Data Protection Declaration

Porsche Home Charging Equipment

(Applies to Home Energy Manager, Mobile Charger Connect, Wall Charger Connect and Porsche Wallbox)

We, Dr. Ing. h.c. F. Porsche AG (hereinafter referred to as “we” or “Porsche AG”) are delighted by your interest in our home charging products (hereinafter referred to as “Porsche charging hardware”). We take the protection of your personal data and the confidential treatment of this data very seriously. Your personal data are processed only within the scope of the legal provisions of data protection law, in particular, the European Union General Data Protection Regulation (hereafter “GDPR”). This Data Protection Declaration provides information about the processing of your personal data and your rights as a data subject in connection with your use of the Porsche Digital Service Infrastructure. For information on the processing of personal data in other areas, please refer to the relevant specific data protection declaration.

If we refer to this privacy policy from external social media profiles, the following explanations only apply insofar as the processing takes place in our area of responsibility and insofar as no more specific and therefore overriding information on data protection is provided in the context of such social media profiles.

1. Responsible Person and Data Protection Officer

The responsible party for data processing within the meaning of the data protection laws is:

Porsche Cars North America, Inc.
One Porsche Drive
Atlanta, GA 30354
USA
Tel.: (770) 290-3500
Email: info@porsche.de

If you have any questions or suggestions relating to data protection, please feel free to contact us. Our data protection officer can be reached at:

Dr. Ing. h.c. F. Porsche AG
Data Protection Officer
Porscheplatz 1
70435 Stuttgart
Germany
Contact: https://www.porsche.com/privacy-contact/

2. Subject Matter of Data Protection

The subject matter of data protection is the protection of personal data. This includes all information relating to an identified or identifiable natural person (data subject). This includes not only information such as name, postal address, email address or telephone number, but also information that arises during your use of the Porsche Digital Service Infrastructure, in particular information about the beginning, end and scope of use as well as the transmission of your IP address.

3. Purposes of and Legal Grounds for Data Processing

An overview of the purposes of and legal grounds for data processing within the scope of the Porsche Digital Service Infrastructure is given below. We process personal data in accordance with the legal requirements, even if a legal basis other than that specified below is relevant in individual cases.

Your provision of personal data may be legally or contractually prescribed or may be required to conclude a contract. We will inform you separately if you are obliged to provide personal data and the possible consequences of failure to do so (e.g. loss of claims or our notification that we will not be able to provide the requested service without the provision of certain information). The use of the Porsche Digital Service Infrastructure is generally possible without registration. The use of individual services and functions may require prior registration. Even if you use our Porsche Digital Service Infrastructure without registration, personal data may still be processed.

3.1. Fulfillment of Contractual and Pre-contractual Obligations

We process your personal data if this is necessary for the performance of a contract to which you are a party, or for the performance of pre-contractual measures taken at your request. Data are processed on the basis of Article 6 (1) (b) GDPR. The purposes of processing include enabling the use of our specific products and services within the scope of the Porsche Digital Service Infrastructure.

Specifically, these include the following functions:

• Transmission of technical diagnostic data for support purposes

In the event of faults in the device, the technical diagnostic data can be sent to Porsche AG in encrypted form. With this data, the support employee is able to provide you with the best possible assistance. Consent to automatic data transmission is voluntary and can be revoked at any time. The transmission contains the following data: unique ID of the device, technical status values at a specific time, diagnostic codes, performance class, software and hardware versions, production date, manufacturer’s information, country specifications including status information.

• Inspection and installation of software updates

In order to ensure proper functionality of the Porsche charger, updates must be installed regularly. These updates include functional enhancements, troubleshooting and important security updates. The availability of new software at the Porsche backends is checked at regular intervals. In this case, the package will be downloaded and installed by the device upon your agreement.

• Link to existing Porsche ID account

If you wish to use additional optional online services for the Porsche charging equipment, your Porsche charging equipment must be linked to your Porsche ID account, which is offered by the respective Porsche Connect sales company in selected markets. Within the scope of using the Porsche Digital Service Infrastructure, the following personal and device-specific data are transmitted to Porsche for provision and processing there:

• Customer identification (Porsche ID or device serial number)

• Charging statistics (does not apply to Home Energy Manager)

• Charging history information (does not apply to Home Energy Manager)

• Status (of the device and of the charging process)

• Connection status and

• Time stamp of the last connection.

3.2. Fulfillment of Legal Obligations

We also process your personal data to comply with legal obligations to which we are subject. Data is processed on the basis of Article 6 (1) (c) GDPR. The obligations may arise, for example, from commercial, tax, money laundering, financial or criminal law. The purposes of processing arise from the respective statutory obligation; processing generally serves the purpose of complying with state obligations with regard to monitoring and duty of disclosure.

3.3. Legitimate Interests

We also process your personal data to protect our legitimate interests or those of third parties, unless your interests, which require the protection of your personal data, take precedence. Data processing is done on the basis of Article 6 (1) (f) GDPR. Processing to safeguard legitimate interests is carried out for the following purposes or to safeguard the following interests:

• Further development of products, services and support offers, as well as other measures for managing business transactions and processes;

• Improving product quality, rectifying faults and malfunctions including by analyzing vehicle data and customer feedback

When you access the Porsche Digital Service Infrastructure, data relating to your end device and your use of the Porsche Digital Service Infrastructure is processed and logged. This applies in particular to technical data such as date and time of access, duration of visit, type of end device, operating system used, functions used, quantity of data sent, IP address and referrer URL. We process this data to ensure technical operation and to determine and rectify faults. In doing so, we have an interest in ensuring technical functionality in the long term. We do not use this data for the purpose of identifying you personally.

