Disclosure on personal data processing (Data Protection Code - Italian Leg. Decree No. 196 dated 30 June 2003 - Article 13)
The companies Europcar Italia S.p.A., a sole shareholder company, subject to the management and co-ordination of Europcar International SASU, Europcar International SASU and Europcar Information Services (hereinafter, together, the “Companies”) provide disclosure that they are the data controllers of your information qualified as personal data in accordance with the Code for the protection of personal data (Italian Leg. Decree No. 196 dated 30 June 2003 - Data Protection Code) and that they will proceed with the related processing for the purposes and using the methods indicated further on.
This disclosure, provided pursuant to Article 13 of Italian Legislative Decree No. 196 dated 30 June 2003 (Data Protection Code), will permit you to gain awareness of all our processing policies for the data we collate, both so as to comprehend how your personal information is handled when you use our services (care of the commercial premises and our rental office) and when you use the on-line service made available in all the sections of the website www.europcar.it (hereinafter “Website”) where you are requested to provide personal data. This is for the purpose of permitting you to grant express, informed, aware and specific consent for the processing of your personal data irrespective of the communication means and the purposes for which you come into contact with the Companies.
With regard to the collation of the data on this Website, you are hereby reminded that in the various sections where we collate your personal data, additional and specific disclosure is also published pursuant to Article 13 of the Data Protection Code (or pursuant to the specific legislative provisions contained in the General Provisions of the Data Protection Authority) for your necessary perusal before the provision of the requested data.
The information and the data provided by yourself or otherwise acquired within the sphere of use of the Website will be subject to processing in observance of the provisions of the Data Protection Code (the full version of which you can find on the website of the Data Protection Authority www.garanteprivacy.it), the Recommendations of the European Data Protection Authority Group No. 2 dated 17 May 2001 and the confidentiality obligations which inspire the activities of the Companies.
The processing of personal data is understood to be any operation or series of operations, also carried out without the aid of electronic instruments, concerning the collation, registration, organisation, conservation, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, disclosure, cancellation and destruction of the data, even if not registered in a database.
We hereby inform you therefore, that this data will be processed manually and/or using computerised or on-line means for the following purposes.
A. Primary purposes of the personal data processing.
The access to and navigation of the Website are unrestricted, but the possibility of availing of certain on-line services available on the Website and/or on third party websites which can be reached from the Website is permitted solely if the data subject registers. The registration process involves the compilation of an on-line form in which the data subject is requested to indicate their personal data - some must be input on a mandatory basis - for the activation of the authentication credentials (login + password) by means of which the data subject will subsequently access all the areas and the services of the Website reserved for the registered data subjects.
Therefore, in the first instance, the primary purposes of the processing are represented by the need to permit activation of various types of user profiles on the Website (e.g. creation of the “driver profile”, creation of the customer profile so as to make the reservation for the vehicles on-line on the Website, etc.). The registered users, once authenticated on the site, are then enabled to use specific services made available on-line on the Website. The primary and principal purposes of the processing of the user’s data are to permit the same to access the web pages of the Website where it is possible to use on-line services and pre and post-contractual assistance services for the handling of each consequent contractual, administrative, technical or legal profile. With reference to this latter processing, the purpose is also that of handling any type of request for assistance - technical, commercial and/or contractual in nature - received by the Companies and provide the related responses to the customers.
The processing we intend to carry out also has the purposes which follow and which do not pertain solely to the collation of the data on-line, but also refer to all the means, procedures and services - including off-line - used by the Companies to collate your personal data:
a) establishing and executing the obligations deriving from the rental and/or resale agreements relating to second-hand vehicles (remarketing) and/or from the provision of the main services or those which are accessory or associated with the type of contract requested;
b) handling of the payments (with related processing - as per the legal terms - of the payment data, including the identifying details of the credit cards if this payment instrument is chosen by the customer) for the services requested and any accessory charges for the services, on the basis of the matters envisaged by the General Rental Terms and Conditions and/or other specific contractual conditions published in the Website or made available to the customer in another manner;
c) fulfilment of legal, accounting, tax, administrative and contractual obligations connected to the relationships existing, or to be established, or the provision of the services requested;
d) handling of the dealings with third party bodies for the purposes associated with insurance relationships or relationships - in a general sense - inherent to the administrative or legal documentation which concerns the vehicles (e.g. transfers of ownership) or with relationships with suppliers (e.g. repair shops, etc.);
e) handling of dealings with third party bodies represented by sector and/or category associations;
f) handling of dealings with authorities and third party public bodies for purposes associated with particular requests, the fulfilment of legal obligations or particular procedures (e.g. re-notification to the effective offender of notices of contestation of violation of the norms of the Highway Code);
g) drawing up of measures inherent to protection against credit risk, including the activities aimed at identifying the customer, ascertaining the veracity of the data provided, their economic reliability/solvency, also during the relationship;
h) drawing up of measures inherent to the protection of company assets (e.g. vehicle fleet);
i) drawing up of measures inherent to the protection of the staff of the companies against any acts carried out by customers and which are illicit or fraudulent or in any event in violation of the contract or the provisions of the law or the principles of correct conduct in the commercial relationships, including the activities and the processing aimed at identifying the individual responsible for these acts and keeping the related information for subsequent legal protection decisions or those of another type by the Companies;
j) collation, conservation and processing of your data for carrying out statistical analysis in anonymous and/or aggregate form, without the possibility of identifying the user, aimed at checking the quality of the services offered;
k) collation and conservation of your data within the sphere of the checks on the quality of the service provided to the user, including therein the data collated indirectly by means of registration of the telephone calls of the user to the call centres of Europcar (for example for the purposes of telephone reservation of the Companies’ services), telephone contacts which are recorded and subsequently examined by sample check to verify the quality of the services provided by the operators of the call centre contacted (the Europcar call centres, if abroad, in any event have headquarters in European Union nations and the related companies supplying the services are appointed as Data supervisors).
