PSA Customer process

Customer data is one of the most important assets of a dealer / AR. From the past, we within the Opel
organization are used to sharing our customer data with Opel, including via SADE, but also via other systems.
Besides the fact that this is a contractual agreement between dealer / AR and Opel, this method also has
advantages for dealers, such as handling (after-sales) marketing programs, proper functioning of myOpel and
jointly approaching certain customers. The customer data was synchronized daily and this method was
acceptable to many parties.

Many things have changed over time. The European Union has issued various data regulations, including the
GDPR. With the implementation of the GDPR at a national level, we see that the regulation for companies have
increased and the rights of customers have also increased. In addition, we see a significant increase in possible
penalties for companies if those regulations are not complied with.
In addition, the role of the importer / manufacturer in terms of customer approach has changed. The importer
/ manufacturer is appropriating an increasingly active role in the field of (online) retail and therefore also a
customer approach. This process has certainly accelerated with the entry of Opel to the PSA concern.

There is a great need to gain insight into the future retail landscape - as PSA envisions - for lead follow-up,
(online) retail and the provision of services. We see an increase in activities in the field of independent retail
from the PSA group, including by Distrigo, F2M, Spoticar, Mister Auto, Eurorepar and Autobutler. Questions
that arise here are:
- How will leads be followed up in the future. Will this process remain assured at dealers, or will PSA
take a more active role in this through the Customer Engagement Centre. What will be the role and
activities of such a CEC and for which costs and quality agreements?
- What does a joint contact plan look like. It is important that dealers maintain their independent role as
processor and that they always have access to their own customer data. The parties will have to make
a joint agreement on who, when and what communicates to a specific customer and also with what
timeframe also taking into account that specific customers are not always located in the same market
area as that dealer.
- Dealers are asked to share data with the PSA concern. To what extent will PSA share this dealer data
with other brands, but also with other group entities?
- What does the future IT network structure of the PSA organization with its dealers / AR look like and
what agreements will be made about this. Which documentation is available and which interfaces are
provided. This will also require inspection of the costs of various systems.
- What are the rules in case of contractual withdraw in protection to the dealers asset (customer data)

Next to these fundamental questions we would like to focus on the dealer / AR agreement articles and
appendices and highlight different GDPR issues and different Customer first issues. We have divided both
topics in no go items and items that address our concerns or questions to be solved. In the finale part we would
like to address some end of contract issues.

GDPR

A. No go items
1. The missing distinction between prospect and customer data is a must. The purposes of customer
date need to be different form the purposes of a prospect;
2. Dealers must be assured of keeping their full right of Processing Data at and the full access to the
Personal Data of their own customers and prospects at all times.
3. GDPR regulates customer data and allows controllers to ensure good protection and good
management of this data. The PSA data disclosure acts in full contrast with GDPR, in the way that
 dealers have no full access to his own data, his data is shared with other parties and the dealer
can get (his own) data back under strict conditions.
4. A dealer that provides specific customer data (his own customer) needs to have the highest
hierarchy.
5. The mentioned cases of joint controllership are limited to one. We believe, that because of the
width of the shared data and multiple purposes, the specific GDPR regulation asks anyhow for a
joint ownership.
6. The content of the dealer agreement in art. 10.7.x.x / 11,7.x.x. gives a broader range of data
sharing in comparing to the Charta. In the contractual articles, we should make reference to a
Privacy Agreement.
7. in point 3.2 where it is provided the possibility for the Parent company to modify Appendices 1,2,3
it would be useful to insert the provision "following the joint agreement between the Parties"

B. Concerns and questions to be solved

1. Violation of the obligation to minimize data. How can we make efforts to minimize data as much
as possible
2. The intervention of PSA Holding when the operators of each Brand only contract with their Brand
and local NSC. Is this PSA role possible in the total contract structure?
3. The extension to Affiliates, including "any existing or future national or foreign company". What
safeguards have dealers that their customer data is not shared with unauthorized parties
4. The transfer of customer data by dealers to entities of the Peugeot Group as to any other
Dealer/Repairer must be supervised in compliance with the obligations imposed in this regard by
the GDPR
5. The purposes mentioned in the new dealer contract article do not mention which specific
customer data is/has to be/can shared with that purpose. Looking at the obligation to minimize
data this is a strong recommendation.
6. The dealer can make use of more legal basis (f.e. consent) than PSA and the dealer has less
interest in the consent purpose. What means have been taken to grant the dealer still can use
other purposes when the customer withdrawals his consent?
7. The general framework is that all data will be gathered within one sole referential. And data is
collected form several databases used by the Brand and its Network notably central Databases,
local NVD and AR Databases, digital Data and external files. Data disclosure agreements have to
include an impact all databases instead of the sole referential (Customer 1st). Also all different
databases have to be clear for all parties, (also for IT protection measurements taken per
database).
8. According to the Austrian Data Protection Act, the other, new dealer/AR may only use the data if
they have a new data protection declaration signed by the customer for their business
9. What is not clear to us in terms of content is that if a PCD dealer/AR wants to query this Opel data
10. It would have to be clarified whether the new dealer/repairer can look up the customer’s name in
a database without this already violating the data protection law
11. There is no reference to the multiple IT systems and platforms, besides the necessity to define
them, it might be necessary to nominate dealers as an external operator.

C1st Process

A. No go items
1. The interface with C1st has to be bi-directional, real time and include contact history, purposes
and legal basis (consent, contract, legal obligations, vital interests of the data subject, public
interest and legitimate interest)
2. Many IT systems, platforms and other tools seem to coexist and are part of the C1 process and it
is necessary to have all the legal and technical information for each of them before any data
agreement can be made.
 3. Dealers / AR have to be able to work on their own systems and according to their own processes

B. Concerns and questions to be solved

1. What is the UCR process and how will this be implemented and how does this impact dealer
systems (f.e. external customer mailing program). Especially external dealer systems can be very
complex to automate (f.e. the obligation to register and share contact date and timing per UCR).
2. Will Eurorepar outlets also work with Customer 1st in the future?
3. What is the status of the Ic@n project in each country?
4. There is no clear distinction between PSA data and dealer data, for instance the non PSA brand
sales or aftersales activities of dealers and the holding companies that work with one database
and with more brands. Larger Dealer groups with multiple brands and outlets need to have the
possibility to Direct mail a for example KARL customer with a mailing of another own Group brand
(not PSA). Or an Opel dealer that sells an used Peugeot vehicle.
5. What is the impact of customers being transferred to other dealers on the retention scores and
CSI scores?
6. What is the process when a customer issues one of his GDPR rights (synchronisation and
cancellation of consents).

End of contract issues

Further more we need to include regulation in case a dealer leaves the network. In case of contractual
interruption:
• As the Information Sheet is in the hand of the Dealer
• Where PSA does NOT have autonomous signed information sheet and opt ins, the data must be
erased
• Where an other dealers agrees to buy the customer data, this must be available to be transferred
• Each party needs to keep its customer data files and processing at the end of the contract, regardless
of the reason for the termination of the contractual relationship
• PSA will not resell or make available free of charge the data in its possession to a candidate for the
purchase of a PSA network business before the actual conclusion of the sale of the business