Data Protection at MSI Platform
In the following we will be informing you about the controller responsible for the processing of your personal data and the controller’s data protection officer (Section A) as well as your rights regarding the processing of your personal data (Section B).
Furthermore, we have detailed information below on the processing of your personal data (Section C) and information regarding the use of cookies (Section D) on https://msi.audi.com/ and https://collaboration.msi.audi.com/.
Furthermore, we have detailed information below on the processing of your personal data (Section C) and information regarding the use of cookies (Section D) on https://msi.audi.com/ and https://collaboration.msi.audi.com/.
In section E to H you will also find information about the processing of your personal data by the VW Group Company as controller regarding the use of the MSI Platform.
The terminology applied throughout this privacy notice, such as "Controller", has the meaning as attributed to it under Article 4 of the GDPR (REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC General Data Protection Regulation ("GDPR")).
A. Information Regarding the Controller (Audi Business Innovation GmbH as Controller)
I. Name and contact details of the controller
The controller of the Internet presence https://msi.audi.com/ and https://collaboration.msi.audi.com/ is:
Audi Business Innovation GmbH
Helmut-Dietl-Straße 2
81671 Munich
Germany
Email: contact@msi.audi.com
- hereinafter referred to as “We” -
II. Contact details of the controller’s data protection officer
You may contact our data protection officer as follows:
Audi Business Innovation GmbH
Mr. Andreas Buchberger
Data Protection Officer
Helmut-Dietl-Straße 2
81671 Munich
Germany
Email: data.privacy.abi@audi.de
B. Information Regarding the Rights of Data Subjects
As the data subject, you have the following rights regarding the processing of your personal data:
- the right of access to information (Article 15 of the GDPR)
- the right to the correction of data (Article 16 of the GDPR)
- the right to erasure ("right to be forgotten" - Article 17 of the GDPR)
- the right to the restriction of processing (Article 18 of the GDPR)
- the right to data portability (Article 20 of the GDPR)
- the right to object (Article 21 of the GDPR)
- the right to withdraw a consent (Article 7 para. 3 of the GDPR)
- the right to lodge a complaint with a supervisory authority (Article 57 para. 1 lit. f of the GDPR)
To exercise your rights, you may contact our data protection officer (Section A.II.).
Information regarding the specific modalities and mechanisms which facilitate the exercise of your rights, especially in relation to the exercise of your rights to data portability and to object, is available (where applicable) from the information on the processing of personal data in Section C of this privacy notice.
Below we provide you with detailed information of your rights regarding the processing of your personal data.
I. Right of Access to Information
As the data subject, you have a right of access to information subject to the prerequisites laid down in Article 15 of the GDPR.
This means in particular that you have the right to request confirmation from us as to whether we process personal data concerning you. If this is the case, you also have the right to be informed of these personal data and such information as specified under Article 15 para. 1 of the GDPR. This includes, but is not limited to, information pertaining to the purposes of the processing; the categories of personal data that are processed; and the recipients or categories of recipient(s) to whom personal data have been or will be disclosed (Article 15 para. 1 lit. a, b, and c of the GDPR). To view the full scope of your right of access to information, please refer to Article 15 of the GDPR which can be prompted with this link.
II. Right to Rectification
As the data subject, you have a right to the rectification of data subject to the prerequisites laid down in Article 16 of the GDPR.
This means in particular that you have the right to request that we rectify incorrect personal data concerning you and complete any incomplete personal data without delay. To view the full scope of your right to rectification, please refer to Article 16 of the GDPR which can be prompted with this link.
III. Right to Erasure ("right to be forgotten")
As the data subject, you have a right to erasure ("right to be forgotten") subject to the prerequisites laid down in Article 17 of the GDPR.
This means that in principle, you have the right to request that we promptly erase the personal data concerning you and that we are obliged to erase these personal data without delay provided that one of the reasons as specified under Article 17 para. 1 of the GDPR applies. This may be the case, for example, if personal data are no longer required in relation to the purposes for which they were collected or otherwise processed (Article 17 para. 1 lit. a of the GDPR).
Insofar as we made the personal data public and if we are obliged to erase them, we are equally obliged (subject to the available technology and cost of implementation) to take reasonable measures, even of technical nature, so as to inform other data controllers processing such personal data that a data subject requested that they erase all links to these personal data or copies or replications of said personal data (Article 17 para. 2 of the GDPR).
In the exceptional case, the right to erasure ("right to be forgotten") does not apply insofar as processing is necessary for reasons specified in Article 17 para. 3 of the GDPR. This may be the case, for example, if processing is necessary to comply with a legal obligation or to establish, exercise or defend legal claims (Article 17 para. 3 lit. a and e of the GDPR).
To view the full scope of your right to erasure / right to be forgotten, please refer to Article 17 of the GDPR which can be prompted with this link.
IV. Right to the Restriction of Processing
As the data subject, you have a right to the restriction of processing subject to the prerequisites laid down in Article 18 of the GDPR.
This means that you have the right to request that we restrict the processing provided that one of the reasons as specified under Article 18 para. 1 of the GDPR applies. This may be the case, for example, if you contest the accuracy of the personal data. In such a case, processing will be restricted for such period that we require to verify the accuracy of the personal data (Article 18 para. 1 lit. a of the GDPR).
Restriction means the marking of stored personal data with the aim of limiting their processing in the future (Article 4 para. 3 of the GDPR).
To view the full scope of your right to the restriction of processing, please refer to Article 18 of the GDPR which can be prompted with this link.
V. Right to Data Portability
As the data subject, you have a right to data portability subject to the prerequisites laid down in Article 20 of the GDPR.
This means that in principle, you have the right to receive the personal data concerning you and which you provided to us in a structured, commonly-used and machine-readable format and that you have the right to transmit these data to another controller without hindrance on our behalf, provided the data were processed based on a consent pursuant to Article 6 para. 1 lit. a or Article 9 para. 2 lit. a of the GDPR or for the performance of a contract pursuant to Article 6 para. 1 lit. b of the GDPR and processing was conducted using automated means (Article 20 para. 1 of the GDPR).
Information as to whether processing is based on a consent pursuant to Article 6 para. 1 lit. a or Article 9 para. 2 lit. a of the GDPR or a contract pursuant to Article 6 para. 1 lit. b of the GDPR is defined in the information regarding the legal basis for processing, Section C of this privacy notice.
In exercising your right to data portability, you also have the right in principle to request that we transmit the personal data directly to another controller insofar as is technically feasible (Article 20 para. 2 of the GDPR).
To view the full scope of your right to the restriction of processing, please refer to Article 20 of the GDPR which can be prompted with this link.