Within the sphere of the afore-mentioned primary purposes of the processing as per letter (h) above, we hereby inform you that in the event of use of the vehicle rental services, the vehicle may be equipped with an “event data recorder” type satellite device with geolocalisation and georeferencing functions which albeit referring to the vehicle could in any event involve - also indirectly - processing of personal data of the driver by means of subsequent identification of the same.
In such possible cases, Europcar Italia S.p.A. intends to pursue the following processing ends:
a) optimisation of its vehicle fleet, for the purpose of increasing the safety of its assets represented by the fleet against illegal acts (e.g. theft, damage, etc.);
b) increase the safety of the customers and the drivers (e.g. prompt assistance and intervention based on geolocalisation in the event of accidents);
c) optimisation of the financial management, with a view to reducing the costs (e.g. the recovery of stolen vehicles directly affects the costs and the assets in the event of self-insurance; the monitoring of information makes it possible to improve the business operations with important savings in terms of business costs);
d) improve the relationship with the customers reducing cases of dispute in the event of accident and optimise the insurance operations (the appraisal of the damage and the precise awareness of the dynamics of the accident via information collected from the event data recorder permit - on the one hand - the correct assignment of the same as well as the precise allocation, and on the other hand the checking of the accidents, with a view to civil liability, simplifies the allocation, appraisal and damage settlement procedures in dealings with the insurance companies);
e) optimise the life cycle of the vehicles by means of statistical analysis (distances, mileage, etc).
The processing of the associated personal data would possibly be performed with the aid of electronic (including therein the event data recorder) and on-line instruments made available by external supplier companies, appointed specifically as external data processing supervisor and equipped with detailed instructions for the purpose of defining the sphere of permitted processing.
We hereby inform you that the operations of the event data recorder system with regard to personal data processing are authorised without the need for the customer’s consent by a specific provision issued by the Data Protection Authority vis-à-vis Europcar Italia S.p.A. further to the accomplishment of the prior checking procedure envisaged by Article 17 of the Data Protection Code.
A.1. Communication and divulgation of the personal data for the pursuit of the primary purposes of the processing.
In all the cases illustrated above - and on the basis of the applicable regulations of the Data Protection Code - the Companies may communicate the personal data externally to all the parties whose intervention in the processing is necessary on the basis of the services requested by the data subject.
Furthermore, for the pursuit of the primary purposes, the data may be communicated to any other external third party when the communication is mandatory by virtue of the law or for the correct fulfilment by the Companies of contractual, pre-contractual and post-contractual services (e.g. technical assistance and request for support or forwarding of complaints presented by the customer vis-à-vis an outside supplier of goods and/or services associated with the rental relationship).
With reference to the sphere of communication of your data, we hereby inform you that the information provided may be communicated to, or be made known to, the following parties or categories of parties:
1. law enforcement agencies, armed forces and other public administration bodies, for the fulfilment of obligations envisaged by the law, by regulations or by EU legislation. This sphere of communication also includes the legal communications to the relevant authorities - pursuant to the matters envisaged by Article 126 of the Highway Code or by the Circular of the Home Office No. 300/A/1/44248/109/16/1 dated 12 August 2003, as amended further to the sentence of the Constitutional Court 27/2005 (and including any subsequent amendment and integration) - in the event it is necessary to re-notify or arrange for the re-notification by third parties (in the cases for example of re-notification carried out by third party companies with which the Companies have rental agreements for vehicles - owned by said companies - which are subsequently rented to its customers by the Companies) to yourself of sanctions applied further to violation of the provisions of the Highway Code during use by yourself of a vehicle which Europcar is the registered owner of and with respect to which you emerge as the effective driver;
2. associated and/or subsidiary companies of the Companies, as well as parent companies (possibly with headquarters abroad), as well as enterprises, consortiums and/or other corporate bodies in which the companies participate in the capacity of shareholder/partner;
3. consultants and/or partners of the Companies, including the companies or other bodies with which agreements or arrangements are in force for the rental of vehicles subsequently intended for use by employees or another type employed by said companies or said bodies;
4. the insurance companies responsible for the settlement of the claims;
5. companies, bodies, consortiums and associations which exercise credit protection activities;
6. companies and parties contractually tied to the Companies which carry out claims handling activities.
