Information regarding Clear Box services
Information regarding processing of personal data for Clear Box services Article 13 of Legislative Decree no. 196 of 30 June 2003, (“Privacy Code”)
1. LeasePlan and Clear Box services
As a data controller, the company LeasePlan Italia S.p.A. (“LeasePlan”) informs the driver of LeasePlan vehicles of the following. LeasePlan has installed Clear Box devices (so-called black boxes) in vehicles available for operational leasing, in order to provide research services regarding the vehicle in case of theft and crash management (“Services”). This disclosure relates to the personal data processing of the driver of the vehicle in case of activation of Clear Box services. It integrates the privacy documentation provided for the customer by LeasePlan for renting the vehicle. A copy of this disclosure is available in the vehicle and on the LeasePlan website www.leaseplan.it, which can also be requested at any point by contacting LeasePlan at the address indicated in the following point 7. Personal data processing in relation to Clear Box Services has been the subject to prior ruling and thus is also subject to evaluation by the Authority for the Protection of Personal Data (prior checking - Article 17 of the Privacy Code). LeasePlan will continue to carry out processing operations of personal data, in compliance with the freedom and fundamental rights of the person concerned, as well as in accordance with the general rules for personal data processing as established in Article 11 of the Privacy Code. The data not required for the implementation of services, or for the purposes which are relevant from time to time, are destroyed or made anonymous, in line with the specifications in this disclosure. The Clear Box devices permit the detection and transmission of vehicle information for LeasePlan, for example, in verifying accidents, vehicle location and other information which is set out below in detail. As described below, the Services provided by the Clear Box are intended to provide drivers with greater security and a better service, and optimize LeasePlan’s fleet management and protect the assets and possessions of LeasePlan.
1) Vehicle theft: after charges are pressed in the case of theft or in case of events attributable to a theft or an attempted theft or in case of misappropriation of the vehicle, a specific procedure is initiated, based on the location of the vehicle in view of its subsequent recovery by the police. This is in order to assure the protection of corporate assets and possessions in the face of possible illegal acts. The data used for this service consist of technical information about the vehicle (e.g. number plate, brand, model, colour, location data), which is used in order to find and recover said vehicle. For the operation of this service, the data is kept for no longer than is strictly necessary to identify and recover the vehicle to fulfil administrative and legal requirements, under the terms of the applicable statute of limitations.
2) Crash management: The Crash Management service is automatically activated when crash or mini-crash alarms go off (i.e. in the case of accidents with other vehicles, collisions against fixed obstacles, overturning or going off the road), according to predefined parameters that imply an accident has occurred. The information gathered concerns the location of the vehicle and some operating parameters (e.g. speed, driving direction, frontal and lateral acceleration) and is used to support and improve the management of accidents of vehicles; from the information gathering phase to the settlement and management of disputes. This information also helps to more easily reconstruct the sequence of events, to gather possible evidence, and prevent possible fraud. The acquired data will be disclosed to third parties (such as judicial authorities and insurance companies) only to the extent permitted by applicable law and according to what is necessary for the execution of Crash Management service. These data are stored by LeasePlan for the period strictly necessary for accident reconstruction and to establish relative liability, in line with the statute of limitations in force. However, even if a crash alarm goes off, no information is stored in the Clear Box from since it is programmed to delete and overwrite data at intervals of no more than 30 seconds.
2. Purposes and methods of data processing
LeasePlan uses the drivers’ data for the following purposes:
a) to provide its customers with the services listed above;
b) to fulfil the laws, regulations and legislation arising from the contract with the customer, for example, fulfilment of accounting, tax, administrative and insurance obligations;
c) to provide higher safety levels for drivers and any third parties involved in accidents;
d) to avoid scams, fraud and to protect corporate assets and possessions, in particular the LeasePlan transport fleet;
e) to improve the management process in the case of theft, misappropriation and accidents;
f) to manage relationships with third parties that are necessary for the proper execution of the operational leasing agreement and the provision of services chosen by the customer, e.g. relationships with businesses and insurance companies, and the relevant authorities, etc.);
g) to exercise rights in court.
The data are mainly processed by electronic and automated means. However, data processing without the use of electronic devices is provided for, such as by manually processing data on paper. Data processing is organized according to operating procedures and functional reasoning for the purposes listed above, in accordance with the measures specified by privacy law to ensure the security and confidentiality of data. Under Article 3 of the Privacy Code (the principle of necessity in data processing), information systems and computer programs are configured to minimize the use of personal and identification data, which are processed only when necessary for the processing objectives pursued from time to time.
3. Special categories of data being processed
For Theft service, the data relevant to locating the vehicle do not include information about the driver, who as a result of theft has lost material availability of the vehicle. In the case of embezzlement or other illegal activities, the locating data may relate to the driver. In this case the data are processed for the time needed to recover the vehicle and for exercising rights in court, including the handling of possible fraud or offences and the relevant judicial proceedings. For Crash Management services, data relating to the location of the vehicle – activated automatically in the event of an accident – are necessary, especially from a kinematic perspective, so as to assess the various aspects of any accidents, in view of exercising and defending rights in court. For both services, the driver’s consent to the processing of data is not needed, in accordance with Article 24, sub-section f) of paragraph 1 in the Privacy Code.
4. Nature of data provision and consequences of failure to provide data
The provision of personal data for the purposes indicated above in point 2 is necessary for the rendering of Services provided by Clear Box. This is to fulfil legal obligations as well as to exercise and defend rights in court; any refusal to provide LeasePlan with data would prevent the proper operation of such Services. For such purposes the consent of the driver of the vehicle is therefore not necessary.