VI. Right to Object
As the data subject, you have a right to object subject to the prerequisites laid down in Article 21 of the GDPR.
1. Right to object for reasons resulting from the specific situation of the data subject
As the data subject, you have the right to object at any time to the processing of personal data concerning you for reasons resulting from your personal situation by virtue of Article 6 para. 1 lit. e or f of the GDPR; this equally applies to any profiling based on this provision. Information as to whether processing is based on Article 6 para. 1 lit. e or f of the GDPR is defined in the information regarding the legal basis for processing, Section C of this privacy notice.
If you object for reasons resulting from your specific situation, we will no longer process the personal data concerning you unless we can provide proof of compellingly legitimate grounds for such processing which override your interests, rights and freedoms, or such processing serves to establish, exercise or defend legal claims.
To view the full scope of your right to object, please refer to Article 21 of the GDPR which can be prompted with this link.
2. Right to object to direct marketing
If the personal data concerning you are processed for direct marketing purposes, you have the right to object to the processing of personal data that concern you for the purposes of such marketing; this applies equally to profiling provided that it is tied to such direct marketing.
Information as to whether and to which extent personal data are processed for purposes relating to direct marketing is defined in the information regarding the purposes of processing, Section C of this privacy notice.
If you object to the processing for purposes relating to direct marketing, we will no longer process personal data concerning you for these purposes.
To view the full scope of your right to object, please refer to Article 21 of the GDPR which can be prompted with this link.
VII. Right to Withdraw Consent
If processing is based on a consent issued pursuant to Article 6 para. 1 lit. a or Article 9 para. 2 lit. a of the GDPR, you as the data subject have the right according to Article 7 para. 3 of the GDPR to withdraw your consent at any time. Your withdrawal of the consent does not affect the lawfulness of any processing carried out by virtue of a consent that was issued prior to such withdrawal. We shall notify you accordingly prior to issuing such consent.
Information as to whether processing is based on a consent pursuant to Article 6 para. 1 lit. a or Article 9 para. 2 lit. a of the GDPR is defined in the information regarding the legal basis for processing, Section C of this privacy notice.
VIII. Right to complain to the supervisory authority
As a data subject, you have the right to lodge a complaint with the competent supervisory authority under the conditions of Article 57 para. 1 lit. f of the GDPR.
The address of the competent supervisory authority responsible for Audi Business Innovation GmbH is the following:
Bayerisches Landesamt für Datenschutzaufsicht
Promenade 18
91522 Ansbach
Germany
C. Information on the Processing of Personal Data
I. Legal Basis and Purpose of Processing Your Data
We process your personal data in compliance with the provisions set forth in the GDPR as well as the German Federal Data Protection Act (Bundesdatenschutzgesetz – “BDSG”) for various purposes. The specific purposes of data processing are primarily dependent on the individual request or the selected product.
The processing of your personal data is based on one of the legal reasons specified below:
- you issued your prior consent (Article 6 para. 1 a of the GDPR)
- processing is necessary in order to comply with the performance of a contract with you or to take steps prior to entering into a contract at your request (Article 6 para. 1 lit. b of the GDPR);
- processing is necessary to comply with a legal obligation under EU law or the legislation of an EU Member State (Article 6 para. 1 lit. c of the GDPR);
- processing is necessary for the purposes of the legitimate interests pursued by Audi Business Innovation GmbH or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (Article 6 para. 1 lit. f of the GDPR).
If, in the exceptional case, we process special categories of personal data (data that identify the race or ethnicity, political opinions, religious or ideological convictions or the affiliation to a trade union; the processing of genetic data, biometrical data to clearly identify a natural person; health data or data on a person’s sexual life or sexual orientation) concerning you, one of the following legal grounds must be relevant in addition:
- you issued your express prior consent (Article 9 para. 2, lit. a of the GDPR);
- processing is necessary to protect your vital interests or those of another natural person and the data subject is unable to issue his or her consent because of physical or legal reasons (Article 9 para. 2 lit. c of the GDPR);
- processing encompasses personal data which you manifestly made public (Article 9 para. 2 lit. e of the GDPR);
- processing is necessary to establish, exercise or defend legal claims (Article 9 para. 2 lit. f of the GDPR);
- processing is necessary for reasons of substantial public interest, on the basis of EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject (Article 9 para 2 lit. g of the GDPR).
Please observe your rights to object to the processing of data for purposes relating to direct marketing or personal reasons and your right to withdraw a consent given (see Section B, especially paragraph VI. about your right to object).
II. Personal Data on the Website
In connection with the website https://msi.audi.com/ and https://collaboration.msi.audi.com various personal data are processed for different purposes.
Insofar as we as the so-called controller decide alone or jointly with others on the purposes and means of processing personal data, you are given information below that particularly regards
- the personal data or categories of personal data that are processed;
- the purposes for which the personal data are to be processed;
- legal basis for processing and, insofar as processing is based on Article 6 para. 1 lit. f of the GDPR, the legitimate interests which we or a third party pursue;
- where applicable, the recipient or the categories of recipient of the personal data;
- where applicable, our intention to transmit the personal data to a third country or to an international organisation as well as the presence or absence of an adequacy decision by the Commission or, in the event of transmissions pursuant to Article 46 or Article 47 of the GDPR or Article 49 para. 1 of the GDPR, a reference to suitable or reasonable guarantees and the possibility of how a copy of them can be obtained or where they are available;
- the storage period of personal data or, if this is not possible, the criteria that establish this period.
Insofar as we collect your personal data from you as the data subject you will receive additional information as to whether the provision of personal data is prescribed by law or by contract or whether it is necessary to conclude a contract for this, whether you are obliged to provide the personal data and which potential consequences may result from the failure to provide said data.
Insofar as we do not collect personal data from you as the data subject you will also receive additional information regarding the source providing the personal data and where applicable, whether they originate from publicly accessible sources.
III. Log Files
In principle, you may access our website without providing personal data. However, your Internet browser will automatically transmit specific information each time you visit the website, which we store in so-called log files.
The following information is automatically transmitted in these cases:
- IP address (Internet Protocol address) of the terminal device accessing the online offer;
- URL of the website prompting the online offer (so-called referrer URL);
- name of the service provider enabling access to the online offer;
- name of the file or information requested;
- date, time and duration of the request;
- data volume transferred;
- operating system and information about the Internet browser used, including add-ons that are installed (e.g. for Flash Player);
- http status code (e.g. ‘request successful’ or ‘requested file not found’).
Log files save the above data without storing your full IP address so that it is not possible to identify your IP address.
However, for the use of the MSI Platform Services your Log-In with your login data is required. Therefore, with every login, further personal data is automatically transferred to us.