Also in the event of communication/transfer abroad of the data, the related handling will take place in complete observance of the matters envisaged by Articles 42-45 of the Code, by the European Union Directive No. 46/95/EEC for transfer within the EU, and by the current General Authorisations relating to the transfer abroad of personal data to third party countries not belonging to the European Union.
It may occur that, in relation to specific activities associated with the execution of the rental agreement (e.g. claims handling), the Companies may proceed with the collation and processing of your sensitive data, as defined by Article 4.1, letter (d) of the Code. In detail, Europcar could go ahead with the processing of medical data or that suitable for revealing your state of health. In such cases, for which your written consent is required, we hereby inform you that the Companies will proceed with the processing in complete observance of the matters envisaged by the Code and by the General Authorisations of the Data Protection Authority in force applicable with regard to sensitive data processing. Your sensitive data, which will not be disclosed in any way, may be communicated only to the following categories of parties:
1. law enforcement agencies, armed forces and other public administration bodies, for the exclusive fulfilment of obligations envisaged by the law, by regulations or by EU legislation, cases in which Article 26 of the Code excludes the obligation to acquire the prior consent of the data subject;
2. insurance companies responsible for the settlement of the claims;
3. companies or parties contractually tied to Europcar which carry out claims handling activities.
Pursuant to Article 13.1, letter d), we hereby inform you also with regard to the parties or the categories of parties to whom your personal data may be communicated or who may become aware of the same, for the same purposes specified herein, in the capacity of Data supervisors or Individual in charge of processing: employees of the Companies, outside individuals in charge of processing operating care of rental units throughout Italy and with whom the Companies have entered into a franchising relationship, managers and operators of the website www.europcar.it, agents of the Companies, franchisees, all subject to the same confidentiality obligations. The data may also be made available to the parent company Europcar International SASU with headquarters in Paris (France) or other companies belonging to the Holding Company or in any event associated or subsidiary companies, for the same purposes specified herein.
In conclusion, your personal data will not be subject to divulgation, unless in the cases envisaged by law.
A.2. Mandatory or optional nature of the consent for the pursuit of the primary purposes of the personal data processing.
In all the cases illustrated above in Sections A and A.1 (for the hypotheses of communication to third parties) - and on the basis of the applicable regulations of the Data Protection Code - the Companies are not obliged to acquire the specific consent to process from the data subject. All the processing illustrated above in fact pursues primary purposes for which Article 24 of the Data Protection Code excludes the need to acquire the specific consent of the data subject, either because the processing is necessary for fulfilling an obligation envisaged by the law, by a regulation or by EU legislation or because the processing is necessary for fulfilling obligations deriving from a contract which the data subject is party to or for fulfilling, before the finalisation of the contract, specific requests of the data subject or, in conclusion, because the exchange of the information concerns the communication of data between parent, subsidiary or associated companies pursuant to Article 2359 of the Italian Civil Code or with companies subject to joint control for administrative-accounting purposes. Given that “administrative-accounting purposes” are understood to be the processing associated with the performance of the organisational, administrative, financial and accounting activities, irrespective of the nature of the data processed and that, specifically, the internal organisational activities pursue the same purposes along with those functional for the fulfilment of the contractual and pre-contractual obligations, the keeping of the accounts and the application of the tax-related provisions, the data subject is understood as specifically informed of such processing (e.g. accounting fulfilment for payments made, tax fulfilments on services acquired in the Website, administrative management of the user positions, etc.) as required by Article 24.1, letter i-ter).
If the data subject does not intend in any event to confer the personal data required and necessary on the basis of the matters stated above, it will consequently be impossible to establish contractual relations as per the services offered by the Companies, as well as the impossibility - for the activities on this Website - to proceed with registration on the Website and use all the services for which the registration and/or conferral of the data are in any event technically and contractually mandatory (however it would remain possible to navigate the Website as unregistered and anonymous user and view just the contents and materials available without registration).
B. Secondary purposes of the personal data processing for promotional, advertising and marketing ends.
The personal data collated may also be processed, both in hard copy mode (e.g. compilation of forms, coupons and similar care of the physical premises of the companies and subsequent use electronically on the Website) and using automated/computerised methods, for the following purposes which are specified below as required by the General Provisions of the Data Protection Authority dated 4 July 2013 containing the Guidelines for contrasting spam: commercial promotion, advertising communication, consumer buying habit canvassing, market research, surveys (including telephone, on-line or via forms), statistical processing (in identification form) and marketing in a general sense (including prize competitions, games and other similar prize initiatives not falling under the discipline as per Italian Pres. Decree No. 430/2001) for products and/or services referable to the Companies (hereinafter, jointly, “Processing for Marketing Purposes”). By means of the granting of consent to Processing for Marketing Purposes - on the basis of the procedures available from time to time or on this Website in the specific sections or care of the commercial premises for the gathering of the specific marketing consent in format - the data subject specifically takes due note of these promotional, commercial and marketing ends of the processing in a general sense (including the consequent operational and administrative activities) and expressly authorises - once the consent has been given on the basis of the envisaged procedures - said processing both pursuant to Article 23 of the Data Protection Code (in that the Companies intend to use means for the Processing for Marketing Purposes such as the telephone with operator or other non-electronic, non-online means or not supported by automatic, electronic or on-line mechanisms and/or procedures, including therein manual means of contact or via snail mail) and also as per Article 130 of the Data Protection Code (since the Companies intend to use means for the Processing for Marketing Purposes such as e-mail, fax message, SMSs, MMSs, automatic systems without operator and similar, including electronic platforms and other on-line means).