5. Communication and dissemination of personal data
Personal data can be accessed by those appointed by LeasePlan to be in charge of data processing, who require access to the data in order to perform their duties (e.g. LeasePlan staff and any external persons in charge of data processing and who deal with the management of Clear Box services) and data processors, as indicated below. The updated list of data processors and subjects to whom LeasePlan transmits the data is available at any point when requested from LeasePlan at the addresses listed below. Personal data can be transmitted and processed on behalf of LeasePlan by companies and professionals appointed by LeasePlan to carry out specific technical and organizational services for the provision of services delivered by the Clear Boxes and for other processing purposes indicated above in point 2. LeasePlan shall only inform such third parties of the information required for the provision of related services. Such parties are appointed by LeasePlan as data processors and act according to the instructions provided by LeasePlan. Personal data can be communicated to the following third parties, acting as data controllers, data processors or persons in charge of data processing, as appropriate, for the purposes indicated above in point 2 and in compliance with applicable laws:
• insurance companies and insurance intermediaries, e.g. in dealing with accidents;
• consultants and professionals, operating in association with others, for example, legal advisors;
• companies and agencies managing response activities and road assistance;
• judicial authorities, police forces, official bodies and public authorities for their respective institutional purposes, for example, in the case of a stolen vehicle or road accident, or in legal proceedings
• the legitimate recipients of communications on the basis of a law or regulation.
LeasePlan can access the personal data of the driver (when a different person from the LeasePlan customer) only to the extent that it is strictly necessary for the implementation of Services, in order to fulfil legal obligations or for protection purposes of any LeasePlan rights. The personal data of the driver of the vehicle are communicated to the LeasePlan customer (when the driver and the customer are different people) for Crash Management services. This is limited to the necessary data to fulfil the operational leasing agreement in place with the customer, to fulfil legal requirements and to exercise rights in court, and only in one of the following circumstances: (i) where the driver has been proved to be fraudulent (e.g. falsely reporting an accident); (ii) gross negligence on the part of the driver in their operation of the vehicle. For Theft services LeasePlan does not communicate the driver’s details to its customer. Personal data will not be circulated under any circumstances, except in cases of specific provision of law.
6. Safety measures and period of time for data storage
LeasePlan has taken physical, technical and organizational security measures in order to maintain security and confidentiality of processed data, in compliance with the requirements of Article 31 et seq. and of Annex B to the Privacy Code – Technical Regulations regarding minimum security and other applicable provisions . Personal data are stored for as long as necessary in order to achieve the purposes indicated above in point 2. This usually lasts until the end of the contract relating to the vehicle, or until required for exercising and defending rights in court, in line with the terms of the applicable statute of limitations, which may allow for a longer period of time. Personal data are stored after the duration of the contract relating to the vehicle when they are necessary for the fulfilment of legal obligations or for exercising rights in court. With regard to location data for the Crash Management service, in the absence of an accident, data are erased by overwriting at intervals of 30 seconds maximum. Where an accident has taken place, the data are retained for the amount of time needed to deal with claims (accident reconstruction and verification of relative liabilities).
7. Data Controller and Data Processors
The data controller is LeasePlan Italia SpA, with its registered office in Via Alessandro Marchetti, 105, Rome 00148. The data processor already appointed at the time of preparation of this disclosure is: LeasePlan Information Services, LeasePlan House - Level 2 Central Park, Leopardstown Dublin 18, Dublin (Ireland) for the management of LeasePlan’s servers.
The list of other data processors is available at data controller’s premises. The interested parties can ask to access these information by sending a written request to the data controller, without specific formalities, to its office in in Via Alessandro Marchetti, 105, Rome 00148 or by sending an email to: firstname.lastname@example.org.
8. Privacy Rights of those concerned
Article 7 of the Privacy Code (a copy of which is available below, as currently in force) recognizes certain rights regarding the processing of personal data. You may at any time exercise these rights by contacting LeasePlan or data processors at the above address. We also remind you that it is possible to request access to your digitally signed personal data.
Article 7 of Legislative Decree no. 196, 30 June 2003 (Privacy Code)
Right of access to personal data and other rights
1. You have the right to obtain confirmation of the existence (or lack thereof) of personal data about you and their dissemination in a comprehensible form, even if the data are not yet registered.
2. You have the right to obtain information regarding:
a) the source of personal data;
b) the purposes and methods of data processing;
c) the reasoning applied in case of data processed using electronic means;
d) details identifying the data controller, data processors and the representative appointed under article 5, paragraph 2;
e) subjects concerned or categories of subjects to whom the data may be communicated or who may find out about said data in their capacity as a designated State representative, as a data processor or person in charge of data processing.
3. You have the right to obtain:
a) updates, modifications or, if of interest, the integration of data;
b) cancellation, anonymization or blocking of unlawfully processed data, including data that need not be kept for the purposes for which they were collected or subsequently processed;
c) confirmation that the operations in letters a) and b) (also as regards their content) have been brought to the attention of those to whom the data were communicated or disclosed, except where such compliance is impossible or requires the use of means which are clearly disproportionate to the right being protected.
4. You have the right to object, in whole or in part:
a) for legitimate reasons against the processing of personal data, even those which are pertinent for collection purposes;
b) against the processing of personal data for advertising or direct sales purposes, or for carrying out market research or commercial communication.
Last update: June 2016