IV. MSI Platform
1. Creation of a Billing Account
In order to conclude a contract with us, you must first submit a request for the creation of a Billing Account.
For this purpose, we provide our “Request Billing Account” form which can be prompted with the following link: https://collaboration.msi.audi.com/jira/servicedesk/customer/portal/3/create/550 and https://msi.audi.com/en/.
Below we provide you with detailed information on this.
a) Details on personal data to be processed
Categories of personal data that are processed: Data that you share with us via the request form ("Request Form Data").
Personal data included in categories: This includes information which you provided to us via the request form on the website. This may include the following data in particular: your company name, the name of your contact person as well as the email address of the contact person, project name and the email address of the Billing Account Owner(s). Some of this information is marked as optional and is therefore not mandatory to be provided by you, but will help us to process your Billing Account Request. You are obliged to upload documents for financing purposes (e. g. Betriebsmittelanforderungen in the following “BM” or Werksaufträge in the following “WA”). These documents may also contain personal data that is collected and processed as part of the contract negotiation, contract conclusion and contract execution.
Data sources: Request form user.
Obligation to provide the data: The provision is not mandatory by law or contract or necessary to conclude a contract. There is no obligation to provide the data. If said data is not provided, we will not be able to process your request.
Storage period: Data will be stored until your request has been completed and as far as a contract is concluded until termination of the contract. We save these data for evidential purposes, to potentially establish, exercise or defend legal claims and moreover, beyond this, for a transition period of three years from the end of the year in which you shared these data with us and, in the event of potential legal disputes, until those disputes have been concluded. Moreover, we save these data beyond this insofar as legal retention requirements apply, and here in particular commercial law-related and tax law-related requirements. Depending on the nature of the documents, commercial law-related and tax law-related retention requirements of six or ten years may apply (Section 147 of the German Fiscal Code (Abgabenordnung- "AO"), Section 257 of the German Commercial Code (Handelsgesetzbuch- "HGB").
b) Details on the processing of personal data
Purpose of processing of personal data: Processing of your request; Creation of a billing account.
Categories of personal data that are processed: Request Form Data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Your consent, Art. 6 para. 1 lit. a of the GDPR and/or the processing for communication prior to the conclusion of the contract, the creation of the contract, fulfilment of the contract and execution of the contract, Art. 6 para. 1 lit. b of the GDPR.
Recipient: Audi Business Innovation GmbH.
Purpose of processing of personal data: Processing is necessary to establish, exercise or defend legal claims Art. 9 para. 2 lit. f of the GDPR.
Categories of personal data that are processed: Request form data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Legitimate interest, Article 6 para.1 lit f of the GDPR. Our legitimate interest is to potentially establish, exercise or defend legal claims.
Recipient: Audi Business Innovation GmbH.
Purpose of processing of personal data: We save these data insofar as legal retention requirements apply, and here in particular commercial law-related and tax law-related requirements. Depending on the nature of the documents, commercial law-related and tax law-related retention requirements of six or ten years may apply (Section 147 AO, Section 257 HGB).
Categories of personal data that are processed: Request Form Data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Compliance with legal obligations, Art. 6 para. 1 lit c of the GDPR.
Recipient: Audi Business Innovation GmbH.
2. Creation of an MSI user account as Part of the Contract Conclusion
For all Billing Account Owner(s), we also create an MSI user Account (kums-only-user) upon activation of the Billing Account, in case an MSI user Account does not exist already. We do so, to grant the respective Billing Account Owner(s) access to their corresponding Billing Account. A kums-only-user ("K-UMS user") will only have access to the corresponding Billing Account, MSI Customer Service Portal which can be prompted with this link: https://msi.audi.com/en/billingaccount.
a) Details on personal data to be processed
Categories of personal data that are processed: Data that you share with us via the website’s request form ("Request Form Data").
Personal data included in categories: First name, surname, email address of the billing account owner.
Data sources: Request form users.
Obligation to provide the data: The provision is not mandatory by law or contract or necessary to conclude a contract. There is no obligation to provide the data. If said data is not provided, we will not be able to process your request.
Storage period: Data will be stored until your request has been completed and as far as a contract is concluded until termination of the contract.
b) Details on the processing of personal data
Purpose of processing of personal data: Processing of your request; Creation of an MSI user Account.
Categories of personal data that are processed: Request Form Data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Processing for communication prior to the conclusion of the contract, the creation of the contract, fulfilment of the contract and execution of the contract, Art. 6 para. 1 lit. b of the GDPR.
Recipient: Audi Business Innovation GmbH.
For more information about the data processing in connection with your MSI user Account, please see the section C. VII. 1. "Registration with regards to MSI Platform Services" of this Privacy Policy.
V. Conducting a survey
1. Description of the survey and the collected data as well as the legal basis
As operator of the MSI Platform Services we periodically conduct surveys among MSI users. We will inform you about this via banner in the applications, via messages in the community chat channel, via blog posts or directly via email.
a) Details on personal data to be processed
Categories of personal data that are processed: Contact data.
Personal data included in categories: First name, surname and email address.
Data sources: User.
Obligation to provide the data: The provision is not mandatory by law or contract or necessary to conclude a contract. There is no obligation to provide the data. If said data is not provided, we will not be able to contact you via email for the purpose of conducting surveys.
Storage period: Until deletion of your MSI user.
b) Details on the processing of personal data
Purpose of processing of personal data: Conducting a survey.
Categories of personal data that are processed: Contact data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Your consent, Art. 6 para. 1 lit. a of the GDPR.
Recipient: Audi Business Innovation GmbH.
The surveys will be conducted within the MSI Platform Service Confluence. The content of the surveys is especially questions concerning the user behaviour e.g. how often installed services and plugins are used. This helps us to keep our services as attractive and user friendly as possible. The surveys will be evaluated by the employees of Audi Business Innovation GmbH.
Participation in the survey is voluntary. Our surveys are conducted in an “anonymous mode”. As user of the MSI Platform Services you have to be logged in with your MSI user Account to participate in the survey, however, when the results of the survey are transferred to us, only your answers are shared with us we cannot see or trace it back to your MSI user.
It is not necessary for you to provide personal data to answer the survey. The survey is formulated in a way that no information has to be given that would allow us to identify you. However, you may voluntarily provide data that could identify you as a person when answering the questions. The processing of the data included in these answers is then based on your consent (Art. 6 para. 1 lit. a of the GDPR). In publications, we will then only quote parts of the survey and anonymized data, to make sure that the overall context does not reveal the identity of you as the person interviewed.
VI. Links to other Websites
In case we provide links to websites of other entities ("third parties"), this Privacy Policy does not apply for the processing of personal data on these third party-websites. We recommend to you, to read the Privacy Policy on the third party-websites.
