ARVAL DATA PROTECTION NOTICE
Last updated 16.07.2020
The protection of your personal data is important to Arval and to the BNP Paribas Group[1] which have adopted strong principles in that respect in its Personal Data Protection Charter available at https://group.bnpparibas/uploads/file/bnpparibas_personal_data_privacy_charter.pdf.
This Arval Data Protection Notice provides you (as further defined in section 2) with transparent and detailed information relating to the protection of your personal data by Arval Service Lease Polska Sp. z o.o. (“we”).
We are responsible, as a controller, for collecting and processing your personal data in relation to our activities. The purpose of this Arval Data Protection Notice is to let you know which personal data we collect about you, the reasons why we use and share such data, how long we keep it, what your rights are and how you can exercise them.
Further information may be provided where necessary when you apply for a specific product or service.
In this Arval Data Protection Notice, the following terms shall have the following meaning:
- Vehicle(s): refers to all types of vehicles leased by Arval (e.g. cars, motorcycles, bicycles and scooters, electric or not)
- Motor Vehicle(s): refers specifically to cars and motorcycles, thermal and/or electric, with the exception of bicycles and scooters.
- WHICH PERSONAL DATA DO WE USE ABOUT YOU?
We collect and use your personal data, meaning any information that identifies or allows to identify you, to the extent necessary in the framework of the provision of our products and services such as mobility products and services (corporate Vehicle leasing, fleet management, private Vehicle lease) and to achieve a high standard of personalised products, services and mobility solutions. We may contact you in order to inform you about your rights but also in case of emergency or untypical situation: assistance, accident, unpredictable event related to the Vehicle (anomaly, availability of service, recall of Vehicle by OEM for safety reason, security issue, etc.).
Depending among other things on your data subject category and on the type of products, services or mobility solutions we provide to you or your company, directly or indirectly, we may collect various types of personal data about you, including:
- identification information (e.g. full name, identity (e.g. ID card, passport information, driving licence, etc.), nationality, place and date of birth, gender, photograph, IP address);
- contact information (e.g. postal address and e-mail address, phone number);
- family situation and family life (e.g. marital status, number and age of children, place of residence);
- economic, financial and tax information (e.g. tax ID, tax status, income and other revenues, value of your assets);
- education and employment information (e.g. level of education, employment, employer’s name, location);
- banking and financial information (e.g., bank account details, declared investor profile, credit history, payment incident);
- transaction data (including full beneficiary names, address and details including communications on bank transfers of the underlying transaction);
- data relating to the Vehicle leasing contract and the related Vehicle (e.g. client identification number, contract number, Vehicle identification number, Motor Vehicle registration plate);
- data relating to insurance contracts and related claims (e.g. insurance claims history, including repairs and compensations paid, liability assessment, expert and assessors reports, victims identification and injuries);
- data relating to you, your habits and preferences e.g. :
- data which relate to your use of our products, services and mobility solutions;
- data which relate to the repartition between professional and private usage;
- data from your interactions with us: (e.g. our branches, our internet websites, our apps, our social media pages (connection and tracking data such as cookies, connection to online services, IP address), meeting, call, chat, email, interview, phone conversation; and
- video protection (including CCTV) and geolocation data (e.g. to identify the location of the nearest branch or service suppliers for you or enabling the provision of specific services such as car sharing);
- Information about your device (IP address, technical specifications and uniquely identifying data);
- login credentials used to connect to Arval or BNP Paribas’ website and apps.
We may collect the following sensitive data only upon obtaining your explicit prior consent:
- health data: for instance for the conclusion and the performance of some insurance contracts; this data is processed on a strict need-to-know basis.
In addition, we will process data relating to criminal convictions and offences in relation to fines for traffic offences as part of the “Fines Management” service to the extent legally authorised.
We never ask for any other sensitive personal data such as data related to your racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data or data concerning your sex life or sexual orientation, unless it is required through a legal obligation.
- WHO IS CONCERNED BY THIS NOTICE AND FROM WHOM DO WE COLLECT PERSONAL DATA?
We collect data directly from you as a customer, prospect, customers’ or prospects’ employees, (when you contact us, visit us, our website or our apps, use our products and services, participate to a survey or an event with us) but also regarding other individuals indirectly. Thus, we collect information about individuals whereas they have no direct relationship with us but are related to you, customer or prospect, such as for instance your:
- Family members of Vehicle drivers;
- Guarantors;
- Beneficiaries of your payment transactions;
- Beneficiaries of your insurance contracts or policies and trusts;
- Ultimate beneficial owners;
- Company shareholders;
- Representatives of a legal entity;
- Staff of service provider and commercial partners.
