Legal
Data Protection Notice
Definitions
"Confidential Information" means the confidential, proprietary, and trade secret information of the disclosing party to be disclosed by the disclosing party under this Agreement, and comprises:
a) information in tangible form that: (1) bears a Confidentiality Legend (“confidential”, “proprietary,” “secret,” or similar legend); or (2) does not bear any Confidentiality Legend, if the receiving party knew, or reasonably should have known under the circumstances, that the information was confidential and had been communicated to it in confidence; and
b) discussions about that information that may occur before, at the same time, or after disclosure of the information.
“Data Controller" means the natural or legal person, organization, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
“Data Incident” means any or all the following: (i) accidental or unlawful destruction of Personal Data; (ii) accidental loss, alteration, unauthorized disclosure collection, use, copying, modification, disposal, or access of Personal Data or similar risks, in particular where the Processing involves transmission of Personal Data over a network; and (iii) all other unlawful forms of Processing.
“Data Subject” means an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his physical, physiological, genetic, mental, economic, cultural or social identity, or any natural person to which Personal Data relates under applicable data protection laws.
“Personal Information” or “Personal Data” means the personally identifiable information or personal data or any other information regulated as personal data or personal information under the applicable data protection laws relating to a Data Subject and Processed by Mobileye or any Mobileye Sub-processors for the purpose of providing the Services.
“Process/Processing” means any operation or set of operations which is performed upon Personal Data, whether by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, blocking, erasure or destruction.
“Standard Contractual Clauses” mean the 2021 standard contractual clauses for the transfer of Personal Data from a Data Controller in the European Economic Area to Data Controllers established in third countries under the EU General Data Protection Regulation 2016/679 (the "GDPR") as amended, replaced or superseded, or any alternative or successor Decision that approves new standard contractual clauses for transfers to Data Controllers in third countries, as amended by incorporating the description of the Personal Data to be transferred. The standard contractual clauses are available on the European Commission's website at the following link: Standard Contractual Clauses.
Data Controllers
Processing of Personal Data in connection with vehicle operations, including test drives, validation activities, and operations on public roads, is primarily conducted by Project 3 Mobility d.o.o., Ilica 31, 10000 Zagreb, Croatia (P3M), acting as a Data Controller for processing operations under its responsibility.
In specific cases, Mobileye Vision Technologies Ltd., 13 Hartom St., P.O.B. 45157, Jerusalem, 9777513 Israel (Mobileye), acts as an independent Data Controller, bound by Data Sharing Agreement which formalizes nature of this collaboration.
Project 3 Mobility may also rely on external service providers and technology partners acting as Data Processors on its behalf. Such processors are bound by Data Processing Agreements and required to implement appropriate technical and organizational measures to ensure the protection of Personal Data in accordance with the applicable data protection directives.
Data Collection & Processing
Personal Data may be collected in driving scenarios, serving distinct purposes.
a) When vehicles are operated by P3M for testing, validation, or public service operations, Personal Data may be collected using systems or sensors integrated in the vehicle or additional devices such as dash cameras. In these cases, P3M acts as the only Data Controller, relying external service providers and technology partners acting as Data Processors on its behalf.
b) When vehicles are operated by P3M with the Mobileye System integrated, data collected during test drives may be transferred to Mobileye, which acts as an independent Data Controller.
Purposes for Data Processing
Personal Data may be processed for different purposes depending on the nature of driving activity and the systems involved.
a) Personal Data collected and processed by Project 3 Mobility during vehicle operation, whether for testing, validation, or service activities, may be processed for ensuring safety, regulatory compliance, operational efficiency, fleet monitoring, or incident analysis.
b) Personal Data collected and processed through vehicles equipped with the Mobileye System may be processed by Mobileye, acting as an independent Data Controller, for the purpose of improving, developing, and validating the Mobileye Drive™ self-driving system and its related perception and safety technologies.
Project 3 Mobility may process Personal Data to ensure the safety, security and efficiency operation of automated driving services and may rely on authorized Data Processors for supporting these technical and operational functions under strict contractual safeguards.
Legal Basis for Processing
The processing of Personal Data by Project 3 Mobility and Mobileye is based on Article 6(1)(f) of the General Data Protection Regulation, which permits processing necessary for the legitimate interests pursued by the Data Controller or a third party, except where such interests are overridden by the rights and freedoms of the data subject.
Where processing is carried out by Project 3 Mobility’s appointed processors, it is done strictly on behalf of Project 3 Mobility and under its lawful basis for processing.
Data Categories & Data Subjects
Data creation includes raw footage captured by vehicle’s external cameras, which may capture biometric and textual Personal Data. Examples of Personal Data are human faces, and license plate numbers.
Data Subjects may include individuals incidentally captured by the vehicle's external cameras, pedestrians, and other road users using public roads.
Individuals may also incidentally include employees of P3M, Mobileye and/or partner companies.
Data shall not contain special categories of data or sensitive Personal Data. If such Data is collected, it shall be processing of such Data shall be limited to the extent strictly necessary for specific purposes outlined in this Notice. If not necessary for the purposes outlined in this Notice, such Data shall be anonymized or deleted.
Data Storage
Data is stored securely at different locations depending on processing purposes:
Project 3 Mobility Data Storage repositories, located within the European Union, implementing comprehensive technical and organizational measures to safeguard Personal Data.
Mobileye data storage repositories, ensuring compliance with GDPR and other applicable data protection regulations.
