Advanced driver assistance system Privacy Policy V0.2

Models
About GWM

GWM Introduction
News
GWM Technology

R&D
Smart Factory
Service

Warranty & Service
Genuine Parts
Cooperation

Dealership
Fleet
Career
Models
Models
About GWM
About GWM

GWM Introduction
News
GWM Technology
GWM Technology

R&D
Smart Factory
Service
Service

Warranty & Service
Genuine Parts
Cooperation
Cooperation

Dealership
Fleet
Career

Advanced Driver Assistance System Privacy Policy

Last updated date: May 7th, 2026

1. Introduction

1.1 This Privacy Policy explains how (i) personal data is processed during endurance run tests of pre-production vehicles through front-view integrated devices such as Advanced driver assistance system “ADAS”), and (ii) how Great Wall Motor Netherlands Sales B.V., together with its affiliates and parent companies (hereinafter referred to as “we”, “us” or “GWM”), collects, uses, discloses, transfers, stores and protects personal data, when we need to conduct data collection as well as the corresponding rights you have in relation to the processing of personal data.

Personal data refers to any data relating to an identified or identifiable natural person.

1.2 This Privacy Policy does not apply to vehicle dealers, which are independent third parties. and is solely intended to inform the public about road testing activities of pre-production vehicle models.

2. Who can you contact in regards to the Privacy Policy?

2.1 Controller of Personal Data
The data controller for the processing of your personal data in accordance with this Privacy Policy is:
Great Wall Motor Netherlands Sales B.V.
Bogert 31, 7de etage
5612 LX Eindhoven
E-Mail: info@gwm-eu.com
Customer Call Center: +31407988144

2.2 Data Protection Officer
If you have questions regarding the collection, use, disclosure, transfer or processing of your personal data, or wish to exercise your rights, please contact our data protection officer using the details below.

Email:dataprotection@gwm-eu.com
Address: Bogert 31, 7de etage, 5612 LX Eindhoven, the Netherlands.
Great Wall Motor Netherlands Sales B.V.

For UK users, our Representative for the purposes of UK data protection law is:
TMF Global Services (UK) Limited
Attn: MIND Business and Technology GmbH
8th Floor, 20 Farringdon Street
London EC4A 4AB
Email:dataprotection@gwm-eu.com

3. How is your personal data being collected and processed. for which purposes?

3.1 Vehicles launched in Europe must comply with local regulations and ensure that ADAS performance is adapted to local driving habits. During road tests and data collection, personal information such as pedestrians' faces and license plates may be unintentionally obtained, primarily from two types of data collection activities.

1.Regulatory certification data collection requirements
1.1 ISA Due Diligence
After intelligent speed limit sign assist [ISA] certification is obtained, it is necessary to conduct 2,000 km of road testing in 3–5 EU countries, covering highways, urban roads, and rural roads (each ≥25%), with nighttime driving ≥15%. The testing period is approximately 3 weeks.
1.2 ENCAP2026 Field Operational Data (FOT) Collection
To apply for a five-star rating, FOT data slices must be collected under harsh conditions such as rain, snow, fog, strong glare, and nighttime to verify the system’s stable perception capabilities for multiple target types. The collection period is approximately 1.5 months.
1.3 ENCAP 2026 EU-15 SLIF Open-Road Data Collection
Similar to the FOT data slices requirements, SLIF road tests must be conducted in more than half of the EU countries to verify compliance with speed limit recognition KPIs. The data is managed by the official ENCAP laboratory, with a testing period of approximately 1.5 months.

2. Data collection requirements for the issue analysis
2.1 Access Regulation
For our company's ISA certification application, it is necessary to evaluate the proportion of correctly identified explicit and implicit speed limit signs. The IFC must be jointly calibrated with the map, and data should be collected using Bosch equipment (recommended cycle: 2 weeks) to identify issues
2.2 Performance optimization of ADAS
To optimize the performance of ADAS in Europe, the focus should be on addressing: ① False positive (Adaptive Cruise Control [ACC] misjudging targets, ISA misidentifying signs, Integrated Cruise Control [ICC] misjudging lane lines, Autonomous emergency brake [AEB] mistakenly triggered by manhole covers or preceding vehicles); ② Adaptation to special European scenarios (recommended cycle: 3 weeks).
2.3 Data Collection of pre-tests about ENCAP 2026
To ensure a five-star rating, pre-testing will be conducted by an official EU laboratory. If actual test results do not meet expectations, IFC data will be collected using Bosch equipment (recommended cycle: 2 months) to expose and resolve issues in advance.