3.4. Consent

We process your personal data on the basis of your consent. Data processing is done on the basis of Article 6 (1) (a) GDPR. Your granting of consent is always for a specific purpose; the purposes of processing are determined by the content of your declaration of consent. You may revoke your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Based on your granted consent, the companies listed in the declaration of consent may use the data for the stipulated purposes, e.g. for individual customer and prospective customer support, and may contact you via the communication channels you request. We use your data in this context to offer you an inspiring brand and customer care experience with Porsche and to make communication and interaction with you as personal and relevant as possible. The data specifically used for individual customer and prospective customer support depends in particular on the data collected on the basis of requests, orders and consultations, (e.g. when purchasing Porsche products) and which data you provided (e.g. in the Porsche Center) to the relevant points of contact, (e.g. your personal interests).

3.5. Change of Purpose

To the extent that we process your personal data for a purpose other than that for which the data was collected, without your consent or a compelling legal basis, we take into account the compatibility of the original purpose and the purpose now being pursued, the nature of the personal data, the possible consequences of further processing for you and the guarantees for the protection of personal data in accordance with Article 6 (4) GDPR.

4. End Device Access Permissions

Some functions of our Porsche Digital Service Infrastructure require the granting of permission to access your end device (e.g. access to location data). Granting permissions is voluntary. However, use of the corresponding functions requires that the appropriate permissions first be granted. The permissions remain active until you reset them in your end device by deactivating the respective setting.

5. Recipients of Personal Data

Within our company, only those individuals who require your personal data for specified purposes have access to it. We will only disclose your personal data to external recipients if we have a legal authorization to do this, or if you have consented to this. An overview of the corresponding recipients is provided below:

• Processors: Group companies or external service providers, for example in technical infrastructure and servicing, which are carefully selected and reviewed. Processors may only use the data in accordance with our instructions.

• Public bodies: Authorities and public institutions, such as tax authorities, public prosecutors or courts, to which we (are obliged to) disclose personal data, e.g. to fulfill legal obligations or to protect legitimate interests.

• Private bodies: Group companies, Porsche dealers and service companies, cooperation partners, (non-instruction-based) service providers or commissioned persons such as Porsche Centers and Porsche Service Centers, financing institutions, credit agencies or transport service providers.

6. Data Processing in Third Countries

If data are transmitted to bodies whose headquarters or place of data processing is not located in a member state of the European Union, another country outside of the European Union that is a signatory to the Agreement on the European Economic Area or a state for which an appropriate level of data protection has been determined through a decision of the European Commission, we will ensure before disclosure that the data transfer is covered by a legal authorization, that there are guarantees for an adequate level of data protection with regard to the data transfer (e.g. through the agreement of contractual warranties, officially recognized regulations or binding internal data protection regulations at the recipient) or that you have given your consent to the data transfer.

Insofar as data is transferred on the basis of GDPR Article 46, 47 or 49 (1) 2, you may obtain from us a copy of the guarantees for the existence of an adequate level of data protection with regard to the data transfer or notice of the availability of a copy of the guarantees. For this purpose, please use the information under point 1.

7. Duration of Storage, Deletion

We will store your personal data, if we have legal permission to do so, only for as long as necessary to achieve the pursued purposes and/or provided you have not revoked your consent. In the event of an objection to processing, we will delete your personal data, unless further processing is permitted according to the relevant legal provisions. We will also delete your personal data if we are obliged to do so for other legal reasons. Pursuant to these general principles, we will usually delete your personal information immediately

• after the legal basis ceases to apply and if no other legal basis (e.g. retention periods under commercial and tax law) is applicable. If the latter is the case, we will delete the data once that other legal basis ceases to apply;

• if your personal data is no longer required for our purposes and if no other legal basis (for example, commercial and tax retention periods) applies. If the latter is the case, we will delete the data once that other legal basis ceases to apply.

8. Rights of Data Subjects

Right of access: You have the right to receive information regarding the data we have stored about you.

Right to rectification and erasure: You may demand the correction of incorrect data, and insofar as the legal requirements are met, the erasure of your data.

Restriction of processing: You may demand, provided the legal requirements are met, that we limit processing of your data.

Data portability: If you have provided us with data based on a contract or consent, you may, if the statutory requirements are met, obtain from us the data provided by you in a structured, commonly used and machine-readable format, or require us to transmit it to another controller.

Objection: You have the right to object to data processing by us at any time for reasons arising from your particular situation, insofar as this is based on the safeguarding of legitimate interests. If you exercise your right to object, we will cease the processing of your data unless we can – pursuant to the legal requirements – prove compelling legitimate reasons for further processing which override your rights.

Objection to direct marketing: If we process your personal data in order to carry out direct marketing, you have the right to object to the data processing by us at any time for the purpose of direct marketing. If you exercise your right to object, we will stop the processing for such purposes.

Withdrawal of consent: If you have given your consent to process your personal data, this consent can be revoked at any time, with future effect. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Right to lodge a complaint with a supervisory authority: You may lodge a complaint with the supervisory authority if you believe that the processing of your data violates applicable law. You can contact the supervisory authorities responsible for your home or your country or to the supervisory authorities responsible for us.

Contacting us and exercising your rights: You can also contact us free of charge if you have any questions about the processing of your personal data and your rights as a data subject. Please contact https://www.porsche.com/privacy-contact/ or at the postal address specified in point 1 above. When doing so, please identify yourself clearly. If you wish to withdraw your consent, you can alternatively use the method of contact that you used to grant your consent.

9. Status

The current version of this Data Protection Declaration shall apply. Status as of: 02/12/2024.

***