1. Legal
  2. Data Privacy Policy | KINTO

Data Privacy Policy


KINTO Europe GmbH (“KINTO”)


KINTO respects your privacy. Whether you deal with KINTO as a customer, a consumer, a member of the general public, etc., you are entitled to the protection of your Personal Data. This data may relate to your name, telephone number, email address but also to other data, such as your Vehicle Identification Number (VIN), (geo-)location, etc.

In this Privacy and Data Protection Policy (“this Policy”) we describe how we collect your Personal Data and why we collect it, what we do with your Personal Data, with whom we share it, how we protect it, and the choices you can make about your Personal Data.

This Policy applies to the processing of your Personal Data in the framework of various services, tools, applications, websites, portals, (online) sales promotions, marketing actions, sponsored social media platforms, etc. that are provided or operated by us or on our behalf.

This Policy contains general rules and explanations. It is complemented with separate specific privacy notices relating to particular services, tools, applications, websites, portals, (online) sales promotions, marketing actions, sponsored social media platforms, etc. provided or operated by or on behalf of KINTO. These privacy notices will be communicated to you whenever your Personal Data is needed in the framework of the activities mentioned above (for example, via websites, portals, individual communication services, newsletters, reminders, surveys, offers, events, etc.).

This Policy applies to all your Personal Data collected by (or on behalf of) KINTO Europe GmbH, together referred to in this Policy as “KINTO”, “we”, “us” and ”our”.

If you accept the provisions of this Policy, you are agreeing to us processing your Personal Data in the ways that are set out in this Policy.

At the end of this Policy, you will find some definitions of certain key concepts used in this Policy and which are capitalised (for example, Personal Data, Processing, Data Controller…).


The entity which is responsible for the processing of your Personal Data is:

KINTO Europe GmbH (“KINTO”)
Toyota-Allee 5
50858 Köln


For general questions and concerns about data protection (e.g. request for deletion, revocation of consent), you can contact us. You can reach our data protection officer at our postal address with the addition: "To the data protection officer", as well as by e-mail: Kintoeu.gdpr@kinto-mobility.eu


We value your Personal Data entrusted to us and we are committed to processing your Personal Data in a fair, transparent and secure way. The key principles KINTO applies are as follows:

  • Lawfulness: we will only collect your Personal Data in a fair, lawful and transparent manner.
  • Data minimisation: we will limit the collection of your Personal Data to what is directly relevant and necessary for the purposes for which they have been collected.
  • Purpose limitation: we will only collect your Personal Data for specified, explicit and legitimate purposes and not process your Personal Data further in a way incompatible with those purposes.
  • Accuracy: we will keep your Personal Data accurate and up to date.
  • Data security and protection: we will implement technical and organisational measures to ensure an appropriate level of data security and protection considering, among others, the nature of your Personal Data to be protected. Such measures provide for the prevention of any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and any other unlawful form of Processing.
  • Access and rectification: we will process your Personal Data in line with your legal rights.
  • Retention limitation: we will retain your Personal Data in a manner consistent with the applicable data protection laws and regulations and no longer than is necessary for the purposes for which they have been collected.
  • Protection for international transfers: we will ensure that any of your Personal Data transferred outside the EEA is adequately protected.
  • Safeguards towards third parties: we will ensure that Personal Data access by (and transfers to) third parties are carried out in accordance with applicable law and with suitable contractual safeguards.
  • Lawfulness of direct marketing and cookies: when we send you promotional materials or place cookies on your computer, we will ensure that we do so in accordance with applicable law.


Each time you access our website or sub-page of our offer and each time a file is retrieved, access data about this process is stored in a log file on the server. Usually, this is the following information, which accumulates each time a website is accessed:

  • File name of the subpage or file accessed or the information passed in the context of entries (e.g. query parameters in the URL).
  • File name of the subpage from which the current page or file was requested
  • Date, time and duration of the request
  • Type and operating system of the web browser used

We use this information to constantly improve and update our website and thus increase its attractiveness. An identification of persons by us is not possible.

Legal basis for the processing of your data:

Art. 6 Para. 1 S. 1 lit. a GDPR allows us to process your data based on your consent for the purposes stated there.

Art. 6 Para. 1 S. 1 lit. b GDPR covers data processing that is necessary for the fulfillment of a contract as well as for pre-contractual measures, e.g. in case of requests for a KINTO offer.