Pursuant to the General Provisions of the Data Protection Authority dated 15 May 2013 entitled “Consent to personal data processing for “direct marketing” purposes using traditional and automated contact instruments”, the attention of the data subjects is specifically drawn to the fact that:
- the consent possibly given for the sending of commercial and promotional communications, on the basis of Article 130, sections 1 and 2, of the Code (in other words by means of the use of e-mail, fax message, SMSs, MMSs, automatic systems without operator and similar, including electronic platforms and other on-line means), will imply the receipt of said communications, not only via said automated contact methods, but also via traditional methods, such as hard copy mail or calls via operator;
- the data subject’s right to oppose the processing of their personal data for “direct marketing” purposes by means of the afore-mentioned automated contact methods, will extend in any event to traditional methods and, also in this case, the possibility of exercising this right in part is unaffected, as envisaged by Article 7.4 of the Code, both with respect to specific means and with respect to specific processing;
- the possibility for the data subject - who does not intend to give their consent as indicated above - to show their possible desire to receive communications for the afore-mentioned marketing purposes exclusively via traditional contact methods, where envisaged, remains unaffected; this wish may be exercised free-of-charge by sending an e-mail to the following address: email@example.com.
- For the purposes of the principle of fulfilment of the privacy obligations for the data controller in observance of the principles of simplification of said fulfilments (Article 2 of the Code) and pursuant to the General Provisions of the Data Protection Authority dated 15 May 2013 entitled “Consent to personal data processing for “direct marketing” purposes using traditional and automated contact instruments”, the Companies hereby inform you that the specific consent formula available on the basis of the procedures for gathering consent envisaged from time to time will be single and comprehensive and will make reference to all the possible means of marketing processing, as per Articles 23 and 130 of the Code, without prejudice to the possibility for the data subject to inform the Companies care of the following address: firstname.lastname@example.org of a different wish both with regard to the use of certain means and not of others for the receipt of the marketing communication subject to consent. Furthermore, again for the purposes of the principle of fulfilment of the privacy obligations for the data controller in observance of the principles of simplification of said fulfilments (Article 2 of the Code), the Companies also hereby inform you that the specific consent formula will be single and comprehensive and will also make reference to all the different and possible marketing purposes clarified herein (without in other words multiplying the consent formulas for each distinct marketing purpose pursued by the data controller) without prejudice to the possibility for the data subject to inform the Companies, also subsequently, of a different selective wish both with regard to consent or refusal of consent for individual marketing purposes.
In order to go ahead with the Processing for Marketing purposes, it is mandatory to acquire specific, separate, express, documented, prior, informed, free and entirely optional consent.
Consequently, if the data subject decides to provide specific consent, they must be informed in advance and be aware that the processing purposes pursued are of a specific commercial, advertising, promotional and marketing nature in a general sense. With a view to absolute transparency, we therefore inform you that the data will be collated and subsequently processed on the basis of specific granting of consent:
- for sending the data subjects who have provided their informed consent, advertising or informative material (e.g. Newsletters), of a promotional nature or in any event for commercial canvassing purposes, as per Articles 23 and 130 of the Data Protection Code;
- for carrying out direct sales activities or those for the placement of products or services of the Companies;
- for sending commercial information; making interactive commercial communications also pursuant to Article 58 of Italian Legislative Decree No. 206/2005 via the use of e-mail;
- for drafting studies, research, market statistics and carrying out surveys, polls and similar both via telephone and using electronic communication mediums;
- for sending unsolicited commercial communications as per Article 9 of Italian Legislative Decree No. 70 dated 9 April 2003 acknowledging the so-called Directive on E-Commerce 2000/31/EEC, which envisages that unsolicited commercial communications must be immediately and unequivocally identifiable as such and contain indication that the recipient of the message can oppose receipt of such communication in the future.
With reference to the sending of Newsletters via e-mail which you may possibly consent to, we hereby inform you that the electronic contents of these communications of a promotional nature may be assisted by software (such as cookies or web beacons) capable of informing the Companies of a series of parameters such as by way of example: moment of opening the Newsletter, pages of Newsletter viewed, links clicked on inside the Newsletter, links to the websites of the Company directly from the Newsletter. These parameters, which will not represent profiling of the recipient, have the aim of informing the Companies with regard to certain statistical data regarding bookings of services generated from various sources.
Therefore, by providing optional consent, the data subject specifically takes due note and authorizes this additional, possible secondary processing.
