Privacy Policy English

DRIVALIA PRIVACY STATEMENT

This privacy policy describes the way in which DRIVALIA Lease Belgium SA - subsidiary in Belgium of DRIVALIA S.p.A. ("hereinafter: DRIVALIA") collects and processes personal data, taking into account the applicable legislation. Personal data means information concerning an identified or identifiable natural person. It is information that can reasonably be traced back to an individual.

1. MANAGER RESPONSIBLE FOR THE DATA AND SUBCONTRACTORS

DRIVALIA (Avenue Hermann Debroux 54, 1160 Auderghem), the Belgian subsidiary of DRIVALIA S.p.A. Corso Orbassano 367, Turin, Italy, is responsible for processing personal data. The competent person is the Chief Executive Officer.

The personal data you have provided may be processed by subcontractors, including external service providers, but only for specific purposes.

2. THE PERSONAL DATA WE PROCESS

2.1. DRIVALIA may obtain your personal data in various ways:

because you personally provide us with your data when concluding a contract, whether or not through an employer or its fleet manager, a dealer or an intermediary;
when you use our products or services, or contact us and provide us with certain information in this way.
when you allow us to record certain data about your interests, behaviour and preferences;
via databases held by official authorities as part of the fight against over-indebtedness, we also have access to data relating to your overall level of indebtedness;
Via third parties such as credit reference agencies, anti-fraud agencies or data brokers.

2.2. The data provided to us, directly or indirectly, is mandatory in certain cases, which is indicated when the data is collected. If this mandatory data is not communicated to us, we will not be able to provide the requested service, conclude the contract or meet our contractual obligations.

2.3 Processing of personal data in the context of a contract.

If you enter into a contract with DRIVALIA, DRIVALIA may require the following personal data about you:

a. name, postcode and address
b. contact details (telephone numbers, e-mail addresses);
c. Date of birth;
d. gender;
e. financial data (bank account information, finance applications, offers, invoices, salary slips for consumers, annual reports for business customers, CCP credit information);
f. copy of proof of identity;
g. Dealer or service partner preferences;
h. customer number(s);
i. national register number;
j. your family and financial situation (income, expenses, other outstanding debts, etc.) and professional situation (employer, position, length of service), your bank details, including a copy of your bank card;
k. your driving licence.

2.4. In addition to the personal data mentioned above, DRIVALIA processes, within the framework of the performance of a contract to which you are a party or to provide you with a service, the following data which are (can be) qualified as personal data:

a. the chassis number and model of the vehicle;
b. the vehicle number plate;
c. the vehicle's ownership history (registration details);
d. other data relevant to the contract concerned.
e. geolocation data: the vehicles are equipped with systems that make it possible to geolocate the position of the vehicle in the event of theft or hijacking of the vehicle, or to obtain useful information for the reconstruction of any accident reported by the user or the related insurance company, or for the fulfilment of legal obligations, including those of a tax or accounting nature, or for the protection of any rights before the competent courts, as well as the fulfilment of legal and regulatory obligations arising from European legislation, or recommendations issued by the authorities and supervisory bodies.

2.5. If you use DRIVALIA's services or if you are in contact with us, we may process the following data as part of our services - depending on the precise use you make of them:

a. data relating to your peripheral equipment, in particular a MAC address, an IP address or other numbers;
b. your communication preferences and settings;
c. data that we associate with certain patterns, for example a status in the profile we draw up of you on the basis of your consumption behaviour (for example: the frequency with which you visit our website, make a purchase or buy a service);
d. browsing behaviour, established on the basis of our own observations or cookies (see also article 6 of this privacy statement);
e. data relating to customer satisfaction;
f. data relating to your use of our customer service.

3. LEGAL BASIS FOR PROCESSING PERSONAL DATA

Your personal data is processed on the following legal grounds:

a. consent
b. performance of a contract with you;
c. legal obligation;
d. to protect your vital interests and those of another natural person;
e. a legitimate interest of DRIVALIA or a third party.

Legitimate interests include: credit assessment, physical protection, (fraud) prevention, IT management and protection, examination and analysis of our own products or services, corporate policy, legal affairs, internal (central) management.

The legal obligations to which DRIVALIA is subject include assessing the customer's creditworthiness, combating money laundering and the financing of terrorism and combating tax fraud.