We have no influence on the content of third party-websites and cannot assume any liability for foreign content. The responsible for the content on these websites is always the respective provider or operator of the website. At the time of linking, the linked websites were checked on any infringement of law. At the time of linking we could not identify any infringements. Should we become aware of any infringement of law, we will remove the relevant link immediately.
VII. Use of the MSI Platform Services
1. Registration with regards to MSI Platform Services
If you wish to use the MSI Platform Services we first ask you to register as a user.
Your MSI user Account can be created by the responsible Account Manager for MSI Platform Services from your department or your registration can be recorded as a so-called Single Sign-On ("SSO"). This procedure allows you to register via our platform using your Single Sign-On K-UMS user of Volkswagen AG ("VW AG"), with your Group Retail Portal user account (GRP user) or even with your Porsche Partner Network user Account (PPN user).
At first, you are asked either to log in by using your K-UMS user, your GRP user, your PPN user or by using your MSI user.
a) How to Register your MSI user Account
MSI user Accounts are created by the responsible Account Manager or by other authorized persons from your department upon your request. For this purpose, that person will use your email address and the corresponding MSI Collaboration Tool Service Agreement ID ("DLV ID") of your specific department. If the registration was successful, you will receive an email from the MSI Operations Team to the email address provided. Afterwards, you can complete your registration by changing your password. You will find a detailed step-by-step guide in the corresponding email.
In the following we inform you about the personal data processed in this regard:
aa) Details on personal data to be processed
Categories of personal data that are processed: Data that the authorized person uses for the request for the creation of an account (“Account data”).
Personal data included in categories: First name, surname, email address, DLV ID.
Data sources: Authorized person.
Obligation to provide the data: The provision is not mandatory by law or contract or necessary to conclude a contract. There is no obligation to provide the data. If said data is not provided, we will not be able to register you as an MSI user.
Storage period: Until deletion of your MSI user account.
bb) Details on the processing of personal data
Purpose of processing of personal data: Registration as an MSI user.
Categories of personal data that are processed: Account data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Your consent, Art. 6 para. 1 lit. a of the GDPR and/or the processing for communication prior to the conclusion of the contract, the creation of the contract, fulfilment of the contract and execution of the contract, Art. 6 para. 1 lit. b of the GDPR.
Recipient: Audi Business Innovation GmbH.
b) How to Register as a K-UMS user
The registration as K-UMS user is carried out by the company in the VW Group or partner company of the VW Group, which is also registered for the ONE.Konzern Business Platform, at which you are employed ("Employer"). Your Employer creates a K-UMS user for you when you start working for the company or as needed during your employment by registering you as an employee and entering your first name, surname, email address and profile ID (master number: VW-User or NT-User) ("K-UMS Data") on the ONE.Konzern Business Platform and thus creating a K-UMS user for you. Upon successful registration, you will receive an email with a password to your K-UMS Account. If you work within the VW Group, you can also register via your PKI Card. VW AG, Berliner Ring 2, 38440 Wolfsburg ("SSO Provider") is responsible for processing your personal data in relation to your K-UMS user.
For more information regarding the processing of your personal data in connection with your K-UMS user by VW AG, please click here.
Thereafter, your K-UMS user will enable you to use the SSO for all connected platforms. You will be able to use all MSI Platform Services with the access data of your K-UMS user, for which you have been activated by your employer. A separate registration and log-in process is not required.
c) How to Register as a GRP user
The registration as GRP user is carried out by the VW Group retail department. For information on the registration proecess of your GRP user please contact the responsible VW Group Retail department.
d) How to Register as a PPN user
The registration as PPN user is carried out by the Porsche Partner Network. For information on the registration process of your GRP user please contact the responsible Porsche department.
2. How to Connect the K-UMS user with your MSI user account
The SSO service is automated to transfer some of the data that is recorded for your K-UMS user that are required to use MSI Platform Services. It is: First name, surname, e-mail address and a technical user ID ("Registration Data"). Your K-UMS user connects with your MSI user account through your email address. It is used to identify the user. By clicking on "Weiter" (automatic forwarding to the authentication process via idp.cloud.vwgroup.com), you consent to VW AG to transfer the above data to Audi Business Innovation GmbH for your MSI user account.
In the following we inform you about the personal data processed in this regard:
a) Processing of personal data upon initial registration with your K-UMS user
aa) Details on personal data to be processed
Categories of personal data that are processed: Registration data.
Personal data included in categories: 2 pseudonomised token (1x Access-token and 1x ID-Token), first name, surname, email address, company code, group ID, VCDGID (personal code created by VW AG), VW-User (= NT-User).
Data sources: VW AG.
Obligation to provide the data: The provision is not mandatory by law or contract or necessary to conclude a contract. There is no obligation to provide the data. If said data is not provided, we will not be able to register you as an MSI user via the connection to your K-UMS user .
Storage period: Until the end of the registration process. In addition first name, surname, email adress of the corresponding MSI user until deletion of your MSI user account.
bb) Details on the processing of personal data
Purpose of processing of personal data: Creation of an MSI user account.
Categories of personal data that are processed: Registration data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Your consent, Art. 6 para. 1 lit. a of the GDPR. By clicking on “Weiter” you consent to VW AG to transfer the above data to Audi Business Innovation GmbH for your MSI user account.
Recipient: Audi Business Innovation GmbH.
Purpose of processing of personal data: Log-in authentication and checking the access rights.
Categories of personal data that are processed: K-UMS data, log-In Authentification-data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Legitimate interest, Art. 6 para.1 lit. f GDPR. Our legitimate interest lies in securing, that only those users can enter our services that are authenticated as authorized MSI users by corresponding tokens.
Recipient: Audi Business Innovation GmbH.
b) Processing of personal data with every login with your K-UMS user
aa) Details on personal data to be processed
Categories of personal data that are processed: K-UMS data, authentication data.
Personal data included in categories: First name, surname, email address, token, VCDGID, VW-User.
Data sources: VW AG.
Obligation to provide the data: The provision is not mandatory by law or contract or necessary to conclude a contract. There is no obligation to provide the data. If said data is not provided, you will not be able to login to your MSI user account with your K-UMS user data.
Storage period: The data is stored for the duration of the session.
bb) Details on the processing of personal data
Purpose of processing of personal data: Connecting your K-UMS user with your MSI user account at every login.
Categories of personal data that are processed: K-UMS data, authentication data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Your consent, Art. 6 para. 1 lit. a of the GDPR. By clicking on “Weiter” you consent to VW AG to transfer the above data to Audi Business Innovation GmbH for your MSI User Account.
