INFORMATION ON THE PROCESSING OF PERSONAL DATA
Dear Customer,
The Data Controller is Drivalia S.p.A. (hereinafter the "Data Controller" and/or "Drivalia"), with registered office in Turin, corso Orbassano 367, partiva IVA 05406791003.
As detailed in the following sections, your personal data (hereinafter "Data") will be processed for the following macro purposes:
A) execution and management of the contractual relationship;
B) geolocation activity;
C) caring and marketing activities.
A) Performance and management of the contractual relationship
The Data collected during the course of the contract investigation, the signing of the contract, as well as those collected during the contractual relationship with Drivalia, will be processed for purposes strictly related and instrumental to the performance of the pre- andcontractual and/or contractual, the protection of the rights of the Data Controller, as well as the fulfilment of regulatory and regulatory obligations, imposed by the Authority empowered by law, by Supervisory and Control Bodies.
Drivalia reserves the right, at the preliminary stage, to carry out checks and verifications on the Data you provide to the extent permitted by law, through the use of public databases to which the companies of the CA Auto Bank Group have access.
In case of failure of the checks described above, it will not be possible to provide the rental service requested.
In order to prevent the risk of fraud and identity theft, the Data Controller is also authorized to request from its parent company CA Auto Bank S.p.A. . by virtue of a mandate given to the same and in order to carry out a check on the documentation you presented, to interrogate SCIPAFI, System of Protection Against Identity Theft Fraud of which the Ministry of Economy of Finance (MEF) is the owner, managed by Consap S.p.A. with registered office in Rome, via Yser 14, and to use information legitimately held by CA Auto Bank S.p.A. for the same purpose.
The provision of the data required for the purposes referred to in this point is necessary for the conclusion of the contract, and any refusal to provide them will make it impossible to carry out the activities required for the execution of the contract itself.
In addition, the personal data you provide may also be used for internal administrative and management purposes, such as reporting, control and/ or internal audit, study for the definition of new products, as well as for the management of claims and claims or for the improvement of products and services already distributed on the legal basis of legitimate interest.
The Data provided will be processed as strictly necessary for the contractual purposes, in compliance with the principle of proportionality and necessity provided for by the law on the protection of personal data and, after termination of the Contract, for a period of 10 (ten) years, subject to compliance with the deadlines dictated by legal obligations and without prejudice to the different retention periods provided for by the Contract, by another indication of the Owner, by law or by industry regulations.
The collected Data are acquired by Drivalia and its Data Processors both during the subscription and the request of the services offered. In particular, by way of example and not exhaustive, through:
• websites operated by Drivalia;
• telephone calls made by customers to Drivalia booking and/or service centres;
• the request for information necessary to complete the rental contracts concluded within the national and international circuit of Drivalia;
• the request for information necessary to complete the registration forms for the loyalty programs of the Drivalia circuit;
• the websites and/or computer reservation systems used by Italian and foreign travel agencies;
• reports and/or incident reports on rentals;
• communications from other companies linked to the Drivalia circuit by commercial agreements for the purposes of promotion and sale of the Owner’s services.
If you have hired a vehicle equipped with telematic devices, installed in the vehicle, that generate diagnostic data, as well as data regarding the vehicle itself and services that allow connectivity to info entertainment platforms, in order to benefit from the services connected to the aforementioned devices made available by the manufacturer, it is necessary to combine your data with those of the vehicle, therefore Drivalia, in its capacity as Data Controller, will transmit to the manufacturer or to the person appointed by the manufacturer, your identification data, such as, by way of example and not exhaustive, name, surname and email address, necessary to allow you, after appropriate registration, to use the same services.
At the time of returning the vehicle Drivalia will disable the user of the rented vehicle.
