DATA PROTECTION POLICY
Introduction and references to legislation
Pursuant to article 13 of Regulation EU 2016/679 of the European Parliament and Council of 27 April 2016 The Rental Company hereby informs you that, when you sign up for services, the personal data you provide will be processed in full compliance with the data protection legislation (Regulation EU 2016/679 of the European Parliament and Council of 27 April 2016, hereinafter GDPR 679/2016) relating to the protection of natural persons. Accordingly, we hereby provide below the necessary information pertaining to the procedures for processing data that is provided.
Pursuant to articles 4 and 24 of GDPR 679/2016 the Data Controller is:
Via Nervi, 11 • 07026 Olbia (SS)
Administrative and operational headquarters:
Via dei Panettieri, 9 • 07026 Olbia (SS)
General principles on the processing of personal information
The personal information of our customers will be collected, archived, processed and transmitted in compliance with the criteria established by Vettura S.r.l. and by the applicable laws, regulations and rules on the processing of data. The principles relating to the processing of the personal information of our customers are the following:
• The personal information of our customers will be processed correctly and lawfully;
• The personal information of our customers will be collected for specific, explicit and legitimate purposes and will subsequently be processed in a manner that is compatible with these purposes;
• The personal information we collect from our customers will be relevant, complete and proportionate to the purposes they are collected for;
• The personal information we collect from our customers will be accurate and, if necessary, updated to the best of our ability;
• The personal information of our customers will be protected against unauthorised access and processing through commercially and technically reasonable technical and organisational security measures and controls;
• The personal information we collect from our customers will be stored as personal data for no longer than the period of time that is necessary for pursuing the purposes this personal information was collected for.
Type of data processed
In the context of requests that are made and services that are agreed the following type of data will be processed:
• Data of a personal nature, i.e. (pursuant to article 4) any information regarding a natural person that is identified or identifiable (by way of example and not of limitation, depending on the request that is sent or the service that is requested: biographical data of the requesting party, the holder and renter of the vehicle, tax code, data relating to residence, domicile, driving licence details, email address, mobile phone number, etc.);
• Special categories of data, i.e. (pursuant to articles 9 and 10) data or information that could reveal racial or ethnic origin, data relating to citizenship, data relating to health for the management of any claims, as well as data of a judicial nature, relating to road traffic violations, fines, etc.)
Data that are collected will be used exclusively for the following purposes:
• To comply with legal obligations deriving from tax and accounting regulations and any other applicable legislation;
• To enable users to carry out registration procedures to access specific sections of the website www.vettura.eu;
• Requests for contact, information, quotes, contracts, administrative and accounting activities related to and resulting from the management of the range of services offered by the Controller;
• In the event of the rental of a vehicle, remote monitoring of the latter in order to identify and recover the vehicle in the event of theft or other illegal activities
• Sending of commercial and advertising correspondence on products, services and other activities carried out by the Controller (MARKETING purposes)
• Sending of commercial correspondence based on choices in terms of consumption, habits, preferences (PROFILING purposes)
• Communication of data to third-party companies that are contractually related to or controlled by the Controller including for statistical and/or promotional purposes.
Provision of data
Pursuant to article 6 of GDPR 679/2016 processing for the purposes in points a) to d) is carried out by the Controller during the course of its legitimate activities and in compliance with the obligations set forth by laws, regulations and the EU legislation, or by provisions established by authorities with legal power and by supervisory and control bodies. The provision of data is therefore obligatory. Any refusal to provide data or part thereof will make it impossible to establish or implement contractual obligations, where said data are necessary for the performance of a contract.
Following your express consent, until any opposition, the provision of data is OPTIONAL for the purposes in points e) (MARKETING), f) (PROFILING) and g) (COMMUNICATION OF DATA TO THIRD PARTY COMPANIES). In the event of refusal there will be no consequences of any kind; if you do not provide your consent you will be unable to receive information on our offers, promotions, discounts, etc.
Processing procedures and data security
The use of your personal data shall take place with the support of printed, computer or electronic tools for the purposes specified below, with procedures and instruments for guaranteeing the utmost security and confidentiality, by parties expressly appointed for said purposes in compliance with the provisions of article 32 of GDPR 679/2016.
Your personal data will be archived in secure databases on our servers, or on the servers of our trusted suppliers acting in their capacity as data processors, and will be processed mainly with automated procedures.
In any case, your personal data shall be processed in compliance with the provisions pertaining to the confidentiality of personal data contained in the Code, Regulations and Provisions issued by the Supervisory Authority.
Data that are collected will only be handled by authorised staff. All staff with access to your data shall be appointed as data processors, in accordance with the provisions of the applicable regulations.
Data that are collected may be periodically updated with information that is required during the course of the relationship that is established.