4. PURPOSES FOR WHICH WE PROCESS PERSONAL DATA

4.1. DRIVALIA processes your personal data for the purposes mentioned below. The letter indicated after each purpose described below corresponds to the basis mentioned in article 3 of this privacy statement.

a. The establishment and maintenance of the customer relationship between you and DRIVALIA, on the one hand, but also with the importer of your vehicle with whom we work together and the dealers or intermediaries from their distribution network, related intermediaries and (financial) service providers Basis: b / e;
b. the handling of complaints and related requests. Grounds: b;
c. carrying out market research and customer satisfaction surveys with a view to improving our management, our brands, services and products and in order to identify customer desires. Basis: e;
d. to approach customers with offers, invitations to events, information, surveys or other commercial information by e-mail, SMS, post or telephone. To this end, you are always free to unsubscribe, or to withdraw your consent insofar as the processing is based on it. For all communications, we indicate how you can proceed. Basis: a / e;
e. improving the content of our communication with you by focusing on your personal preferences. Basis: a;
f. to comply with legal obligations (such as the fight against money laundering and the financing of terrorism, the fight against tax fraud, compliance with banking and financial regulations, responding to official requests from legal authorities, etc.), to settle disputes and to protect our rights. Basis: c / d / e;
g. to associate and analyse information with customer data known to us in order to tailor the content of our communication to your preferences as closely as possible. Basis: a;
h. In order to decide whether a rental contract can be concluded: we have a legal obligation to assess your solvency and your ability to meet your contractual obligations. This assessment may be made on the basis of profiling (automated processing of personal data). The result of this processing will determine the acceptance or refusal of the credit or finance lease application. The customer will always have the right to ask DRIVALIA at the e-mail address privacy-be@drivalia.com for human intervention in the context of this decision or to be heard in order to express his point of view and to contest the decision resulting from the automated processing of his data Basis: a/b/c;
i. Transfer of data to third parties for their own marketing communications: Basis: a Your personal data collected in the context of a consumer credit agreement may never be transferred to third parties for the purposes of commercial canvassing, even if you have given your consent to this effect.

5. THIRD PARTIES INVOLVED IN PROCESSING

5.1 In certain cases, DRIVALIA communicates your personal data to third parties who are independent "data processors". Only data that is strictly necessary to fulfil the tasks of these third parties will be passed on. Below, we explain when this is the case and why. he letter indicated corresponds to the basis mentioned in article 3 of this privacy statement. DRIVALIA may share data:

a. with the importer of your vehicle with whom we work and with the dealers or intermediaries in their distribution network. Grounds: a / b / e;
b. if we suspect a violation of the rights of third parties, punishable offences or abuse, we may provide personal data to third parties who have a legitimate interest in the matter, to supervisory authorities or research bodies. We may also disclose your data to the competent legal authorities when required to do so by law. Basis: c / d / e;
c. with other divisions within CA Auto Bank S.p.A., for the performance of a contract with you or for justified business interests, for example the organisation of central administration or customer service and the analysis of the service we provide to you. Basis: b / e;
d. with parties who assist DRIVALIA with its service and are not subcontractors (think, for example, of accountants and (legal) advisors). Basis: e;
e. for operational purposes (such as the possible sale of the business or shares or a reorganisation). Basis: e;
f. with parties who support DRIVALIA in (direct) marketing activities. Basis: a.

5.2 The provision of personal data to the above-mentioned third parties will only take place for the purposes as set out in this privacy statement and only to the extent that this is mandatory or permitted under the applicable laws and regulations.

5.3 DRIVALIA also uses the services of so-called "subcontractors" (e.g. hosting providers, software providers or parties who organise or carry out actions and research for DRIVALIA). DRIVALIA is required to enter into a subcontractor agreement.

5.4. Within the framework of its contractual relations, DRIVALIA can communicate the data to entities located in countries outside the European Economic Area (EEA), including their recording in databases which are managed by entities which act on behalf of DRIVALIA. The management of the databases and the processing of the data are linked to the purposes of the processing and are carried out in accordance with the applicable data protection legislation, which must ensure an adequate level of protection.

If Data is transferred outside the EEA, DRIVALIA will take all appropriate contractual measures to ensure adequate protection of the Data, including contracts based on the standard contractual clauses adopted by the European Commission to regulate the transfer of personal data outside the EEA.