In addition, if you have hired electric vehicles or if you need to use the charging service or other similar services via the Drivalia charging columns, for the use of which you must activate the applications installed on the on-board devices (hereinafter "APP")owned by third parties, we inform you that, in the event of any anomalies or malfunctions of the aforementioned APP, you can contact Drivalia’s first level customer service or the company call center, by Drivalia delegate, at the dedicated telephone number (06652111); in this case your requests and/or complaints may be transferred, in compliance with the principles of lawfulness, fairness and transparency referred to in art. 5 of the GDPR. third parties, which, as independent owners, will provide the services related to the use of the APPS or other telematic devices. We therefore invite you to read their privacy policy, if you want to know how your personal data are processed.
The data will be stored by third parties for a period of time not exceeding that necessary for the provision of the requested service. You will always have the right to obtain access to your personal data, rectification or deletion of the same, the limitation of the related processing, the right to object to the processing and the right to data portability.
B) Attività di geolocalizzazione
I veicoli del Titolare sono dotati i dispositivi di antifurto satellitare capaci di geolocalizzare la movimentazione del veicolo.
Il trattamento dei Dati mediante tecniche di geolocalizzazione viene effettuato da Drivalia per la verifica e il controllo della localizzazione del veicolo in caso di furto, smarrimento e/o appropriazione indebita, per la verifica degli adempimenti di obblighi contrattuali (quali ad esempio l’obbligo di utilizzare il veicolo all’interno del territorio italiano e/o nei casi di mancato adempimento al pagamento dei canoni di noleggio), per la tutela dei diritti in sede giudiziaria, nonché per tutela del patrimonio aziendale (ad esempio in caso di mancata riconsegna alla scadenza pattuita). Il trattamento, in quanto finalizzato alla gestione e alla tutela della flotta. non richiede il consenso dell'Interessato in quanto basato sul legittimo interesse del Titolare.
Al fine di tutelare la sicurezza dei conducenti in caso di sinistro, il Titolare tratterà i dati di geolocalizzazione, acquisendo gli elementi utili alla ricostruzione di eventuali sinistri denunziati dal Cliente e/o dalla compagnia assicuratrice di controparte, per localizzare e recuperare il veicolo noleggiato e ricostruire la dinamica di un eventuale sinistro.
For the purposes described above and in order to allow the Customer to use the services of claims management, route monitoring, mileage, assistance and operations center in cases of theft and crash, as well as the stolen vehicle recovery service, Drivalia will use the support of third-party companies, which provide services related to telematic devices, which in any case will not have access to the personal data of customers and will operate according to the instructions given by the Data Controller, reported in the act of appointment as external data controller. In addition, in order to prevent the risk related to the occurrence of the above events, these companies may also provide Drivalia with information, derived from their systems, including geofencing, timefencing, driving style, type of routes and combinations of the above information with telematic data.
The collected data may include, but is not limited to, vehicle identification data (license plate and/or VIN, model, date of registration), GPS coordinates, information on the location of the vehicle in use.
The geolocation data will be stored for 12 (twelve) months from its collection, subject to special requirements of further preservation related to specific requests related to the submission of complaints/complaints and/or investigative needs of the Judicial Authority or the Judicial Police. At the end of the retention period, the data will be permanently deleted, with methods to make them not reusable.
We also remind you that you can always exercise the right of opposition, pursuant to art. 21, paragraph 2, of the GDPR, to the processing of your data by telephone communications by any means carried out, either by operator or by automated call or call systems without the intervention of an operator or by paper mail for the purpose of sending advertising material or direct sales or for the performance of market research or commercial communication, by registering with the Public Register of Oppositions, established by D.P.R. 178/2010 and regulated by D.P.R. 26/2022.
C) Caring and marketing activities
Drivalia, according to the needs assessed on a case-by-case basis and after balancing the activity with the rights and freedoms of the Data Subject, reserves the right to carry out "Caring" activities (by way of example, activities to improve transparency on products for which the Customer has already signed a contract, communication and information activities to the Customer on the advantages it could obtain with respect to the contractual policy it has already signed, carrying out surveys and/or analyses aimed at improving the quality of the services provided and/or the product, etc...)by sending useful documentation to the Customer, who will always be free to exercise the rights mentioned in point H) of this Policy.
