E+Share Drivalia

INFORMATION ON THE PROCESSING OF PERSONAL DATA

Pursuant to Regulation (EU) 2016/679 (“GDPR”), DRIVALIA S.p.A. (hereinafter the “Data Controller”) hereby provides information on the processing of personal data processing, so that you may be aware of DRIVALIA’s personal data processing activities in connection with the E+Share Drivalia service, understand how this information is managed when you use our services and provide an express and informed consent to the processing of your personal data in the sections of the website eplushare.drivalia.com and/or on the App where you might be asked to provide such data.

1. Data Controller

The Data Controller is DRIVALIA S.p.A., with registered office in Torino, Italy, Corso Orbassano 367, which can be contacted through the Customer Care of DRIVALIA S.p.A. at the following email address: dpo-italia@drivalia.com

2. Purposes of the processing and legal basis of the processing

a) Legal purposes: processing necessary for the Data Controller to fulﬁl a legal

Your personal data can be processed without your consent whenever doing so is necessary to meet obligations arising from civil and tax laws, EU rules and regulations, as well as provisions, codes or procedures approved by Authorities and other competent Institutions.

Moreover, your personal data may be processed to pursuant to requests by competent administrative or judicial authorities and, more generally, public authorities in accordance with the law.

b) Pre-contractual or contractual purposes: processing necessary for the Data Controller to fulﬁl a contractual obligation or to comply with a speciﬁc request by the data subject.

Your personal data will be processed for purposes related to and/or connected with the provision of services by DRIVALIA, including in particular:

to fulfil obligations deriving from the General Terms and Conditions and/or the provision of services ancillary and/or related to such In these cases, please be informed that pursuant to the regulations on personal data, your consent is not required if the processing is necessary to fulfil obligations arising from a contract, nor is your consent required if the processing is necessary to meet specific requests on your part before the conclusion of the contract;
to provide the services required by customers with the registration on the website and/or the App and the creation of their account and profile, including the collection, storage and processing of data to establish and eventually manage operationally, technically and administratively the relationship (and the customer’s account and profile) - as well as to submit notices - related to the provision of the services;
for the registration of pick up and return points of the vehicle by the customer to bill the service properly;
to manage payments (with related processing – in accordance with the law – of the payment data, including the details of the credit card or the prepaid card) for the services required and any ancillary charges, based on the Terms and Conditions and/or other specific contractual provisions published on the website or otherwise made available to the customer; or to fulfil legal, accounting, tax, administrative and contractual obligations related to the provision of the services required;
to manage relations with the authorities and other public entities for purposes related to specific requests, to fulfil legal obligations or special procedures (e.g. notify to the actual oﬀender the fines received for breaching the Rules of the Road);
to prepare measures against credit risk, including the activities designed to identify customers and determine their creditworthiness/ solvency, also during he term of the contract. In the preliminary phase DRIVALIA will check your data through databases of the CA AUTO Bank S.p.A. Group with the specific purpose to prevent frauds, insolvencies and the like. In case of negative outcome of the above analysis, the E+Share Drivalia service will not be

These data – whose transfer is necessary for the operational, economic and administrative execution of the service – will be processed with electronic tools, entered in specific databases and used strictly and solely within the scope of the existing contractual relationship.

As the transmission of your data for the foregoing purposes is necessary to maintain and provide all the services related to the contract, failure to complete such transmission will prevent the provision of the services in question.

c) Commercial and marketing purposes: processing based on the legal basis of the consent

Your personal data can also be processed, based on your consent, for the following further purposes functional to the activities of the Data Controller or a third party:

c.1) receiving promotions concerning the various types of products oﬀered by DRIVALIA.

This processing includes traditional and non-conventional marketing activities, telemarketing, infomercials, submission of advertising material or market research, direct sale activities or interactive commercial communication on products, services and other activities of the Data Controller and refers to any product already active at the time of subscription or launched in future.

The provision of data is optional and failure to give one’s consent for this processing is prejudicial to the performance of the foregoing activities.

You may revoke at any time your consent given with reference to the purposes under this paragraph in the manner indicated in paragraph 7 hereinbelow.

The data necessary for the activity will be processed until the 36th (thirty-sixth) month after termination of the contract and will eventually be anonymized or eliminated.

c.2) receiving solely promotions more attuned to your preferences and habits.

This processing includes the analysis of personal data gathered to assess and predict specific personal aspects, including professional performance, financial condition, preferences, interests, behaviours, location or travels to limit promotional activities to compatible products or campaigns on the basis of prior analysis.

The transfer of data is optional and failure to give one’s consent to such processing is prejudicial to the above-described activities.

