Introduction and Scope

This General Data Protection Notice (the “Notice”) applies to the processing of personal data by ZF Friedrichshafen AG and its EU-based affiliates as part of the worldwide ZF Group (“ZF Group”). For purposes of this Notice, affiliates means any company with respect to which ZF Friedrichshafen AG owns, directly or indirectly, more than 50% of the shares, together ZF (“ZF”).

ZF considers protecting the personal data of all customers and business partners to be an important priority. This includes consumers as end-use customers and employees of our business partners in their role as contact persons and representatives in the context of a business relationship.

ZF is committed to processing Personal Data responsibly and in compliance with the applicable data protection laws in all countries in which ZF operates. This Notice describes the types of Personal Data ZF collects, how ZF uses that Personal Data, with whom ZF shares your Personal Data, and the rights you, as a Data Subject, have regarding ZF’s use of the Personal Data. This Notice also describes the measures ZF takes to protect the security of the data and how you can contact us about our data protection practices.

Contact Details of the Data Controllers

The legal entities responsible for the collection and use of your Personal Data (the “Data Controllers”) in your home country for the purposes described in this Notice are contained in the attached General Data Protection Notice.

Contact Details of the Data Protection Officer

A Data Protection Officer (“DPO”) is designated for each legal entity where required by applicable law. The DPO is involved in all issues related to the protection of your Personal Data. In particular, the DPO is in charge of monitoring and ensuring compliance with this Notice and the applicable data protection laws. For any comments or questions you may have regarding this Notice, please contact the the following address:

Coordinator for data protection
ZF Friedrichshafen AG
Corporate Headquarters / ZF Forum
Löwentaler Straße 20
88046 Friedrichshafen
Germany

You may also contact the ZF Group Coordinator for data protection by e-mail under dataprotection@zf.com.

Categories of Personal Data processed

We process the following Personal Data for a number of business purposes that we list further below:

• Contact information of customers and business partners’ contact persons, such as first name, family name, address, email address, phone number, fax number, company name, job title, function, department, management level, line manager;

• Contract information of consumers (provided they are end-use customers) including financial data such as bank account information, creditworthiness, terms of payment and financing; and

• Data from an end-use customer’s vehicle consisting of the vehicle identification number (VIN), the license plate number, as well as transmission records related to individual driving.

The Personal Data processed is limited to the data necessary for carrying out the business purpose for which such Personal Data is collected. ZF will maintain Personal Data in a manner that ensures it is accurate, complete and up-to-date.

ZF will collect the Personal Data as a general rule directly from the Data Subject. However, in line with legal provisions, data may also be collected from third parties. In particular, this applies to data regarding an end-use customer’s vehicle in the event that automotive manufacturers return to ZF products that have been sold to them to be incorporated in their vehicles.

Purposes of Data Processing and Legal Bases

ZF processes Personal Data in accordance with applicable data protection laws and regulations and only for limited, explicit and legitimate purposes. ZF will not use Personal Data for any purpose that is incompatible with the original purpose for which it was collected unless you provide your prior explicit consent for further use.

Personal Data relating to customers and business partners may be processed for the purposes of:

• Managing commercial relationships and strategies with current and potential customers as well as business partners such as vendors and suppliers;

• Carrying out promotional and marketing operations;

• Managing ZF’s external accounting, tax and treasury systems;

• Managing ZF’s IT customer relationship and service operations;

• Conducting quality audits, assessments and complaint management;

• Managing product research and development (“R&D”); and

• Product support and maintenance, failure diagnostic and identification of fault patterns.

The legal bases for the purposes listed above are the underlying contract with a customer or business partner, the request of a Data Subject in a pre-contractual situation allowing ZF to take steps prior to entering into a contract, or applicable legal provisions, e.g. the Tax Code or the Product Liability Act. Further, Personal Data of our customers and business partners (including their contact persons and sales representatives) will be processed for the purposes of ZF’s legitimate business interests consisting of customer relationship management, quality assurance, complaints management, marketing and promotional activities and only as long as ZF’s legitimate interests are not overridden by the Data Subject’s interests or fundamental rights and freedoms or if Data Subjects have given their consent to do so.

