Data Protection

ZF considers protecting the personal data of all natural persons to be an important priority. This includes all traffic participants. That is why we want to inform you here about how we handle personal data from camera recordings of ZF test vehicles in public spaces. We use these recordings to develop reliable algorithms for automated and autonomous driving. All activities of ZF Friedrichshafen AG in connection with this data processing are exclusively carried out in compliance with the GDPR and the BDSG (Federal Data Protection Act). This means that our employees and data processors are contractually obliged to observe these privacy law regulations.

For any comments or questions you may have regarding this statement, please contact the ZF Group's Coordinator for Data Protection, who is also the DPO for ZF Friedrichshafen AG:

Josef Hermes
ZF Friedrichshafen AG
Corporate Headquarters / ZF Forum
Löwentaler Straße 20
D-88046 Friedrichshafen
Germany

You can also contact the ZF Group's Coordinator for Data Protection via e-mail at qngrafpuhgm@ms.pbz as well as by using the contact form below.

Our automated driving functions are designed to relieve the strain on the driver so that he can concentrate fully on the road traffic, thereby improving road safety. Functions such as cruise control, Park Distance Control or lateral support system were the first developments in this area and many drivers already use them as a matter of course. We constantly build on this basis to expand vehicle functionality.

To ensure safe and correct operation of our test vehicles, cameras for environment recognition are also installed in them. This means that vehicle systems detect e.g. obstacles in the path of the vehicle to keep the vehicle in a safe condition.

The number, range and level of detail of the cameras are restricted to the degree necessary for ensuring traffic safety and do not go beyond this.

Recorded images are only used for the purposes of road safety, product safety and technical trialling as well as further development of automated driving functions. ZF Friedrichshafen AG has no interest in identifying persons or vehicle registration plates recorded incidentally. We process personal data in compliance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). The legal basis for the data processing is the legitimate interest of ZF Friedrichshafen AG for the purposes stated above (Article 6 para. 1f. GDPR).

A broadest-possible range of different traffic situations is necessary for verification tests of automated driving functions.

Project-specific recordings based on customer requests are in general globally possible.

ZF will not retain your personal data for longer than is allowed under the applicable data protection laws and regulations or for longer than is justified for the purposes for which it was originally collected. As a basic principle, the data collected will be stored for the duration of the research and/or development projects.

ZF has implemented appropriate technical and organizational measures to ensure an appropriate security level for the risk.

The corresponding risk analysis contains an analysis of the risk of infringing against the rights of individuals concerned, the costs for implementation as well as the type, extent, context and purposes of the data processing.

The measures include:

• (I) The encryption of personal data where applicable/appropriate.
• (II) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services in connection with the processing.
• (III) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
• (IV) A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

ZF Friedrichshafen AG is the corporate headquarter of the ZF Group. Due to shared corporate IT systems within the ZF Group and because of the international nature of our business, Personal Data collected and processed by ZF Friedrichshafen AG and its subsidiaries (“ZF legal entities”) can be shared with or accessed by other ZF legal entities of the ZF Group for the purposes above. A data transfer to ZF legal entities outside of the EU and the UK will only occur under the provisions for international data transfers laid out in Section VIII of this Notice (see below). An overview of the ZF legal entities that are part of the ZF Group can be found at:

https://www.zf.com/locations

Further, ZF may share your Personal Data with:

• Suppliers of IT and collaboration related services;
• Providers of marketing, research and communications related services;

ZF will also disclose your Personal Data to third parties:

• in the event that ZF sells or buys any business or assets, in which case ZF may disclose your Personal Data to the prospective seller or buyer of such business or assets;
• if ZF or substantially all of its assets are acquired by a third party, in which case the Personal Data ZF holds about you may be one of the transferred assets;
• if ZF is under a duty to disclose or share your Personal Data in order to comply with any legal obligation or to protect the rights, property or safety of ZF, its customers or others. This includes exchanging Personal Data with public authorities (including judicial and police authorities) in the event of, for example, a cyber security incident; and
• if you specifically consented thereto.

When disclosing your Personal Data to third parties that will process your Personal Data on ZF’s behalf,

your Personal Data will only be disclosed to carefully selected data processors acting on the basis of

ZF’s instructions to comply with the applicable legal and contractual obligations.

International data transfers refer to transfers of Personal Data outside of the European Economic Area (“EEA”) and the UK. The international footprint of ZF involves the transfer of Personal Data to and from other group companies or third parties, which may be located outside the EEA and the UK, including the United States of America.

In case your Personal Data is transferred outside of the EEA and the UK, ZF will make sure that your Personal Data is protected by the following safeguards:

• the laws of the country to which your Personal Data is transferred ensure an adequate level of data protection (Article 45 of the EU General Data Protection Regulation (2016/679)(GDPR));
• the transfer is subject to data protection clauses approved by the European Commission (Article 46.2 GDPR) or is subject to the EU-US Privacy Shield (Article 45.1 of the GDPR); or
• any other appropriate safeguards under article 46 GDPR.

If you wish to receive more information relating to the transfers of your Personal Data outside the EEA and the UK and/or the safeguards that have been implemented (including on how to receive a copy of these), you can contact the ZF Group Coordinator for Data Protection.

Under applicable data privacy laws, you can invoke the following rights. You can exercise these rights at any time by contacting the ZF Group's Coordinator for Data Protection:

• Right to information, rectification and erasure of personal data
• Right to restriction of processing
• Right of data portability to the extent applicable
• Right to withdraw consent where the processing is based on consent
• Right to lodge a complaint with the supervisory authority
• Right to object to processing

You can use the following contact form to submit a corresponding request. Please specify both the time of the recording and the precise location as well as the vehicle as accurately as possible. This will ensure we can find the correct recording.