In any event, also if the data subject has provided consent to authorise the Companies to pursue all the purposes mentioned from points 1 to 5 above, they will in any event remain free at any time to revoke the same, sending a clear communication in this sense without any formality to the Company at the following e-mail address: email@example.com. Further to receipt of this opt-out request, the Companies will be responsible for promptly removing and cancelling the data from the database used for the Processing for Marketing Purposes and informing any third parties to which the data has been communicated for the same cancellation purposes. The mere receipt of the cancellation request will be automatically valid as confirmation of cancellation.
B.1. Communication and divulgation of the personal data for the pursuit of the secondary purposes of the processing.
With regard to the same purposes as per numbers 1 to 5 in Section B above, the Companies disclose that the data could also be communicated to commercial third party partners. The consent to Processing for Marketing Purposes by the Companies who are the data controllers - if provided by the data subject - does not cover the different and additional marketing processing represented by communication to third parties of data for the same purposes. In order to proceed with this communication externally (currently not carried out by the Companies, but possible in the future) it is mandatory to acquire further, separate, additional, documented, express and entirely optional informed consent from the data subject.
As in fact clarified in the General Provisions of the Data Protection Authority dated 4 July 2013, containing the Guidelines for contrasting spam:
- relating to the communication to third parties for marketing purposes in general, the communication or transfer to third parties of personal data for marketing purposes cannot be based on the acquisition of a single and generic consent granted by the data subjects for said purpose;
- the data controller who intends to collate the personal data of the data subjects also so as to communicate the same (or transfer it) to third parties for their promotional purposes, must provide the same with suitable disclosure in advance which also identifies each of the third parties or, alternatively, indicates the categories (economic or commodity), they belong to;
- it is necessary that the data controller acquires specific consent for the communication (and/or transfer) to third parties of the personal data for promotional purposes, as well as separate from that requested by the same data controller for carrying out promotional activities itself;
- if the data subject gives such consent for the communication to third parties, the latter may carry out promotional activities vis-à-vis the same using the automated methods as per Article 130, sections 1 and 2 of the Data Protection Code without having to acquire new consent for promotional purposes.
This communication externally could have the following characteristics, according to the circumstances:
- communication of the data of the data subject by the Companies to third parties in general who possibly collaborate with the Companies (for example within the sphere of co-branded marketing ventures) or are delegated on the basis of service contracts to forward the commercial communications to the data subject or are outsourcers appointed contractually (and appointed data supervisors) to perform the Processing for Marketing Purposes in the name and on behalf of the Data controllers; in this case, the recipients of the communication may base themselves in the same specific marketing consent (and on that to the communication to third parties for the same purposes) already possibly granted by the data subject to the Companies.
- permit the Companies (also pursuant to Article 16 of the Data Protection Code, for any reason - also onerous - to any third party and also within the sphere of commercial transactions concerning the sale or purchase of databases for the same commercial purposes specified above), to sell the databases (for the pursuit by third parties of purposes compatible with the original ends) containing personal data of the data subjects who have given their informed and aware consent.
Pursuant to the General Provisions of the Data Protection Authority dated 4 July 2013 containing the Guidelines for contrasting spam, the third parties receiving the communications of personal data of the data subjects for subsequent Processing for Marketing Purposes, can be identified with reference to the following commodity or economic category: publishing, sporting companies, suppliers of electronic communication services and goods, Internet service providers, communications agencies, companies which provide insurance and financial services, companies in the food and catering, clothing, ICT hardware and software industry, banks and lending institutions, travel agencies, companies which offer services in the tourism sector, companies which offer personal services and goods, including health-related goods and services, companies which supply goods and services in the Energy and Gas field.
The personal data will not be subject to divulgation.
In the event that - for the purposes illustrated above in section B and B.1 - a fixed or mobile telephone number is involved which the data subject has optionally indicated (where envisaged in the forms on the Website and where applicable) also giving optional and specific consent to the processing of this personal data for the purposes of commercial promotion and marketing in a general sense, we hereby inform you that the Companies and any third parties may legally use the telephone number for marketing purposes even if it is registered in the Public Register of Oppositions, since it is obtained from a source other than public telephone directories and covered by specific consent. For the utmost transparency and respect of privacy, the Companies therefore request the data subject to evaluate with particular attention the indication (in any event not mandatory) of telephone numbers on the forms.
B.2. Mandatory or optional nature of the consent for the pursuit of the secondary purposes of the personal data processing.
We specifically draw your attention to the fact that the conferral of the personal data to the Companies and the provision of both consent to the Processing for Marketing Purposes and distinct consent to communication to third parties for the Processing for Marketing Purposes (if carried out in the future) for the ends and as per the formalities illustrated above are absolutely optional (and in any event revocable without formality also subsequent to the concession sending an e-mail to firstname.lastname@example.org) and failure to grant such consent will not lead to consequences other than the impossibility for the Companies and any third party to proceed with the processing for marketing purposes mentioned.
In the event of refusal of marketing consent, there will be no interference with and/or consequence on the transactional, contractual or other types of relationships whose personal data processing falls within the primary processing purposes as per Section A.
