Privacy Policy

[1.] Data integrity

In each case, the controllers have taken appropriate technical and organizational measures to protect your data, which protect your data against loss, manipulation or unauthorized access, among other things. The measures taken are subject to regular review and are continuously adapted to the state of the art. If there is a breach of the protection of your personal data that is likely to result in a high risk to your rights and freedoms, you will be notified by us immediately.

[2.] Use by minors

It is specified that all processing of personal data may only be used by persons who have reached the age of 14. Should such data processing nevertheless occur, we will stop processing this data as soon as we become aware of it.

[3.] Collection and processing of personal data

Information you provide

If you correspond with us or fill in a form on our website with data, you acknowledge that the data you provide in the respective form will be processed for the purposes described below.

Information we collect

When you visit our website, personal data is collected automatically by cookies. For more information about cookies used on our website, please see our Cookie Policy.

[4.] Transmission of data

Porsche Holding GmbH does not carry out some data processing itself, but has support from professional partners. The partners have been carefully selected and ensure that the processing of your personal data is carried out in accordance with the data protection regulations and that your rights are safeguarded by means of suitable technical and organisational measures. The partners are not permitted to use the personal data provided for their own or advertising purposes or to pass it on to third parties. In addition, the controller will not pass on any information to third parties - such as address publishers and direct advertising companies.

If recipients are located outside the European Union or the European Economic Area (so-called third countries), we ensure that an adequate level of data protection is guaranteed by appropriate guarantees. This is done, for example, by concluding standard contractual clauses from the European Commission or on the basis of an adequacy decision by the EU Commission.

[5.] Data processing on the website

General contact form

• Description: The contact form: (information about apprenticeships, information about summer internships, question about the application process, question to customer service, question to Porsche Holding): When you submit the respective contact form, your following personal data will be processed.
• Data categories: Contact and identification data and free text entry
• Purpose: Responding to your request
• Legal basis:
  • Fulfilment of pre-contractual measures – Art. 6 (1) (b) GDPR To process and respond to your individual enquiry
  • Legitimate interest – Art. 6 para. 1 lit. f GDPR The legitimate interest consists in being able to process your inquiries reliably and individually
• Recipients of the data:
  • Employees of the respective departments
  • Group affiliates
• Storage period: 12 months

[6.] Data processing in business operations

Processing within the framework of the Supplier Portal

• Description: Potential and existing suppliers can register their company data via the Supplier Portal of Porsche Holding Salzburg in order to be considered as a business partner and to participate in tenders. Registration is carried out via the SAP Ariba procurement system. As part of the registration process, company master data, contact information and proof of the legal form and compliance requirements are collected. In addition, suppliers must accept the applicable procurement conditions and the Code of Conduct for Business Partners.
• Data categories: Professional contact and (work) organisation data, contract data, creditworthiness and bank data
• Purpose: Implementation of tenders and award processes
• Legal basis:
  • Performance of Contract / Pre-Contractual Measures – Art. 6 (1) (b) GDPR For the implementation of registration and the initiation and processing of supplier contracts
  • Legitimate interest – Art. 6 para. 1 lit. f GDPR To efficiently manage procurement processes, check the suitability of suppliers and ensure a sustainable supplier relationship.
• Recipients of the data:
  • Group affiliated companies
  • IT service providers
• Storage period:
  • Registration data: for the duration of the ongoing supplier relationship.
  • Rejected or not followed up registrations: Deletion after 2 years at the latest.
  • Contract and compliance-related data: 7 years

[7.] Data processing in the context of compliance

Donations

• Description: Due to legal provisions against corruption as well as internal compliance guidelines, benefits (invitations, gifts, etc.) are recorded in the Incentive Lotus Notes database and a release process is carried out. All donations to and from third parties with a business connection are documented in a transparent manner.
• Data categories: Contact and identification data of business partners and employees
• Purpose: Compliance
• Legal basis:
  • Legitimate interest – Art. 6 (1) (f) GDPR The legitimate interest consists of the exchange of data within the group of companies for internal administrative purposes and for fraud prevention
• Recipients of the data:
  • Affiliates
  • Internal Compliance Department
  • External service providers (e.g. IT service providers fordatabase operation)
  • Authorities (if required by law)
• Storage period: 7 years according to § 132 BAO from the end of the calendar year

