereby. We process your personal data to the extent that this is necessary in the course of our contractual relationship, or to initiate a contract (Article 6(1) (b) GDPR), and/or to safeguard our legitimate interests (Article 6(1) (f) GDPR); this applies to data that you provide voluntarily, which another user provides for you, or which we receive from our licensees. The purposes set out below therefore also constitute our legitimate interests in the data processing.
4.2.1. Registration and booking processes
Creating an account and registering for a training course
Participants register for their desired training course through our Webshop and its integrated International Training Management Tool (ITMT). You will find more detailed information about the processing of your personal data during creation of an account and registering for a training course in the VDA QMC Webshop data protection information.
Registration for examinations and extension of certificates
Once you have created your account and registered for a training course (or been registered by a colleague), if applicable you can apply via our website for admission to the examination for the training you have booked. To enable us to check your entitlement to register for the examination, you have to upload your curriculum vitae or some other documentary evidence of your professional experience in manufacturing, evidence of the audits performed, additional necessary qualification documents, plus a digital passport photo for your auditor card. Furthermore, we process your data that is specified for creating an account and registering for a training course. Once we have checked your application, you will receive an e-mail from us informing you whether your application has been accepted or rejected.
4.2.2. Organization of training courses and examinations
Organization of training courses
The training courses take place either face-to-face or online.
At a face-to-face training course, your presence will be checked against a list of participants, which you have to sign.
If you take part in an online training course, on the day of the course a “Participate” button will appear in our ITMT, through which you access the training platform of our service provider. The training courses are held as video conferences using Zoom.
During the event, all the training documents will be made available to you on the platform of our service provider. In addition, during the video conference all the participants will be listed on Zoom. You can use section chats and individual chats to communicate with the trainer and the other participants. Furthermore, you can share content relevant to the training with other participants during the event to enable cooperation between the participants.
Organization of examinations and issue of certificates
If you are admitted to an examination, you can take it after the training courses. Written examinations are held either on-site or online on the platform of our service provider, and take the form of a multiple-choice test or a case study with open-ended questions. If you take part in a written examination on-site, you must write your title, given name, family name, date of birth, and the date and location of the examination on the title page of the examination documents. In the case of an online examination, you can enter your answers to the questions in an examination screen.
Oral examinations are also held either on-site or online as a video conference in the form of an interview.
To prevent cheating and to ensure compliance with the examination regulations, we deploy invigilators at on-site examinations. If you take the examination online, you are required to keep your webcam switched on for the entire duration of the examination. In addition, if necessary you must prove your identity before the examination begins, by presenting your ID document (presenting it to the camera in the case of an online examination), so we can be sure that you are the person entitled to take the examination.
Your answers, which are written down in the case of a face-to-face examination or recorded in a protocol in the case of an oral examination, will be scanned and archived, so that our approved examiners can evaluate them.
If the examination is held online, your answers and your responses recorded during the oral examinations will be stored on the training platform of our service provider so that they can also be evaluated.
Based on the evaluation of your performance in the examinations, our service provider will subsequently issue the appropriate certificates.
Feedback sheet
After the training courses and examinations, you will have an opportunity to assess them by filling out a feedback sheet. You are free to decide whether to indicate your name. We will evaluate the feedback sheet in order to improve the training courses and examinations we offer.
4.2.3. Training courses and examinations organized by our licensees
If you participate in training courses and examinations organized by our licensees, we will receive from the licensees the personal data necessary for issuing the examination certificates. Furthermore, in individual cases we will request presentation of examination applications in order to ensure compliance with the terms of the license.
If you wish to become an approved trainer or examiner for training courses and examinations at our licensees, we will receive from the licensees the personal data necessary for a decision on your application for approval. If you are already an approved trainer or examiner, we will receive from the licensees the personal data necessary for determining whether you continue to fulfill the approval criteria.
4.3. Public relations/communication work
The VDA QMC sends information and communications to customers and member companies (e.g. specialist QM articles to trade media). For this purpose we process names, e-mail addresses, and addresses of our customers and member companies. Our publicity and communication work constitutes a legitimate interest. The legal basis for this data processing is the balance of interests pursuant to Article 6(1) (f) GDPR.