5.5 DATA PROCESSING FOR ITSME ® : This process involves the use of "itsme®". itsme® is a Belgian identification application that allows users to confirm their identity and approve transactions. To carry out remote recognition, the potential customer must already have an itsme account. Identity information is obtained by the potential customer's access to the application and subsequent authorisation.

The exchange of information between the application and InfoCert, located at Piazza Sallustio 9, 00187 Rome, acting as data processor, takes place in a reliable and secure manner.

To carry out this process, InfoCert, relies on eID Easy (an Estonian company founded in 2016 and part of the InfoCert Group, acting as InfoCert's secondary subcontractor).

The types of personal data processed by InfoCert within its-me are: Identification data, document data and address data.

The purpose of the processing of personal data in the process is the remote recognition of the customer.

You have the right to obtain from InfoCert: access to your personal data, rectification or erasure, restriction of processing, the right to object to processing and the right to data portability.

InfoCert keeps your data in a form that allows identification for a period that does not exceed the fulfilment of the purposes for which the data were collected.

You will always exercise your rights in accordance with the following articles: Article 15 (Data subject's right of access), 16 (Right of rectification), 17 (Right to erasure of data ("right to be forgotten" ), 18 (Right to restriction of processing), 19 (Obligation to notify rectification or erasure of personal data or restriction of processing), 20 (Right to data portability), 21 (Right to object) and 22 (Automated individual decision-making, including profiling) of EU Regulation 2016/679.

5.6 PROCESSING DATA FOR BELGIAN E-ID: This process involves the use of an "e-ID", the eID is a Belgian electronic identity document (with a chip) that enables you to carry out electronic transactions. The e-ID process is a digital identity system notified under the eIDAS regulation.

The elements required for this process are the e-ID, the PIN supplied by the Belgian government and the specific software installed on the user's computer.

Once the potential customer has consented, the identification data is sent to InfoCert, located at Piazza Sallustio 9, 00187 Rome, which acts as data processor, to validate the user's identity. To carry out this process, InfoCert relies on its partner Connective, which acts as InfoCert's sub-processor. The types of personal data processed by InfoCert as part of the Belgian eID solution are as follows: Identification data, document data and address data.

AI is not used in data processing.

The purpose of processing personal data as part of the e-ID process is remote customer recognition.

You have the right to obtain from InfoCert: access to your personal data, rectification or erasure, restriction of processing, the right to object to processing and the right to data portability.

InfoCert retains your data in a form that allows identification for a period that does not exceed the fulfilment of the purposes for which the data was collected.

6. RIGHTS OF DATA SUBJECTS

You may exercise the following rights:

Right to information: you have the right to know that your data is being processed and why.
Right to consult your data: you may at any time ask an organisation to consult the data it holds on you. You can even request a copy to check that your data is correct.
Right of rectification: you can have incorrect data rectified or incomplete, irrelevant or prohibited data deleted free of charge.
Right to have your data transferred: you can request that your data be transferred from one organisation to another. The first organisation cannot object.
Right to withdraw your consent: have you given your consent to the processing of your data in the past? If so, you may withdraw your consent at any time. No further explanation is required.
Right to erasure of data: the data of the person making the request must be erased as soon as possible.
Right to object to the processing of your personal data and to automatic decisions: you may request that your data no longer be used, unless there are compelling reasons for doing so.
Right to restrict processing: this right may be exercised in three cases: you dispute the accuracy of your data, your data has been obtained unlawfully and the organisation in question no longer needs your data.

Data subjects may exercise the aforementioned rights by sending a dated and signed letter, together with a copy of both sides of their identity card, to DRIVALIA, Avenue Herrmann Debroux 54, 1160 Auderghem, or by sending an e-mail to:
privacy-be@drivalia.com.

You may only exercise your privacy rights to the extent that the law grants them to you, which is limited to the extent to which the performance of the contract remains possible or if this is not contrary to legitimate interests. You may also lodge a complaint with the Data Protection Authority, rue de la Presse, 35, 1000 Brussels, enclosing with your letter all the information required to examine your request.

