Privacy Policy

Last edition: 13 February 2024

1. Introduction

Toyota respects your privacy. If you deal with Toyota as a customer, a consumer, a member of the general public, etc., you are entitled to protection of your personal data. This data may relate to your name, telephone number, e-mail address, but also to other data, such as your vehicle registration number, geolocation, etc.

In this Toyota General Privacy and Data Protection Policy ("this Policy") we describe how we collect your personal data and why we collect it, what we do with your personal data, with whom we share it, how we protect it and the choices you can make about your personal data.

This Policy applies to the processing of your personal data in the context of various services, tools, applications, websites, portals, (online) sales promotions, marketing actions, sponsored social media platforms, etc. provided or operated by us or on our behalf.

This policy contains general rules and explanations. It is supplemented by separate specific privacy notices related to services, tools, applications, websites, portals, (online) sales promotions, marketing actions, sponsored social media platforms, etc. provided or operated by or on behalf of Toyota. These privacy notices will be communicated to you whenever your personal data is needed in connection with the above activities (e.g. via websites, portals, individual communication services, newsletters, reminders, surveys, offers, events, etc.).

This Policy applies to all of your personal data collected by (or on behalf of) TOYOTA ESPAÑA S.L.U. or Toyota Caetano Portugal, S.A., referred to in this Policy as "Toyota", "we", "us" and "our".

If you accept the provisions of this Policy, you consent to our processing of your personal data in the manner set out in this Policy.

At the end of this Policy, you will find some definitions of certain key concepts used in this Policy which are in capital letters (e.g. Personal Data, Processing, Controller ...).

2. Who is responsible for the processing of your personal data?

The entities responsible for the processing of your personal data are:

Toyota Caetano Portugal, S.A.,

Av. Vasco da Gama, nº1410, 4431-956

Vila Nova de Gaia (TCAP DATA)

and

TOYOTA ESPAÑA, SLU

Av. de Bruselas, 22

28108 Alcobendas, Madrid

Spain

3. Who can I contact if I have questions or requests? The data protection contact point

We have organised a data protection point of contact who will deal with your questions or requests relating to this policy, any specific privacy notices, your personal data (and their processing).

For any questions, requests or complaints regarding the application of this Policy or to exercise your rights as described in this Policy, you may contact us at the Data Protection Contact Point:

  • dpo@toyota.es, and
  • Av. de Bruselas, 22, 28108 Alcobendas, Madrid, Spain

4. KEY PRINCIPLES

We value the personal data you have entrusted to us and are committed to treating your Personal Data fairly, transparently and securely. The key principles that Toyota applies are as follows:

  • Lawfulness: We will only collect your Personal Data for specified, explicit and legitimate purposes and will not process your Personal Data in a way that is incompatible with those purposes.
  • Data minimisation: we will limit the collection of personal data to what is strictly relevant and necessary for the purposes for which it was collected.
  • Purpose limitation: we will only collect your personal data for specified, explicit and legitimate purposes, and we will not process your personal data in a way that is incompatible with those purposes.
  • Accuracy: We will keep your personal data accurate and up to date.
  • Data Security: we will implement appropriate technical and organisational measures to ensure an adequate level of security in relation to the risks presented by the processing and the nature of the data to be protected. Such measures are put in place to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss or alteration and any other form of unlawful processing.
  • Access and Rectification: we will process your personal data in accordance with your privacy rights.
  • Retention: We will retain your personal data in a manner consistent with applicable data protection laws and regulations and no longer than is necessary for the purposes for which it was collected.
  • International transfers: we will ensure that all personal data transferred outside the EU/EEA is adequately protected.
  • Third parties: we will ensure that access and transfer of personal data to third parties is carried out in accordance with applicable laws and regulations and with appropriate contractual safeguards.
  • Direct Marketing and cookies: we will ensure compliance with applicable advertising and cookie legislation.

5. PROCESSING OF YOUR PERSONAL DATA: WHAT PERSONAL DATA DO WE COLLECT AND WHAT ARE THE LEGAL ASPECTS?

Whenever we request your Personal Data, we will clearly inform you of what Personal Data we collect. This information will be provided to you via a separate privacy notice which, for example, will be included in specific services (including communication services), e-newsletters, reminders, surveys, offers, invitations to events, etc.