Without prejudice to the activities referred to in the previous legitimate interest purposes referred to in point C) that do not require the prior consent of the interested party, personal data will be processed, subject to your consent, for the following purposes:
1) receive promotions regarding the various types of products offered by Drivalia.
This processing includes traditional and unconventional marketing, telemarketing, commercial information, sending of advertising material or carrying out market research, direct sales activities or interactive commercial communications on products, services and other activities of the Data Controller, and refers to any product already active at the time of subscription or activated in the future.
The provision of data is optional and the lack of consent for such processing affects the performance of the activities described above.
You have the right to revoke at any time the consent previously given with regard to the purposes referred to in this paragraph through the methods indicated in letter H).
The Data necessary for the activities referred to in this paragraph will be processed up to 36 (thirty-six) months after their provision or the termination of the contractual relationship and will then be anonymized or deleted.
2) receive only the promotions closest to your preferences and habits.
Such processing includes the analysis of personal data collected in order to evaluate and predict certain personal aspects including the economic situation, preferences, interests, the behaviour, location or movement to limit promotional activities to similar products or promotions based on previous analysis.
The provision of data is optional and the lack of consent for such processing affects the performance of the activities described above.
You have the right to revoke at any time the consent previously given with regard to the purposes referred to in this paragraph through the methods indicated in letter H).
The Data necessary for the activities referred to in this paragraph, will be processed up to 12 (twelve) months after their provision or the termination of the contractual relationship and will then be anonymized or deleted.
3) receive commercial promotions related to products and services offered by other companies.
This processing includes the communication of personal data to partner companies of the Data Controller - including, but not limited to, companies producing and selling vehicles, third parties and/or other companies of the CA Auto Bank Group, and the Crédit Agricole Group, as well as to your reference dealer or dealer and/or manufacturer - for traditional and unconventional marketing purposes, telemarketing, commercial information, sending of advertising material or carrying out market research, direct sales activities or interactive commercial communications about products, services and other activities with regard to third party products.
The provision of Data is optional and the lack of consent for such processing affects the performance of the activities described above.
You have the right to revoke at any time the consent previously given with regard to the purposes referred to in this paragraph through the methods indicated in letter H).
The data necessary for the activities referred to in this paragraph will be processed up to 36 (thirty-six) months after their provision or the termination of the contractual relationship and will then be anonymized or deleted.
We also remind you that you can always exercise the right of opposition, pursuant to art. 21, paragraph 2, of the GDPR, to the processing of your data by telephone communications by any means carried out, either by operator or by automated call systems or by 6 calls without the intervention of an operator or by paper mail for the purpose of sending advertising material or direct sales or for the performance of market research or communication commercial, subscribing to the Public Register of Oppositions, established by the D.P.R. 178/2010 and regulated by the D.P.R. 26/2022.
D) Types of data processed
Drivalia collects the following Customer Data for the purpose of completing the rental agreement in the course of its driverless car rental business:
• name, surname, address, telephone number, e-mail address, place and date of birth, driver’s license details, identity document and tax code.
• company where you work, employee identification and/or registration number.
• information about membership in companies, associations, loyalty programs for the purposes of applying the agreed rates.
• information on the place and time of pick-up and drop-off of the rental vehicle, airlines and flight details used.
• information about past and current solvency related to consumer and/or company surveys.
• information related to incidents that occurred during the rental (also with regard to the data of any counterparties, Public Security Authorities and/or subjects involved in various capacities).
• geolocation data only within the limits of paragraph B) of this policy.
• data relating to the prevention of fraud and identity theft, as referred to in point A above).
