NIO Autonomous Driving Project Privacy Notice

NIO Autonomous Driving Project Privacy Notice

("Privacy Notice")

Last update: 20. November 2023

We take privacy issues very seriously at NIO and we are fully committed to protecting your privacy. Please read this Privacy Notice carefully as it contains important information regarding how we collect, store, process, transfer, share and use your personal information.

This Privacy Notice applies to information we collect through our on-car sensors and cameras in connection with the NIO Autonomous Driving Project ("NAD-Project”).

WHO IS RESPONSIBLE FOR THE PROCESSING?

NIO GmbH, Montgelasstrasse 14, 81679 Munich, Germany ("NIO", "we", "us", or "our") is responsible for the collection, processing and use of personal data in connection with our NAD-Project.

WHAT DATA DO WE PROCESS, FOR WHAT PURPOSE AND ON WHAT LEGAL BASIS?

Our goal is to enhance NIO’s autonomous driving algorithms to bring our NIO connected vehicles to the next level of autonomous driving with the highest possible quality standards. To achieve this goal, it is necessary to train our autonomous driving algorithms on real world scenarios, with real world data.

Therefore, we have equipped NIO vehicles with additional sensors (lidar,radar) and cameras to collect raw data and video footage (“raw data”) while driving in public traffic. The NIO vehicles will drive across different countries in the EU/EEA and the United Kingdom (UK) to collect different road information including different road types, road marking, traffic signs, parking lots and vehicle behavior in traffic.

You can identify NIO vehicles participating in the NAD-Project as they are marked with a camera symbol as well as a QR-code. Scanning the QR-code with your mobile device directs you to this Privacy Notice.

During the collecting process, our sensors and cameras might collect some personal data such as faces of pedestrians or license plates of vehicles. Under some circumstances company names of sole proprietors are recorded.

The raw data and video footage we collect will first be stored encrypted onboard. In a following step personal data, except company names of sole proprietors, collected during the collection will be blurred using an advanced anonymization algorithms which have been developed in-house and that are subject to regular adoption. In a final step, after 7 days of upload of the data, all raw data and video footage will be deleted after the anonymization process is completed. After the anonymization process, it will not be possible to identify you or to single out any data that is related to you. This ensures that no personal data will be used for the training of the autonomous driving algorithms.

During the entire collection and anonymization process, access to the raw data is strictly restricted in accordance with internal policies.

The legal basis for the processing of personal data is Article 6 (1) f) GDPR as NIO has a legitimate interest to improve the autonomous driving systems and technologies. The data collected is used to develop and optimize algorithms for various autonomous driving functions and to ensure safety of next generation connected vehicles.

DISCLOSURES OF YOUR PERSONAL DATA NIO Group and/or NIO Affiliated Companies. To ensure proper training of our autonomous driving- algorithms we share the data after anonymization with other NIO Affiliates Companies especially our Autonomous Driving department in China.

Service providers and advisors. Personal data may be disclosed to third party service providers that perform services on our behalf, which may include but not limited to collecting the raw data and ensuring state of the art anonymization. These service providers are engaged as data processors.

Law enforcement, regulators and other parties for legal reasons. Personal data may be disclosed to third parties as required by law or if we reasonably believe that such action is necessary to (a) comply with the law and the reasonable requests of law enforcement; (b) to protect the security or integrity of the service; and/or (c) exercise or protect the rights, property, or personal safety of users of the Service or others.

RETENTION PERIODS

We will only retain your personal data for as long as is necessary to fulfil the purposes described in this Privacy notice.

STORING AND TRANSFERRING YOUR PERSONAL DATA

Security. We implement appropriate technical and organizational measures to protect your personal data against unlawful access or disclosure.

Data Storage. Your personal data is stored within the European Union. The anonymization operation takes place in Frankfurt, Germany.