Please note that, in accordance with the applicable data protection regulations, your personal data may be processed if:

  • you have given us your consent for the purposes of the processing (as described in the privacy notice relating to that particular processing). For the avoidance of doubt, you always have the right to withdraw your consent at any time; or
  • the processing is necessary for the performance of a contract to which you are a party; or
  • with such processing, we pursue a legitimate interest that is not undermined by your privacy rights. Such legitimate interest will be duly disclosed to you in the privacy notice relating to that particular processing; or
  • the processing is required by law.

6. FOR WHAT PURPOSES WE PROCESS YOUR PERSONAL DATA

We only process your personal data for specified, explicit and legitimate purposes, and we will not process your personal data in a way that is incompatible with those purposes.

Such purposes may include the execution of an order you have placed, the improvement of your visit to one of our websites or portals, the improvement of our products and services in general, the offering of services or applications, communications and marketing actions, etc. The purpose of each processing of your personal data will be clearly defined in the specific privacy notice relating to that particular processing. This privacy notice will be accessible, for example, on a website or portal, in an application, in an e-newsletter, etc.

Other processing of the Customer's personal data may also be carried out on the basis of Toyota's legitimate interest. Thus, provided that the Customer does not object through the channels described in paragraph 16, he/she will receive information about products or "Joint Offers", related to the service he/she is contracting or has already contracted. A "Joint Offer" is a set of products directly related to the products already contracted, marketed jointly by Toyota and the Toyota Group, or under the Toyota brand.

To this end, the Customer's personal data may be analysed beforehand in order to draw up a very basic profile that will allow these commercial communications to be adjusted as closely as possible to the Customer's preferences in order to offer them products under the Toyota brand. This analysis may take into account certain Customer data (name and surname, telephone number, email address, address, ID card number, etc.), so it may be necessary to make occasional communications of data between Toyota and the Toyota Group to ensure that the campaigns and "Joint Offers" that may be made, if any, are not repetitive, unnecessary or annoying. In any event, full communication of Customer data between such companies will only take place with the consent of the Customer.

In any event, the Customer may object to the receipt of such commercial communications, as well as to the occasional communication of its data between Toyota and the Toyota Group, at any time by exercising its right to object through the channels set out in paragraph 16. The Customer will only receive such communications for as long as it remains a Toyota or Toyota Group Customer, unless it gives its consent to do so at a later date.

Without prejudice to the foregoing, any complex profiling, including the cases provided for in Article 22 of the GDPR, shall be subject to obtaining the prior explicit, informed, free and unambiguous consent of the Customer. This refers, in particular, to decisions, if any, based solely on automated processing, including profiling, which produce legal effects on the data subject or similarly significantly affect him or her.

7. KEEP YOUR PERSONAL DATA ACCURATE AND UP TO DATE

It is important to us to keep our records of your personal data up to date. Please inform us of any changes or errors in your personal data as soon as possible by contacting us at the Data Protection Contact Point (see section 3 "Who can you contact if you have questions or requests?"). We will take reasonable steps to ensure that any inaccurate information about your data is deleted or amended accordingly.

8. ACCESS TO YOUR PERSONAL DATA

You have the right to access the personal data that we hold about you and, if such personal data is inaccurate or incomplete, to request the rectification or erasure of such personal data. If you would like more information in relation to your privacy rights or wish to exercise any of these rights, please contact us at the Data Protection Contact Point (see section 3 "Who can you contact if you have questions or requests").

9. DURATION OF DATA PROCESSING

We will keep your personal data in accordance with the provisions of data protection regulations. Your personal data will only be kept for as long as is necessary to comply with the provisions of applicable law or for the purposes for which your personal data is processed.

For information on how long certain personal data is likely to be kept before we delete it from our systems and databases, please contact us at the Data Protection Point of Contact (see section 3 "Who can you contact if you have questions or requests").

10. DATA SECURITY

We have a set of technical and organisational security measures in place to protect your Personal Data against unlawful or unauthorised access or use, as well as against accidental loss or damage to its integrity. They have been designed taking into account our IT infrastructure, the potential impact on your privacy and the costs involved and in accordance with current industry standards and practices.

Your personal data may only be processed by a third party if the Data Controller undertakes to take the necessary technical and organisational measures to comply with the data processing security commitment.