Art. 6 Para. 1 S. 1 lit. c GDPR allows us to process your data on the basis of a legal obligation, e.g. retention obligations under financial and tax law.

Art. 6 Para. 1 S. 1 lit. f GDPR allows us to process your personal data if we or a third party have legitimate interests in this processing and your interests, fundamental rights or freedoms do not conflict, e.g.:

  • Analyzing the use of our websites and creating corresponding reports
  • Provision of service functions for website visitors
  • Preventing damage and/or liability to the company by taking appropriate (security-)measures
  • Assertion, exercise or defense of legal claims


It is important for us to maintain accurate and up-to-date records of your Personal Data. Please inform us of any changes to or errors in your Personal Data as soon as possible by contacting us at the Data Protection Contact Point (see section 3 “Who can you contact in case you have questions or requests?”). We will take reasonable steps to make sure that any inaccurate or outdated Personal Data is deleted or adjusted accordingly.


You have the right to access your Personal Data which we are processing and, if your Personal Data is inaccurate or incomplete, to request the rectification or erasure of your Personal Data. If you require further information in relation to your privacy rights or would like to exercise any of these rights, please contact us at the Data Protection Contact Point (see section 3 “Who can you contact in case you have questions or requests?”).


We will keep your Personal Data in a manner consistent with applicable data protection law. We will only keep your Personal Data for as long as necessary for the purposes for which we process your Personal Data or to comply with the law or. For information on how long certain Personal Data is likely to be kept before being removed from our systems and databases, please contact us at the Data Protection Contact Point (see section 3 “Who can you contact in case you have questions or requests?”).


We have a set of technical and organisational security measures in place to protect your Personal Data against unlawful or unauthorised access or use, as well as against accidental loss or damage to their integrity. They have been designed taking into account our IT infrastructure, the potential impact on your privacy and the costs involved and in accordance with current industry standards and practice.

Your Personal Data will only be processed by a third party Data Processor if that Data Processor agrees to comply with those technical and organisational data security measures.

Maintaining data security means protecting the confidentiality, integrity and availability of your Personal Data:

1.    Confidentiality: we will protect your Personal Data from unwanted disclosure to third parties.

2.    Integrity: we will protect your Personal Data from being modified by unauthorised third parties.

3.    Availability: we will ensure that authorized parties are able to access your Personal Data when needed.

Our data security procedures include: access security, backup systems, monitoring, review and maintenance, management of security incidents and continuity, etc.


We use cookies on our websites. This helps us to provide you with a better experience when you browse our website and also allows us to make improvements to our site.

When you enter the website for the first time you’ll see a cookie management tool where you have an overview of the types of cookies and can manage your consent depending on the type of cookies. Some cookies are necessary and functional and provide you a functional website, these cookies are accepted.   

For further information about our use of cookies and on how to avoid them, please consult our cookie policy, available at our cookie policy page.


Depending on the purposes for which we collect your Personal Data, we may disclose it to the following categories of recipients, which will then process your Personal Data only within the framework of these purposes:

a. Within our organisations and our brand environment:

  • Our authorised staff members;
  • Our affiliates and subsidiary companies;
  • Members of our Authorised Retailers and Authorised Repairers network which you have indicated as preferred Authorised Retailers or Authorised Repairers or which are located near you (based on your postcode, address) or which you have been in contact with;
  • Affiliates and entities part of the Toyota Group: Toyota Motor Europe,Toyota Financial Services, Toyota Insurance Management;

b. Third party business partners:

  • Advertising, marketing and promotional agencies: to help us deliver and analyse the effectiveness of our advertising campaigns and promotions;
  • Business partners: for example, trusted companies that may use your Personal Data to provide you with the services and/or the products you requested and/or that may provide you with marketing materials (provided that you have consented to receiving such marketing materials). We ask such companies to always act in compliance with applicable laws and this Policy and to pay high attention to the confidentiality of your personal information;
  • Service providers of KINTO: companies that provide services for or on behalf of KINTO, for the purposes of providing such services (for example, KINTO may share your Personal Data with external providers of IT related services);

c. Other third parties:

  • when required by law or as lawfully necessary to protect KINTO:
  • to comply with the law, requests from authorities, court orders, legal procedures, obligations related to the reporting and filing of information with authorities, etc.;
  • to verify or enforce compliance with KINTO policies and agreements; and
  • to protect the rights, property or safety of KINTO and/or its customers;
  • in connection with corporate transactions: in the context of a transfer or divestiture of all or a portion of its business, or otherwise in connection with a merger, consolidation, change in control, reorganisation or liquidation of all or part of KINTO business.