4.4. VDA and IATF certifications
As a monitor of certifications according to the regulations contained in VDA 6.1, VDA 6.2, VDA 6.4 and IATF 16949, the VDA QMC processes the personal data of auditors. If you act as an auditor within the scope of these regulations, please see the more detailed information on the processing of your personal data in this context in our data protection information for auditors, which is made available to you by the relevant certification company.
4.5. Business activities
The VDA QMC maintains business contacts (e.g. with suppliers, caterers) so that the Association can operate. This involves communication with and sending information to these VDA QMC business partners. For this purpose we process names, e-mail addresses, and addresses. The partners’ data is processed for the performance of contractual obligations (Article 6(1) (b) GDPR).
5. Internet presence
One of the ways in which the VDA QMC aims to serve the representative bodies and customers’ wishes is by optimizing the provision of its services on the websites. This constitutes a legitimate interest within the meaning of Article 6(1) (f) GDPR for the subsequent data processing insofar as this involves the processing of personal data by the VDA.
5.1. Server log files: Every access to our web presentation and every retrieval of a file stored there is logged. The storage serves internal system-related and statistical purposes. The following items are logged: name of the retrieved file, date and time of the retrieval, volume of data transmitted, notification of successful retrieval, web browser and requesting domain. In addition, IP addresses of the requesting computers are logged.
5.2. Cookies: Some of the websites use what are called cookies. They enhance the user-friendliness, effectiveness and security of the Internet pages. Cookies are small text files that are stored locally in the cache of the site visitor’s Internet browser. The cookies allow the Internet browser to be recognized. You can prevent the cookies from being stored by adjusting your browser settings. If you choose this option, you may not be able to use all the interactive features of our websites and all our services.
5.3. Session cookies: We use “session cookies” on these websites to enable you to browse quickly and to ensure that information you enter is remembered. Your information remains stored in the cookie file in your browser while the connection is active, but is deleted when you close the browser, depending on the settings of your browser program.
5.4. Other cookies: A cookie for the login on the frontend homepage www.vda-qmc.de (for Forum users) storing information that identifies the person accessing the homepage, e.g. view settings, search entries.
5.5. The Plug in Tool for the VDA QMC Forum and the VDA QMC login forms act as an interface between (partially) incompatible systems when data is imported and exported from and to different software systems.
5.6. Analytical tools without cookies – Matomo
This website uses the open source web analytics service Matomo. Matomo enables us to evaluate your website usage in a privacy-friendly way to measure the success of our offers, to improve our offers and to make the content more interesting. Matomo does not place cookies on your end device for this purpose. Instead, so-called fingerprinting is used, which records website usage with the aid of automatically transmitted data (e.g. IP address, screen resolution, page URL) in combination with user browser settings. The IP address is pseudonymized directly. Under these conditions visits and individual page views can be recorded, but it is not possible to draw conclusions about the identity of individual users. If you wish to generally prevent the recording of your page visits, you have the option of activating the Do-Not-Track function in your browser. This measure is effective for all pages you visit that belong to the domain “vda.de”. The legal basis for the data processing is Article 6(1) (f) GDPR. Since only information that has already been automatically transmitted is used for the evaluation and no additional information is stored or read on terminal equipment, our use of Matomo does not fall under Section 25(1) of the German Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, TTDSG).
For this website, recording of your page visits can also be prevented by the following opt-out. Please note that when you activate this option, a cookie is stored on your system:
You have the option of preventing the actions you take here from being analyzed and linked. This will protect your privacy, but will also prevent the owner from learning from your actions and improving usability for you and other users.
Your visit to this website is currently being recorded by the Matomo web analysis tool. Uncheck this box to opt-out.
5.7. OpenStreetMap / map displays
An individually created map is integrated into the VDA QMC website using an iFrame, which is based on the cartographic material from OpenStreetMap (link to their “About” page). On the map we indicate the locations of our regional offices and certification companies. This offering enables visitors to our website to see and contact the nearest office of a VDA certification company, for instance. OpenStreetMap (link: Privacy Policy – OpenStreetMap Foundation (osmfoundation.org)) automatically records the IP addresses of users of this offer. To technically enable the use of this service, IP data of the end devices used is transmitted to servers in the EU and in the United Kingdom. The legal basis for forwarding the data is consent in accordance with Article 6(1) (a) GDPR. (Technical note: before the map is used, this message appears: “I agree to the forwarding of the IP address to OpenStreetMap”, opt-in plus link to our data protection information.)