Maintaining data security means protecting the confidentiality, integrity and availability of your personal data:

(a) Confidentiality: we will protect your personal data from disclosure to third parties.

(b) Integrity: we will protect your personal data from modification by unauthorised third parties.

(c) Availability: we ensure that authorised persons can access your personal data when necessary.

Our data security procedures include: access security, back-up systems, monitoring, review and maintenance, security incident and continuity management, etc.

11. USE OF COOKIES AND SIMILAR SERVICES

We use cookies on our websites. This helps us to provide you with a better experience when you browse our website and also allows us to make improvements to our site.

For more information on the use of cookies and how to avoid them, please see our cookie policy, available at (link).

12. COMMUNICATION OF PERSONAL DATA

Depending on the purposes for which we collect your Personal Data, we may disclose your Personal Data to the following categories of recipients, who will then process your Personal Data only within the framework of these processing operations:

(a) Within our organisations and our brand environment:

  • Our authorised members of staff;
  • Our subsidiaries and affiliates;
  • Members of our network of Authorised Retailers and Authorised Repairers that you have indicated as preferred Authorised Retailers or Authorised Repairers or that are located near you (based on your postcode, address) or with whom you have been in contact;
  • Toyota Kreditbank GMBH, Sucursal en España;
  • Toyota Insurance Management;

(b) Third-party trading partners:

  • Advertising, marketing and promotion agencies: to help us deliver and analyse the effectiveness of our advertising campaigns and promotions;
  • Business partners: for example, trusted companies that may use your Personal Data to provide you with the services and/or products you have requested and/or that may provide you with marketing materials (provided that you have consented to receive such marketing materials). We ask such companies to always act in accordance with applicable laws and this Policy and to pay careful attention to the confidentiality of your personal information;
  • Toyota service providers: companies that provide services for or on behalf of Toyota, for the purpose of providing such services (for example, Toyota may share your personal data with third party IT-related service providers);

(c) Other third parties:

  • when required by law or as legally necessary to protect Toyota:
      • to comply with the law, requests from authorities, court orders, legal procedures, obligations related to reporting and submission of information to authorities, etc;
      • to verify or enforce compliance with Toyota's policies and agreements; and
      • to protect the rights, property or safety of Toyota and/or its customers;
  • in connection with corporate transactions: in the context of a transfer or divestiture of all or part of its business, or in connection with a merger, consolidation, change of control, reorganisation or liquidation of all or part of Toyota's business.

Please note that the third party recipients listed in (b) and (c) above - especially service providers who may offer products and services to you through Toyota's services or applications or through their own channels - may collect your personal data separately. In such case, these third parties are solely responsible for the control of such personal data and your dealings with them will be governed by their terms and conditions.

13. CONTACTS WITH OUR NETWORK

If you purchase a car or other product or service from one of our Authorised Dealers or Authorised Repairers or if you authorise them to process your personal information, you will have a separate relationship with this network member. In this case, the network member will become the data controller for the processing of your personal data, possibly together with us. For all requests regarding the use of your personal information by your distributor, please contact them.

How is your preferred Authorised Retailer or Authorised Repairer identified? The preferred authorised retailer or authorised repairer is either (1) the authorised retailer or authorised repairer you have selected as your preferred retailer or authorised repairer through your MyToyota account settings (which you can change at any time) or (2) if you have not made such a selection, we will identify an Authorised Dealer or Authorised Repairer based on location (nearest by postcode, address) or based on your contact history with our network.

14. USE OF SOCIAL NETWORKS

If you use a specific username on a social network such as your Facebook username, Toyota will record the data available on this social network and for which you have expressly permitted communication through the selected application.

Toyota sometimes facilitates the publication of (personal) data via social media such as Twitter and Facebook. These social media have their own terms of use which you are obliged to take into account and observe if you make use of them.

Posting on social media may have (unintended) consequences for your privacy or that of the persons whose data is shared, including the impossibility of removing a post within a short time of sharing it. You should be aware of these consequences, as it is you who makes the decision to post on social media. Toyota accepts no liability in this regard.