Recipient: Audi Business Innovation GmbH.
Purpose of processing of personal data: Log-in authentication and checking the access rights.
Categories of personal data that are processed: K-UMS data, Log-In Authentification-data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Legitimate interest, Art. 6 para.1 lit. f of the GDPR. Our legitimate interest lies in securing, that only those users can enter our services that are authenticated as authorized MSI users by corresponding tokens.
Recipient: Audi Business Innovation GmbH.
3. How to Connect the GRP user with your MSI user account
The SSO service is automated to transfer some of the data that is recorded for your GRP user that are required to use MSI Platform Services ("Registration Data"). It is: first name, surname, email address and profile ID (master number: VW-User or NT-User), Group Dealer Portal User ID ("GRP Data"). Your GRP user connects with your MSI user account through your email address. It is used to identify the user. By clicking on "Weiter" (automatic forwarding to the authentication process via https://grp.volkswagenag.com), you consent to VW AG to transfer the above data to Audi Business Innovation GmbH for your MSI user account.
In the following we inform you about the personal data processed in this regard:
a) Processing of personal data upon initial registration with your GRP user
aa) Details on personal data to be processed
Categories of personal data that are processed: Registration Data.
Personal data included in categories: 1 pseudomised access token, first name, surname, email address, Group Dealer Portal User ID.
Data sources: VW AG.
Obligation to provide the data: The provision is not mandatory by law or contract or necessary to conclude a contract. There is no obligation to provide the data. If said data is not provided, we will not be able to register you as an MSI user via the connection to your GRP user .
Storage period: Until the end of the registration process. In addition first name, surname, email address of the corresponding MSI user until deletion of your MSI user account.
bb) Details on the processing of personal data
Purpose of processing of personal data: Creation of an MSI user account.
Categories of personal data that are processed: Registration data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Your consent, Art. 6 para. 1 lit. a of the GDPR. By clicking on “Weiter” you consent to VW AG to transfer the above data to Audi Business Innovation GmbH for your MSI user account.
Recipient: Audi Business Innovation GmbH.
Purpose of processing of personal data: Log-in authentication and checking the access rights.
Categories of personal data that are processed: GRP data, log-In authentication data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Legitimate interest, Art. 6 para.1 lit. f GDPR. Our legitimate interest lies in securing, that only those users can enter our services that are authenticated as authorized MSI users by corresponding tokens.
Recipient: Audi Business Innovation GmbH.
b) Processing of personal data with every login with your GRP user
aa) Details on personal data to be processed
Categories of personal data that are processed: GRP data, authentication data.
Personal data included in categories: 1 pseudomised access token, first name, surname, email address, Group Dealer Portal User ID.
Data sources: VW AG.
Obligation to provide the data: The provision is not mandatory by law or contract or necessary to conclude a contract. There is no obligation to provide the data. If said data is not provided, you will not be able to login to your MSI user account with your GPR user data.
Storage period: The data is stored for the duration of the session.
bb) Details on the processing of personal data
Purpose of processing of personal data: Connecting your GRP user with your MSI user account at every login.
Categories of personal data that are processed: GRP data, authentication data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Your consent, Art. 6 para. 1 lit. a of the GDPR. By clicking on “Weiter” you consent to VW AG to transfer the above data to Audi Business Innovation GmbH for your MSI user account.
Recipient: Audi Business Innovation GmbH.
Purpose of processing of personal data: Log-in authentication and checking the access rights.
Categories of personal data that are processed: GRP data, Log-In authentication data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Legitimate interest, Art. 6 para.1 lit. f of the GDPR. Our legitimate interest lies in securing, that only those users can enter our services that are authenticated as authorised MSI users by corresponding tokens.
Recipient: Audi Business Innovation GmbH.
4. How to Connect the PPN user with your MSI user account
The SSO service is automated to transfer some of the data that is recorded for your PPN user that are required to use MSI Platform Services ("Registration Data"). It is: first name, surname, email address and profile ID (PPN-User), Porsche Partner Network Portal User ID ("PPN Data"). Your PPN user connects with your MSI user account through your email address. It is used to identify the user. By clicking on "Weiter" (automatic forwarding to the authentication process via https://ppn.porsche.com/as/authorization), you consent to Porsche AG to transfer the above data to Audi Business Innovation GmbH for your MSI user account.
In the following we inform you about the personal data processed in this regard:
a) Processing of personal data upon initial registration with your PPN user
aa) Details on personal data to be processed
Categories of personal data that are processed: Registration Data.
Personal data included in categories: 1 pseudomised access token, first name, surname, email address,Porsche Partner Network Portal User ID.
Data sources: VW AG.
Obligation to provide the data: The provision is not mandatory by law or contract or necessary to conclude a contract. There is no obligation to provide the data. If said data is not provided, we will not be able to register you as an MSI user via the connection to your PPN user.
Storage period: Until the end of the registration process. In addition first name, surname, email address of the corresponding MSI user until deletion of your MSI user account.
bb) Details on the processing of personal data
Purpose of processing of personal data: Creation of an MSI user account.
Categories of personal data that are processed: Registration data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Your consent, Art. 6 para. 1 lit. a of the GDPR. By clicking on “Weiter” you consent to Porsche AG to transfer the above data to Audi Business Innovation GmbH for your MSI user account.
Recipient: Audi Business Innovation GmbH.
Purpose of processing of personal data: Log-in authentication and checking the access rights.
Categories of personal data that are processed: PPN data, log-In authentication data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Legitimate interest, Art. 6 para.1 lit. f GDPR. Our legitimate interest lies in securing, that only those users can enter our services that are authenticated as authorized MSI users by corresponding tokens.
Recipient: Audi Business Innovation GmbH.
b) Processing of personal data with every login with your PPN user
aa) Details on personal data to be processed
Categories of personal data that are processed: PPN data, authentication data.
Personal data included in categories: 1 pseudomised access token, first name, surname, email address,Porsche Partner Network Portal User ID.
Data sources: Porsche AG.
Obligation to provide the data: The provision is not mandatory by law or contract or necessary to conclude a contract. There is no obligation to provide the data. If said data is not provided, you will not be able to login to your MSI user account with your PPN user data.
Storage period: The data is stored for the duration of the session.
bb) Details on the processing of personal data
Purpose of processing of personal data: Connecting your PPN user with your MSI user account at every login.
Categories of personal data that are processed: PPN data, authentication data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Your consent, Art. 6 para. 1 lit. a of the GDPR. By clicking on “Weiter” you consent to Porsche AG to transfer the above data to Audi Business Innovation GmbH for your MSI user account.
Recipient: Audi Business Innovation GmbH.