C. Processing of the personal data of the data subjects for the commercial profiling of the same.
It is possible that for marketing purposes and improving the services and the functions of the Website, the Companies take steps to process so-called “profiling” data. On the basis of the matters indicated by the Data Protection Authority, the profiling activities may concern “individual” personal data or “aggregate” personal data deriving from detailed individual personal data.
In order to clarify what “profiling” involves, it is possible to make reference to the following parameters by way of example:
- the data is structured and co-ordinated on the basis of pre-defined parameters identified as and when, according to the business needs (irrespective of the marketing, contractual, administrative, etc., ends);
- the initial data, considered individually, can include personal data of a mixed nature, including data of a contractual nature and data relating to consumption made, but it is only after the profiling (in other words the structuring according to pre-established parameters) that it is possible to gather further indications referable to each data subject, further indications (in other words the “profile”, for example, consumer bracket, level of expense incurred, active services, commercial attitude, etc.) which would not derive from the mere informative attitude of the data singularly or separately considered. In other words, the profiling in a strict sense may lead to the availability of a wealth of information which goes well beyond the information considered individually and relating to each data subject;
- furthermore, the profiling in a strict sense provides an added value provided by the multiple correlations which it is possible to establish between the individual datum collated, for the purpose of gaining additional useful information.
Elements underlying profile processing are therefore: 1) the pre-determination of the parameters for the structuring of the data considered individually; 2) the comparison, the cross over, the placement in relation of said data together and the comparative analysis carried out on the basis of pre-defined parameters (in other words the cataloguing of the individual data in clusters); 3) the attainment of a profile by means of the above activities and which makes it possible to identify the data subjects and the additional analytical indications with respect to the individual datum relating to their personal sphere (tastes, preferences, habits, needs and consumer choices) and also permit the generation of the mapping/segmentation in standard groups of behaviour (dynamic creation of behavioural profiles).
The processing illustrated above will be defined hereinafter as “Profile Processing”.
In order to proceed with Profile Processing it is mandatory to acquire specific, separate (also from the marketing consent as per sections B and B.1. above), express, documented, prior and entirely optional consent. The Companies could proceed with the following Profile Processing, as in the case of:
- number and type of rentals carried out in the pre-established period of time;
- frequency of use of the services;
- other indices aimed at identifying the purchasing preferences and habits.
Consequently, if the data subject decides to provide specific consent, they must be informed in advance and be aware that the processing purposes pursued are of a specific commercial, advertising, promotional and marketing nature in a general sense, based on Profile Processing. Within a context of absolute transparency, we hereby inform you therefore that the data collated on the basis of specific granting of consent can be subject to Profile Processing for the same purposes as per section B and C of this disclosure, while the sphere of communication will possibly be the same already clarified for the Marketing Processing as per section B.1. It is hereby specified that at present the Companies do not take steps to communicate ordinary personal data to third parties because these carry out Profile Processing for the same purposes as per sections B and C of this disclosure. However, if in the future the Companies should make this communication to third parties, the related purposes are from this point on made known to the data subject by means of this disclosure.
We specifically draw your attention to the fact that the conferral of the personal data to the Companies and the provision of both consent to the Profile Processing and distinct consent to communication to third parties for Profile Processing (if carried out in the future) are absolutely optional (and in any event revocable without formality also subsequent to the concession sending an e-mail to email@example.com) and failure to grant such consent will not lead to consequences other than the impossibility for the Companies and any third party to proceed with the processing mentioned.
In the event of refusal of consent to Profile Processing, there will be no interference with and/or consequence on the transactional, contractual or other types of relationships whose personal data processing falls within the primary processing purposes as per Section A.
D. Use of technologies to acquire information filed in the computer equipment of the data subjects (“Cookies”).
With reference to the operations on the Website of the so-called cookies or similar technologies, please see the specific Cookies Disclosure.
E. Navigation data.
The IT systems and the software procedures tasked with the functioning of the Website acquire - during their normal running - certain personal data whose transmission is implicit in the use of Internet communication protocols.
This is information which is not collated in order to be associated with the parties identified, but which due to its very nature could, via processing and association with data held by third parties, permit the identification of the users.
This category of data includes IP addresses or the domain names of the computers used by the users who connect up to the Website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used for submitting the request to the server, the size of the file obtained in response, the numeric code indicating the status of the reply given by the server (successful, error, etc.) and other parameters relating to the operating system and the IT environment of the data subjects.
This data is used for the sole purpose of obtaining anonymous statistical information on the use of the website and to check the correct functioning thereof and is cancelled immediately after processing. The data could be used for ascertaining liability in the event of hypothetical cyber crimes to the detriment of the Website: without prejudice to this eventuality, as things stand the data on web contacts is not kept permanently, unless requests are made by the data subjects (e.g. access to the pages of the Website which summarise the services used, the information requested, etc.).
F. Type of personal data processed.
It being understood that “personal data” is considered to be “any information relating to an individual, identified or identifiable, also indirectly, by means of reference to any other information, including therein a personal identification number” and that “sensitive information” is understood to be “the personal data suitable for revealing racial and ethnic origin, religious, philosophic and any other kind of convictions, political opinions, membership of parties, trade unions, association or organisations of a religious, philosophical, political or trade union nature, as well as the personal data suitable for revealing one’s state of health and sex life”, the Companies disclose the following.