Business Partner Due Diligence (BPDD)

• Description: The Volkswagen Group's Business Partner Due Diligence (BPDD) process is carried out via the Proxora (AWS) cloud tool. Business partner data is collected for a risk analysis (comparison with the Business Partner Integrity List and external databases) and, if necessary, supplemented by further information. Based on the assessment, Compliance prepares a report; non-compliant business partners are included in the group-wide Business Partner Integrity List and excluded from cooperation.
• Data categories: Organization data, contract data, IT usage data, financial and creditworthiness data, data on personal/professional circumstances, sensitive personal data within the meaning of Art. 9 GDPR, data on criminal offences/administrative offences (Art. 10 GDPR)
• Purpose: Compliance, Fraud Prevention
• Legal basis:
  • Compliance with legal obligations – Art. 6 (1) (c) GDPR e.g. compliance with provisions from the Supply Chain Due Diligence Act, Sections 299 et seq. and 331 et seq. of the German Criminal Code, US Foreign Corrupt Practices Act, UK Bribery Act, UK Modern Slavery Act
  • Legitimate interest – Art. 6 (1) (f) GDPR The legitimate interest lies in the prevention of corruption, white-collar crime and ensuring legally secure supply chains within the Volkswagen Group
  • Special categories of personal data – Art. 9 (2) (g) GDPR To the extent necessary to safeguard a significant public interest on the basis of legal provisions, e.g. collection of health or ethnic data as part of risk assessment
  • Criminal record data – Art. 10 GDPR in conjunction with Austrian legal bases Processing of information on criminal offences or administrative offences, insofar as this is necessary for the integrity assessment of business partners
• Art. 26 GDPR – Joint Controllership:
  • VW and Porsche Holding (as participants in the JCA) jointly determine the purposes and means of the processing.
  • Responsibilities:
    • Group company concerned: Recording and initial risk assessment of business partner data
    • Porsche Holding GmbH: In-depth risk assessment, reporting, clearance decisions
    • VW AG & Porsche Holding: Monitoring, audit of integrity reports, if necessary inclusion in BPIL (Business Partner Integrity List)
• Recipients of the data:
  • Affiliates
  • External service providers who are commissioned to carry out the BPDD
  • IT Service Providers
  • Authorities and regulatory bodies, where required by law
• Storage period:
  • Basic data: 5 years after the end of the business relationship
  • Risk and integrity reports: 10 years after completion of the audit
  • Deletion takes place automatically from the Proxora tool, provided that there are no legal retention obligations

Whistleblowing system

• Description: Employees and external business partners can use the Group-wide whistleblower system to report possible violations of laws, internal guidelines or compliance requirements. The system is operated as a group-wide platform and offers the possibility of anonymous reporting. The information received will be reviewed and processed by the responsible compliance department of Porsche Holding and, if necessary, by Volkswagen AG (Group Compliance).
• Data categories: Contact and identification data, Special categories of personal data according to Art. 9 GDPR, Data on criminal offences and administrative offences according to Art. 10 GDPR
• Purpose: Compliance, Fraud Prevention
• Legal basis:
  • Legal obligation – Art. 6 para. 1 lit. c GDPR (e.g. implementation of the Whistleblower Protection Act)
  • Legitimate interest – Art. 6 para. 1 lit. f GDPR (detection and prevention of breaches, protection of the company and its employees)
  • Special categories of personal data – Art. 9 para. 2 lit. g GDPR (if necessary in the context of the clarification of a significant public interest)
  • Criminal record data – Art. 10 GDPR in conjunction with § 4 para. 3 DSG
• Art. 26 GDPR – Joint Controllership:
  • Porsche Holding and Volkswagen AG (Group Compliance) jointly determine the purposes and means of the processing.
  • Porsche Holding: Receiving and processing local information.
  • Volkswagen AG: Operation of the group-wide platform, support in complex proceedings, final coordination in group-wide cases.
• Recipients of the data:
  • Volkswagen AG (Group Compliance)
  • Authorities and courts, as required by law
  • If necessary, external examination service providers / lawyers
• Storage period:
  • In principle, 3 years after the conclusion of the procedure
  • Extension, if necessary for the enforcement or defence of legal claims