E) Recipients of Personal Data
For the various purposes described above and for the related control described above, the Data Controller may communicate your data, always in compliance with the rights and guarantees provided by current legislation, to:
• companies of the Drivalia Group or in any case subsidiaries or associates;
• companies of the CA Auto Bank Group and the Crédit Agricole Group ;
• vehicle manufacturers and vehicle sales companies;
• Your dealer or commercial reference, in his capacity as an entity affiliated with the Owner;
• authorities and supervisory and control bodies and in general subjects, public or private, with functions of public importance, Tax Registry, Judicial Authorities and police forces;
• claims insurance companies;
• persons carrying out data acquisition, processing and processing services necessary for the execution of the orders received from customers;
• vehicle registration agencies and public offices;
• entities providing services for the management of the information system and telecommunications networks (including electronic mail);
• subjects carrying out activities of transmission, bagging, transport and sorting of communications with the interested party;
• subjects who carry out documentation archiving and data entry activities;
• subjects that carry out activities of assistance to the customers (es.: call center, services customers, etc.);
• companies managing national and international systems for fraud control - studies or companies within assistance and advisory relationships;
• entities performing debt collection activities;
• subjects who carry out activities of promotion and sale of products/services of the Owner;
• persons carrying out surveys and/or market research aimed at monitoring the level of quality of services rendered;
• subjects carrying out control activities (such as, but not limited to, control and/or counter-terrorism activities) also on behalf of the parent company CA Auto Bank, review and certification of the activities carried out by the Bank also in the interest of customers;
• subjects to whom the Owner delegates the recovery of the vehicle in case of default of the Customer.
Where necessary, the subjects indicated will be appropriately appointed Data Processors in the forms required by current legislation.
Sharing aggregate or anonymous information
Drivalia may share aggregate or anonymized information within and outside the CA Auto Bank Group with partners such as research groups, universities or advertisers.
Your Data may be aggregated into anonymous statistics that may be offered to professionals to assist them in developing their business. In this case your personal data will never be disclosed and those who receive these anonymous statistics will not be able to identify it.
F) Methods of processing
The processing of data for each of the above purposes will take place by automated and telematic means, and, in particular, by ordinary or electronic mail, telephone (through automated calls, SMS, MMS etc.), and any other computer channel (e.g. websites, mobile apps) and on paper.
G) Data Protection Officer
For any direct contact - formal and urgent, other than exercising your rights under paragraph H) - you may contact the Data Protection Officer via the following contact details:
Email dpo-italia@drivalia.com
H) Exercisable rights
In relation to the processing of personal data listed above, you may request:
• confirmation that personal data concerning you are being processed or not and in this case obtaining access to personal data and the origin of such data, the purposes, methods of processing and the logic applied in the case of processing carried out with the help of electronic tools;
• the updating, integration, rectification, deletion or transformation into anonymous form of personal data concerning you;
• to restrict or oppose the processing of personal data concerning you;
• to receive in a structured, commonly used and machine-readable format, the personal data concerning you or the transmission of the same to another data controller (cd. right to portability);
• proof that the requested transactions have been brought to the attention of those to whom the data have been communicated or disseminated.
You can exercise your rights by contacting Drivalia Customer Care. at the following email address: privacy@leasysrent.it
The Data Controller shall reply to your requests within 30 (thirty) days from their receipt unless extended by 60 (sixty) days, taking into account their complexity and number; You have the right to lodge a complaint with the Authority for the Protection of Personal Data in the forms and ways provided for by current legislation.
I) Data Transfer outside the European Economic Area
Your Data will not be transferred to a third country outside the EU or an international organization, except in exceptional and strictly necessary cases.
If necessary, for technical or operational reasons, the same data may be processed in countries outside the European Union, provided that an adequate level of protection is guaranteed, for which there is a specific decision of adequacy of the European Commission. Any transfer of your personal data to non-EU countries, in the absence of a decision of adequacy of the European Commission, will be possible only if adequate guarantees of a contractual or contractual nature are provided by the Controllers and Processors involved, including standard contractual clauses on data protection or for the sake of brevity "SCC". The transfer of your Data to third countries outside the European Union, in the absence of an adequacy decision or other appropriate measures as described above, will be carried out only where strictly necessary and in the cases and in the manner provided by the GDPR.
L) Aggiornamenti della presente informativa
La presente Informativa in caso di cambiamento o per effetto di eventuali aggiornamenti o modifiche è fornita attraverso comunicazioni periodiche o può essere trovata nel sito web di Drivalia nell'apposita sezione dedicata alla protezione dei dati personali e a Sua richiesta.