The above listed matters serve the optimization of our ADAS. The data controller is Great Wall Company and data protection is essential.

3.2 During our test vehicle's operation on public roads in the European Union, raw data (including raw video data and internal data) was collected through equipment provided by suppliers. This initiative aims to enhance the ADAS’s performance of European models, optimize the handling of edge scenarios, and ensure compliance with regulatory certifications and ENCAP ratings.
The raw video data captures the road environment, traffic signs, and conditions, which are used for issue analysis and certification. This may include personal data such as pedestrians' faces and license plates. Internal data includes vehicle speed, steering angle, accelerator/brake status, and signals from the intelligent driving module, without location or sensitive information, and is used to identify the root causes of ADAS issues.
All data is solely for internal analysis and compliance purposes and is not shared externally. GWM has commissioned Bosch to split the raw video data into video and internal data. The video data is transmitted to the China Automotive Engineering Research Institute (CAERI) Frankfurt Amazon server, where anonymization tools are used to process information, such as faces and license plates, targeting a 100% anonymization rate to ensure no personal data remains during the debugging process.


3.3 Since the Vehicle-end testing equipment is an offline lower-level machine, the Bosch data extraction tool cannot be deployed. Additionally, due to copyright restrictions, CAERI’s anonymization tool cannot be installed on the industrial computer or Bosch supporting equipment, resulting in the inability to smoothly perform data extraction and anonymization on the vehicle side. To ensure data compliance, we have established the following processing workflow:

1. Problem data processing workflow
In-vehicle Recording: Bosch uses Vehicle-end testing equipment (password-protected login) to record raw data in MF4 format, which is stored on an encrypted hidden drive accessible only to project staff. After copying the data to an encrypted portable hard drive, the raw data on the computer and the hard drive is immediately deleted. Employees’ computers are encrypted with BitLocker, and access permissions are strictly controlled.
Data Extraction: After road testing, employees extract raw data into AVI videos and internal data on their computers. Encrypted videos are uploaded to AWS Frankfurt Cloud via the CAERI’s compliance cloud account, with keys sent separately (via email/phone). Large files can be transmitted via password-protected lockboxes, with passwords shared simultaneously. After upload confirmation, local video data is immediately deleted.
Data Anonymization: CAERI uses cloud-based tools to anonymize the videos, with manual quality checks ensuring a 100% anonymization rate.
Analysis and Usage: After quality checks, anonymized data can be downloaded by Bosch to employees’ computers within the EU for temporary storage. CAERI deletes all raw and desensitized video data from the cloud immediately after confirming usability (typically retained for one week). Cross-border transmission of desensitized video data is prohibited. Analysis methods include:
① Combining internal data for analysis within the EU;
② Using only internal data for analysis outside the EU.
Upon project mass production (within one month after SOP), all desensitized video data and internal data temporarily stored on Bosch employee computers must be completely deleted.

2. Processing workflow for regulatory certification requirements data
2.1 ENCAP2026 FOT Data
In-vehicle Recording: Bosch uses a Vehicle-end testing equipment to record raw data in MF4 format, storing it on an encrypted hidden drive accessible only to project staff. The data is copied to an encrypted portable hard drive and sent to Bosch Germany via mail or courier, with passwords transmitted separately.
Extraction and selection: Upon data arrival, the raw data is immediately deleted. The German team temporarily stores it on an internal server with restricted access. After extracting un-desensitized FOT slices, they are sent to the UTAC laboratory via encrypted hard drives or cloud storage. Once transmission is confirmed, all data is deleted.
Data Anonymization: UTAC anonymizes the FOT slices, and the desensitized data slices are delivered to the official ENCAP agency. UTAC does not retain any copies.
2.2 EU-15 SLIF road test on public Road of ENCAP 2026
As the data controller, UTAC only collects scenario markers such as road signs, speed limits, road segment types, day/night conditions, and country/region information. It does not collect personal information beyond faces, license plates, or locations. Driver biometrics, passenger data, and in-vehicle privacy data are prohibited. Vehicles are labeled with privacy notices.
2.3 ISA Due Diligence
GWM engineers use CAERI ‘s tools to complete a 2,000 km road test in five EU countries. Video data is uploaded to CATARC’s AWS cloud platform in Frankfurt after completion. CAERI anonymizes the data, generates reports combined with KPIs, and deletes all cloud data after GWM’s acceptance. The entire process takes approximately one month.