Purpose of processing of personal data: Log-in authentication and checking the access rights.
Categories of personal data that are processed: PPN data, Log-In authentication data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Legitimate interest, Art. 6 para.1 lit. f of the GDPR. Our legitimate interest lies in securing, that only those users can enter our services that are authenticated as authorised MSI users by corresponding tokens.
Recipient: Audi Business Innovation GmbH.
5. Personalization of your MSI user account
We enable you to optionally add further data to the data required for the creation of your MSI user account (see above) to adjust and personalize your MSI user account.
a) Details on personal data to be processed
Categories of personal data that are processed: Data that you additionally add to your MSI User Account Profile (“Profile data”).
Personal data included in categories: Phone number, company, department, place, profile picture, different name, further optional information that may contain data which enables to identify you.
Data sources: User.
Obligation to provide the data: The provision is not mandatory by law or contract or necessary to conclude a contract.
Storage period: The data is stored until deletion of your MSI User Account or until you change the optional data.
b) Details on the processing of personal data
Purpose of processing of personal data: Personalisation of your MSI user account.
Categories of personal data that are processed: Profile data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Your consent, Art. 6 para. 1 lit. a of the GDPR.
Recipient: Audi Business Innovation GmbH.
6. Data Collection and Data Storage by VW AG
Following your one-time registration with us (see section below, C. VII. 2.), your K-UMS user or GRP user will connect with the MSI user account. For this, VW AG processes your personal data both when you register and every time you identify and authenticate yourself when using MSI Platform Services and transmits pseudonymised data (= token) to us. Also, VW AG activates cookies when you click on the log-in button. Using this text file, it is possible for the SSO provider to collect information about you and your session. This information is stored and possibly merged with other profile information which the SSO provider stores about you.
To find out which data VW AG collects in detail and for which purposes, click here.
7. Erasing and updating K-UMS user / GRP user / PPN user / MSI user account
a) Erasing your MSI user account
Your MSI user account is not automatically erased when your K-UMS or GRP user account is deleted. For this, you must separately erase your MSI user account. If you want to delete your MSI user account, you have to request the deletion from your responsible account manager of your department or create a support ticket to delete your account via https://collaboration.msi.audi.com/jira/servicedesk/customer/portal/3/create/357. A third party is also able to create a deletion request via this link. We will therefore get back to you in any case before the final deletion of your MSI user account.
aa) Details on personal data to be processed
Categories of personal data that are processed: Deletion Request data; account data.
Personal data included in categories: Username, email-address.
Data sources: User or third person via the request file; Data stored for the MSI user account.
Obligation to provide the data: The provision is not mandatory by law or necessary to conclude a contract. If said data is not provided, the account cannot be deleted. The MSI user account data is provided in accordance with section C. VII. 1. a) aa) of this privacy policy.
Storage period: Until deletion of your MSI user account.
bb) Details on the processing of personal data
Purpose of processing of personal data: Answering your deletion request via the account manager or the deletion request ticket.
Categories of personal data that are processed: Deletion Request data; account data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Your consent, Art. 6 para. 1 lit. a of the GDPR.
Recipient: Audi Business Innovation GmbH.
b) Consequences of inactivity
In addition, after 83 days of inactivity, you will receive an email stating that your MSI user account will be deleted if you do not log in within the next 7 days. After 90 days of inactivity your MSI user account will be deactivated.
aa) Details on personal data to be processed
Categories of personal data that are processed: Account data; last log-in.
Personal data included in categories: Username, first name, surname, email-address, IT usage data (last login).
Data sources: Data stored for the MSI user account ("IT usage data").
Obligation to provide the data: The provision is not mandatory by law but is necessary to conclude a contract (providing an MSI user account). If said data is not provided, the account cannot be deleted.
Storage period: Further 20 days after notification of deactivation, should the MSI user account has not been reactivated by then. Thereafter, your MSI user account including the data named above will be deleted.
bb) Details on the processing of personal data
Purpose of processing of personal data: Contact to inform about the upcoming deletion of the MSI user account.
Categories of personal data that are processed: Account data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Execution of the contract, containing the registration and the usage of our platform, Art. 6 para. 1 lit. b of the GDPR.
Recipient: Audi Business Innovation GmbH.
c) Updates and Changes in your K-UMS user / GRP user / PPN user account
If data stored with your K-UMS user or GRP user account are changed, we will only receive any information on this when we match your data to your MSI user account when you log in via your K-UMS or GRP user and identify a change of your personal data. Your MSI user account is therefore not automatically updated. We will use your data exclusively to grant you access to MSI Platform Services.
aa) Details on personal data to be processed
Categories of personal data that are processed: K-UMS / GRP data.
Personal data included in categories: for K-UMS user- First name, surname, email-address, VW-User. / for GRP user - first name, surname, email address, Group Dealer Portal User ID / for PPN user - first name, surname, email address, Porsche Partner Network Portal User ID.
Data sources: VW AG.
Obligation to provide the data: The provision is not mandatory by law but is necessary to conclude a contract. If said data is not provided, you can not sign in to your account with your K-UMS / GRP user as you are used to it.
Storage period: Until deletion of your MSI user account.
bb) Details on the processing of personal data
Purpose of processing of personal data: Providing your MSI user account.
Categories of personal data that are processed: K-UMS / GRP / PPN data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Execution of the contract, containing the registration and the usage of our platform, Art. 6 para. 1 lit. b of the GDPR.
Recipient: Audi Business Innovation GmbH.
8. Using the online support form
On our website we offer the opportunity to get in touch with us threw a support request. We process the data that you enter in the support form to answer your request.
a) Details on personal data to be processed
Categories of personal data that are processed: Data that you share with us in the support form (“support form data”).
Personal data included in categories: This includes the information that you enter in the support form. This may be in particular: salutation, first name, surname, email-address, MSI username and content of the support request.
Data sources: User of the support form.
Obligation to provide the data: The provision is not mandatory by law but is necessary to conclude a contract. There is no obligation to provide said data. If said data is not provided we cannot process your support request.
Storage period: Data will be stored until your request has been completed. We may also save these data for evidential purposes, to potentially establish, exercise or defend legal claims and moreover, beyond this, for a transition period of three years from the end of the year in which you shared these data with us and, in the event of potential legal disputes, until those disputes have been concluded. Moreover, we save these data beyond this insofar as legal retention requirements apply, and here in particular commercial law-related and tax law-related requirements. Depending on the nature of the documents, commercial law-related and tax law-related retention requirements of six or ten years may apply (Section 147 of the German Fiscal Code (Abgabenordnung- "AO"), Section 257 of the German Commercial Code (Handelsgesetzbuch- "HGB").
b) Details on the processing of personal data
Purpose of processing of personal data: Answering your request.