When you provide us with third party personal data such as the one listed above, please do not forget to inform them we process their personal data and direct them to the present Data Protection Notice.
In order to verify or enrich our database, we may also obtain personal data from:
- other BNP Paribas entities;
- our customers (corporate or individuals) ;
- our business partners (including OEM);
- payment initiation service providers and aggregators (account information service providers);
- third parties such as credit reference agencies and fraud prevention agencies or data brokers which are responsible for making sure that they gather the relevant information lawfully;
- publications/databases made available by official authorities or third parties (e.g. the French Official Journal, databases operated by financial supervisory authorities) ;
- websites/social media pages of legal entities or professional customers containing information made public by you (e.g. your own website or social media);
- public information such as information from the press.
- WHY AND ON WHICH BASIS DO WE USE YOUR PERSONAL DATA?
3.1 If you are corporate clients’ and prospects’ employees or representatives (as the case may be)
We may process personal data among others for the following purposes (notwithstanding other usages as described in section 3.3 hereafter):
To fulfil our legitimate interest
- For Vehicles management and associated services: we may process personal data to provide you with services related to the preparation, delivery or use and the management of Vehicles including:
- for configuring and quoting your Vehicle;
- for delivering your Vehicle at the place of your choice, possibly with equipment related to electric Vehicle charging devices in partnership with selected providers;
- for OEMs recall campaigns in case of defect;
- for repairs, maintenance and tyres;
- for accident management and insurance purposes;
- for roadside assistance;
- For fuel cards, mobility cards and tolls. We may process personal data to provide you with fuel card (to pay your fuel), mobility cards (to provide you with multi mobility solutions);
- For drivers training. We may process personal data in order to raise your awareness of the impact of your driving on the environment or if you want to improve your safety on the road;
- To manage traffic and parking fines and offences related to the use of the Vehicle as part of the “Fines Management” service to the extent legally authorised;
- To manage our client’s account. We may process personal data to manage our clients’ accounts, to manage the contractual relationship with our corporate clients of whom you are an employee or to keep you informed about the development of our services;
- For client reporting. We may process personal data in order to provide you with fleet management services related to the Vehicles habits (kilometres travelled, fuel or alternative energy consumption, …);
- To provide you with an access to our digital platform. We may process personal data when you use our digital platforms for several purposes (to manage your personal information or data related to Vehicles or to get an access to travel information for example);
- To manage resolution of disputes and assist you and answer your requests and complaints;
- To provide access to the Arval premises and assets. We may process personal data when you visit us in our premises in order to maintain appropriate access and security control;
- To communicate with you. We may process personal data when you want to contact us, when you request us some information about our company or our services or when the contract needs to be updated;
- To handle billing, invoicing and recovery.
3.2 If you are private lease prospects or clients
We may process personal data amongst others for the following purposes (notwithstanding other usages as described in section 3.3 hereafter):
To perform a contract or to take steps at your request before entering into a contract with you
We use your personal data to enter into and perform our contracts as well as to manage our relationship with you, including:
- To define your credit risk score and your reimbursement capacity;
- To evaluate (e.g. based on your credit risk score) if we can offer you a product or service and under which conditions (including price);
- To assist you in particular by answering your requests;
- To provide you with products, services, specific installation (such EV charging station) or mobility solutions;
- To manage outstanding debts.
- To enter into a contract with you. We may process personal data in order to register you as a new client, enter into a contract and perform it with you;
- To handle billing, invoicing and recovery;
- To carry out surveys: We may process personal data when we send you a survey in order to improve our services and products by requesting your feedback and measuring your satisfaction;
- For Vehicles management and associated services: We may process personal data to provide you with services related to the preparation, delivery or use and the management of Vehicles:
- for configuring and quoting your Vehicle;
- for delivering your Vehicle at the place of your choice, possibly with equipment related to electric Vehicle charging devices in partnership with selected providers;
- for OEMs recall campaigns in case of defect;
- Repairs, maintenance and tyres;
- For accident management;
- For roadside assistance;
- For ancillary services further to your own choice;
- For fuel cards, mobility cards and tolls. We may process personal data to provide you with fuel card (to pay your fuel), mobility cards (to recharge your electric Vehicle);
- For drivers training. We may process personal data in order to raise your awareness of the impact of your driving on the environment or if you want to improve your safety on the road;
- To manage traffic and parking fines and offences related to the use of the Vehicle as part of the “Fines Management” service to the extent legally authorised;
- To provide you with an access to our digital platforms. We may process personal data when you use our digital platforms for several purposes (to manage your personal information or data related to Vehicles or to get an access to travel information for example);
- To manage resolution of disputes and assist you and answer your requests and complaints;
- To provide access to the Arval premises and assets. We may process personal data when you visit us in our premises in order to maintain appropriate access and security control;
- To communicate with you. We may process personal data when you want to contact us, when you request us some information about our company or our services or when the contract needs to be updated;
- To evaluate (e.g. based on your credit risk score) if we can offer you a product or service and under which conditions (including price).
