Tag Archive for: Audit


Data protection in the car dealership

Data protection cannot be transferred 1 to 1 from one company to another. The implementation of the GDPR in car dealerships poses particular challenges for those responsible. In the following, we would like to discuss some of the special features of data protection in car dealerships.

Data protection in the car dealership is end customer business

In the end customer business, it is particularly important for companies to protect the rights of the data subjects. Customers may react angrily if they are dissatisfied. As a result, they often ask for their data to be deleted and no longer want to receive advertising from the dealership. Special attention must then be paid to ensuring that a request under the right to erasure (Art. 17 GDPR) is identified as such and forwarded to the responsible parties at the dealership. These must carefully examine whether the request can be complied with in full or whether, for example, invoices are still subject to a further retention obligation.

Adhere to deadlines for data subject rights

The effort involved in checking deletion requests should not be underestimated. In doing so, the company should always keep in mind the time limit set out in Art. 12 para. 3 GDPR for responding to deletion requests. A month goes by quickly, especially if employees are not sufficiently trained and do not recognize requests for data subject rights as such, or do not take them seriously at first and simply ignore them.

It is essential to train employees

For companies, it pays to train their employees on data protection. If such training is neglected, it may happen that employees ignore the rights of those affected or even treat customer data carelessly. The employees of the car dealerships have a lot to pay attention to in terms of data protection, especially in direct customer contact.

Copies of ID and salary slips

If the responsible company underestimates the importance of its employees in terms of data protection compliance, it can be costly. Copies of identity cards and salary statements and similar sensitive data are sometimes requested from customers in the context of a car purchase or a test drive, copied and then, in the worst case, openly filed in a transparent film on the sales desk in the showroom.

Various customer loyalty programs

The implementation of the GDPR in car dealerships also causes difficulties when using various customer loyalty programs. It is important that the data subjects' right to object to direct marketing under Art. 21 para. 2 GDPR is taken seriously. It is particularly problematic when car dealerships use different systems that do not communicate consistently with each other or are not properly maintained. If the dealership fails to clearly define responsibilities, advertising objections from customers may not be taken into account.


Storage of customer data in the showroom

The storage of customer data in the showroom is unfavourable. When implementing the GDPR in the dealership, those responsible should ensure that customer data is not stored there. There is a constant flow of customers in the showroom, and unauthorised persons may gain access to personal data such as purchase and lease agreements. In case of doubt, the sales staff should be provided with lockable cabinets so that documents can be quickly locked away when they have to leave their desk at short notice.


Screen lock in the showroom

The sales staff's workstations in the showrooms of the car dealership also pose a risk of fines if the workstations are not locked when the employees leave them. The staff's argument that they only went away for a short time does not hold up. You are quickly distracted from your daily work, approached by another customer, or want to fetch documents from a colleague, and within 5 seconds an unauthorised person has minutes to help themselves to data. Responsible persons should therefore pay attention to training employees. A written instruction alone is often not sufficient to adequately sensitize employees to the handling of customer data.

Data protection audit helps with self-assessment

If responsible parties are unsure about the implementation of the GDPR in the dealership, data protection audits can work wonders. They help in the detection of weaknesses. If the audit reveals that the processes that were supposedly implemented have been ignored or “adapted” by employees, you now have the chance to improve. In addition, data controllers often get the impression that it is sufficient to have trained their employees and documented everything in terms of data protection. However, especially in the end customer business, many mistakes happen in the handling of personal data in everyday work. If problems only come to light as a result of customer complaints or through the supervisory authority, there is a risk of fines. A data protection audit can therefore help in advance to identify problems, raise the general awareness of all employees and avoid fines.

Data protection in the car dealership as a quality feature

Ultimately, the dealership’s customers will also appreciate the prudent handling of their data. Data protection is increasingly seen as a quality feature. If data protection is treated too laxly, customers quickly get the impression that they are not in the right hands, not only when it comes to data protection, but also when buying a car. However, anyone who handles customer data in a data-protection-compliant and professional manner will have an easy time gaining and maintaining the trust of their customers!

Book your data protection audit now and check how well you are really positioned.



VDA-ISA for TISAX® certifications: Publication of the new version 5

On August 4th, 2020 the Association of the Automotive Industry published a new version of the Information Security Assessment for TISAX® certifications. The current version 5.0 of the VDA-ISA catalog brings with it a new structure and fundamental changes to the modules. Find out more about the changes and the validity of the new requirements in our blog article.


ISMS – simply explained Part 1: The importance of an ISMS for your company

More and more companies are striving to improve information security within their organization. To meet this challenge, organizations rely on the establishment of an information security management system, or ISMS for short. In order for such a project to be implemented successfully, various aspects must be taken into account before the introduction, and the responsible persons must be made aware of them. Find out more about the importance of an ISMS for your company in this blog article and our YouTube video.


TISAX® – simply explained: Assessment Levels

When it comes to TISAX® assessment levels, the question arises again and again which of these exist and what impact they can have on a TISAX® project. Assessment levels determine the depth of your final TISAX® audit, which is carried out by an external audit service provider. However, the type of […]

TISAX® – simply explained: assessment objectives and labels

Although there is still no general requirement for TISAX® certification, it is required by more and more automobile manufacturers. In order not to endanger the partnership, certification then becomes inevitable at the latest. Satisfying the complex requirements remains a challenge for many companies.

In our video series “TISAX® – simply explained”, we clarify the most frequently asked questions that we encounter again and again in practice. Part 2 deals with assessment objectives and labels.

TISAX® – simply explained: What you should know

Many automobile manufacturers develop their products in cooperation with supplier companies. In 2017, the Association of the Automotive Industry (VDA) developed the TISAX® assessment and exchange mechanism to ensure secure processing and a trustworthy exchange of information between these companies. With TISAX®, a certification for information security in the company has been created for automotive suppliers that is specifically aimed at the needs of the automotive industry. The implementation of a TISAX® project is a complex challenge. With TÜV-certified TISAX® consultants from aigner business solutions GmbH, however, we support you efficiently and effectively in obtaining the desired certification as quickly as possible. Find out more in our blog article and in the first video of our series “TISAX® – simply explained”.

Ransomware! How does malware get into the company?

Ransomware – A form of digital blackmail

Ransomware attacks are arguably one of the most widespread attack methods that cyber criminals use to harm companies. This form of digital blackmail aims to automatically encrypt as many company-internal files as possible and thus render them unusable for the company. The internal information can only be accessed again if the organization pays a ransom to the criminals and in return receives a decryption key for the unusable files. Encrypted files lead to production downtimes, reputational damage and financial losses for companies.

Hacker attack: do customers need to be informed?

As already reported in the media, electronics retailer Conrad fell victim to a hacker attack. This was due to an IT security gap in the company's own IT systems. It allowed strangers to access a database with almost 14 million customer records over a period of several months. The customer data records included the customers' postal addresses, e-mail addresses, fax numbers and IBAN numbers. The Bavarian State Office for Data Protection Supervision was also involved in this case.