FCA US DATA PRIVACY FRAMEWORK STATEMENT ("DPF Policy")
(EU-US Data Privacy Framework, UK Extension to the EU-US Data Privacy Framework, and Swiss-US Data Privacy Framework)
FCA US LLC (“FCA US,” “we” or “us”) participates in and has certified its adherence to the EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-US DPF (“UK Extension”), and the Swiss-US Data Privacy Framework (“Swiss-US DPF”), administered by the US Department of Commerce. A list of participating companies is available here. As set forth in this FCA US Data Privacy Framework Statement (the “DPF Policy”), FCA US will comply with the respective Principles of the EU-US DPF, the UK Extension and the Swiss-US DPF (collectively, the “Data Privacy Framework”). The US Federal Trade Commission has jurisdiction over FCA US’s compliance with the EU-US DPF, the UK Extension and the Swiss-US DPF (collectively, our “DPF Certification”).
As used in this DPF Policy, the following capitalized terms apply:
- “EU Personal Information” means personal information that FCA US receives from the EU in reliance on the EU-US DPF.
- “Swiss Personal Information” means personal information that FCA US receives from Switzerland in reliance on the Swiss-EU Framework.
- “UK Personal Information” means personal information that FCA US receives from the UK or Gibraltar (collectively, the “UK” herein) in reliance on the EU-US DPF and UK Extension.
- “Principles” means (as applicable) the Principles, including the Supplemental Principles and Annex 1 of the Principles, of the EU-US DPF with respect to the EU Personal Information, the EU-US DPF and UK Extension with respect to the UK Personal Information, and the Swiss-US DPF with respect to Swiss Personal Information.
- “Sensitive Information” means personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sex life of an individual that FCA US receives from the EU, UK or Switzerland in reliance on its DPF Certification.
- “Stellantis Affiliate” means a Stellantis Group company from or on behalf of which FCA US receives personal information in reliance on the Data Privacy Framework.
- “Stellantis Group” refers to the Stellantis group of companies, including FCA US and the Stellantis Affiliates and other Stellantis group entities located in the EU and the UK.
- “Agent” means an agent or processor of FCA US that receives and processes personal information in order to perform task(s) on behalf of and under the instructions of FCA US.
FCA will apply the relevant Principles to the EU Personal Information, Swiss Personal Information, and UK Personal Information received by FCA US in reliance on the EU-US DPF, Swiss-US DPF and UK Extension, respectively. If there is any conflict between this DPF Policy and the Principles, the relevant Principles shall govern.
COLLECTION AND USE OF PERSONAL INFORMATION. FCA US is a member of the Stellantis Group and may receive and process EU Personal Information, Swiss Personal Information and UK Personal Information from and on behalf of other Stellantis Group entities, including personal information about current and former employees, personnel and applicants (“HR Data”), as well as current, former and prospective customers, vendors, suppliers and business partners (“Other Data”), of Stellantis Group companies. In many cases, FCA US receives this personal information as a processor to other Stellantis Affiliates, in which case it only processes such personal information on behalf of the relevant Stellantis Affiliates and in accordance with their instructions.
HR Data. FCA US may receive HR Data, from and on behalf of Stellantis Affiliates, including personal information about current and former employees, applicants, temporary workers, contract workers, and site personnel of Stellantis Affiliates in the EU and the UK. In general, FCA US processes HR Data as a processor, on behalf of other Stellantis Affiliates who are the controllers. Generally, the HR Data received by FCA US includes: name and contact details; family and beneficiary details; user IDs and employee numbers; education and training details; title, role, business unit, cost center, supervisor, hire and termination dates, and other employment details; and network logs and other IT administration-related data. FCA US collects and uses HR Data for internal business and operational purposes, including accessing and maintaining global corporate directories, managing and administering access to certain Stellantis Group systems and IT resources, and supporting HR operations, as well as facilitating business reorganizations and restructuring, and for security, audit, reporting, compliance and corporate governance purposes.
Other Data. FCA US may receive personal information of current and former customers, vendors, suppliers, business partners and others in connection with the business operations of, and the manufacture, distribution and sale of automobiles and related goods and services by, Stellantis Group companies in the EU, UK and Switzerland. This generally includes name, contact information, VIN and vehicle data, telematics data, warranty, recall and purchase data, and registration data. FCA US may process this data for: warranty, recall and safety purposes; analytics, research and development; customer support; to facilitate business reorganizations and restructuring; and for security, audit, reporting, compliance and corporate governance purposes.
Notwithstanding the purposes described above, we will not use Sensitive Information for purposes materially different than those for which the information was originally collected or subsequently authorized, unless we obtain prior, opt-in consent from individuals, unless the use: (1) relates to sensitive information that has been manifestly made public by the individual; (2) is in the vital interests of the individual or another person; (3) is necessary for the establishment of legal claims or defenses; (4) is required to provide medical care or diagnosis; or (5) is necessary to carry out our employment law obligations.
DISCLOSURES AND ONWARD TRANSFERS. The personal information that we receive may be disclosed to and processed by our third-party service providers (e.g., processors and Agents) that process the personal information on our behalf and in order to provide services to us, such as analytics services, data storage and hosting, cloud-based services, security, fraud prevention and systems monitoring and other business and technical operations and support. We may also disclose personal information where we believe it is necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, to protect the rights of us and others, and to respond to claims asserted against us. FCA US remains responsible and liable under the Principles for any onward transfers of your personal information to third parties.
Notwithstanding the purposes described above, we will not disclose Sensitive Information to third parties (other than our Agents), unless we obtain prior, opt-in consent from individuals, unless the disclosure: (1) relates to Sensitive Information that has been manifestly made public by the individual; (2) is in the vital interests of the individual or another person; (3) is necessary for the establishment of legal claims or defenses; (4) is required to provide medical care or diagnosis; or (5) is necessary to carry out our employment law obligations.
Compelled Disclosures. In addition to the disclosures described above, we may be required to disclose personal information in response to lawful requests by courts and other public authorities, including to meet national security or law enforcement requirements.
YOUR RIGHTS. Pursuant to the Data Privacy Framework, EU, UK, and Swiss individuals have the right to access their personal information that we collect pursuant to our DPF Certification, and to request to limit our disclosure of such personal information to third parties (other than our Agents), or our use of such personal information for a purpose that is materially different from those for which the personal information was originally collected or subsequently authorized by the individual. FCA US is committed to respecting these rights. EU, UK, and Swiss individuals can submit a request to access their personal information that we receive and process, or to limit our use or disclosure of such personal information by emailing us at dprivacy@stellantis.com. If your request relates to personal information that we have received as a processor, we will notify the relevant Stellantis Affiliate and work with them as necessary to respond to your request.
INQUIRIES AND COMPLAINTS. If you have any inquiries or complaints about our compliance with the Principles or our handling of personal information that we have received in reliance on the Data Privacy Framework, please direct your inquiry or complaint to dprivacy@stellantis.com. We are committed to working with individuals to resolve complaints and will respond to complaints submitted within 45 days. If we are unable to satisfactorily resolve your complaint directly, you may contact (free of charge) the relevant data protection authority to submit a complaint, using the links below:
- EU Data Protection Authorities (DPAs)
- Swiss Federal Data Protection and Information Commissioner (FDPIC)
- UK Information Commissioner’s Office (ICO)
- Gibraltar Regulatory Authority
For more information about submitting a complaint under the Data Privacy Framework, go here.
If your complaint cannot be resolved through the above means, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. For more information on this option, please see Annex I of the EU-U.S. DPF Principles.