HR Processes for Compliance Officers (CO)

• Description: To ensure an effective and independent compliance organization, uniform HR standards are implemented throughout the Group. This applies to the recruitment, development and, if necessary, dismissal of compliance officers. Relevant HR data is exchanged throughout the Group between local HR/Compliance departments, Group Compliance and the responsible HR departments of Volkswagen AG. If necessary, external service providers can be involved for background checks.
• Data categories: Professional contact and (work) organisation data, private contact and identification data, contract data, data on personal/professional circumstances and characteristics, payment and time management data
• Purpose: Compliance, Fraud Prevention
• Legal basis:
  • Contract / pre-contractual measures – Art. 6 para. 1 lit. b GDPR (e.g. in the context of application procedures and the establishment of the employment relationship)
  • Legal obligation – Art. 6 para. 1 lit. c GDPR (e.g. compliance with employment and company law requirements)
  • Legitimate interest – Art. 6 para. 1 lit. f GDPR (ensuring an effective and independent compliance organization, group-wide standardization of HR processes)
  • Special categories of personal data – Art. 9 (2) (b) GDPR (insofar as necessary for the exercise of obligations under employment law, e.g. in the case of severe disability)
  • Criminal record data – Art. 10 GDPR in conjunction with § 4 para. 3 DSG (Austria) (if necessary in the context of background checks, if legally permissible)
• Art. 26 GDPR – Joint Controllership:
  • Parties involved: Porsche Holding, Volkswagen AG (Group Compliance, HR), and other affected Group companies
  • Porsche Holding / local companies: Implementation of application, recruitment and administration processes, initial transmission of relevant HR data
  • Volkswagen AG (Group Compliance / HR): Coordination, exchange and evaluation of HR data throughout the Group, ensuring uniform standards
• Recipients of the data:
  • Volkswagen AG (Group Compliance, responsible HR department)
  • Affiliates
  • If applicable, external service providers for background checks (as far as legally permissible)
• Storage period:
  • As long as it is necessary for the purposes of employment
  • After termination: Deletion of HR data as soon as there are no longer any legal retention obligations (usually 7 years according to § 132 BAO or labor law deadlines)
  • Data from background checks: only as long as necessary for the decision, then immediately deleted

[8.] Data processing in the application process

Application Procedure & Selection Processes

• Description: As part of the application process, the Company processes personal data for the following purposes.
  • Processing and managing applications for advertised positions, including reviewing documents, communicating with applicants, and organizing and conducting selection procedures.
  • Conducting job interviews, which can also be done online via Microsoft Teams if required.
  • Participation in further selection procedures, such as assessment centers or apprentice knowledge tests for in-depth competence or aptitude assessment.
  • Sharing the application documents with the HR department and the responsible management to select suitable candidates
  • Providing feedback to applicants after the selection process has been completed.
  • Retention of application documents for record keeping – with the express consent of the person concerned – beyond the current selection process in order to be able to contact them again in the event of suitable vacancies in the future.
• Data categories: Private contact and identification data, Professional contact and (work) organisation data, IT usage data, Sensitive personal data (Art. 9 GDPR, e.g. health data, trade union membership), remuneration and time management data
• Purpose: Application / Recruitment
• Legal basis:
  • Pre-contractual measures – Art. 6 (1) (b) GDPR e.g. review of application documents, conductingjob interviews, organisation of selection procedures
  • Legitimate interest – Art. 6 para. 1 lit. f GDPR The legitimate interest lies in the efficient processing of applications and in the internal exchange of documents within the group of companies for administrative purposes
  • Consent – Art. 6 (1) (a) GDPR On keeping records of application documents for future vacancies
  • Special categories of personal data – Art. 9 (2) (b) GDPR If necessary for the exercise of rights or for the fulfilment of obligations under labour law (e.g. declaration of a severe disability)
  • Criminal record data – Art. 10 GDPR in conjunction with Art. 4 para. 3 FADP Processing of data from the criminal record
• Joint responsibility in accordance with Article 26: There is joint responsibility between the Human Resources department of Porsche Holding GmbH and the respective specialist departments of the Group companies. The HR department operates the application portal, prepares the tender documents, makes the pre-selection and takes care of the contract processing. The specialist departments decide on the final selection of applicants and the hiring.
• Recipients of the data:
  • Affiliates
  • IT service providers (for technical support, e.g. video conferencing software)
  • External consultants and service providers (e.g. assessment centres)
  • Authorities (only if required by law, e.g. criminal records information)
• Storage period:
  • Rejected applicants: 7 months (6 months according to the Equal Treatment Act (GlBG), § 15 para. 1 GlBG + 1 month).
  • Upon entry into the employment relationship: 7 years after the termination of the employment relationship, in accordance with the Austrian retention obligations (§ 132 BAO).