15. TRANSFERS OUTSIDE EU/EEA

Your personal data may be transferred to recipients which may be outside the EU/EEA, and may be processed by us and these recipients outside the EU/EEA. In relation to any transfer of your personal data to countries outside the EEA which generally do not offer the same level of data protection as in the EU/EEA, Toyota will implement appropriate specific measures to ensure an adequate level of protection for your personal data.

These measures may include, for example, agreeing binding contractual clauses with recipients that ensure an adequate level of protection. We will always clearly inform you when your Personal Data is transferred outside the EU/EEA. This information will be provided to you via a separate privacy notice which will, for example, be included in specific services (including communication services), e-newsletters, reminders, surveys, offers, invitations to events, etc.

16. YOUR VIEWS AND YOUR RIGHTS

We want to be as transparent as possible with you, so that you can make meaningful choices about how you want us to use your information.

  • Your personal data

You can always contact us at the Data Protection Contact Point (see section 3 "Who can you contact if you have questions or requests?") to find out what personal data we hold about you and its source. Under certain conditions, you have the right to receive your personal data, which you have provided to us, in a commonly used structured machine-readable format and to transmit your personal data to any third party of your choice.

  • Your corrections

If you find any errors in your personal information or if it is incomplete or incorrect, you may ask us to correct or complete it.

  • Your restrictions

You have the right to request a restriction on the processing of your personal data (e.g. while the accuracy of your personal data is being verified).

  • Your objections

You can also object to the use of your data for direct marketing purposes (if you prefer, you can also tell us through which channel and how often you prefer to be contacted by us) or to the sharing of your personal information with third parties for the same purpose.

You may at any time withdraw your consent to the continued processing of the personal data you have provided to us by contacting us at the data protection point of contact (see section 3 "Who can you contact with questions or requests").

In addition, you may require that any data concerning you be deleted (except in certain cases, for example, for proof of a transaction or where required by law).

Finally, please note that you have the right to lodge a complaint against the controller with the relevant data protection authority ("DPA").

With regard to TME (as controller), the relevant DPA is the Belgian Data Protection Authority. With regard to TES (as controller), the relevant DPA is the Spanish Data Protection Agency.

17. LEGAL INFORMATION

The requirements of this Policy supplement, and do not replace, any other existing requirements under applicable data protection law. In the event of any inconsistency between what is written in this Policy and the requirements in the applicable data protection law, the applicable data protection law will take precedence.

Toyota may change this Policy at any time. When this happens, we will notify you of any changes and ask you to re-read the most recent version of our Policy and confirm your acceptance. You may also check this Policy periodically at www.toyota.es for any changes.

18. DEFINITIONS

1.1 In this policy, the following terms have the following meanings:

(a) Controller means the organisation that determines the purposes for which and the manner in which personal data are processed. Unless we inform you otherwise, the data controllers are Toyota España S.L.U. (Av. de Bruselas, 22, Arroyo de la Vega, 28108, Alcobendas) and/or Toyota Caetano Portugal, S.A. (Av. Vasco da Gama, nº1410 4431-956 Vila Nova de Gaia).

Further information may be provided to you through a separate privacy notice which, for example, will be included in specific services (including communication services), e-newsletters, reminders, surveys, offers, invitations to events, etc.

(b) Processor means the person and/or organisation processing personal data on behalf of the Controller.

(c) Data Protection Point of Contact means the point of contact (i.e. a person designated by Toyota in the relevant jurisdiction) where you can direct your questions or requests regarding this Policy and/or the processing of your Data to the Data Controller and who will respond to such questions and requests. Unless we inform you otherwise, you may contact the Data Protection Point of Contact as described in section 3 "Who can you contact if you have questions or requests".

(d) EEA means European Economic Area (consisting of the EU Member States, Iceland, Norway and Liechtenstein).

(e) Personal Data is data relating to you directly or allowing your identification, such as, for example, your name, telephone number, e-mail address, vehicle identification number (VIN), (geographical) location, etc.

(f) Processing means the collection, access and all forms of use of your personal data.

(g) Toyota Group includes Toyota España, S.L.U., Toyota Motor Europe, S.L.U., Toyota Motor Corporation, Concesionario Oficial de la Red de Toyota, Toyota Kreditbank, GMBH, Sucursal en España, Aioi Nissai Dowa Insurance Company of Europe Limited, Sucursal en España and Toyota Insurance Management, Ltd, Sucursal en España.