Within the sphere of the commercial relationships established with the Companies, processing of your data could take place within the category of “sensitive” information as per Articles 4.1, letter d) and 26 of the Data Protection Code. In any event, beyond the hypotheses of departure as per Article 26.4 of the Code, this data can be processed only with the written or equivalent consent (“equivalent consent” is also the manifestation of on-line will by means of procedures such as clicking on web page buttons like “Accept”, “Send”, etc. or ticking boxes or similar alongside the terms “Accept”, etc.) of the data subject and in observance of the General Authorisations of the Data Protection Authority.
Specifically, besides requesting written consent or an equivalent as and when, our activities are authorised in advance by the General Authorisations 2, 4 and 5 in force in the reference year.
The purposes of the processing of sensitive data are associated with the handling of the rental relationship (data processing suitable for revealing the racial or ethnic origin in the event of indication of the name of a foreign customer who rents a vehicle, processing of medical data within the sphere of handling of claims with damages to the person, processing of data associated with a particular state of the driver within the sphere - for example - of notices of contestation served on Europcar for the violation of the provisions of the Highway Code relating to being over the alcohol limits for driving, and similar).
In other cases, the processing of the sensitive data can be implied by specific contractual relationships, as in the case of resale of a vehicle to differently-abled individuals. In such cases, for example, in order to be able to assess the different types of disability entitled to tax benefits (VAT reduced to 4%, road tax exemption, etc.), the data controller must always view the sensitive data indicated on the medical certificate (certificates of disability, handicap, etc.) disclosing case histories and illnesses of the customer-purchaser and maintain in its archives - for the legal timescales - all the hard copy documentation, suitable for demonstrating, in the event of inspection or dispute raised by the Italian Internal Revenue Offices, of the legitimacy of the conditions for having applied the concessions. In such cases, we hereby inform you that the processing will take place in observance of the indications contained in the Provisions of the Data Protection Authority dated 16 February 2011 entitled “Privacy: greater safeguards for the disabled who purchase a motor vehicle”.
Within the sphere of the commercial relationships established with the Companies, processing of your data could then take place within the category of “legal” information as per Articles 4.1, letter e) and 27 of the Data Protection Code, with particular reference to data suitable for revealing quality or situations relevant as per criminal legislation.
Pursuant to Article 27 of the Data Protection Code, the processing of legal data by private bodies is only permitted if authorised by express legal provisions or by measures of the Data Protection Authority, the latter represented by General Authorisation No. 7 (in force in the reference year) with regard to legal data processing.
Pursuant to Section IV, point 1, letter a.3) of General Authorisation No. 7 on the processing of legal data, the authorised purposes of legal data processing are as follows:
a) assessment of responsibility in relation to accidents or events pertaining to human life;
b) co-operation in the assessment of situations of effective risk for the correct performance of insurance activities, in relation to offences directly associated with the same activities;
c) in order to enforce or defend a right also by a third party before the legal authorities, as well as in administrative proceedings or arbitration and settlement proceedings in the cases envisaged by the law, by EU legislation, by regulations or collective labour agreements, provided that the right to be enforced or defended is in standing equal to that of the data subject and the data is processed exclusively for such purposes and for the period strictly necessary for its pursuit.
In any event, Europcar Italia S.p.A. will process - if necessary - just the essential data for the purposes for which processing is permitted and which cannot be fulfilled, case by case, by means of processing anonymous data or personal data of a different kind.
G. Possible indication by the data subject of personal data to third parties.
The data subject duly notes that the possible indication (for example when compiling forms, also hard copies, such as rental agreements and/or forms also on-line in this Website) of personal or contact data of any third party other than the data subject represents processing of personal data with respect to which the same is an autonomous data controller, undertaking all the obligations and responsibilities envisaged by the Data Protection Code. In this sense, the data subject ensures the Companies that any third party data which will thus be indicated by the data subject (and which will consequently be processed as if the third party had personally provided informed consent for processing) has been acquired by said data subject in complete compliance with the Data Protection Code. In this connection, the data subject grants the widest release from liability with respect to any complaint, claim, request for damage compensation, etc. which should reach the Companies from any third party concerned due to the supply of the data indicated by the data subject in violation of the provisions on the protection of personal data applicable.
H. Conservation of data and security measures
The data will be kept for the time periods defined by reference legislation, essentially on servers located in France, care of the headquarters of the Group Parent Europcar International SASU or care of the server of Europcar Information Services. In any event, the period for keeping your data will be exclusively represented by the period of time necessary to pursue the purposes specified above and will be equal to the duration of the service relationship between yourself and the Data controller, without prejudice to the need for contractual, administrative, tax-related, accounting or legal fulfilments subsequent to the termination of the relationship. Once the afore-mentioned fulfilments have been acquitted, your data will in any event be cancelled, subject to conservation on the basis of different legal timescales of the deed and/or the document which contains the data.