We use commercially reasonable technical and organisational measures and controls to protect the personal information of users from losses, misuse and unauthorised access. Unfortunately, data that is transmitted or used over the Internet can never be 100% secure. Therefore, although we protect all personal information, we cannot ensure or guarantee that this personal information will be completely protected from unlawful use by hackers or criminals or in the event of hardware or software malfunctions in computers or telecommunication networks. The data controller will inform the user when it becomes aware of a security breach regarding his/her personal identity information in our possession (in accordance with that which is set forth in the event of "Data Breaches",
pursuant to the applicable regulations).
If a user decides to inform us of his/her email address for any reason, he/she expressly accepts to receive electronic notices in the event of a security breach.
Data retention period
Data that is collected will be processed for the period of time that is strictly necessary for fulfilling the purposes they were collected for; for the purposes in points e) (MARKETING) and f) (PROFILING) your personal data will be processed for a period of 10 years from the time you originally provide your consent and/or the respective express renewal in the event of registration or the signing of contracts.
The retention of data for which processing consent is optional and not obligatory, may be suspended in advance when the data controller receives a cancellation request from you.
Scope of communication and disclosure
Without prejudice to communications made in compliance with an obligation deriving from a law, rule or EU regulation, your data may be communicated to the following:
• Police forces, armed forces and other public authorities, to comply with obligations established by the law. In such cases, article 24 of the Code does not require the prior consent of the data subject to be acquired prior to making these communications;
• Companies, entities or associations, or parent companies, subsidiaries or connected companies pursuant to article 2359 of the Italian civil code or between
the latter and companies subject to joint control, and between consortia, networks of companies and temporary groupings and associations of enterprises and with parties who are members of the latter, solely with regard to communications made for administrative or accounting purposes;
• Companies managing services conducted through the use of credit cards;
• Parties providing services for the management of IT systems and telecommunication networks, companies appointed for the management of geopositioning services for vehicles;
• Insurance companies responsible for the settlement of claims;
• Companies specialising in the management of commercial information or credit information, or advertising promotion;
• Other companies that carry out vehicle rental activities and ancillary services with which Vettura has different types of agreements in place;
• Tomasi Auto S.r.l., a subsidiary of the Controller, including for statistical and commercial purposes;
• Other companies that are contractually linked to Vettura who carry out activities pertaining to the management of claims;
• Lawyers or debt recovery companies for legal assistance on contracts and the management of disputes.
Personal data that is collected and stored in Vettura's databases will be processed by the controller’s employees or co-workers or by persons appointed to process said data. This data will not be communicated to third parties, without prejudice to that which is set forth above and, in any case, up to the specified limits.
We reserve the right to appoint third parties for the processing of personal data on our behalf and, as a result, we may share personal data with said third parties. However, we require that said third parties comply with Vettura’s data protection principles and policy during the processing of users’ data. Finally, personal data will not be disclosed, except in cases where this is set forth by the law.
Rights of data subjects and exercising of rights
In compliance with the applicable legislation, you may at any time request:
• Confirmation of the existence or otherwise of your personal data;
• Know the content and origin, purposes and processing procedures;
• The criteria applied in the event of processing conducted with the use of electronic instruments;
• The identification details of the controller, the processors and the parties or categories of parties to whom your personal data may be communicated.
Moreover, it is your right to obtain:
• The updating, correction, supplementing, right to data portability;
• The cancellation, transformation to an anonymous form or the blocking of your data that is processed in breach of the law;
• The right to object, in any case, for legitimate reasons to the processing of data that is relevant for the purpose of the collection;
• Object to the processing of data for commercial purposes.
Pursuant to the Regulation, you also have the right to present a complaint to a supervisory authority.
To exercise these rights you may contact the data Controller:
Via Nervi, 11 • 07026 Olbia (SS)
Administrative and operational headquarters:
Via dei Panettieri, 9 • 07026 Olbia (SS)
If a user contacts us to access his/her personal information or to delete these from our systems and registers, in compliance with this data protection policy and the legal obligations, we shall, where possible, grant this request within the required period of time.
However, we hereby inform our customers that, because of technical constraints and backup procedures for our systems, users’ personal information may continue to reside in parts of our systems for a certain period after they are deleted.
The data controller reserves the right to refuse requests for access or the deletion of personal information if the requested disclosure or deletion of information is not permitted by the law.
To protect ourselves from unlawful access requests, we therefore reserve the right to ask for sufficient information to verify the identity of the party presenting a request before enabling a request or making corrections.
Transfer of data
Your personal data will be archived in databases on our servers, or on the servers of our trusted suppliers acting in their capacity as data processors, in the Italian territory, or in the countries of the European Economic Area or in Switzerland where approved contractual clauses are in force for the secure transfer of data. The information that is collected may reside in servers in the United States or in other countries.