4. What areas are involved in the collection and processing of personal data? What categories of personal data are being processed What are the types and frequencies of the data collection? and what are the relevant legal bases for processing?

4.1 Involved countries
According to ENCAP’s requirements, Austria, France, Germany, Italy, Luxembourg, the Netherlands, Spain, Sweden, the United Kingdom, and Norway are mandatory countries. The remaining five countries are preliminarily selected as Poland, the Czech Republic, Slovenia, Croatia, Belgium, and Denmark.

4.2 Personal Information Collection Categories
The IFC has a pixel resolution of 230MP and a frame rate of 30fps. The raw data is recorded through a project staff trigger method, allowing the flexibility to define the data recording length by specifying the number of seconds before and after the trigger moment. The data format is MDF 4, which can only be opened using Bosch's proprietary toolchain. The raw video extracted from the raw data is in AVI format, with a file size of approximately 210MB per minute.
Typically, video captured by the camera may include pedestrians, cyclists, vehicles, traffic signs, road signs, etc. When a target is within 10 meters of the camera's field of view, relatively clear personal faces or license plates may be identified. To meet ENCAP requirements, some vehicle models are equipped with corner radars, but these are generally only used for detecting moving objects and cannot directly identify personal information.

4.3 Frequency of Personal Information Collection
In compliance with GDPR requirements, the collection of all personal information must adhere to the principles of "purpose limitation," "data minimization," and "transparency." We commit to collecting raw data only when necessary for analyzing issues related to ADAS, and we strive to collect as little data as possible while ensuring the completion of issue analysis and compliance with regulatory road-testing objectives.
Once raw data collection is completed, we ensure that data extraction is carried out on the same day, with timely anonymization and no unnecessary delays. We will use the aforementioned data processing workflow to protect your personal data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. During this process, you have the right to:
① Request access and obtain a copy of your personal data that we process (if the data is within the valid retention period);
② Request correction of inaccurate personal data or deletion of your personal information;
③ Stop or object to the processing of your personal data;
④ File a complaint with the applicable regulatory authority.

4.4 Legal Basis
Legitimate interests (Art. 6(1)(f) GDPR) in quality control, warranty management, and customer support; Performance of our contract with you (Art. 6(1)(b) GDPR) for maintenance services; Compliance with legal obligations (Art. 6(1)(c) GDPR) (e.g., safety regulations).
Furthermore, we will take reasonable and appropriate measures to protect your personal data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. During this time, you have the right to:

5. Are their prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area?

GWM has established a comprehensive data security management system, covering access control, encryption measures, and regular security assessments to ensure that data processing is lawful, secure, and controllable.
Its anonymization and standardization operations for ADAS road testing data are industry norms, commonly employing technologies such as local processing, encrypted transmission, access authentication, and log auditing.
The technological trends focus on data minimization, cross-border control, and strengthening user control rights. GWM’s technological roadmap aligns with global developments.

6. What are the benefits of the processing – for us, and more broadly? and how do we share your personal data and how do we protect your personal data?

6.1 Personal data is disclosed externally to the GWM only when necessary, including to suppliers providing ADAS development and road-testing services, as well as regulatory certification bodies, and only to partners who have contractually committed to complying with data protection and confidentiality obligations.
The data is used to enhance the intelligence, safety, and reliability of ADAS, specifically including:
(a) Optimizing functions such as LKA, ACC, and ICC through localized debugging to improve driving safety.
(b) Enhancing IFC's perception capabilities for traffic signs, pedestrians, non-motorized vehicles, and obstacles to reduce accident risks.
(c) Meeting mandatory regulatory requirements such as EU ECE and GSR.