 International Transfers of your Personal Data. Prior any transfer of data takes place in connection with the NAD-Project; all raw data will be anonymized to ensure personal data has been removed. After the anonymization has been completed, we may transfer the data to NIO Co., Ltd based in Shanghai, China. Any International Transfers of your personal data are made either: (a) to a country or territory ensuring an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data as determined by the European Commission; (b) to a third party that is a member of a compliance scheme recognized as offering adequate protection for the rights and freedoms of data subjects as determined by the European Commission; or (c) pursuant to appropriate safeguards, such as the Standard Contractual Clauses released by the European Commission

YOUR RIGHTS IN RESPECT OF YOUR PERSONAL INFORMATION

In the event your personal data is processed jointly with other NIO Group companies, first point of contact for exercising your rights is the NIO Group company, which has collected your personal data directly, is in direct communication with you or is in other ways your first point of contact. You may also exercise your rights towards every other NIO Group Company which is involved in the joint processing of your personal data.

In accordance with applicable privacy law, you have the following rights in respect of your personal information that we hold:

Right of access. You have the right to obtain:

confirmation of whether, and where, we are processing your personal information.

information about the categories of personal information that we are processing, the purposes for which we process your personal information, and information as to how we determine applicable retention periods.

information about the categories of recipients with whom we may share your personal information; and

a copy of the personal information we hold about you.

Right of portability. You have the right, in certain circumstances, to receive a copy of the personal information you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal data to another person.

Right to rectification. You have the right to obtain rectification of any inaccurate or incomplete personal information that we hold about you without undue delay.

Right to erasure. You have the right, in some circumstances, to require use to erase your personal information without undue delay, if the continued processing of that personal information is not justified.

Right to restriction. You have the right, in some circumstances, to require us to limit the purposes for which we process your personal information if the continued processing of the personal information in this way is not justified, such as where the accuracy of the personal information is contested by you, for a period enabling us to verify the accuracy of that personal information.

RIGHT OF OBJECTION. YOU HAVE A RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL INFORMATION, BASED ON LEGITIMATE INTERESTS AND DIRECT MARKETING.

If you wish to exercise one of these rights, please contact us using the contact details at the end of this Privacy Notice.

You also have the right to file a complaint with the Data Protection Authority responsible if you believe that our processing practices are not in compliance with data protection laws. You can find your competent data protection authority on the website of the European Data Protection Board following the link below:

https://edpb.europa.eu/about-edpb/about-edpb/members_en

We assume the responsibility of the Bavarian Data Protection Authority (BayLDA) as the lead supervisory authority. You can find contact details under the following link:https://www.lda.bayern.de/de/kontakt.html

If you are located in the UK, your competent supervisory authority in the UK is the Information Commissioner’s Office (ICO) https://ico.org.uk/.

Additionally, under the UK GDPR, because NIO GmbH is not located in the UK; it has appointed NIO Performance Engineering Limited (the representative) an entity located in the UK to be contacted on its behalf on all issues related to processing, for the purposes of ensuring compliance with applicable privacy regulations. The contact details for the representative are as follows.

NIO Performance Engineering Limited
Data Protection
Building 6, Begbroke Science Park

Begbroke Hill Woodstock Road

Oxfordshire OX5 1PF

United Kingdom
privacy.ad.uk@nio.io

CHANGES TO THIS PRIVACY NOTICE

We evaluate our Privacy Notices, policies and procedures to implement improvements and refinements from time to time. Accordingly, we may update this Privacy Notice from time to time, and so you should review this page periodically.

If we make material changes to this Privacy Notice, we will update the "last updated" date at the start of this Privacy Policy. Changes to this Privacy Notice are effective when they are posted on this page.

PRIVACY CONTACT

If you have any questions about this Privacy Notice, the processing of your personal data in relation to the NAD-Project or if you want to reach our data protection  officer, please feel free to contact us at privacy.ad.eu@nio.io or via mail to NIO GmbH., Data Protection, Montgelasstrasse 14, 81679 Munich.