7. MARKETING, PROFILING AND COOKIES

7.1 DRIVALIA may use cookies (small text files that are placed on your computer) to analyse the route you take to access the DRIVALIA website. This allows us to record user activity on the website and to evaluate and improve our website so that it better meets your needs. You can set your browser so that it does not accept cookies or warns you when cookies are being sent

7.2 In addition to the above, the following applies. Our website uses Google Analytics, a web analysis service provided by Google Inc ("Google"). Google Analytics uses cookies to help the website analyze how users use the site. The information generated by a cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. We use this information to :

a. keep track of how you use the website;
b. compile reports on website activity for DRIVALIA;
c. provide other services relating to website activity and internet usage.

7.3 Google acts as DRIVALIA's subcontractor. However, Google may provide this information to third parties if it is legally obliged to do so or insofar as these third parties process this information on behalf of Google. Google will not combine your IP address with any other data held by Google.

7.4 You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. Please note, however, that if you do this you may not be able to use the full functionality of this website.

8. INTERACTION WITH SOCIAL NETWORKS

8.1. Customer support via social networks

You may also contact us via our social networking channels. For example, if you send us or post a message on our social networking pages, we may use the information contained in your message or post to contact you regarding the question/request. In order to provide you with the assistance requested, we may ask you to provide, by direct or private message, additional information such as details of the problem, your name, email address, vehicle identification number (VIN), telephone number, location (city/state) and/or the make, model and year of the vehicle. The information you provide will not be used for direct marketing purposes; market research aimed at improving services and products will only be carried out on the basis of aggregated (anonymous) data.

Please note that you must not include any sensitive data (such as information on racial or ethnic origin, political opinions, religious or philosophical beliefs, or health) in your message. When you publish a message on the public space of a social network, anyone can read it.

8.2. Links to social networks

Our website includes links to social networks.

In order to protect your personal data when you visit our website, we do not use social plug-ins. Instead, HTML links are integrated into the website, allowing easy sharing on social networks. The integration of such a link prevents a direct connection with the various social network servers when a page on our website is opened. By clicking on one of the buttons, a window opens in the browser and directs the user to the website of the social network concerned, where (after logging in) they can use the "Like" or "Share" button, for example.

For more information on the purpose and scope of data processing and the subsequent use of your personal data by the social networks and their websites, as well as your rights and possible settings to protect your privacy, please refer to the data protection information notices of each social network.

Facebook: http://www.facebook.com/policy.php

Twitter: https://twitter.com/privacy

Instagram: https://help.instagram.com/155833707900388

You Tube: https://www.google.de/intl/de/policies/privacy/

LinkedIn: https://www.linkedin.com/legal/privacy-policy

9. PROTECTION

We have taken appropriate technical and organisational measures to protect your personal data from unauthorised or unlawful processing, loss, destruction, damage, alteration or publication.

10. RETENTION PERIOD

We do not keep your personal data longer than is necessary for the purposes for which it was obtained, unless we are legally obliged to keep it longer or are entitled to do so if there is a need to do so.

Recordings of telephone and electronic communications (sms, e-mail, instant messaging, etc.) made by DRIVALIA in order to ensure the training and supervision of its employees will be kept for a maximum of one month. Such recordings made in order to provide proof of a commercial transaction or of remarks exchanged during these communications with DRIVALIA employees, credit or insurance intermediaries, call centres or other DRIVALIA subcontractors will be kept for the period during which the agreement concluded during storage may be challenged in court.

Data that is processed for Marketing and Marketing Profiling purposes is retained by the Company from the time you give your consent until the time you withdraw your consent. Once consent has been withdrawn, the data is no longer used for these purposes although it may still be retained by the Company, particularly if this is necessary to protect the Company's interests in relation to potential liability in connection with such processing, unless clarification is given by the Supervisory Authority.

We will normally delete your data within 10 years of ceasing to provide services to you, unless we are legally obliged to retain your personal data for longer or are entitled to do so if there is a need to do so.

11. CHANGES TO THIS PRIVACY STATEMENT

11.1 We reserve the right to unilaterally amend or supplement this privacy statement. We will inform you of any changes in an appropriate manner. We advise you to consult our privacy statement regularly.

This privacy statement was last updated on 20 August 2023.

12. CONTACT WITH DRIVALIA BELGIAN SUBSIDIARY OF DRIVALIA S.P.A.

If you have any questions or comments about this privacy statement or the processing of personal data, you can contact us by post:

DRIVALIA Lease Belgium SA

For the attention of the Complaints and Privacy Coordinator

Avenue Hermann Debroux 54

1160 Auderghem

or by e-mail at the following address: privacy-be @drivalia.com