Digital recruiting process

• Description: Porsche Holding and its affiliated companies have the option of completing the application process via WhatsApp. Communication takes place via a specially integrated app that accesses the WhatsApp Business API. The API serves exclusively as a technical switching module and does not process any additional data. WhatsApp only gets access to the applicants' phone numbers, but no insight into other personal data or conversation content.
• Data categories: contact and identification data, data on personal/professional circumstances & characteristics
• Purpose: To simplify and accelerate communication in the application process.
• Legal basis:
  • Legitimate interest – Art. 6 (1) (f) GDPR The legitimate interests include increasing efficiency and accelerating communication as well as improving the accessibility of applicants
• Recipients of the data:
  • Affiliates
  • IT service provider (for technical implementation of the recruiting platform)
  • WhatsApp (Business API) – as a technical switching module, with access only to phone numbers
• Storage period: Your applicant data will be deleted 30 days after the last activity related to your application. Should you choose the option to be included in a candidate pool (to be considered for future job postings), your data will be stored for up to 6 months after the last activity. After that, they will be deleted.

Handling the hiring of new employees

• Description: Collection and processing of personal data in the course of the preparatory measures for the establishment of an employment relationship after the acceptance has been made. The aim is to prepare the employment relationship in a structured, efficient and legally compliant manner. This includes in particular:
  • Collection of personal data via a personal data sheet
  • Obtaining and processing an extract from the criminal record (if required by law)
  • Drafting and preparation of the employment contract
  • Organization of all administrative and technical measures for the start of work (e.g. IT trains, workstation, time recording systems)
  • Reports to authorities, social security institutions and other bodies provided for by law
• Data categories: Private contact and identification data, Sensitive personal data (Art. 9 GDPR) or data on criminal convictions, Credit and bank data, Contract data
• Purpose: Application / Recruitment
• Legal basis:
  • Pre-contractual measures – Art. 6 (1) (b) GDPR For the preparation and execution of the employment contract
  • Legal obligation – Art. 6 para. 1 lit. c GDPR Due to legal obligations, e.g. from tax, social security or reporting
  • Legitimate interest – Art. 6 (1) (f) GDPR The legitimate interest lies in a structured and rapid preparation of employment contracts (e.g. early establishment of system access)
  • Health data – Art. 9 (2) (b) GDPR Processing of sensitive personal data (e.g. information on severe disability) to the extent required under employment law
  • Criminal record data – Art. 10 GDPR in conjunction with Art. 4 para. 3 FADP Processing of data from the criminal record
• Recipients of the data:
  • Affiliates
  • IT service providers (e.g. HR software, onboarding systems)
  • Authorities and public bodies (e.g. social security, tax authorities)
  • Banks (e.g. to process salary payments)
• Storage period:
  • Upon entry into the employment relationship: Storage of the data in the personnel file for 7 years after the termination of the employment relationship, in accordance with the Austrian retention obligations (§ 132 BAO).
  • Rejected applicants: 7 months (6 months according to the Equal Treatment Act (GlBG), § 15 para. 1 GlBG + 1 month).

[9.] Cookies, social plug-ins and other tracking tools

Our website uses cookies and similar technologies. Some are technically necessary to ensure the operation of the site (legitimate interest according to Art. 6 para. 1 lit. f GDPR). Others are for statistical purposes or to display personalized content and advertising. We only use these with your consent in accordance with Art. 6 (1) (a) GDPR. Detailed information on the cookies used, their purpose, storage period and your setting options can be found in our Cookie Policy.

