Disclosure pursuant to Article 13 of the UE Regulation 679/2016 regarding the protection of personal data Information regarding processing of personal data for Clear Box services

1. LeasePlan and Clear Box services

As a data controller, the company LeasePlan Italia S.p.A. (“LeasePlan”) informs the driver of LeasePlan vehicles of the following. LeasePlan has installed Clear Box devices (so-called black boxes) in vehicles available for operational leasing, in order to provide research services regarding the vehicle in case of theft and crash management. This disclosure relates to the personal data processing of the driver of the vehicle in case of activation of Clear Box services. It integrates the privacy documentation provided for the customer by LeasePlan for renting the vehicle. A copy of this disclosure is available in the vehicle and on the LeasePlan website www.leaseplan.com, which can also be requested at any point by contacting LeasePlan. Personal data processing in relation to Clear Box services has been the subject to prior ruling and thus is also subject to evaluation by the Authority for the Protection of Personal Data. LeasePlan will continue to carry out processing operations of personal data, in compliance with the freedom and fundamental rights of the person concerned, as well as in accordance with the general rules for personal data processing as established in the UE Regulation 679/2016 (“GDPR”). The data not required for the implementation of services, or for the purposes which are relevant from time to time, are destroyed or made anonymous, in line with the specifications in this disclosure.

The Clear Box devices permit the detection and transmission of vehicle information for LeasePlan, for example, in verifying accidents, vehicle location and other information which is set out below in detail. As described below, the services provided by the Clear Box are intended to provide drivers with greater security and a better service, and optimize LeasePlan’s fleet management and protect the assets and possessions of LeasePlan.

  1. Vehicle theft: after charges are pressed in the case of theft or misappropriation of the vehicle, a specific procedure is initiated, based on the location of the vehicle in view of its subsequent recovery by the police. This is in order to improve the protection of corporate assets and possessions in the face of possible illegal acts. The data used for this service consist of technical information about the vehicle (e.g. number plate, brand, model, colour, location data), which is used in order to find and recover said vehicle. For this service, the data is kept for no longer than is strictly necessary to identify and recover the vehicle, and until the end of the contract concerning the provision of Services to fulfil administrative and legal requirements, under the terms of the applicable statute of limitations.

  2. Crash management: The crash management service is automatically activated when crash or mini-crash alarms go off (i.e. in the case of accidents with other vehicles, collisions against fixed obstacles, overturning or going off the road), according to predefined parameters that imply an accident has occurred. The information gathered concerns the location of the vehicle and some operating parameters (e.g. speed, driving direction, frontal and lateral acceleration) and is used to support and improve the management of accidents of vehicles; from the information gathering phase to the settlement and management of disputes. This information also helps to more easily reconstruct the sequence of events, to gather possible evidence, and prevent possible fraud. The acquired data will be disclosed to third parties (such as judicial authorities and insurance companies) only to the extent permitted by applicable law and according to what is necessary for the execution of the contract for the provision of Services. These data are stored by LeasePlan beyond the expiry of the contract, specifically for the period strictly necessary for accident reconstruction and to establish relative liability, in line with the statute of limitations in force. However, even if a crash alarm goes off, no information is stored in the Clear Box from since it is programmed to delete and overwrite data at intervals of no more than 30 seconds.

2. Purposes and methods of data processing

LeasePlan uses the drivers’ data for the following purposes:

a) to provide its customers with the services listed above;
b) to fulfil the laws, regulations and legislation arising from the contract with the customer, for example, fulfilment of accounting, tax, administrative and insurance obligations;
c) to provide higher safety levels for drivers and any third parties involved in accidents;
d) to avoid scams, fraud and to protect corporate assets and possessions, in particular the LeasePlan transport fleet;
e) to improve the management process in the case of theft, misappropriation and accidents;
g) to manage relationships with third parties that are necessary for the proper execution of the operational leasing agreement and the provision of services chosen by the customer, e.g. relationships with businesses and insurance companies, and the relevant authorities;
h) to exercise rights in court.

The data are mainly processed by electronic and automated means. However, data processing without the use of electronic devices is provided for, such as by manually processing data on paper. Data processing is organized according to operating procedures and functional reasoning for the purposes listed above, in accordance with the measures specified by the relevant and applicable privacy law to ensure the security and confidentiality of data. Information systems and computer programs are configured to minimize the use of personal and identification data, which are processed only when necessary for the processing objectives pursued from time to time.

3. Special categories of data being processed

For Theft services, the data relevant to locating the vehicle do not include information about the driver, who as a result of theft has lost material availability of the vehicle. In the case of embezzlement or other illegal activities, the locating data may relate to the driver. In this case the data are processed for the time needed to recover the vehicle and for exercising rights in court, including the handling of possible fraud or offences and the relevant judicial proceedings.

For Crash Management services, data relating to the location of the vehicle – activated automatically in the event of an accident – are necessary, especially from a kinematic perspective, so as to assess the various aspects of any accidents, in view of exercising and defending rights in court. For both services, the driver’s consent to the processing of data is not needed, in accordance with Article 6, par. 1 lett f) in the GDPR.