3.3 If you are either (i) clients’ or prospects’ employees or legal representatives or (ii) private lease prospects or clients
To comply with our or BNP Paribas Group’s legal and regulatory obligations
We use your personal data to comply with regulations in particular with the banking and financial ones:
- manage, prevent and detect fraud;
- monitor and report risks (financial, credit, legal, compliance or reputational risks, default risks etc.) that we and/or the BNP Paribas Group could incur;
- record, when necessary, phone calls, chats, email, etc.;
- prevent and detect money laundering and financing of terrorism and comply with regulation relating to sanctions and embargoes through our Know Your Customer (KYC) process (to identify you, verify your identity, screen your details (you or your company as applicable) against sanctions lists and determine your profile);
- detect and manage suspicious orders and transactions;
- contribute to the fight against tax fraud and fulfil tax control and notification obligations;
- record transactions for accounting purpose;
- exchange information for the purposes of tax law;
- prevent, detect and report risks related to Corporate Social Responsibilities and sustainable development;
- detect and prevent bribery;
- report different operations, transactions or orders or reply to an official request from a duly authorised local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement, state agencies or public bodies.
To fulfil our legitimate interest
We use your personal data, including your transaction data, for:
- Risk management purpose:
- proof of transactions including electronic evidence;
- management, prevention and detection of fraud, including the establishment of a fraud list and the inclusion of fraudster in such list;
- monitoring of transactions to identify those which deviate from the normal routine.;
- debt collection;
- assertion of legal claims and defence in case of legal disputes;
- development of individual statistical models in order to help defining your creditworthiness;
- consultation and exchange of data with credit agencies to identify credit risks.
- Personalisation of our offering to you and that of other BNP Paribas entities to:
- improve the quality of our products, services or mobility solutions;
- advertise products, services or mobility solutions that match with your situation and profile;
- deduct your preferences and needs to propose you a personalised commercial offer;
- push you some suggestions to contribute to the reduction of CO2 or other pollutants emissions as well as cost reductions opportunities;
This personalisation can be achieved by:
-
- segmenting our prospects and clients;
- analysing your habits and preferences in our various communications channels (visits to our branches, emails or messages, visits to our website, etc.);
- sharing your data with another BNP Paribas entity, notably if you are – or are to become – a client of that other entity in particular to speed up the on boarding;
- matching the products or services that you already hold or use with other data we hold about you;
- considering common traits or behaviors among current customers, and seeks others individuals who share those same characteristics for targeting purposes.
- Research & Development (R&D) and analytics consist of establishing individual statistical/predictive models to:
- optimise and automate our operational processes (e.g.: creating FAQ chatbot);
- offer products, services or mobility solutions that will best meet your needs or protect your own interest as a client and/or user
- adapt products, services and mobility solutions distribution, content and pricing in accordance with your profile and in respect of your interest as client and/or user;
- create new offers;
- prevent potential security failures, improve customer authentication and access rights management ;
- enhance security management;
- enhance risk and compliance management
- enhance the management, prevention et detection of fraud;
- enhance the fight against money laundering and financing of terrorism.
- Security reasons and IT systems performance, including:
- manage IT, including infrastructure management (e.g. : shared platforms), business continuity and security (e.g. internet user authentication);
- prevent personal injury and damages to people and goods (for instance video protection).
- More generally:
- inform you about our products, services and mobility solutions ;
- carrying out financial operations such as debt portfolio sales, securitisations, financing or refinancing of the BNP Paribas Group;
- organise contests and games, price competitions, lotteries or any other promotional operations ;
- perform client and driver satisfaction and opinion surveys;
- improve process efficiency (train our staff by recording phone calls in our call centres and improve our calling scenario);
- implement process automation of our processes such as application testing, automatic filling complaints handling, etc.
In any case, our legitimate interest remains proportionate and we verify according to a balancing test that your interests or fundamental rights are preserved. Should you wish to obtain more information about such balancing test, please contact us using the contact details provided in section 9 “How to contact us” below.
To respect your choice if we requested your consent for a specific processing
For certain personal data processing, we will give you a specific information and invite you to consent such processing. Note that you may request to revoke your consent at any time.
- WHO DO WE SHARE YOUR PERSONAL DATA WITH?
4.1 Sharing of information within the BNP Paribas Group
We are part of the BNP Paribas Group which is an integrated bank insurance group, i.e. a group of companies working closely together all over the world to create and distribute various banking, financial and leasing, mobility solutions, insurance services and products.