In certain cases, authorized data processors may process Personal Data on behalf of Project 3 Mobility, strictly under contractual terms ensuring equivalent protection standards, including encryption, access control, and full compliance with GDPR.
Any transfer or storage of Personal Data outside the European Union is subject to appropriate safeguards, such as Standard Contractual Clauses or equivalent legal mechanisms.
Protection of Data
Data is protected by applying adequate Technical and Organizational Measures, ensuring data confidentiality, integrity, and availability throughout the data lifecycle. These measures include encryption, access controls, regular security assessments, and staff training.
Transfer of Data outside EU
Transfer of personal data outside the EU will be conducted in compliance with GDPR requirements, including the use of appropriate safeguards such as Standard Contractual Clauses or ensuring the receiving country has an adequate level of data protection.
Where Personal Data is transferred to processors located outside the European Economic Area, such transfers are safeguarded by the EU Standard Contractual Clauses and additional technical and organizational measures, ensuring an adequate level of protection for Data Subjects.
Data subjects rights
Please note that these rights are necessarily limited due to the fact that neither of the parties collates nor indexes Personal Data (there is no mechanism allowing, for example, a search through the clips database for a frame or frames containing any particular vehicle or individual). As a result, it is highly unlikely that a party would be able to identify a particular individual within its clips database unless that individual could provide additional information, such as the location and time at which he/she believes the relevant video clip or clips were collected. Nonetheless, corresponding party will review and respond to any requests on a case-by-case basis. In the unusual case where an individual registers an objection with the driver of a corresponding party-operated test vehicle in real or close-to-real time, drivers are instructed to make a record of such objections and to relay them for review. In such exceptional case, by contrast to the above, it would usually be possible to identify and delete the relevant video clip or clips.
As outlined in the General Data Protection Regulation (GDPR), Data Subjects have various rights concerning the processing of their Personal Data. These rights empower individuals to maintain control over their Personal Information and ensure that it is handled fairly and lawfully.
Below are the rights afforded to Data Subjects:
The Right to be Informed: Data Subjects have the right to be informed about the collection and use of their Personal Data. This includes the purposes for processing, the categories of Personal Data involved, and the recipients of the data.
The Right of Access: Data Subjects have the right to obtain confirmation from the Data Controller as to whether Personal Data concerning them is being processed, and, if so, to access that data and obtain additional information about its processing.
The Right to Rectification: Data Subjects have the right to request the correction of inaccurate or incomplete Personal Data concerning them. This ensures that Personal Data held by the Data Controller is accurate and up to date.
The Right to Erasure (Right to be Forgotten): Under certain circumstances, Data Subjects have the right to request the erasure of their Personal Data. This right applies when the Personal Data is no longer necessary for the purposes for which it was collected, or when the Data Subject withdraws consent and there are no overriding legitimate grounds for processing.
The Right to Restrict Processing: Data Subjects have the right to request the restriction of processing of their Personal Data under certain circumstances. This right may be exercised when the accuracy of the Personal Data is contested, or when the processing is unlawful, but the Data Subject opposes erasure.
The Right to Data Portability: Data Subjects have the right to receive a copy of their Personal Data in a structured, commonly used, and machine-readable format. This right applies when Personal Data is processed based on consent or for the performance of a contract, and the processing is carried out by automated means
The Right to Object: Data Subjects have the right to object to the processing of their Personal Data in certain situations. This includes processing based on legitimate interests or for direct marketing purposes. Upon objection, the Data Controller must cease processing the Personal Data unless compelling legitimate grounds for the processing override the interests, rights, and freedoms of the Data Subject.
Rights in Relation to Automated Decision-Making and Profiling: Data Subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Exceptions apply if the decision is necessary for entering into or performance of a contract, authorized by law, or based on the data subject's explicit consent.
Data Subjects can exercise these rights by contacting the Data Controller using the contact information provided in this Data Protection Notice. The Data Controller will respond to requests within the timelines prescribed by the GDPR and will take appropriate measures to address the Data Subject's concerns.
Data Subjects also have the right to lodge a complaint with a supervisory authority if they believe that their rights under the GDPR have been infringed.
Vehicle Identification
Clip-collecting test vehicles are marked with a special sticker informing about data collecting activities and providing information about data control.
Contact Information
If you have any questions about this Data Protection Notice or wish to exercise any of your data protection rights, please contact us.
P3M Data Protection Office can be contacted at:
Project 3 Mobility d.o.o.
Ilica 31, 10000 Zagreb, Croatia
email: dpo@p3m.com
Mobileye Data Protection Officer can be contacted at:
Mobileye Vision Technologies Ltd.
Hartom 13, Jerusalem 9777513, Israel
email privacy@mobileye.com
Mobileye's representative within the European Economic Area, its affiliate:
Mobileye Germany GmbH
European Data Protection Officer
Lütticher Str. 132
40547 Düsseldorf
privacy@mobileye.com
Updates to this Notice
We may update this Data Protection Notice periodically to reflect changes in our data collection activities or legal requirements. We encourage you to review this Notice regularly for any updates. Thank you for trusting Project 3 Mobility and Mobileye as we collaborate to advance autonomous driving technology while protecting your privacy and data rights.
Future updates may also reflect changes in the list of processors engaged by Project 3 Mobility, while the overall responsibilities of Project 3 Mobility as Data Controller remain unchanged.
Effective Date
03rd of October 2025
Verne ®2025