Data Act Notice

Introduction
Ducati is fully committed to complying with the EU Data Act (Regulation EU 2023/2854), applicable by September 12, 2025, alongside the GDPR (Regulation EU 2016/679), EUDPR (Regulation EU 2018/1725), and e-Privacy Directive.

This Notice outlines how we manage data generated by our connected vehicles and related services (e.g., Ducati apps, diagnostics, navigation systems), ensuring transparency, secure user access, and robust data protection.

Following our comprehensive data mapping process, this Notice details specific data types, their purposes, and access methods, reflecting our commitment to compliance and user trust.

1. Scope of data
Our connected vehicles and services generate a variety of data, including:
• VIN Number: for vehicle identification and diagnostics.
• GNSS Coordinates: for navigation and location-based services.
• Telemetry Data (e.g., speed, lean angle): for performance tracking and user experience.
• Apps Account Details (e.g., email, login): for personalized user services.
• Navigation Licenses (e.g., Sygic, Here): for navigation system functionality.
• Diagnostic Data: fault codes and software versions for maintenance.
• Maintenance Data: service schedules and indicator resets for user and dealer use.
• EDR Crash Data: crash-related data for incident analysis, restricted due to encryption.
• Accessory Installation Data: software activation for accessories (e.g., cruise control).
• Usage Data: aggregated statistics (e.g., gear shifts) for internal analysis.
• Connection Credential: IP addresses or tokens for vehicle connectivity, non-accessible due to technical limitations.

These data, whether personal or non-personal, are subject to the Data Act as they are generated by connected products or related services. Each data type’s purpose (e.g., diagnostics, performance enhancement, user experience) and storage location (e.g., vehicle, backend, Ducati apps) have been documented to ensure transparency, in line with Art. 3(2) Data Act.

2. User access rights
As a vehicle owner or authorized user, you have the right to access the data generated by your vehicle or related services, free of charge, in a secure, structured, and machine-readable format (e.g., JSON), in accordance with Art. 3(1) and 4 of the Data Act.

Access is provided as follows:
• Direct Access via Ducati Apps: user-friendly data, such as route information, vehicle configuration, maintenance data, telemetry data, and navigator GPS track, are available in real-time through the Ducati apps, where technically feasible. The apps employ secure interfaces and technical measures to protect personal data, in compliance with the GDPR. For replicated data, access via the app is sufficient, as identical data in the backend does not require separate access.
• Access on request: for complex data not easily accessible via the app (e.g., Diagnostic Data, Accessory Installation Data, Usage Data), you can currently submit direct requests to DUCATI at privacy@ducati.com, with secure delivery in structured formats. Where technical limitations apply (e.g., EDR Crash Data, data encrypted and accessible only via specialized tools; Usage Data, available only in aggregated form; Connection Credential, non-decipherable due to technical constraints), access may be restricted, and we will transparently inform you of these constraints, in line with Art. 18 Data Act. By way of example, you will be informed if data is only available in macro, aggregated, or encrypted form and is not accessible in a readable format.

3. Data sharing with third parties
You may choose to share your vehicle data with third parties (e.g., insurers, fleet managers), subject to your explicit consent. For integrated third-party systems, DUCATI facilitates access to data stored or processed in the vehicle. For data exclusively managed by third parties, DUCATI will coordinate with providers to ensure seamless access, pending formalized agreements.

DUCATI plans to develop contractual clauses in future agreements with third parties to clarify responsibilities, potentially redirecting users to providers for exclusive data upon request. We will inform you about the process for accessing such data, ensuring transparency.

4. Public authority access
DUCATI provides data to public authorities for public interest purposes, such as emergencies, public safety, or scientific research, in line with Art. 14 and 15 Data Act.

Responses are provided promptly, within 5 working days for emergencies or 30 working days for other exceptional needs, accounting for technical, organizational, and legal constraints in accordance with Art. 18 Data Act.

Personal data is anonymized unless disclosure is necessary, with pseudonymization applied where feasible. DUCATI may refuse requests if it lacks control over the data (e.g., third-party exclusive data), if a similar request was already fulfilled, or if conditions are not met, notifying the requesting authority and identifying prior requesters.

Disputes are resolved by the competent authority.

5. Data protection and retention
Personal data is processed in strict compliance with GDPR principles (e.g., lawfulness, data minimization, accuracy, in line with Art. 5 GDPR), with retention periods determined by necessity or legal requirements (e.g., contract duration, statutory obligations). Non-personal data (e.g., navigation licenses, software versions) is retained based on business needs, offering flexibility unless specific regulations apply.

All data is secured through encrypted connections and access controls to prevent unauthorized access. Trade secrets, such as proprietary diagnostic algorithms, are protected under Art. 8 of the Data Act, with safeguards like encryption and restricted access protocols.

6. Interaction with other regulations
When processing personal data, mixed data, or electronic communications, DUCATI complies with the GDPR, EUDPR, and e-Privacy Directive. In case of normative conflicts, these regulations and their national implementations take precedence over the Data Act. However, the Data Act’s access and portability rights complement GDPR rights (e.g., access under Art. 15, portability under Art. 20 GDPR). Data processing is lawful only if based on GDPR legal grounds (Art. 6, and Art. 9 for special categories), applicable to both DUCATI and any third-party data users.

7. Transparency and Data Purposes
Our data mapping process has identified several types of data and their purposes, listed briefly in paragraph 1, including diagnostics, maintenance, performance tracking, user experience, and incident analysis. This list will be updated with any additional data types or purposes as our compliance efforts progress, ensuring transparency.

8. Your Rights and Contact
You can access your data at any time via the Ducati apps or submit a request to DUCATI at privacy@ducati.com.

To exercise your GDPR rights (e.g., access, portability, erasure, restriction) or for inquiries, complaints, or further information, contact our Data Protection Officer at privacy@ducati.com.

DUCATI is committed to transparency and will update this Notice as new data types, access methods, or third-party agreements are implemented.