Categories of personal data that are processed: Support form data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: If your request regards the performance of a contract to which you are party or aims at taking steps prior to entering into a contract: Article 6 para.1 lit. b of the GDPR. Otherwise: Balancing of interests, Article 6 para.1 lit. f of the GDPR. In this case our legitimate interest constitutes the processing of your request.
Recipient: Audi Business Innovation GmbH.
aa) Support with regards to the MSI service desk and its ticket system.
Recipient: jambit GmbH
Role of recipient: Auftragsverarbeiter
Seat of recipient:
jambit GmbH
Friedenheimer Brücke 20
80639 München
Purpose of processing of personal data: Processing your request via email or phone.
Categories of personal data that are processed: Support form data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: If your request regards the performance of a contract to which you are party or aims at taking steps prior to entering into a contract: Article 6 para.1 lit. b of the GDPR. Otherwise: Balancing of interests, Article 6 para.1 lit. f of the GDPR. In this case our legitimate interest constitutes the processing of your request.
Recipient: Audi Business Innovation GmbH.
Purpose of processing of personal data: Processing is necessary to establish, exercise or defend legal claims Art. 9 para. 2 lit. f of the GDPR.
Categories of personal data that are processed: Support form data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Legitimate interest, Article 6 para.1 lit f of the GDPR. Our legitimate interest is to potentially establish, exercise or defend legal claims.
Recipient: Audi Business Innovation GmbH.
Purpose of processing of personal data: We save these data insofar as legal retention requirements apply, and here in particular commercial law-related and tax law-related requirements. Depending on the nature of the documents, commercial law-related and tax law-related retention requirements of six or ten years may apply (Section 147 AO, Section 257 HGB).
Categories of personal data that are processed: Support form data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Compliance with legal obligations, Art. 6 para. 1 lit c of the of the GDPR.
Recipient: Audi Business Innovation GmbH.
D. Information on the Use of Cookies
In connection with the website https://msi.audi.com/ and https://collaboration.msi.audi.com/, we use cookies. Cookies are used to facilitate the use of the website and improve user friendliness or provide different functionalities (to make the website overall more user-friendly, effective, and secure). For this, we use processing and storage functionalities of the browser of your terminal device and collect information from the browser cache of your terminal device.
Below we provide you with detailed information on this.
I. General Information on Cookies
Cookies are small text files with information which can be placed during the visit of a website via the browser on the terminal device of the user. When viewing the website again with the same terminal device, the cookie as well as the information it has stored can be retrieved.
1. Categories of cookies that are used
Necessary cookies: These cookies are necessary for the website to function. Without these cookies, certain services would not function.
2. First- und third Party-cookies
Depending on the origin of a cookie, cookies are differentiated between first-party cookies and third-party cookies.
First-party cookies: Cookies which are placed and retrieved by the operator of the website as the responsible controller for processing or by a processor which the controller contracted with.
Third Party cookies: Cookies which are placed and retrieved by other parties responsible for processing other than the operator of the website yet that are not active as the processors on the part of the website’s operator.
3. Transient und persistent cookies
The validity of cookies further differentiates so-called transient cookies from persistent cookies:
Transient cookies (session cookies): Cookies that are automatically deleted when you close your browser.
Persistent cookies: Cookies that are saved for a specific period of time on your terminal device after you close your browser.
4. Cookies that do (not) require consent
According to their functionality and designated purpose, certain cookies may require the express consent from the user. To this extent cookies are differentiated between those that require the user’s consent, and those that do not require such consent (necessary cookies).
The legal basis for setting cookies that are upon your wish necessary to provide our services is Section 25 para. 2 no. 2 of the German Telecommunication-Telemedia-Data-Protection-Law (Telekommunikations-Telemedien-Datenschutz-Gesetz – “TTDSG”). Your consent is not necessary.
II. Overview of Cookies used on this Website
1. Necessary Cookies
a) IDP (SSO-Login Service)
Cookie Name | Description | Category | Expiration | First Party / Third Party Cookie | Set by |
_cf_bm | This cookie is part of Cloudflare’s Bot Management service and helps manage incoming traffic that matches criteria associated with bots | Necessary Cookie | 30 minutes | Third Party Cookie | Cloudflare |
auth0 | Used to implement the Auth0 session layer. | Necessary Cookie | 10 hours | First Party Cookie | Auth0 |
auth0-compat | Fallback cookie for single sign-on (SSO) on browsers that don’t support the sameSite=None attribute. | Necessary Cookie | 10 hours | FirstParty Cookie | Auth0 |
did | Device identification for attack protection. | Necessary Cookie | 1 year (10 hours) | First Party Cookie | Auth0 |
did_compat | Fallback cookie for anomaly getection on browsers that don’t support the sameSite=None attribute. | Necessary Cookie | 1 year (10 hours) | First Party Cookie | Auth0 |
b) Collaboration Tools
Cookie Name | Description | Category | Expiration | First Party / Third Party Cookie |
atlassian.xsrf.token | This Cookie is used for the MSI Platform Service Jira. It helps prevent XSRF attacks. Ensures that during a user's session, browser requests sent to a Jira server originated from that Jira server. | Necessary Cookie | Max. 1 year (for our services usually 10 hours) | First Party Cookie |
JSESSIONID | This cookie is used for the MSI Platform Services Jira, Confluence, Crowd and for the Password-Self-Service. It is created by the application server and used for session tracking purposes. This cookie contains a random string and the cookie expires at the end of every session or when the browser is closed. | Necessary Cookie | Max. 1 year (for our services usually 10 hours) | First Party Cookie |
seahub_auth | Log-In-Token for Seafile. | Necessary Cookie | Max. 1 year (for our services usually 10 hours) | First Party Cookie |
sessionid | This cookie sets a session ID for Seafile. | Necessary Cookie | Max. 24 hours (for our services usually 10 hours) | First Party Cookie |
sfcsrftoken | This cookie impedes cross-site-request-forgeries in Seafile. | Necessary Cookie | Max. 1 year (for our services usually 10 hours) | First Party Cookie |
rc_token | Logged in users resume token (generated on each log in, removed on each log out, that is used for authentication in a logged in state) | Necessary Cookie | Max. 1 year (for our servicecs usually 10 hours) | First Party Cookie |
rc_uid | The logged in user's user ID. | Necessary Cookie | Max. 1 year (for our services usually 10 hours) | First Party Cookie |
_atl_bitbucket_remember_me | This cookie is used to remember the BitBucket session. The function has been deactivated by us, nevertheless, the cookie is set. | Necessary Cookie | Max. 30 days (for our services usually 10 hours) | First Party Cookie |
BITBUCKETSESSIONID | This cookie sets a Java Session ID. | Necessary Cookie | Max. 14 days (for our services usually 10 hours) | First Party Cookie |
hazelcast.sessionId | This cookie is used for direct mapping of users between the different instances in the cluster. | Necessary Cookie | Max. 1 year (for our services usually 10 hours) | First Party Cookie |
crowd.token | This cookie is used for the MSI Platform Service Crowd. It is created by the application server and used for session tracking purposes. This cookie contains a random string and the cookie expires at the end of every session or when the browser is closed. | Necessary Cookie | Max. 1 year (for our services usually 10 hours) | First Party Cookie |
VouchCookie | This cookie is used for the MSI Platform Service Crowd. It is created by the application server and used for session tracking purposes. This cookie contains a random string and the cookie expires at the end of every session or when the browser is closed. It is specified for Vouchproxy | Necessary Cookie | 10 hours | First Party Cookie |
crowd.directory.selected | Required on the Crowd Console UI page to prepopulate some UI components. | Necessary Cookie | Max. 1 year (for our services usually 10 hours) | First Party Cookie |
route | Saves the last location on the website. | Necessary Cookie | Max. 1 year (for our services usually 10 hours) | First Party Cookie |
ID | Sets an ID for the logged in user. | Necessary Cookie | Max. 1 year (for our services usually 10 hours) | First Party Cookie |
SESSION | This cookie sets a session ID. | Necessary Cookie | Max. 1 year (for our services usually 10 hours) | First Party Cookie |
IV. Use of Service Providers
1. Auth0
For the purpose of authentication of our users we use the services of Auth0, an authentication tool, which is provided by Okta, Inc.
