Test Vehicle Privacy Notice
Effective from:
Published at:
This document describes how Volvo Cars (as defined below), and sometimes other entities, processes your personal data when it is collected by test vehicles on test tracks and public roads. Volvo Cars use test vehicles for the purpose of research, development, and certification of cars and its functions, including the assisted, connected, partly automated and autonomous driving functions. For these purposes, we use appropriately marked test vehicles to record data from various sensors, including video recording of the environment.
The Volvo Cars test vehicles are used for multiple purposes, which entail different types of personal data processing, as we will explain below. The different types of test vehicles are as follows:
- AD-HMI Vehicles
- Certification Vehicles
- Data Collection Vehicles (hereinafter ‘DCVs’)
You can find below:
1. Who is responsible for the processing of your personal data
The responsibility for the processing of your personal data collected by the test vehicles is divided according to below:
- The entity responsible for the processing of your personal data collected by the AD-HMI Vehicles, as well as the Certification Vehicles, is Volvo Car Corporation, having its registered office at Assar Gabrielssons Väg, SE-405 31, Gothenburg, Sweden, company registration number 556074-3089, hereinafter referred to as ‘Volvo Cars’, ‘we’, or ‘us’.
- The entities responsible for the processing of personal data collected by the DCVs are, jointly:
- Volvo Car Corporation, and
- Zenseact AB, company registration number 559228-9358, having its registered address at Lindholmspiren 2, 417 56 Göteborg, Sweden, hereinafter referred to as “Zenseact”.
2. Personal data collected, why and for how long
As previously stated, The Volvo Cars test vehicles are used for multiple purposes, which entail different types of personal data processing – the different test vehicles, what data they collect, and process are described below.
Volvo Cars will not process any of the personal data mentioned below, for any other purposes, than the purposes explicitly described in this privacy notice. We have implemented relevant measures to e.g. limit the access to the personal data and remove non-relevant material.
2.1 AD-HMI Vehicles
Volvo Cars AD-HMI Vehicles are test vehicles that are driven on public roads and collect traffic data. The processing of traffic data, which involves processing of personal data, is necessary for research, statistical and analytic purposes, and for the development, testing, evaluation, verification and validation of software, hardware, systems and technologies related to the safety and/or functionality of AD/ADAS/DMS and related technologies. Such data consists of the following data categories:
- Video Data collected through the use of video recorders installed in the AD-HMI test vehicles, which are positioned to capture the road and the public traffic environment in front of the AD-HMI Vehicle. The cameras will record pedestrians, cyclists, people in or on vehicles, and vehicles license plates in the vicinity of the AD-HMI Vehicle. To accomplish our purposes Volvo Cars need to collect data on real-world traffic environment and real-world traffic situations. Thus, the collected data must be authentic and cannot be modified by blurring for example. We are not interested in and do not in any way attempt to identify the individuals present in the data. Nor do we extract any other personal data from the collected data.
The legal basis for us to process the data mentioned above is our legitimate interests.
We will retain the data mentioned above for a maximum of 10 years to be able to reuse the data for test of new versions of software during the lifetime of the components. We will regularly sort out and erase data that is no longer needed in order to only keep relevant traffic situations. Data that is incomplete or corrupt due to technical errors is also candidate to be removed.
2.2 Certification Vehicles
Volvo Cars make use of test vehicles for testing and certification of our new cars and its functions. These Certification Vehicles will collect and process data, including personal data. The processing of data is necessary to ensure that the Volvo Cars vehicles meet applicable quality and road safety standards as well as other legal requirements. The data these vehicles collect consists of the following data categories:
- Sensor data – such as camera, LIDAR (light detection and ranging), radar and ultra-sonic sensors which can detect persons and objects moving around in the public traffic environment where the collection takes place. The cameras will record pedestrians, cyclists, people in or on vehicles, and vehicles license plates in the vicinity of the Certification Vehicle. We are not interested in and do not in any way attempt to identify the individuals present in the collected data.
- GPS – Geolocation data from the Certification Vehicle will be collected and stored in order to find relevant recorded data based on location.
The legal basis for us to process the data mentioned above is our legitimate interests.
We will retain the data for as long as it is necessary for purposes mentioned above, but no longer than 10 years.
2.3 Data Collection Vehicles
Personal data collected by the DCVs is processed by us and Zenseact which is also a data user in this scenario. Volvo Cars DCVs are driven on public roads to collect traffic data (hereinafter “Public Traffic Environment Data”). The processing of Public Traffic Environment Data, which involves processing of personal data, is necessary for the purpose of developing safe and reliable software and sensors for advanced driver assistance systems (ADAS) and autonomous drive (AD) systems, with the overall purpose of protecting all life on the road. Such data consists of the following data categories:
- Sensor Data - such as camera, LIDAR (light detection and ranging), radar and ultra-sonic sensors which can detect persons and objects moving around in the public traffic environment where the collection takes place. The data is used for evaluating sensors, the output from software interpreting the sensor data, and the software used in ADAS and AD systems. The cameras will record pedestrians, cyclists, people in or on vehicles, and vehicles license plates in the vicinity of the DCV. Volvo Cars need to collect data on real-world traffic environment and real-world traffic situations in order to be able to accomplish our purposes. Thus, this data must be authentic and cannot be modified by blurring for example. We are not interested in and do not in any way attempt to identify the individuals present in the Public Traffic Environment Data. Nor do we extract any other personal data from the collected data.
- GPS – Geolocation data from the DCV will be collected and stored in order to be able to develop our functionalities and to find relevant recorded data based on location.
- Annotations will be added to the data to be able to find relevant recorded data, such as annotations of sensitive places. Annotations can either be made by the drivers of the DCV or when the data is processed afterwards.