Please be aware that third party recipients listed under points b) and c) above –especially service providers who may offer products and services to you through KINTO services or applications or via their own channels – may separately collect Personal Data from you. In such case, these third parties are solely responsible for the control of such Personal Data and your dealings with them will fall under their terms and conditions.

13. Use of Google Analytics

Data collection by Google Analytics: This website uses Google Analytics, a web analytics service provided by Google, Inc ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there.

In the event that IP anonymization is activated on this website, however, your IP address will be shortened by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases the full IP address will be transmitted to a Google server in the USA and shortened there.

Google uses the information to evaluate your use of the website, to compile reports on website activities and to provide us with further services related to website and internet use. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google.

The processing of personal data by Google is based on your explicit consent, Art. 6 Para. 1 S. 1 lit. a GDPR. You grant this consent by means of the cookie management tool displayed on the website. As described above, you can also revoke your consent at any time with effect for the future. The consent also includes the possible transmission to Google in the USA.


Your Personal Data may be transferred to recipients which may be outside the EEA, and may be processed by us and these recipients outside the EEA. In connection with any transfer of your Personal Data to countries outside the EEA that do not generally offer the same level of data protection as in the EEA, KINTO will implement appropriate specific measures to ensure an adequate level of protection of your Personal Data. These measures can for instance consist in agreeing with recipients on binding contractual clauses guaranteeing such adequate level of protection.

We will always clearly inform you whenever your Personal Data would be transferred outside the EEA. This information will be provided to you through a separate privacy notice which will, for example, be included in specific services (including communication services), electronic newsletters, reminders, surveys, offers, invitations for events, etc.


We want to be as transparent as possible with you, so that you can make meaningful choices about how you want us to use your Personal Data. According to the GDPR, you have the following rights with regard to your personal data:

  • Right to information, Art. 15 GDPR
  • Right to rectification, Art. 16 GDPR
  • Right to erasure of personal data, Art. 17 GDPR
  • Right to restrict the processing, Art. 18 GDPR
  • Right to object to the processing, Art. 21 GDPR
  • Right to data portability, Art. 20 GDPR
  • Right to withdraw consent Art. 7 para. 3 S. 1 GDPR. The withdrawal of consent shall not affect the lawfulness based on consent before its withdrawal.

You also have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data.


The requirements of this Policy supplement, and do not replace, any other requirements existing under applicable data protection law. In case of contradiction between what is written in this Policy and requirements in applicable data protection law, applicable data protection law will have priority.

KINTO may amend this Policy at any point in time. Where this happens we will alert you of any changes and we will then ask you to re-read the most recent version of our Policy and to confirm your acceptance thereof. You can also check this Policy periodically on https://www.kinto-mobility.eu/eu/en/legal/data-privacy-policy to inform yourself of any changes.


In this Policy, the following terms have the following meanings:

1.    Data Controller means the organisation which determines the purposes for which, and the manner in which, your Personal Data is processed.
Unless we inform you otherwise, the Data Controller is KINTO Europe GmbH (Toyota-Allee 5, 50858 Köln, Germany). Further information may be provided to you through a separate privacy notice which will, for example, be included in specific services (including communication services), electronic newsletters, reminders, surveys, offers, invitations for events, etc.

2.    Data Processor means the person or organisation which processes your Personal Data on behalf of the Data Controller.

3.    Data Protection Contact Point means the contact point (i.e. a person appointed by Toyota in the relevant jurisdiction) where you can address to the Data Controller your questions or requests regarding this Policy and/or (the Processing of) your Personal Data and which will handle such questions and requests. Unless we inform you otherwise, the Data Protection Contact Point can be reached as described in section 3 “Who can you contact in case you have questions or requests?”).

4.    EEA means the European Economic Area (= member states of the European Union + Iceland, Norway, and Liechtenstein).

5.    Personal Data is any data relating to you directly or which allows your identification, such as, for example, your name, telephone number, email address, Vehicle Identification Number (VIN), (geo-)location, etc.

6.    Processing means the collection, accessing and all forms of use of your Personal Data.