You are also hereby informed that said data will be collated, processed and kept in full compliance with the matters envisaged by Article 31 et seq. of the Data Protection Code and the Technical Regulations - Attachment B to the Code - with regard to safety measures and - with regard to the companies Europcar International SASU and Europcar Information Services - on the basis of the applicable local regulations.
The data will also be processed in full observance of the self-regulation provisions concerning personal data processing contained in the sector Codes of Ethics in force.
I. Data controllers and supervisors.
The identifying details of the Companies in the capacity of the Data Controllers for the data of the data subject (in some cases the Companies may be joint-controllers of the same data and processing, in some cases they may adopt the capacity of autonomous and separate data controller) are as follows:
Europcar Italia S.p.A, sole shareholder company, subject to the management and co-ordination of Europcar International SASU.
Registered offices: Corso Italia 32, Bolzano, (39100), Italy
Administrative HQ: Via Cesare Giulio Viola 48, Rome, Italy
Enrolled in the Bolzano Companies’ Register No. 00836310151, VAT No. 05035331007
Certified E-mail Address: firstname.lastname@example.org
E-mail address for exercise of the rights as per Article 7 of the Data Protection Code: email@example.com
In any event, we hereby inform you that since the Website is housed on the servers of Europcar Information Services (and exclusively available to the same with regard to technical management) with headquarters in Paris – France and/or Europcar International SASU, in many cases of personal data processing it is Europcar Information Services and/or Europcar International SASU who pose as the exclusive and autonomous data controller subject to the restrictions of French data protection legislation. In other cases, Europcar Italia S.p.A. poses as the joint data controller for its data together with the Companies.
In any event, with a view to protection and facilitation of the relationship with the data subjects of Europcar Italia S.p.A., the latter can be taken as the point of reference with regard to requests and the handling of your personal data.
The up-dated list of the Data supervisors (if appointed) can be found care of the headquarters of Europcar Italia S.p.A, sole shareholder company, subject to the management and co-ordination of Europcar International SASU.
L. Exercise of rights by the data subject.
At any given time, you will be able - without any formality - to exercise the rights as per Article 7 of the Data Protection Code (also using the specific form for the request made available by the Data Protection Authority at www.garanteprivacy.it), which for the sake of utility is illustrated in full below. The exercise of the rights is not subject to any restriction with regard to form.
(Right to access personal data and other rights)
1. The data subject has the right to obtain confirmation of the existence or otherwise of personal data which concerns them, even if not yet registered, and communication of the same in intelligible form;
2. The data subject has the right to obtain indication:
a) of the origin of the personal data;
b) of the purposes and methods of the processing;
c) of the logic applied in the event of processing carried out with the aid of electronic instruments;
d) of the identifying details of the data controller, the data supervisors and the representative appointed as per Article 5.2;
e) of the parties or categories of parties to whom the personal data may be communicated or who may become aware of the same in the capacity of representative appointed in Italy, data supervisor or individual in charge of processing.
3. The data subject has the right to obtain:
a) the up-dating, adjustment or, when they have an interest in doing so, supplementing of the data;
b) the cancellation, transformation in anonymous form or the blocking of the data processed in violation of the law, including that whose conservation is not necessary in relation to the purposes for which the data has been collated or subsequently processed;
c) the declaration that the operations as per letters a) and b) have been brought to the attention - also with regard to their content - of those to whom the data has been communicated or divulged, except in the cases where said fulfilment turns out to be impossible or involves the use of means manifestly disproportionate with respect to the right protected.
4. The data subject has the right to oppose, in full or in part:
a) the processing of the personal data which concerns them for legitimate reasons, even if pertinent to the purpose of the collation;
b) the processing of personal data which concerns them for the purpose of sending advertising or direct sales material or for the performance of market research or commercial communication.
I, the undersigned:
declare that I have read and fully accepted the General Terms and Conditions and the General Rental Conditions, and have taken due note of the Disclosure pursuant to Article 13 of the Data Protection Code. Remember to bring with you the retro-reflecting jacket envisaged by the Highway Code, so as not to incur the legal sanctions; should you lack such a jacket, you may request to rent one at a cost of € 3.05 (VAT inclusive).
I hereby give separate optional consent to the processing of my personal data for the purposes illustrated in Section B of the Privacy Disclosure so that the Data controller can draw up studies and research, statistics and market surveys, send advertising and disclosure material; carry out direct sales or product/service placement activities; send commercial information and commercial communications - including interactive - pursuant to Article 23 and 130 of the Data Protection Code and Article 9 of Italian Legislative Decree No. 70/2003 using manual communication mediums or by means of the use of telephone without operator, SMSs, MMSs, fax message, e-mail and similar means of communication (Direct Marketing).
I hereby give separate optional consent to the processing of my personal data for the purposes illustrated in Section C of the Privacy Disclosure so that the Data controller can go ahead with the profiling using various personal information, including by way of example but not limited to data relating to consumption, purchases made, purchasing habits and volumes, levels of procurement of goods and/or services, etc., from which it is possible to gain further indications referring to myself (Profiling).
I hereby give consent equivalent to that written for the processing of my sensitive personal data, including therein the communications necessary to third parties for the purposes specified in the Privacy Disclosure.