Disclosure on the processing of personal data pursuant to Article 13 of Legislative Decree No. 196 of 30 June 2003 - Code on the Protection of Personal Data.
By means of this policy, drawn up under Article 13 of Legislative Decree No. 196 of 30 June 2003, Code on the Protection of Personal Data (hereinafter the “Code”), LeasePlan Italia S.p.A., with registered office in Rome, Viale Alessandro Marchetti 105, in its capacity as Data Controller (hereinafter “LeasePlan” or “Data Controller”), intends to provide any and all useful information in regard of the processing of personal data of users of the mobile Application LeasePlan (hereinafter the “APP”).
LeasePlan Italia Spa Privacy Officer is Mr. Giulio Foldes legal address c/o company’s head officein Rome, Viale Alessandro Marchetti 105.
1.1 Operation of the APP and Purpose of Processing
The APP is designed to provide users with a fast and intuitive interface for the management of all the services offered by LeasePlan under the contract signed with the latter. Therefore, it is a tool through which customers may easily forward requests to LeasePlan and manage their personal position by using their smartphones, tablet or any other mobile device, also by means of the creation of a personal account accessible with specific credentials.
Since the APP is public, it may also be downloaded and used for limited functions by third parties who are not bound by any contractual relationship with the Data Controller, without any obligation arising therefrom for the latter to perform the services that require the prior subscription of a car rental contract (including, but not limited to, the service for reporting accidents and booking servicing). Any requests that may be received from such users will, therefore, be rejected.
The data of users are collected and processed exclusively for the following purposes:
- allow the Data Controller to provide the services required by the users, including, in particular, follow up on reports of accidents and bookings of servicing and promptly process, modify and track any other requests forwarded to customer service, collect and process information requests, also with regard to services connected to the APP;
- obtain aggregated statistical information on the use of the APP;
- check the correct operation of the APP and provide for any bug fixes.
Any processing of data which cannot be traced to, or is otherwise unnecessary for, the achievement of the purposes mentioned above will only be carried out provided the users have previously given their specific consent thereto.
One such case could be the dispatch of communications from the Data Controller having an advertising or commercial nature through:
- automated calling systems without an operator;
- emails, text messages, MMS, fax messages, push notifications and other automated means.
It is understood that any consent of the users to receive commercial and promotional communications through automated tools will absorb and will be considered as extended to the use of traditional means (such as mail in hard copy and calls made by operators), as stated by the Authority for the Protection of Personal Data (hereinafter the “Authority”).
It is also understood that the APP is set in order to send push notifications to the user, who, at any time, can have them off by changing the settings of the operating system in use.
1.2 Secondary Profiling Purposes
The processing of personal data for profiling purposes will be based on the acquisition of a prior specific consent from the user. With the prior consent of the user, relevant data and non-excessive data on individuals may be collected and stored for profiling purposes or in order to improve the services being offered according to the users’ needs and derive information on their behavior and habits in the field of long-term rental.
Profiling may relate to “individual” personal data. Such processing can be carried out by using personal data that are also aggregated according to predefined parameters depending on business needs and may include the collection of information on the opening of emails and links contained in them sent by LeasePlan Italia Spa and/or the download of the relative content to the user in order to measure the effectiveness of our email messages and assign specific scores to users including to improve the match between the email messages and the actual tastes / preferences of the users themselves.
The provision of personal data for the purposes outlined above is optional and failure to provide them will not determine consequences other than the impossibility for LeasePlan Italia Spa to proceed to the aforementioned profiling.
Even in case the user has provided consent to authorize LeasePlan Italia Spa to pursue profiling purposes, the same will remain free at any time to withdraw it by sending a specific notice to the following e-mail address email@example.com.
Any data processed for profiling purposes will be stored in an appropriate manner to minimize data dissemination to what is strictly necessary, restricting to a minimum the number of working staff with possible access to the information.
2. Types of Data Being Processed
The only data collected through the APP will be those strictly necessary to achieve the purposes and carry out the activities described in paragraph 1 above. By way of example, without limitation, the users’ first and last name, email address and phone number will be in any case required, as well as the license plate number of the vehicle used. Without them, the Data Controller cannot act on any of the requests made by its users.
In addition to the data mentioned above, the customer will be asked to provide further information, often of a personal kind and, from time to time necessary for the performance of the service required, such as details of the accident in case of forwarding the relevant report to LeasePlan through the special features of the APP.
Providing such data should be considered optional, as well as giving consent to their processing. It is however understood that in the absence of such items, LeasePlan may be unable to provide, or properly perform, the services required.
In this latter regard, it should be pointed out that while some data may solely be provided by the data subject, other data can be loaded directly by the Data Controller in reference to users who have previously registered with LeasePlan systems. For this reason, some forms of the APP may appear partially or completely filled out in advance. This is done to speed up the request and optimize the service.
2.1. Data Concerning the Users’ Geographical Location
The possible use of geolocation tools, unless otherwise specified, is exclusively aimed to allow the optimization and/or provision of the services required. The APP is in fact capable of collecting data relating to the users’ geographical location in order to provide, or increase the efficiency of, the services based on the same.
If the users would, for example, like to forward a booking request to customer service for servicing, the data concerning their location will be used to find and subsequently display the nearest garages in the APP.
The processing of such data will, however, remain conditional upon obtaining the data subject’s specific consent, which may at any time be revoked by means of the appropriate operating system settings.
