Information and Policies

This Privacy Policy sets out the manner in which Great Wall Motor Netherlands Sales B.V., Bogert 31, 7th Floor, 5612 LX Eindhoven, The Netherlands (“GWM NL SALES”, “we”, “us”), processes personal data in connection with the operation of its websites, digital platforms, and online services (“Services”). GWM NL SALES acts as the data controller within the meaning of the General Data Protection Regulation (“GDPR”). Our Data Protection Officer may be contacted at info@gwm-eu.com

We process personal data only to the extent necessary for the provision, maintenance, and improvement of our Services, for the performance of contractual or precontractual measures, for compliance with statutory obligations, and for the protection of our legitimate interests. Unless expressly stated otherwise, this Policy applies exclusively to Services operated directly by GWM NL SALES.

When users access our website, certain technical information is automatically recorded by our servers. This includes the browser and device used, the operating system, the date and time of access, the referrer URL, the pages viewed, and the user’s IP address. These data are processed to ensure the secure and stable operation of the website, to detect and prevent misuse, and to maintain the integrity of our IT systems. The legal basis is Article 6(1)(f) GDPR. Log files are retained only for the period strictly necessary for these purposes and are ordinarily deleted after seven days unless longer retention is required for security investigations.

Our website uses cookies and comparable technologies governed through the OneTrust Consent Management Platform. Strictly necessary cookies are deployed without consent as they are indispensable for the functioning of the website and for the administration of user consent preferences. All other cookies—including analytics, performance, and marketing technologies—are used solely on the basis of the user’s prior consent pursuant to Article 6(1)(a) GDPR.

Where consent is granted, we use Google Analytics 4 with IP anonymisation and EUbased processing features. The data collected may include device identifiers, interaction data, and regionlevel location information. Google may process data outside the European Economic Area (“EEA”) under the European Commission’s Standard Contractual Clauses, supplemented by appropriate technical and organisational safeguards.

Users may withdraw consent at any time via the “Cookie Settings” link in the footer of our website. Withdrawal does not affect the lawfulness of processing carried out prior to such withdrawal.

Where users access map functionalities, such as dealer locators or testdrive location tools, certain technical data (including IP address, device information, and, where voluntarily enabled, geolocation data) may be transmitted to HERE Technologies. This processing is necessary to provide the requested map content and is based on Article 6(1)(f) GDPR or, in the case of optional geolocation features, Article 6(1)(a) GDPR. HERE may process data outside the EEA under appropriate safeguards.

When users contact us through online forms or by email, we process the information provided, including name, contact details, and the content of the communication. This processing is necessary to respond to the inquiry and is based on Article 6(1)(b) GDPR or, where applicable, Article 6(1)(f) GDPR. Correspondence may be retained for the duration of statutory commercial or tax retention periods, which may extend up to ten years.

If a user registers for a test drive, we process the personal data required to arrange the appointment, including name, contact details, country or postal code, and the selected vehicle model. For the purpose of fulfilling the request, we transmit the data to our authorised agents who act as independent controllers for the organisation and execution of the test drive. The legal basis for this processing and the associated data transfer is Article 6(1)(b) GDPR. Data may be retained for the duration of statutory retention obligations or for the establishment, exercise, or defence of legal claims.

Where users subscribe to newsletters or other marketing communications, we process the personal data necessary to provide such communications, including name, email address, and marketing preferences. Marketing communications are sent only on the basis of the user’s explicit consent pursuant to Article 6(1)(a) GDPR and § 7 of the German Act Against Unfair Competition (UWG). Users may withdraw consent at any time by using the unsubscribe link or by contacting the Data Protection Officer. Withdrawal does not affect the lawfulness of prior processing.

We may process pseudonymised or anonymised data derived from website usage to improve the design, functionality, and performance of our Services and to conduct customary business intelligence analyses. These analyses do not permit the identification of individual users. The legal basis is Article 6(1)(f) GDPR, reflecting our legitimate interest in enhancing our Services and ensuring efficient corporate management.

In the context of our obligations under EU automotive legislation—including the REACH Regulation (EC) No 1907/2006, typeapproval requirements, and productsafety regulations—we may process personal data where necessary to provide safety notifications, recall information, or regulatory disclosures. Such processing is carried out pursuant to Article 6(1)(c) GDPR, as required by law, or Article 6(1)(f) GDPR where necessary to ensure product safety and regulatory compliance.

Personal data are disclosed only where necessary and only to recipients who are subject to appropriate confidentiality and dataprotection obligations. These recipients may include internal departments, affiliated companies within the GWM group acting as processors, authorised dealers and agents, IT service providers, callcentre operators, and professional advisers such as lawyers or auditors. Public authorities may receive personal data where required by law. All processors are bound by Article 28 GDPR agreements.

Where personal data are transferred to recipients outside the EEA, such transfers occur exclusively under the conditions set out in Chapter V GDPR. This includes the use of Standard Contractual Clauses adopted by the European Commission, supplemented by technical and organisational measures designed to ensure an adequate level of protection. Information on these safeguards may be requested from the Data Protection Officer.

We maintain technical and organisational measures appropriate to the risk to ensure the confidentiality, integrity, and availability of personal data. These measures include encryption, access controls, secure hosting environments, regular audits, and incidentresponse procedures. Our security measures are continuously reviewed and updated in line with technological developments.

Personal data are retained only for as long as necessary for the purposes for which they were collected, or for the duration of statutory retention periods, or for the period during which legal claims may be asserted. Once the relevant retention period expires, personal data are deleted or irreversibly anonymised.

Users have the rights granted by Articles 12–22 GDPR, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection. Where processing is based on consent, users may withdraw consent at any time. Users also have the right to lodge a complaint with a supervisory authority pursuant to Article 77 GDPR. Contact details for all EU supervisory authorities are available at the website of the European Data Protection Board.

We may amend this Privacy Policy to reflect legal, technical, or organisational developments. The current version is published on our website. Where required by law, we will notify users of material changes.