You may revoke the consent previously given with reference to the purposes hereunder in the manner described in article 7 hereinbelow. The data necessary for the activities shall be processed for up to 12 (twelve) months after termination of he contractual relationship and will eventually be anonymized or eliminated.

c.3) receiving commercial promotions concerning products and services provided by other companies

This processing includes the communication of personal data to partners of the Data Controller – including, but not limited to, vehicle manufacturers and sales companies, third parties and/or other companies of the DRIVALIA Group, the CA AUTO Bank S.p.A. group, CA Auto Bank S.p.A. and Crédit Agricole Italia S.p.A., as well as the Data Controller’s dealer or sales agent of reference, and/or the car manufacturer – for traditional and non-conventional marketing purposes or for telemarketing or commercial information purposes, to forward advertising material or for the performance of market research and direct sale activities or for interactive commercial communication on products, services and other activities regarding products of third parties and/or other companies of the DRIVALIA Group, the CA AUTO Bank S.p.A. group, CA Auto Bank S.p.A. and Crédit Agricole Italia S.p.A.

The transfer of data is optional and failure to give one’s consent to such processing is prejudicial to the above-described activities. You may revoke the consent previously given with reference to the purposes hereunder in the manner described in article 7 hereinbelow.

d) Defence of a right in a court of law

In addition, your personal data shall be processed whenever it is necessary to ascertain, exercise or defend a right of the Data Controller or of any company controlled by the Data Controller in a court of law.

e) Data Controller’s legitimate interest

The Data Controller may process, without your consent, your personal data in the following cases:

in case of corporate actions such as mergers, sale or spin-oﬀ of a business unit, to enable the preparation of due diligence and other activities preliminary to the sale. It is understood that only strictly necessary data shall be processed, and in as an aggregate/anonymous form as
analysis of the vehicle sharing services used, to identify habits and propensity to consume, to improve the services provided and to meet customers’ specific requirements, or preparation of initiatives linked to the contractual relationship to improve the services provided, including any surveys to obtain customers’ suggestions;
preparation of a vehicle/corporate asset geolocation system and any measure to protect them against any illegal or fraudulent actions by customers/users;
check of customer/user’s driving style (e.g. acceleration/deceleration; change of direction; speed, crashes) for road safety purposes and to protect company assets.

3. Consent to processing and obligation to communicate data

For the processing of the foregoing optional data, the Data Controller requests your consent solely for the purposes indicated at the time of registration with E+Share Drivalia.

In the absence of your explicit consent to the processing of the above data held, and obtainable in the future, by the Data Controller, please be informed that you might be excluded from the benefits and/or eﬀects linked to the processing of the data, without this having any consequence for the contract in place and for the services provided by DRIVALIA.

When DRIVALIA requests your personal data, it will specify the mandatory or optional nature of the transfer of the required data.

4. Recipients of the data

personal data: to pursue the purposes under article 2, the Data Controller may communicate your personal data to third parties, including, but not limited to, members of the following parties or groups of parties:
police corps, armed forces and other government entities, to fulfil the obligations provided or by laws, regulations or EU provisions. In these cases, based on the applicable rules on data protection, the Data Controller shall not be required to obtain the data subject’s prior consent for these communications;

companies of the DRIVALIA p.A. group, or otherwise its subsidiaries and associated companies;
companies producing and selling vehicles;;
credit collection companies;
companies specializing in the management of commercial or credit information, or advertising;
other companies engaged in vehicle sharing and/or ancillary services with which the Data Controller has various types of arrangementsin place;
other companies under contract with the Data Controller that perform claim management activities;
insurance companies for the management of claims;
parties that obtain, work on and process data obtained from customers to carry out instructions from customers;
automobile documentation agencies and motor vehicle bureaus;
parties that provide services to manage the information and telecommunication network system (including electronic mail);
parties that engage in transmittal, enveloping, shipping and sorting activities with the data subject;
parties that file documents and perform data entry activities;
parties that perform customer care services (e.g.: call centre, customer service, );
companies that manage national and international anti-fraud systems – firms or companies in connection with assistance and consulting activities;
credit collection companies;
parties that promote and sell the Data Controller’s products/services;
subjects carrying out control activities (such as, but not limited to, control and/or counter-terrorism activities) also on behalf of the parent company CA Auto Bank, review and certification of the Bank’s activities also in the interest of customers.

The Data Controller shall ensure that the provision of your personal data to the foregoing recipients concerns only the data necessary to achieve specifically the intended purposes.

Lastly, please be informed that your personal data shall not be disseminated, save as otherwise determined above and/or required by law.

