Data Protection Policy EU - Home | Daimler

1 data Protection Policy data Protection Policy | FOREWORD 2. Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data to be collected and processed. Yet, regardless whether in the car, in vehicle maintenance or when selling a vehicle, we adhere to this principle: When storing and transmitting data , we must ensure a high level of data Protection and data security. That goes for information pertaining to our customers, prospects, business partners and employees. Because data Protection is people Protection . We want Daimler to not only stand for safe cars but also set the standard in data Protection . For that reason, we view it as our duty, as an international corporation, to comply with the various legal regulations around the world that govern the collection and processing of personal data .

2 Our top priority is to ensure universally applicable, worldwide standards for handling personal data . For us, protecting the personal rights and privacy of each and every individual is the foundation of trust in our business relationships. Our Corporate data Protection Policy lays out strict requirements for processing personal data pertaining to customers, prospects, business partners and employees. It meets the require- ments of the European data Protection Directive and ensures compliance with the principles of national and international data Protection laws in force all over the world. The Policy sets a globally applicable data Protection and security standard for our company and regulates the sharing of information between our Group companies.

3 We have established seven data protec- tion principles among them transparency, data economy and data security as our guideline. Our managers and employees are obligated to adhere to the Corporate data Protection Policy and observe their local data Protection laws. As the Chief Officer Corporate data Protection , it is my duty to ensure that the rules and principles of data Protection at Daimler are followed around the world. My staff and I will be pleased to answer any questions you have about data Protection and security at Daimler . Dr. Joachim Riess Chief Officer Corporate data Protection data Protection Policy | CONTENTS 3. Contents I. Aim of the data Protection Policy 4. II. Scope and amendment of the data Protection Policy 4.

4 III. Application of national laws 5. IV. Principles for processing personal data 5. 1. Fairness and lawfulness 5. 2. Restriction to a specific purpose 5. 3. Transparency 5. 4. data reduction and data economy 6. 5. Deletion 6. 6. Factual accuracy; up-to-date data 6. 7. Confidentiality and data security 6. V. Reliability of data processing 7. 1. Customer and partner data 7. data processing for a contractual relationship 7. data processing for advertising purposes 7. Consent to data processing 7. data processing pursuant to legal authorization 7. data processing pursuant to legitimate interest 8. Processing of highly sensitive data 8. Automated individual decisions 8. User data and internet 8. 2. Employee data 9.

5 data processing for the employment relationship 9. data processing pursuant to legal authorization 9. Collective agreements on data processing 9. Consent to data processing 9. data processing pursuant to legitimate interest 10. Processing of highly sensitive data 10. Automated decisions 10. Telecommunications and internet 11. VI. Transmission of personal data 11. VII. Contract data processing 12. VIII. Rights of the data subject 13. IX. Confidentiality of processing 14. X. Processing security 14. XI. data Protection control 14. XII. data Protection incidents 15. XIII. Responsibilities and sanctions 15. XIV. Chief Officer of Corporate data Protection 16. XV. Definitions 16. data Protection Policy | I. AIM OF THE data Protection Policy | II.

6 SCOPE AND AMENDMENT OF THE data Protection Policy 4. I. Aim of the data Protection Policy As part of its social responsibility, the Daimler Group is committed to international compliance with data Protection laws. This data Protection Policy applies worldwide to the Daimler Group and is based on globally accepted, basic principles on data Protection . Ensuring data Protection is the foundation of trustworthy business relationships and the reputation of the Daimler Group as an attractive employer. The data Protection Policy provides one of the necessary framework conditions for cross-border data transmission1 among the Group companies. It ensures the adequate level of data Protection prescribed by the European Union data Protection Directive2 and the national laws for cross-border data transmission, including in countries that do not yet have adequate data Protection laws3.

7 II. Scope and amendment of the data Protection Policy This data Protection Policy applies to all companies of the Daimler Group, Daimler AG, all of its dependent Group companies, affiliated companies and their employees. Dependent in this instance means that Daimler AG may enforce the adoption of this data Protection Policy directly or indirectly, on the basis of voting majority, majority management representation, or by agreement. The data Protection Policy extends to all processing of personal data4. In countries where the data of legal entities is protected to the same extent as personal data , this data Protection Policy applies equally to data of legal entities. Anonymized5 data , for statistical evaluations or studies, is not subject to this data Protection Policy .

8 Individual Group companies are not entitled to adopt regulations that deviate from this data Protection Policy . Additional data Protection policies can be created in agreement with the Chief Officer Corporate data Protection only if required by applicable national laws. This data Pro- tection Policy can be amended in coordination with the Chief Officer Corporate data Protection under the defined procedure for amending policies. The amendments will be reported immediately to the Daimler Group companies using the process for amending policies. Amendments that have a major impact on compliance with the data Protection Policy must be reported annually to the data Protection authorities that issue approval for this data Protection Policy as Binding Corporate Rules.

9 The latest version of the data Protection Policy can be accessed with the data privacy information at Daimler AG's website: 1 See XV. 2 . Directive 95/46/EC of the European Parliament and the Council on the Protection of individuals with regard to the processing of personal data and on the free movement of such data ;. available at #guideline 3 See XV. 4 See XV. 5 See XV. data Protection Policy | III. APPLICATION OF NATIONAL LAWS | IV. PRINCIPLES FOR PROCESSING PERSONAL data 5. III. Application of national laws This data Protection Policy comprises the internationally accepted data privacy principles without replacing the existing national laws. It supplements the national data privacy laws. The relevant national law will take precedence in the event that it conflicts with this data Protection Policy , or it has stricter requirements than this Policy .

10 The content of this data Protection Policy must also be observed in the absence of corresponding national legislation. The reporting requirements for data processing under national laws must be observed. Each company of the Daimler Group is responsible for compliance with this data Protection Policy and the legal obligations. If there is reason to believe that legal obligations contradict the duties under this data Protection Policy , the relevant Group company must inform the Chief Officer Corporate data Protection . In the event of conflicts between national legislation and the data Protection Policy , Daimler AG will work with the relevant Group company to find a practical solution that meets the purpose of the data Protection Policy .