2.2. Personal Data of Third Parties Shared with the Users
Users, in their capacity as independent data controllers, will assume all liabilities with regard to sharing personal data of third parties, such as counterparties or witnesses of accidents, through the APP, ensuring that they have the full rights to the processing thereof and expressly indemnifying and holding LeasePlan harmless from any complaints, damages, claims, reimbursements, or disputes in connection with or resulting from possible infringement of the Code rules in such circumstances.
By way of example, without limitation, the data relating to any counterparty to a claim will be processed by using the APP under the sole responsibility of the user who uploaded them using the appropriate forms without any involvement of the Data Controller.
2.3. System Logs
For requirements linked to the operation and maintenance of the APP, LeasePlan may collect system logs, i.e. files that record the interactions of users, often containing personal data such as the IP address used.
2.4. Sensitive Data
LeasePlan does not request, or collect, sensitive data via the APP (such as, for example, information that could reveal racial or ethnic origin, political, philosophical or religious beliefs, sexual habits or medical data).
If the achievement of the purposes referred to in paragraph 1 above makes it necessary to process this specific type of data, it will be the responsibility of the Data Controller to request the users’ prior written consent or equivalent.
3. Processing Methods
The users’ personal data are processed by taking all the appropriate security measures to prevent access, disclosure, alteration or unauthorized destruction of personal data. All of LeasePlan employees who have access to the databases connected to the APP have been duly designated as persons in charge of processing and each of them is authorized only to process the information needed to perform their job tasks.
Processing is mainly carried out by means of IT and/or electronic tools, with organizational methods and procedures strictly related to the purposes mentioned above.
In addition to the Data Controller, in some cases, other entities involved in the management and delivery of the services on offer, appointed by the Data Controller, if necessary, as data processing supervisors pursuant to Article 29 of the Code, may have access to the data, following notice from LeasePlan.
Such entities will exclusively process the data for activities functional to, or closely related to, the performance of the services requested, it being understood that the Data Controller is required to obtain the users’ explicit consent if it intends to pursue different purposes, including through the above.
The updated list of data processing supervisors may be requested at any time by writing to firstname.lastname@example.org.
4. Place and Period of Storage
The users’ personal data are stored in Rome, Viale Alessandro Marchetti 105, at the premises of the Data Controller, as well as at the premises of providers of electronic communications services to which LeasePlan may have entrusted any processing in connection with the APP.
In any case, in compliance with the principles of proportionality and necessity, the data will not be stored for longer periods than necessary for the achievement of the purposes described above and thus for the diligent performance of the services requested by the users.
In particular, personal data processed for contractual purposes are processed for the time strictly necessary to achieve the purposes for which they were collected and can be kept for a period of 10 (ten) years from the loss of effectiveness of the contract in order to manage and respond to the requests of the competent authorities, manage eventual judicial and / or extrajudicial claims, and manage and respond to any requests for compensation. Based on the advice of the Authority for the protection of personal data, the data processed for marketing purposes may be retained for a period of time not exceeding 24 (twenty-four) months from their registration, while the data processed for the purposes of profiling for a period of time not exceeding 12 (twelve) months from registration. Subsequently, these data must be irretrievably deleted or made anonymous. In any case and depending on the specific purposes of the processing and type of data processed, the data could be further kept in compliance with any legal obligations or for the protection of hypothetical rights in court and to manage any extrajudicial disputes.
5. Cross-Border Data Transfer
For the sake of clarity, it should be pointed out that no processing connected to the APP requires or necessitates the transfer of the users’ personal data outside the European Economic Area (EEA). Should this become necessary, it will be the responsibility of the Data Controller to acquire specific consent from the data subjects or implement one of the alternative protection devices provided for by the Code.
6. Rights of Users
Under Article 7 of the Code, users have the right to obtain the updating, correction or supplementation of their data, in addition to their cancellation or transformation into anonymous form.
They may also object to any processing, including in particular the sending of marketing or commercial communications by the Data Controller, by simply writing to email@example.com or to LeasePlan Italia S.p.A., Viale Alessandro Marchetti 105, 00148 Rome.
Any objection to processing for the above purposes, when carried out through automated contact methods, must be considered as extended to traditional ones, such as mail in hard copy and/or calls by operators. The users’ ability to exercise such a right only in part, pursuant to Article 7, paragraph 4, letter b), of the Code, will remain without prejudice, for example, by only objecting to the dispatch of promotional communications by automated means. In this case, LeasePlan will continue to contact the person using traditional methods.
As a result of violations or abuses committed by using the APP, or in the course of its use, the users’ personal data may be used by the Data Controller to defend or enforce its rights in court, or in the stages leading to the possible commencement of legal proceedings. Users therefore expressly declare to be aware that, in such cases, LeasePlan may reveal their data to the competent Authorities.
The user has the authority to make a complaint to the Authority for the Protection of Personal Data to lament a possible violation of rules on protection of personal data (Art. 141, paragraph 1, lett. A) of the Privacy Code) and to request an audit. The complaint can be subscribed directly by the user or by the associations that represent him/her. In the latter case, the user must give a written proxy. The proxy must be lodged with the Authority for the protection of personal data, together with all the documents relevant to the assessment of the complaint presented. The complainant will submit the act using the procedures it deems appropriate, and delivering by hand to the office of the Guarantor (the address indicated below) or by submitting:
a) A / R addressed to the Authority for the protection of personal data, Piazza di Monte Citorio, 121 00186 Rome;
c) fax: 06 / 69677.3785.
Therefore, please consult this page frequently, taking the date written at the bottom of the same as a reference for the latest changes.
Last Update: March 2017