INFORMATION ON THE PROCESSING OF PERSONAL DATA
Pursuant to Regulation (EU) 2016/679 (“GDPR”), DRIVALIA S.p.A. (hereinafter the “Data Controller”) hereby provides information on the processing of personal data processing, so that you may be aware of DRIVALIA’s personal data processing activities in connection with the E+Share Drivalia service, understand how this information is managed when you use our services and provide an express and informed consent to the processing of your personal data in the sections of the website eplushare.drivalia.com and/or on the App where you might be asked to provide such data.
1. Data Controller
The Data Controller is DRIVALIA S.p.A., with registered office in Torino, Italy, Corso Orbassano 367, which can be contacted through the Customer Care of DRIVALIA S.p.A. at the following email address: firstname.lastname@example.org
2. Purposes of the processing and legal basis of the processing
a) Legal purposes: processing necessary for the Data Controller to fulﬁl a legal
Your personal data can be processed without your consent whenever doing so is necessary to meet obligations arising from civil and tax laws, EU rules and regulations, as well as provisions, codes or procedures approved by Authorities and other competent Institutions.
Moreover, your personal data may be processed to pursuant to requests by competent administrative or judicial authorities and, more generally, public authorities in accordance with the law.
b) Pre-contractual or contractual purposes: processing necessary for the Data Controller to fulﬁl a contractual obligation or to comply with a speciﬁc request by the data subject.
Your personal data will be processed for purposes related to and/or connected with the provision of services by DRIVALIA, including in particular:
These data – whose transfer is necessary for the operational, economic and administrative execution of the service – will be processed with electronic tools, entered in specific databases and used strictly and solely within the scope of the existing contractual relationship.
As the transmission of your data for the foregoing purposes is necessary to maintain and provide all the services related to the contract, failure to complete such transmission will prevent the provision of the services in question.
c) Commercial and marketing purposes: processing based on the legal basis of the consent
Your personal data can also be processed, based on your consent, for the following further purposes functional to the activities of the Data Controller or a third party:
c.1) receiving promotions concerning the various types of products oﬀered by DRIVALIA.
This processing includes traditional and non-conventional marketing activities, telemarketing, infomercials, submission of advertising material or market research, direct sale activities or interactive commercial communication on products, services and other activities of the Data Controller and refers to any product already active at the time of subscription or launched in future.
The provision of data is optional and failure to give one’s consent for this processing is prejudicial to the performance of the foregoing activities.
You may revoke at any time your consent given with reference to the purposes under this paragraph in the manner indicated in paragraph 7 hereinbelow.
The data necessary for the activity will be processed until the 36th (thirty-sixth) month after termination of the contract and will eventually be anonymized or eliminated.
c.2) receiving solely promotions more attuned to your preferences and habits.
This processing includes the analysis of personal data gathered to assess and predict specific personal aspects, including professional performance, financial condition, preferences, interests, behaviours, location or travels to limit promotional activities to compatible products or campaigns on the basis of prior analysis.
The transfer of data is optional and failure to give one’s consent to such processing is prejudicial to the above-described activities.
You may revoke the consent previously given with reference to the purposes hereunder in the manner described in article 7 hereinbelow. The data necessary for the activities shall be processed for up to 12 (twelve) months after termination of he contractual relationship and will eventually be anonymized or eliminated.
c.3) receiving commercial promotions concerning products and services provided by other companies
This processing includes the communication of personal data to partners of the Data Controller – including, but not limited to, vehicle manufacturers and sales companies, third parties and/or other companies of the DRIVALIA Group, the CA AUTO Bank S.p.A. group, CA Auto Bank S.p.A. and Crédit Agricole Italia S.p.A., as well as the Data Controller’s dealer or sales agent of reference, and/or the car manufacturer – for traditional and non-conventional marketing purposes or for telemarketing or commercial information purposes, to forward advertising material or for the performance of market research and direct sale activities or for interactive commercial communication on products, services and other activities regarding products of third parties and/or other companies of the DRIVALIA Group, the CA AUTO Bank S.p.A. group, CA Auto Bank S.p.A. and Crédit Agricole Italia S.p.A.
The transfer of data is optional and failure to give one’s consent to such processing is prejudicial to the above-described activities. You may revoke the consent previously given with reference to the purposes hereunder in the manner described in article 7 hereinbelow.
d) Defence of a right in a court of law
In addition, your personal data shall be processed whenever it is necessary to ascertain, exercise or defend a right of the Data Controller or of any company controlled by the Data Controller in a court of law.
e) Data Controller’s legitimate interest
The Data Controller may process, without your consent, your personal data in the following cases:
3. Consent to processing and obligation to communicate data
For the processing of the foregoing optional data, the Data Controller requests your consent solely for the purposes indicated at the time of registration with E+Share Drivalia.
In the absence of your explicit consent to the processing of the above data held, and obtainable in the future, by the Data Controller, please be informed that you might be excluded from the benefits and/or eﬀects linked to the processing of the data, without this having any consequence for the contract in place and for the services provided by DRIVALIA.
When DRIVALIA requests your personal data, it will specify the mandatory or optional nature of the transfer of the required data.