6. Who has access to my data?
6.1. Access to your data within the VDA is limited to those persons/bodies whose access is necessary to fulfill the purpose of the processing. In some cases, the VDA uses service providers who receive data for this purpose. We use these service providers only if they follow our written data protection instructions and guarantee compliance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Data Protection Act (Bundesdatenschutzgesetz, BDSG).
6.2. Banking and payment service providers
Banks and payment service providers can be recipients of data for the processing of payments and credit checks. One of the payment service providers we use in the web shop is the provider PAYONE (PAYONE GmbH, Lyoner Straße 15, 60528 Frankfurt am Main, Germany). PAYONE also acts as an acquirer in these cases. PAYONE's data processing is carried out under the independent responsibility of PAYONE. Further details on data processing by PAYONE can be found in PAYONE's privacy policy: Data protection information for cardholders | PAYONE
The legal basis for the transmission of payment information to payment service providers is the performance of the contract and the legitimate interest in making payments for our purchase transactions (Art. 6 para. 1 b) and f) GDPR). The legal basis for storing your data, which may be relevant for certain legal disputes and is usually stored for three years (statutory standard limitation period), is the legitimate interest in defending ourselves against possible claims (Art. 6 para. 1 f) GDPR). The provision of personal data is mandatory for the conclusion of the contract.
7. Duration of storage and deletion of your data
7.1. The length of time for which your data is stored depends on the purpose of the data processing. Accordingly, we store your data only for as long as is necessary for the purposes for which it is processed.
If the data is no longer required to fulfill the purpose, it is regularly deleted, unless further processing is required for the purpose of fulfilling commercial and tax law retention obligations or for the preservation of evidence as required by the statutes of limitation.
7.2. All contract and accounting-relevant data will be stored for a period of ten calendar years after the end of the contract in accordance with the retention periods under tax and commercial law. Data that becomes relevant for the defense of possible claims is stored for three years (statutory standard statute of limitations).
8. Recipients of personal data
8.1. Internal recipients
Within the VDA, only those departments and the staff working there that have a compelling need to access the data in order to perform their functions or tasks have access to your personal data.
8.2. External recipients
We pass your personal data on to external recipients only if this is necessary to fulfill purposes mentioned in section 4 above, if another legal permission/obligation exists, or if you have given us your consent to do so. External recipients may be:
9. Transmission to third countries
If we transfer your data to recipients in third countries outside the EU and the EEA in the absence of an adequacy decision by the European Commission for the third country, before the data is forwarded we will work toward an appropriate level of data protection for the transmission by concluding the relevant agreements with the recipients, which are regularly concluded on the basis of the EU’s standard contractual clauses.
10. Your rights as a data subject
According to the General Data Protection Regulation (GDPR), as a data subject you have the following rights, if the respective legal conditions are fulfilled:
Information: You have the right to receive information about your personal data that is processed.
Rectification: You can request the rectification of incorrect personal data about you. In addition, you can request the completion of incomplete data.
Erasure: In certain cases you can request the erasure of your personal data.
Restriction of processing: In certain cases you can request that the processing of your data be restricted.
Data portability: If you have provided data on the basis of a contract or consent, you can request that you receive the data provided by you in a structured, commonly used and machine-readable form, or that it be transmitted to a different controller.
Right to object in individual cases: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data which is based on Article 6(1) (f) GDPR. This personal data will then no longer be processed for these purposes, unless compelling grounds for the processing can be demonstrated which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defense of legal claims.
Withdrawal of consent: If you have given your consent to the processing of your data, you can withdraw it at any time with future effect. This does not affect the lawfulness of the processing of your data before consent was withdrawn.
Asserting your rights: To exercise any of your aforementioned rights, please contact us by e-mail at datenschutz@vda.de or by regular mail at the address given in section 1 above. Please ensure that we are able to identify you unequivocally.
Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of your personal data is unlawful.