[10.] Social Media

Our website uses social media and social plugins to provide content and enable users to interact with social networks. This may result in the transmission of personal data to the operators of the respective platforms.

In this section, we inform you about the type, scope and purposes of data processing in connection with our social media presences. For data protection issues in connection with the platforms, the respective data protection guidelines of the operators also apply.

This information applies to the following platforms:

• Facebook
• Instagram
• TikTok
• LinkedIn
• YouTube

Responsibilities

Joint responsibility

In the context of our social media pages (e.g. Facebook fan pages, Instagram profiles, TikTok accounts), we are jointly responsible for the processing of personal data with the respective platform operator in accordance with Art. 26 GDPR. This applies in particular to the processing of user interactions, posts, comments, messages and the use of anonymised usage statistics ("insights").

Sole responsibility of the platform operators

The respective platform operators are solely responsible for independent data processing by the social media platforms, such as the use of cookies, tracking technologies or personalized advertising. This processing is beyond our control. For more information, please refer to the privacy policies of the platforms:

• Facebook Data Policy
• Instagram Privacy Policy
• TikTok Privacy Policy
• LinkedIn Privacy Policy
• YouTube Privacy Policy

Processing of personal data via social media

Postings on reporting

• Description: We regularly post posts on our social media platforms for our company's reporting. This may result in the processing of personal data of the persons photographed.
• Data categories: Contact & Identification Data, Photograph
• Purpose: Reporting and informing about news
• Legal basis:
  • Legitimate interest – Art. 6 para. 1 lit. f GDPR The legitimate interest lies in the external presentation and transparent reporting of company activities.
• Storage period: We regularly check the necessity of the posts we post on Facebook and Instagram and carry out appropriate deletion routines in the course of which we delete posts that are no longer needed. However, due to the lack of technical control over the Facebook platforms, we cannot ensure that Facebook will actually delete them.

Interactions and communication

• Description: When you interact with us on social media by following our platforms or liking posts on these pages ("Like" button), commenting, sharing, posting on them yourself or writing messages to us, we process your personal data.
• Data categories: Contact & Identification Data
• Purpose: To respond to your inquiry as well as to analyze and optimize our pages
• Legal basis:
  • Legitimate interest – Art. 6 para. 1 lit. f GDPR The legitimate interest lies in being able to process and reliably answer your individual inquiries as well as to be able to optimize our social media platforms.
• Storage period: We regularly check the necessity of the personal data stored by us on Facebook and Instagram and carry out appropriate deletion routines, in the course of which, for example, we initiate the removal of messenger messages or delete posts. However, due to the lack of technical control over the Facebook platforms, we cannot ensure that Facebook will actually delete them.

Processing of competitions

• Description: We regularly organize competitions on our Facebook fan page and our Instagram account. If you take part in one of our competitions, we need to process personal data about you in order to administer the competition.
• Data categories: Contact & Identification Data
• Purpose: Processing and implementation of the competition.
• Legal basis:
  • Contractual or pre-contractual measures – Art. 6 (1) (b) GDPR The processing is carried out for the purpose of conducting the competition and fulfilling the associated obligations towards the participants (e.g. notifying the winners, sending prizes).
• Storage period: The personal data of the participants will be deleted after the winner has been drawn. The personal data of the winner will also be processed until the processing and handover of the prize.

Insights / Usage statistics

• Description: The social media platforms provide us with anonymized usage statistics (page insights) based on users' interactions with our pages, such as likes, comments, follower counts, and demographics. This data helps us to better tailor our content to the target group and increase reach. We do not receive personal data from individual users; the collection and processing is carried out exclusively by the platform operator.
• Data categories: Anonymized usage data
• Purpose: Analysis and optimization of our social media presences
• Legal basis:
  • Legitimate interest – Art. 6 para. 1 lit. f GDPR Our legitimate interest lies in the analysis and optimisation of our social media presences as well as the needs-based orientation of our content.
• Storage period: The storage period of the Insights data depends on the specifications of the respective social media platform operator and is usually between a few weeks and several months. We ourselves do not store this data separately, but access the current statistics provided by the platform if necessary.

[11.] Your rights

You have the following rights:

Right to information: You can request confirmation as to whether and to what extent data about you is being processed.