6.2 The overall impact of data processing on individuals is positive: it will significantly improve driving safety, reduce the risk of collision and lane departure, and provide a more convenient and assisted-driving experience.
For us: Ensuring compliant and secure data processing is a prerequisite for achieving excellent performance in driver assistance functions, meeting EU access regulations, enhancing product safety and brand credibility, and reducing accident risks.
For drivers and passengers: Enjoy a safer, smarter, and more comfortable assisted-driving experience firsthand, significantly reducing the likelihood of traffic accidents while enhancing travel efficiency and peace of mind.
For road users: ADAS can reduce collisions and rear-end accidents caused by human error, lower traffic risks, and enhance overall road safety, which aligns with the purpose of driving assistance system.

6.3 The GWM will use the collected data strictly in accordance with the requirements and workflows specified in the privacy statement and will prohibit any unauthorized use beyond the scope. We have established a data-use approval process that requires joint review by the DPO, supplier and the product team. Furthermore, it conducts regular compliance audits identify and remediate potential compliance risks.
We will provide the following information to the public simply and clearly through the privacy label on the car:
(a) Identity of the data controller; contact details of the DPO.
(b) Purpose of data processing, legal basis, categories of data, and retention period.
(c) Identity of the data processor, third parties, and cross-border transfer details.
(d) Data subject rights enjoyed by users and the methods for exercising such rights.
At the same time, we will sign the same DPA with all data processors (technology suppliers, anonymization suppliers, regulatory authorities etc.): clarify the scope of data collection, the data processing workflow, confidentiality obligations, as well as the responsibilities for cooperating with regulatory inspections.

7. Your rights

7.1 We will take reasonable and appropriate measures to protect your personal data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. During this time, you have the right to
(A) the right to obtain information about the processing of your personal data and to access the personal data that we hold about you (Art. 15 GDPR);
(B) the right to request rectification of inaccurate or incomplete personal data (Art. 16 GDPR);
(C) the right to request erasure of your personal data in certain circumstances (Art. 17 GDPR).;
(E) the right to object to the processing of your personal data in certain circumstances (Art. 21 GDPR). You may object at any time, on grounds relating to your particular situation, to the processing of personal data based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions. We will then cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is required for the establishment, exercise or defence of legal claims. You may object at any time to the processing of personal data for direct marketing purposes, including related profiling, and we will no longer process your data for such purposes;
(F) the right to request restriction of processing in certain circumstances (Art. 18 GDPR);
(G) the right to lodge a complaint with a competent supervisory authority if you believe that your rights have been infringed (Art. 77 GDPR).

7.2 We will respond to your request within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of your request, together with the reasons for the delay. Where we do not take action on your request, we will inform you without delay and at the latest within one month of receipt of the reasons for not taking action and of your right to lodge a complaint with a supervisory authority.

7.3 Contact Details of Supervisory Authorities
If you have concerns about our processing of your personal data, you have the right to lodge a complaint with the relevant supervisory authority:
European Union & EEA (including Iceland): Contact details for all EU and EEA supervisory authorities are available at: https://edpb.europa.eu/about-edpb/board/members_en
United Kingdom: The supervisory authority is the Information Commissioner's Office (ICO): https://ico.org.uk
Israel: You may contact the Privacy Protection Authority (PPA) at: https://www.gov.il/en/departments/the_privacy_protection_authority/govil-landing-page
Turkey: You may contact the Personal Data Protection Authority (KiVKK - Kişisel Verileri Koruma Kurumu) at: https://www.kvkk.gov.tr/en/

8. Protection of minors' personal data

The data collection requirements for GWM’s ADAS are not designed with children in mind. The system does not actively collect information that could identify a child, nor does it separately tag, analyze, or process such data for children’s use. There are no specific risk scenarios targeting vulnerable groups. Furthermore, the system makes every effort to avoid capturing video segments where children are the primary subjects; if such footage is inadvertently recorded, it will be deleted immediately after necessary debugging is completed—much shorter than the standard retention period. If you believe that we have collected such data without appropriate consent or otherwise unlawfully, please contact us using the details provided in the “Contact us” section and we will take appropriate steps to delete the data.

9. Changes and notifications

This Privacy Policy is effective as of April 24th, 2026.
We may update this Privacy Policy from time to time due to product developments, service changes or legal and regulatory requirements.
The most current version of this Privacy Policy can always be accessed our website.

×

GWM Europe Website

EU Site

English

Spain Site

Spanish

Italy Site

Italian
Top