The legal basis for us to process the data mentioned above is our legitimate interests as well as to fulfil our legal obligations specified in laws and by government authorities.
We limit our locations of interest to exclude school and hospitals’ entrances, homes for the elderly, women’s refuges, court, prisons, accident location with injured individuals, beaches or public parks, private area such as interior of the house, its garden or balcony, and other places that might be sensitive for the persons being recorded.
We will retain the data for as long as it is necessary for purposes mentioned above, but no longer than 10 years. We will regularly sort out and erase Public Traffic Environment Data that is no longer needed in order to only keep relevant traffic situations. Data that is incomplete or corrupt due to technical errors is also candidate to be removed. The drivers will also make annotations of recorded material when the data needs manual review and potential removal if the data can be considered intrusive or harmful for the individuals recorded.
3. Sharing of your personal data
We will share your personal data with the following categories of third parties, on a need-to-know basis:
- We will share the data for with our intragroup entities in order to co-operate in research and development;
- We will share the data with the suppliers, including service providers and technology service providers, in order to facilitate finding and correcting errors in the technology they provide;
- We will share the data with our suppliers that provides the IT-infrastructure for the means to provide us with storage and data handling.
- To third parties, but only necessary for compliance with a legal obligation to which we are subject (including but not limited to, Law Enforcement Authorities) or where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
All suppliers will act as processors and will be bound by contractual arrangements with us and in line with the purpose set out in this notice. Transfer of the data to third parties outside EU will be made using Standard Contractual Clauses approved by the EU Commission. Additionally supplementary measures will be implemented to ensure compliance and security during such transfers.
We can share anonymised data with other parties. Anonymized data can’t be attributed to a natural person and is no longer personal data. We might also share anonymised or data non-attributed to a natural person with research entities for traffic-related research and with road traffic authorities for road safety improvements, such as to help them assess the quality of lane markings.
4. Your rights and controls
4.1 Your rights under GDPR
You have specific legal rights relating to the personal data we process about you. The rights may differ depending on which jurisdiction you are in and the nature of the processing. Generally, your rights concern the possibility to:
- object to our processing of your data
- ask for a copy of the data we hold about you (so-called subject access right)
- ask for the data to be transferred to another entity (so-called data portability)
- ask for the data to be corrected or restricted
- ask for the data to be deleted (so-called right to be forgotten)
As mentioned, these rights are not absolute and in some cases data protection law limits their application. Should this be the case for a request you make to us, we will always explain why we cannot fulfil your request.
If you would like to submit a rights request, please use our form available here and clearly state your request refers to our Data Collecting Vehicle. We kindly ask that you use the form as it sets out the information that we need to verify your identity and effectively process your request. However, should you prefer not to use the form, you are always welcome to contact us and submit your request using the contact information in the next section.
You also have a right to submit a complaint to your local data protection authority should you have concerns about how we use your personal data. However, we would appreciate it if you reached out and raised your concerns directly with us first to allow us to try to resolve them together. You can find our contact information here.
4.2 Your rights under Malaysian Law
You have specific legal rights granted by the Malaysian Personal Data Protection Act 2010 ("MY PDPA") relating to the personal data we process about you if MY PDPA applies to you or the processing of your personal data by us. Such rights include (subject to the MY PDPA):
- Right to access and correct your personal data: You have the right to request access to and to request correction of your personal data subject to the following: (i) you may make a data access request (upon payment of a prescribed fee (if any)) or a data correction request in writing to us; and (ii) we may refuse to comply with your data access request or a data correction request pursuant to the MY PDPA and shall, by notice in writing, inform you of our refusal and the reasons of our refusal.
- Right to prevent processing for purposes of direct marketing: You may, by providing us a notice in writing, request us to cease or not begin processing your personal data for purposes of direct marketing subject to a reasonable duration of time for the request to be effected.
- Right to withdraw consent: You may by notice in writing withdraw your consent to the processing of your personal data.
- Right to make a complaint: You can make a complaint to the Malaysian data protection authority/commissioner in accordance with the MY PDPA. However, we will appreciate if you first contact us to try and solve your problem – you can find our contact details in section 6 below.
You may also contact Volvo Cars with any inquiries or complaints in respect of your personal data or to exercise your rights (you can find our contact details in section 5 below). If you limit the processing or withdraw your consent to any or all use of your personal data, we may not be in a position to continue to administer any arrangement or contractual relationship in place, which in turn may result in: (i) us being unable to (continue to) process your personal data for any of the purposes specified in this privacy notice; and/or (ii) the termination of any arrangements/agreements you have with us.
5. Contact information
If you have any questions about how we use your personal data, you can contact us at dataprotection@volvocars.com, or Volvo Car Corporation Data Protection Officer as follows:
Jan Wellergård
Data Protection Officer
Phone: +46 31-590000
Email: globdpo@volvocars.com
Volvo Car Corporation
Avdelning 50092 / HABVS
405 31 Göteborg
Sweden
Electronic form to raise a complaint or to exercise your rights:
https://www.volvocars.com/intl/subject-rights-request
You can find contact information and other information regarding Zenseact’s processing of personal data in their Privacy Policy, http://www.zenseact.com/privacy-policy/.
6. Updates to this notice
We continuously develop our products and services and will review and update this Privacy Notice as a result. As such we encourage you to revisit this Privacy Notice regularly. The date at the top of this Privacy Notice lets you know when it was last updated. We will handle your personal data in a manner consistent with the Privacy Notice under which it was collected unless we have your consent to handle it differently.
7. Language
This privacy notice is drafted in the English and Bahasa Malaysia language. In the event of any inconsistency between the English version and the Bahasa Malaysia version of this Privacy Notice, the English version shall prevail over the Bahasa Malaysia version.