ZF ensures that our internal governance procedures clearly specify the reasons behind decisions to use Personal Data for alternative processing purposes. Prior to using your personal data for a purpose other than the one for which it was initially collected, you will be informed about such new purpose.

Data Security

ZF has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, such risk analysis includes an analysis of the risk of compromising the rights of the Data Subject, costs of implementation, and the nature, scope, context and purposes for data processing.

The measures include:

(i) encryption of personal data where applicable/appropriate;

(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Recipients of Personal Data

ZF Friedrichshafen AG is the corporate headquarter of the ZF Group. Due to shared corporate IT systems within the ZF Group and because of the international nature of our business, Personal Data collected and processed by ZF Friedrichshafen AG and its subsidiaries (“ZF legal entities”) can be shared with or accessed by other ZF legal entities of the ZF Group for the purposes above. A data transfer to ZF legal entities outside of the EU will only occur under the provisions for international data transfers laid out in Section VIII of this Notice (see below). An overview of the ZF legal entities that are part of the ZF Group can be found at:

https://www.zf.com/locations

Collected Personal Data will only be transferred to carefully selected data processors acting on the basis of ZF’s instructions to comply with the applicable legal and contractual obligations. ZF will only grant access to Personal Data on a need-to-know basis, and such access will be limited to the Personal Data that is necessary to perform the function for which such access is granted. Authorization to access Personal Data will always be linked to the function so that no authorization will be extended to access Personal Data on a personal basis. Service providers and other data processors will only receive Personal Data according to the purposes of the service agreement with ZF.

International Data transfers

International data transfers refer to transfers of Personal Data outside of the European Economic Area (“EEA”). The international footprint of ZF involves the transfer of Personal Data to and from other group companies or third parties, which may be located outside the EEA, including the United States of America. ZF will ensure that Personal Data is transferred to countries that have adequate data protection standards as per the European Commission’s specifications. Alternatively, data will only be transferred after implementation of appropriate safeguards to adequately protect the Personal Data and secure that such data transfers are in compliance with applicable data protection laws. ZF has implemented Data Transfer agreements based on EU model clauses to cover international data transfers. A copy of these agreements can be obtained by contacting the ZF Group Coordinator for Data Protection (see Section III. above).

Retention of Personal Data

ZF will not retain your Personal Data for longer than is allowed under the applicable data protection laws and regulations or for longer than is justified for the purposes for which it was originally collected. As a general rule, collected data will be deleted as soon as there no longer exists a business relationship with the customer/business partner or in the event of communication inactivity for the duration of a period of 2 years. However, collected data may be subject to retention requirements pursuant to applicable legal provisions. In other cases, Personal Data may be stored and retained for as long as the statutory period of limitations with regards to legal claims against ZF has not expired.

Notice Compliance and Contact Information

Under applicable data protection laws, you will benefit from the following rights. You can exercise these rights at any time by contacting the ZF Group Coordinator for data protection (see Section III. above):

• Right to access to, rectification and erasure of Personal Data;

• Right to restriction of processing;

• Right of data portability to the extent applicable;

• Right to withdraw consent where the processing is based on consent;

• Right to lodge a complaint with the supervisory authority and

• Right to object to processing.

Notice Compliance and Contact Information

Monitoring and ensuring compliance of the Personal Data processing within ZF with this Notice and applicable data protection laws and regulations is the responsibility of the ZF Group Coordinator for data protection and of your local DPO, where applicable.

You may contact the ZF Group Coordinator for data protection with regard to any issue related to processing of your Personal Data and to exercise your rights as mentioned above.

Miscellaneous

This Notice will be effective as of 25 May 2018 and will be applicable to ZF (see Section I. above for a precise definition of the scope).

This Notice may be revised and amended from time to time and appropriate notice about any amendments will be given.

ZF is allowed to adapt the text of this Notice only in order to be compliant with local legislation by means of an addendum attached to this Notice. In case of any discrepancies between this Notice and a specific local addendum made in accordance with local law, the terms of the latter will prevail.