Right to rectification: If we process incomplete or incorrect data about you, you can request their correction or completion at any time.

Right to erasure: You can request the deletion of your data if the purpose for which it was collected has ceased to exist, unlawful processing has occurred, the processing disproportionately interferes with your legitimate interests in protection, or if the data processing is based on your consent and you have withdrawn it. It should be noted that there may be other reasons that may prevent the immediate deletion of your data, e.g. legally regulated retention obligations, pending proceedings, assertion, exercise or defence of legal claims, etc.

Right to restriction of processing: You have the right to request restriction of processing of your data if:

• you contest the accuracy of your data, for a period of time that allows us to verify the accuracy of the data;
• the processing of your data is unlawful, but you oppose erasure and request restriction of data use instead;
• we no longer need the data for the intended purpose, but you still need this data to assert, exercise or defend legal claims; or
• you have objected to the processing of the data as long as it has not yet been determined whether our legitimate reasons outweigh yours.

Right to data portability: You can ask us to provide you with the data you have provided to us in a structured, commonly used and machine-readable format or to transmit this data to another controller without hindrance from us, provided that we process the data on the basis of your consent or for the performance of a contract between us and the processing is carried out by automated means.

Right to object: If we process your data for the performance of tasks that are in the public interest, for the exercise of official authority, or if we invoke the necessity of safeguarding our legitimate interest in the processing, you can object to this data processing if there is an overriding interest in protecting your data.

Right to withdraw: You may revoke any consent you have given to us at any time without giving any reason, and you may revoke any individual consent form independently of any other consent you have given to us. We expressly point out that a revocation has no direct or indirect negative consequences for your employment with us. A revocation only has the consequence that we will no longer process your data from this point on for the purposes specified in the respective declaration of consent, and any rights and/or benefits (if any) related to the processing of the specific data can no longer be claimed.

Right to lodge a complaint: If you believe that the processing of your data violates data protection law or that your data protection rights have otherwise been violated in any other way, please contact us. Of course, you can also lodge a complaint with the Austrian Data Protection Authority (for further information: www.dsb.gv.at).

[12.] Group affiliates of Porsche Holding GmbH

• Porsche Holding GmbH (Louise-Piëch-Straße 2, 5020 Salzburg) Porsche Immobilien GmbH (Louise-Piëch-Straße 2, 5020 Salzburg) Porsche Air Service GmbH (Louise-Piëch-Straße 2, 5020 Salzburg) Porsche Corporate Finance GmbH (Louise-Piëch-Straße 2, 5020 Salzburg)
• Porsche Austria GmbH & Co OG (Louise-Piëch-Straße 2, 5020 Salzburg) Porsche Konstruktionen GmbH & Co KG (Louise-Piëch-Straße 2, 5020 Salzburg) Allmobil GmbH (Louise-Piëch-Straße 2, 5020 Salzburg) Porsche Media & Creative GmbH (Louise-Piëch-Straße 2, 5020 Salzburg) Moon Power GmbH (Louise-Piëch-Straße 2, 5020 Salzburg)
• Porsche Versicherungs AG (Vogelweiderstraße 75, 5020 Salzburg) Porsche Mobility GmbH (Trattnerhof 1, 1010 Vienna) ARAC GmbH (Louise-Piëch-Straße 2, 5020 Salzburg)
• Volkswagen-Versicherungsdienst GmbH (Trattnerhof 1, 1010 Vienna)
• Porsche Inter Auto GmbH & Co KG (Louise-Piëch-Straße 2, 5020 Salzburg) Exclusive Cars Vertriebs GmbH (Ketzergasse 120, 1230 Vienna) Bikes Vertriebs GmbH (Ketzergasse 120, 1230 Vienna)
• Porsche Informatik GmbH (Louise-Piëch-Straße 2, 5020 Salzburg) DigiLab Porsche Informatik GmbH (Rothschildplatz 3, 1020 Vienna)
• Porsche Bank AG (Vogelweiderstraße 75, 5020 Salzburg)

[13.] Contact details

You can assert all rights directly with Porsche Holding GmbH. Please send your concerns by e-mail to [email protected] or directly to [email protected] in the case of data subject requests.

As of: October 2025