4.2. Vehicle data: CA Auto Bank Italy S.p.A. gathers – from the vehicles owned by DRIVALIA Spa and rented out on along-term basis by DRIVALIA S.p.A. – certain data linked to a device installed on board the vehicles called Datalogger, to identify, analyse and correct any qualitative problems of the vehicles while these are used on the road, including without limitation:

lights and/or other types of signal due to malfunctioning that cannot be justified promptly;
unusual working of the vehicles and/or their

Installation of Datalogger on the vehicle makes it possible, depending on the services provided, the anonymous transmittal to CA Auto Bank Italy S.p.A. of the following:

distance travelled by the vehicle;
the hour the vehicle’s engine is on and oﬀ;
warnings, including without limitation: cut of battery cables, battery diagnostics, Datalogger’s buﬀer battery disconnected and/ or discharged, vehicle motion without key inserted, notice of presumed impact;
vehicle diagnostic data such as, among others, oil levels and battery energy, tyre pressure, state of the

Data of a diagnostic nature coming from the vehicle are transferred to CA Auto Bank for vehicle diagnostics, data analysis and statistics compilationpurposes, to improve the quality of the products made by CA Auto Bank.

Together with these types of data, the Data Controller sends to CA Auto Bank Italy S.p.A. a report containing anonymous data such as, among others, the average eﬀective use of the vehicle, the Postal Codes of the departure and arrival points, to conduct market research to improve the product.

5. Manner of processing

The processing of data for each of the foregoing purposes shall be automated and computerized and, in particular, by ordinary or electronic mail, telephone (through automated calls as well, SMS, MMS, etc.), facsimile and any other IT channel (e.g. websites, mobile apps) as well as in paper format.

6. Data Protection Officer

For every direct contact – formal and urgent, other than the exercise of rights under article 7) – you may get in touch with the Data Protection Officer at: dpo-italia@drivalia.com, as well as through the other channels indicated in article 7 hereinbelow.

7. Exercisable rights

As data subject, you have the following rights on the personal data gathered and processed by the Data Controller for the purposes outlined in article 2.

a) Right of access

You have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the right to lodge a complaint with a supervisory authority.

b) Right to rectification and erasure

You have the right to obtain he rectification of inaccurate personal data concerning you and, taking into account the purposes of the processing, the right to have incomplete personal data completed, including by means of providing a supplementary statement

You also have the right to obtain the erasure of personal data concerning you where one of the following grounds applies: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data are processed unlawfully; (iii) you have withdrawn the consent on which the Data Controller had the right to process your data there is no other legal ground for the processing; (iv) you have objected to the processing and there are no overriding legitimate grounds for the processing; (v) the personal data have to be erased for compliance with a legal obligation.

However, DRIVALIA may refuse to comply with the foregoing to the extent that the processing is necessary for exercising the right of freedom of expression and information or to comply with a legal obligation or to defend a legal claim.

You also have the following rights:

a) Right to data portability

You have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance.

B) Right to restriction of processing

You have the right to obtain from DRIVALIA restriction of processing where one of the following applies: (i) in case you contest the accuracy of your data, for a period enabling the Data Controller to verify the accuracy of the personal data; (ii) the data are processed unlawfully; (iii) even though your personal data are no longer needed for the purposes of the processing, they are required for the establishment, exercise or defence of legal claims; (iv) pending the verification whether the legitimate grounds of the Data Controller override your objection to processing.

You may exercise your rights by contacting di DRIVALIA S.p.A.’s Customer Care as follows:

email: dpo-italia@drivalia.com.

The Data Controller shall reply within 30 (thirty) days of receipt, save for a 60-day (sixty-day) extension in light of the complexity and the number of your requests. Following expiration of the foregoing period, you have the right to lodge a complaint with the Italian Data Protection Authority in the form and manner provided for by the applicable law.

8. Transfer of data outside of the European Economic Area

We shall not transfer your data to an extra-EU country or an international organization, save for exceptional and strictly necessary cases. Where necessary, for technical or operational reasons, the same data can be processed in countries located outside the European Union, provided that a reasonable level of protection is assured, based on a specific adequacy decision by the European Commission. Any transfer of your data to non-EU countries, in the absence of an adequacy decision by the European Commission, shall be possible only if the Data Controllers and Processors involved provide adequate guarantees based on contracts or arrangements which provide for data protection. The transfer of your data to countries outside the European Union, in the absence of an adequacy decision or other adequate measures as described above, shall be carried out only where strictly necessary and in the cases provided for by the GDPR and shall be processed in your interest.

9. Data storage period

As a general rule, we store your data at the company only for the time necessary to achieved the above-listed purposes, in accordance with the principle of proportionality and necessity provided for by the laws on personal data protection. In setting the storage period, we refer to the laws applicable to the activities and sectors in which the company operates (for example, anti-money-laundering laws, laws on bookkeeping records) as well as guidance provided by the Italian Data Protection Authority on the protection of personal data through the applicable measures.

Following termination of existing contracts, DRIVALIA shall store your data for an additional ten-year period. As this period expires, we shall erase or anonymize the data. The data shall be kept for a period not longer than that necessary for the purposes for which they were gathered or subsequently processed in accordance with the law.

10. Updates of this information

In case of changes or updates or modifications, this information is provided from time to time or can be found on the web site in the specific section on personal data protection and upon your request.

Privacy policy