185 BMW Group Report 2024 To Our Stakeholders Combined Management Report Group Financial Statements Responsibility Statement and Auditor’s Report Remuneration Report Other Information Sustainability Statement Structured approach to minimizing risks when processing customer data Protecting vehicle data The BMW Group is responsible for protecting any vehicle data transmitted. This includes the secure transmission and pro- cessing of such data by BMW Group contractors. BMW Group automobiles use internet connections or private networks to con- nect to the ConnectedDrive backend or third-party services. A special gateway controls access to the internet in accordance with the extended vehicle approach, which is based on the ISO 20078 standard. This approach ensures compliance with data protection and data security requirements at a high level, while also fulfilling legal cybersecurity requirements, such as the UN R155 regulation. As part of the CarData service offering, customers purchasing BMW, MINI and Rolls-Royce automobiles are provided with full transparency and control over how their data is shared with third parties. CarData meets the requirements of the EU General Data Protection Regulation (EU GDPR) with regard to the right to ac- cess information and data portability, while also providing a basis for meeting the requirements of the Data Act in 2025. The roll- out of this service in Europe in 2017 and in the USA in 2020 is testament to the BMW Group’s commitment to complying with country-specific data protection regulations. The California Con- sumer Privacy Act (CCPA) that applies in the USA is another ex- ample of this. Health and safety Product quality and product safety standards All BMW Group products and services are required to meet the highest standards in terms of quality and safety, People’s safety has top priority, right from the vehicle development stage. The Corporate Strategy unit bears overall strategic responsibility for product quality. Responsibility for the vehicle safety strategy lies with the development for the entire vehicle. The relevant depart- ments are responsible for implementing the measures. Data transparency is created by collecting metadata for every IT application on a central platform. Monetary risk values are calculated automatically. The responsibilities for the respective applications are defined within the CDD network. The implementation of the measures is continuously measured and re- ported internally. Measures such as increasing IT security, decommissioning systems or adapting interfaces are carried out. Risk minimization in the processing of customer data in IT applications