4. Recipients of the data
The Data Controller shall ensure that the provision of your personal data to the foregoing recipients concerns only the data necessary to achieve specifically the intended purposes.
Lastly, please be informed that your personal data shall not be disseminated, save as otherwise determined above and/or required by law.
4.2. Vehicle data: CA Auto Bank Italy S.p.A. gathers – from the vehicles owned by DRIVALIA Spa and rented out on along-term basis by DRIVALIA S.p.A. – certain data linked to a device installed on board the vehicles called Datalogger, to identify, analyse and correct any qualitative problems of the vehicles while these are used on the road, including without limitation:
Installation of Datalogger on the vehicle makes it possible, depending on the services provided, the anonymous transmittal to CA Auto Bank Italy S.p.A. of the following:
Data of a diagnostic nature coming from the vehicle are transferred to CA Auto Bank for vehicle diagnostics, data analysis and statistics compilationpurposes, to improve the quality of the products made by CA Auto Bank.
Together with these types of data, the Data Controller sends to CA Auto Bank Italy S.p.A. a report containing anonymous data such as, among others, the average eﬀective use of the vehicle, the Postal Codes of the departure and arrival points, to conduct market research to improve the product.
5. Manner of processing
The processing of data for each of the foregoing purposes shall be automated and computerized and, in particular, by ordinary or electronic mail, telephone (through automated calls as well, SMS, MMS, etc.), facsimile and any other IT channel (e.g. websites, mobile apps) as well as in paper format.
6. Data Protection Officer
For every direct contact – formal and urgent, other than the exercise of rights under article 7) – you may get in touch with the Data Protection Officer at: email@example.com, as well as through the other channels indicated in article 7 hereinbelow.
7. Exercisable rights
As data subject, you have the following rights on the personal data gathered and processed by the Data Controller for the purposes outlined in article 2.
a) Right of access
You have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the right to lodge a complaint with a supervisory authority.
b) Right to rectification and erasure
You have the right to obtain he rectification of inaccurate personal data concerning you and, taking into account the purposes of the processing, the right to have incomplete personal data completed, including by means of providing a supplementary statement
You also have the right to obtain the erasure of personal data concerning you where one of the following grounds applies: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data are processed unlawfully; (iii) you have withdrawn the consent on which the Data Controller had the right to process your data there is no other legal ground for the processing; (iv) you have objected to the processing and there are no overriding legitimate grounds for the processing; (v) the personal data have to be erased for compliance with a legal obligation.
However, DRIVALIA may refuse to comply with the foregoing to the extent that the processing is necessary for exercising the right of freedom of expression and information or to comply with a legal obligation or to defend a legal claim.
You also have the following rights:
a) Right to data portability
You have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance.
B) Right to restriction of processing
You have the right to obtain from DRIVALIA restriction of processing where one of the following applies: (i) in case you contest the accuracy of your data, for a period enabling the Data Controller to verify the accuracy of the personal data; (ii) the data are processed unlawfully; (iii) even though your personal data are no longer needed for the purposes of the processing, they are required for the establishment, exercise or defence of legal claims; (iv) pending the verification whether the legitimate grounds of the Data Controller override your objection to processing.
You may exercise your rights by contacting di DRIVALIA S.p.A.’s Customer Care as follows:
The Data Controller shall reply within 30 (thirty) days of receipt, save for a 60-day (sixty-day) extension in light of the complexity and the number of your requests. Following expiration of the foregoing period, you have the right to lodge a complaint with the Italian Data Protection Authority in the form and manner provided for by the applicable law.
8. Transfer of data outside of the European Economic Area
We shall not transfer your data to an extra-EU country or an international organization, save for exceptional and strictly necessary cases. Where necessary, for technical or operational reasons, the same data can be processed in countries located outside the European Union, provided that a reasonable level of protection is assured, based on a specific adequacy decision by the European Commission. Any transfer of your data to non-EU countries, in the absence of an adequacy decision by the European Commission, shall be possible only if the Data Controllers and Processors involved provide adequate guarantees based on contracts or arrangements which provide for data protection. The transfer of your data to countries outside the European Union, in the absence of an adequacy decision or other adequate measures as described above, shall be carried out only where strictly necessary and in the cases provided for by the GDPR and shall be processed in your interest.
9. Data storage period
As a general rule, we store your data at the company only for the time necessary to achieved the above-listed purposes, in accordance with the principle of proportionality and necessity provided for by the laws on personal data protection. In setting the storage period, we refer to the laws applicable to the activities and sectors in which the company operates (for example, anti-money-laundering laws, laws on bookkeeping records) as well as guidance provided by the Italian Data Protection Authority on the protection of personal data through the applicable measures.
Following termination of existing contracts, DRIVALIA shall store your data for an additional ten-year period. As this period expires, we shall erase or anonymize the data. The data shall be kept for a period not longer than that necessary for the purposes for which they were gathered or subsequently processed in accordance with the law.
10. Updates of this information
In case of changes or updates or modifications, this information is provided from time to time or can be found on the web site in the specific section on personal data protection and upon your request.