On the one hand, Auth0 is used in case you want to log in with your MSI user-data. For purposes of authentication, Auth0 sends a seed/code to the Guardian App, that executes a reconciliation of time and date and afterwards sends a six digit code, which allows the log in via the log in mask in MSI. This code can also be generated by other authenticator apps.
On the other hand, in case you want to log in with your K-UMS or GRP user, Auth0 gets a code after a successful log in to the VW Cloud IDP and enables the log in to the MSI Platform.
In the following you get detailed information on the service provider:
a) Details on personal data to be processed
Categories of personal data that are processed: Data that is included in the Cookies see section D. II. 1. a) for the authentication tool (Auth0) saved on the device of the user.
Personal data included in categories: First name, surname, email-address, VW-User (if linking with the K-UMS or GRP user takes place) (“Authentication data”).
Data sources: User.
Obligation to provide the data: The provision is not mandatory by law but is necessary to conclude a contract. There is no obligation to provide said data. If said data is not provided you cannot log in to your MSI user account and/or we cannot offer the SSO-Service.
Storage period: Various. For information regarding the period of the cookie’s validity see section D. II. 1. a).
b) Details on the processing of personal data
Purpose of processing of personal data: Authentication of the user
Categories of personal data that are processed: Authentication data.
Automated individual decision-making: There is no automated individual decision-making.
Legal basis and where appropriate, legitimate interests: Legitimate, Article 6 para. Our legitimate interest lies in securing, that only those users can enter our services that are authenticated as authorised MSI users.
Recipient: Service provider of the authentication tool: Okta, Inc.
c) Details on recipients of personal data and the transmission of personal data to third countries and / to international organisations
Recipient: Okta, Inc.
Role of recipient: Subrocessor
Seat of recipient:
10800 NE 8th Street, Ste. 600
Bellevue, WA, 98004
United States
Adequacy decision or adequate or reasonable guarantees regarding the transmission to third countries and / or to international organisations:
Conclusion of Standard contractual clauses for international transfer of personal data to third countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council.
2. Provision of Infrastructure as a Service
Our MSI Platform Services are run on the Amazon Web Services infrastructure in a public cloud. The provider of the infrastructure (Infrastructure as a Service) is Amazon Web Servies, Inc.
Recipient: Amazon Web Services, Inc.
Role of recipient: Processor
Seat of recipient:
Amazon Web Services, Inc.
410 Terry Avenue NorthSeattle WA 98109
United States
Adequacy decision or adequate or reasonable guarantees regarding the transmission to third countries and / or to international organisations:
Amazon Web Services, Inc. is certified under the EU-U.S. Data Privacy Framework.
3. Logfile Evaluation and Reporting
We use the tool Splunk as a security information and event management system. With the help of Splunk, we record log information so that we can detect and respond to security incidents at an early stage. This helps us in particular in detecting cyberattacks. The tool is provided to us by AUDI AG.
Recipient: AUDI AG
Role of recipient: Processor
Seat of recipient:
AUDI AG
Auto-Union-Straße 1
85057 Ingolstadt
E. Information regarding the Controller (Group Company as Contoller)
In the following we will be informing you about the controller responsible for the processing of your personal data and the controller’s data protection officer (Section F) as well as your rights regarding the processing of your personal data (Section G).
Furthermore, we have detailed information below on the processing of your personal data and information regarding the use of cookies (Section H) on the website and the services accessible via https://msi.audi.com/ and https://collaboration.msi.audi.com/.
F. Information Regarding the Controller
I. Name and contact details of the controller
The controller of the MSI Platform is the group company where you are employed, and which provides you with the MSI Platform.
You can find the relevant contact details on the website of the group company you work for.
II. Contact details of the controller’s data protection officer
You can find the relevant contact details of your employer’s data protection officer in the privacy policy on the website of the group company you work for.
G. Information Regarding the Rights of Data Subjects
As the data subject, you have the following rights regarding the processing of your personal data:
- the right of access to information (Article 15 of the GDPR)
- the right to the correction of data (Article 16 of the GDPR)
- the right to erasure ("right to be forgotten" - Article 17 of the GDPR)
- the right to the restriction of processing (Article 18 of the GDPR)
- the right to data portability (Article 20 of the GDPR)
- the right to object (Article 21 of the GDPR)
- the right to withdraw a consent (Article 7 para. 3 of the GDPR)
- the right to lodge a complaint with a supervisory authority (Article 57 para. 1 lit. f of the GDPR)
For more information, please see above "Audi Business Innovation GmbH as Controller", section B.
The address and contact details of the supervisory authority responsible for your group company can be found in the group companys privacy policy.
H. Information on the processing of personal data
Detailed information about the processing of your personal data by the group company as controller can be found under section C. VII. to D. In these cases, Audi Business Innovation GmbH acts as sub processor.
I. Version and Amendments to this Privacy Notice
This privacy notice was last updated in January 2026.
Technical advancements and/or changed legal and/or official requirements may require an update of this privacy notice.