4. Nature of data provision and consequences of failure to provide data

The provision of personal data for the purposes indicated above in point 2 is necessary for the rendering of services provided by Clear Box. This is to fulfil legal obligations as well as to exercise and defend rights in court; any refusal to provide LeasePlan with data would prevent the proper operation of such services. For such purposes the consent of the driver of the vehicle is therefore not necessary.

5. Communication and dissemination of personal data

Personal data can be accessed by those appointed by LeasePlan to be in charge of data processing, who require access to the data in order to perform their duties (e.g. LeasePlan staff and any external persons in charge of data processing and who deal with the management of Clear Box services) and data processors, as indicated below. The updated list of data processors and subjects to whom LeasePlan transmits the data is available at any point when requested from LeasePlan at the addresses listed below.

Personal data can be transmitted and processed on behalf of LeasePlan by companies and professionals appointed by LeasePlan to carry out specific technical and organizational services for the provision of services delivered by the Clear Boxes and for other processing purposes indicated above in point 2. LeasePlan shall only inform such third parties of the information required for the provision of related services. Such parties are appointed by LeasePlan as data processors and act according to the instructions provided by LeasePlan.

As at the date of this disclosure, LeasePlan has appointed the following service provider as data processor: LeasePlan Information Services, LeasePlan House - Level 2 Central Park, Leopardstown Dublin 18, Dublin (Ireland).

Personal data can be communicated to the following third parties, acting as data controllers, data processors or persons in charge of data processing, as appropriate, for the purposes indicated above in point 2 and in compliance with applicable privacy laws:

  • insurance companies and insurance intermediaries, e.g. in dealing with accidents;
  • consultants and professionals, operating in association with others, for example, legal advisors;
  • companies and agencies managing response activities and road assistance;
  • judicial authorities, police forces, official bodies and public authorities for their respective institutional purposes, for example, in the case of a stolen vehicle or road accident, or in legal proceedings;
  • the legitimate recipients of communications on the basis of a law or regulation.

LeasePlan can access the personal data of the driver (when a different person from the LeasePlan customer) only to the extent that it is strictly necessary for the implementation of Services, in order to fulfil legal obligations or for protection purposes of any LeasePlan rights. The personal data of the driver of the vehicle are communicated to the LeasePlan customer (when the driver and the customer are different people) for Crash Management Services. This is limited to the necessary data to fulfil the operational leasing agreement in place with the customer, to fulfil legal requirements and to exercise rights in court, and only in one of the following circumstances: (i) where the driver has been proved to be fraudulent (e.g. falsely reporting an accident); (ii) gross negligence on the part of the driver in their operation of the vehicle.

For Theft services LeasePlan does not communicate the driver’s details to its customer.

Personal data will not be circulated under any circumstances, except in cases of specific provision of law.

6. Safety measures and period of time for data storage

LeasePlan has taken physical, technical and organizational security measures in order to maintain security and confidentiality of processed data, in compliance with the requirements of Article 32 in the GDPR.

Personal data are stored for as long as necessary in order to achieve the purposes indicated above in point 2, in compliance with the Privacy Policy. This usually lasts until the end of the contract relating to the vehicle, or until required for exercising and defending rights in court, in line with the terms of the applicable statute of limitations, which may allow for a longer period of time. Personal data are stored after the duration of the contract relating to the vehicle when they are necessary for the fulfilment of legal obligations or for exercising rights in court.

With regard to location data for the Crash Management service, in the absence of an accident, data are erased by overwriting at intervals of 30 seconds maximum. Where an accident has taken place, the data are retained for the amount of time needed to deal with claims (accident reconstruction and verification of relative liabilities).

7. Data Controller, Data Processors and DPO

The data controller is LeasePlan Italia SpA, with its registered office in Viale Adriano Olivetti, 13 – 38122 Trento.

The data processor already appointed at the time of preparation of this disclosure is: LeasePlan Information Services, LeasePlan House - Level 2 Central Park, Leopardstown Dublin 18, Dublin (Ireland) for the management of LeasePlan’s servers.

You may contact at any time the Data Protection officer via email privacy-officer@leaseplan.it.

8. Privacy Rights of those concerned

You can exercise at any time the rights that are recognized you by law, including that:

a) to request access to your personal data, obtaining evidence of LeasePlan purposes, categories of personal data involved, recipients to whom personal data may be disclosed, the applicable period for which the personal data will be stored, the existence of automated decision-making;
b) to obtain without delay the rectification of inaccurate your personal data;
c) to obtain, where applicable, the erasure of your personal data;
d) to obtain the restriction of processing of your personal data, where applicable;
e) to request the portability of your personal data which you have provided to LeasePlan, receiving those data in a structured, commonly used and machine-readable format, also to have the right to transim those data to another controller without hindrance from LeasePlan;
f) to lodge a complaint with the data protection authority.

You may at any time exercise these rights by contacting LeasePlan: (i) via email at privacy-officer@leaseplan.it or via written request at the LeasePlan offices at the above address.