Data Protection Policy for acquisition of video, image and audio data in public traffic as part of research and development projects by Robert Bosch GmbH

Protection of person related data is a top priority for Robert Bosch GmbH and is taken into account in all of our business processes. The following data protection information provides an overview of the processing of person related data by Robert Bosch GmbH as data controller by law. Person related data means all information that relates to an identified or identifiable natural person.

With this data protection notice, we provide information on type, scope and purpose of the acquisition of person related data at Robert Bosch GmbH in the context of research and development on driver assistance systems, automated and autonomous driving, driving functions and other services, as well as the handling of these data. In addition, the web site clarifies what rights exist in relation to the processing of person related data and what essential content is established in the processes of Robert Bosch GmbH in relation to the acquisition and processing of person related data.

1. What data are processed?

Within the framework of the above-mentioned research and development purpose, marked test vehicles move in public traffic areas and - as far as permitted by other laws - on private plants, test sites and other sites. The vehicles are equipped with camera systems with different detection angles, focal lengths and sensor technologies, and some of them are equipped with outside microphones and other sensor systems. These systems record, process and store video, image and audio data from the vehicle environment for the purposes described in section 4 of this data protection policy.

Depending on the individual case, these data may also contain the following personal information:

Faces, other characteristics and surroundings of traffic participants and other persons in the vicinity of the test vehicles
License plates, other characteristics as well as the surroundings of vehicles and other objects in the vicinity of the test vehicles
Acoustic information from the vicinity of the test vehicles
Additional data from other sensor systems (such as radar, LIDAR) as well as GPS position and time stamp

2. To whom does this data protection information apply?

This data processing potentially affects all traffic participants who are in the vicinity of one of the (marked) test vehicles during the test operation.

3. Who is responsible for the data processing and who can be contacted about data protection?

Robert Bosch GmbH is data controller in accordance with Art. 26 GDPR for the processing of person related data described below, unless someone else is explicitly named as the responsible body.

Business Divisions in charge:

Robert Bosch GmbH, Chassis Systems Control

Bosch Engineering GmbH

Robert-Bosch-Allee 1

74232 Abstatt

Robert Bosch GmbH, Cross-Domain Computing Solutions

Burgenlandstr. 33

70469 Stuttgart-Feuerbach

Data Protection Officer of the Bosch-Group:

Robert Bosch GmbH, Information Security and Privacy Bosch-Group (C/ISP)

Postfach 300220

70442 Stuttgart

Germany

https://www.bosch.com/data-protection-notice

Email: DPO@bosch.com

4. What are the data used for (purpose of processing) and on what basis (legal basis) does this happen?

The purposes of this data processing are research, development and testing in the areas of driver assistance systems, automated driving, driving functions and other services, including the documentation of these processes and the fulfillment of other downstream obligations.

Driver assistance systems and driving functions are already used in today's vehicles in particular to increase traffic safety, but also to increase comfort. In future automated and autonomous vehicles, technical systems for perceiving and coping with traffic and environmental situations will enable such vehicles to participate in public transport safely and in accordance with the rules. Other services make it possible to make means of transport, traffic and traffic systems safer, more efficient and more comfortable.

Research, development and testing of such systems require their use in test vehicles under real environmental and traffic conditions - including in public traffic - including the acquisition, processing and storage of video, image and audio recordings during and after these operations.

Based on these materials, technical systems for the perception and classification of traffic participants, vehicles, infrastructure and other objects in the context of traffic and environmental situations are researched, developed and tested.

People, vehicles, other objects as well as audio information are only analyzed, classified and further processed as "objects" in the context of traffic and environmental situations in the context of data processing, for example as "pedestrians on the right-hand side of the lane", "cars on an intersection", "emergency siren behind the vehicle ”.

It is usually not possible to identify registered persons by name or other personal identification or to assign registered vehicles or objects to persons identified in this way from the video, image and audio material, and the registration often takes place only very briefly in passing. However, identifiability and identification of persons cannot be completely excluded in special situations (e.g. traffic lights, traffic jams, pedestrian crossings, ...), so that the data have to be considered as person related according to Art. 4 (1).

The primary legal basis for processing is Art. 6 Para. 1 Litera F, GDPR "Protection of legitimate interests". The controller's legitimate interest is to carry out research, development and testing on driver assistance systems, automated driving, driving functions and other services.

The conflicting interests, fundamental rights and freedoms of the data subjects do not prevail, since the identification of individual data subjects by name or otherwise is neither necessary nor intended. In addition, technical and organizational measures are taken to ensure that the data collected is processed in accordance with data protection regulations.

5. Will the data be passed on?

The data will only be shared with group companies, cooperation partners, processors or third parties within the above mentioned data protection purpose limitations. Data will only be disclosed if it is permitted by law and/or by official or court order or if the third party has a legitimate interest.

Categories of recipients to whom data may be transmitted within the scope of the purposes described above are in particular:

Internal and external cooperation partners of Robert Bosch GmbH within the scope of the research and development processes.
Suppliers within the scope of the research and development processes
Other order data processors (in particular IT service providers as well as service providers for data preparation / data evaluation).

If a transfer to recipients in third countries takes place within the framework of the research, development and testing processes or the downstream processing, this will only take place in the presence of an adequacy decision pursuant to Art. 45 DSGVO, on the basis of suitable guarantees within the meaning of Art. 46 DSGVO or if permitted under other law.

6. Is there automated decision making?

An automated decision in an individual case or 'profiling' in the sense of Art. 22 DSGVO does not take place and would be almost impossible due to the short and one-off recording times.

7. How long are the data stored?

The video, image and audio data are stored for the duration of the aforementioned research, development and testing purpose.

In some cases, additional legal provisions (e.g. product liability) or a further justified interest may lead to correspondingly longer storage periods.

8. What rights exist against Robert Bosch GmbH?

The DSGVO stipulates the following rights of data subjects, which can be asserted against Robert Bosch GmbH as data controller:

Right of access
Right of rectification
Right of cancellation
Right to restrict processing
Right to data portability
Right to objection
Right of appeal to a supervisory authority

Enforcement of rights:

According to Art. 11 DSGVO, the recorded video, image and audio data are a "processing for which it is not necessary to identify the data subject". Additional identification features are neither recorded nor processed.

Therefore, information about LOCATION and TIME are always required in order to determine whether someone has actually been in the vicinity of one of the test vehicles and is affected by the processing. Only then can the aforementioned rights such as 'information', 'deletion' etc. be fulfilled. With a deletion, the rights to 'restriction of processing' and 'objection' are automatically covered. The right of rectification and data transferability, on the other hand, is not relevant due to the type of data.

Special notes on the limitation of data subject rights:

We would also like to point out that in the context of the present processing your rights under Art. 15 DSGVO (right to access), Art. 16 DSGVO (right to rectification), Art. 17 DSGVO (right to deletion), Art. 18 DSGVO (right to limitation of processing) and Art. 21 DSGVO (right to object) may be subject to special additional restrictions. These special restrictions apply if the exercise and fulfilment of these rights in a specific case would probably make the realization of research purposes impossible or seriously impair them and the restriction is therefore necessary for the fulfilment of these research purposes.

This special limitability and its conditions result in particular from Art. 89 DSGVO in conjunction with § 27 BDSG and Art. 17 DSGVO.

Contact persons are listed in section 3.