We share personal data through the BNP Paribas Group for commercial and efficiency needs such as:
- based on our legal and regulatory obligations
- sharing of the data collected for anti-money laundering, terrorism financing, sanctions, embargoes and for the “know your customer” procedure;
- risk management including credit and operational risks (risk rating /credit scoring/etc.);
- based on our legitimate interest:
- prevention, detection and fight against fraud;
- R&D activities in particular for compliance, risks and communication and marketing purposes;
- global and consistent overview of our clients;
- offering the full range of products and services of the Group to enable you to benefit from them;
- personalisation of products, services and/or mobility solutions’ contents and pricing for the client.
4.2 Disclosing information outside the BNP Paribas Group
In order to fulfil some of the purposes described in this notice, we may disclose from time to time your personal data to:
- service providers which perform services (e.g. IT services, logistics, printing services, telecommunication, debt collection, advisory and consulting and distribution and marketing);
- banking and commercial partners, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories with which we have relationship if such transmission is required to allow us to provide you with the services and products or execute our contractual obligations or transaction (e.g. banks, correspondent banks, depositaries, custodians, issuers of securities, paying agents, exchange platforms, insurance companies, payment system operators, issuers or payment card intermediaries);
- credit reference agencies;
- local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement, state agencies or public bodies, we or any member of the BNP Paribas Group is required to disclose to pursuant to:
- their request;
- defending or responding to a matter, action or proceeding;
- complying with regulation or guidance from authority applying to us or any member of the BNP Group;
- service payment provider(s) (information on your payment account(s)) based on the authorisation granted by you to this third party;
- certain regulated professionals such as lawyers, notaries, rating agencies or auditors when needed under specific circumstances (litigation, audit, etc.) as well as to actual or proposed purchaser of the companies or businesses of the BNP Paribas Group or our insurers;
- your employer, if you are a corporate clients’ and prospects’ employees or representatives.
4.3 Sharing aggregated or anonymized information
We share aggregated or anonymised information within and outside the BNP Paribas Group with partners such as research groups, universities or advertisers. You won’t be able to be identified from this information.
Your data may be aggregated into anonymised statistics that may be offered to professional clients to assist them in developing their business. In this case your personal data will never be disclosed and those receiving these anonymised statistics will be unable to identify you.
- INTERNATIONAL TRANSFERS OF PERSONAL DATA
In case of international transfers originating from the European Economic Area (EEA) to a non-EEA country, the transfer of your personal data may take place. Where the European Commission has recognised a non-EEA country as providing an adequate level of data protection, your personal data may be transferred on this basis.
For transfers to non-EEA countries where the level of protection has not been recognised as adequate by the European Commission, we will either rely on a derogation applicable to the specific situation (e.g. if the transfer is necessary to perform our contract with you such as when making an international payment) or implement one of the following safeguards to ensure the protection of your personal data:
- Standard contractual clauses approved by the European Commission;
- Binding corporate rules.
To obtain a copy of these safeguards or details on where they are available, you can send a written request as set out in Section 9.
- HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?
We will retain your personal data over the period required to comply with applicable laws and regulations or another period with regard to our operational requirements, such as proper account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests. For example, most information about the customer is kept for the duration of the contract and thereafter for the period required to exercise or defend legal claims.
- WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM?
In accordance with applicable regulations and where applicable, you have the following rights:
- To access: you can obtain information relating to the processing of your personal data, and a copy of such personal data.
- To rectify: where you consider that your personal data are inaccurate or incomplete, you can request that such personal data be modified accordingly.
- To erase: you can require the deletion of your personal data, to the extent permitted by law.
- To restrict: you can request the restriction of the processing of your personal data.
- To object: you can object to the processing of your personal data, on grounds relating to your particular situation. You have the absolute right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing.
- To withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
- To data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party.
If you wish to exercise the rights listed above, please send a letter or e-mail to the following address privacy@arval.pl. Please include a scan/copy of your proof of identity for identification purpose when required.
In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.
- HOW CAN YOU KEEP UP WITH CHANGES TO THIS DATA PROTECTION NOTICE?
In a world of constant technological changes, we may need to regularly update this Data Protection Notice.
We invite you to review the latest version of this Data Protection Notice online and we will inform you of any material changes through our website or through our other usual communication channels (e.g.: on My Arval).
- HOW TO CONTACT US?
If you have any questions relating to our use of your personal data under this Data Protection Notice, please contact our data protection officer privacy@arval.pl, who will handle your query.
If you wish to learn more about cookies and security, please read our cookies policy.
- HOW IS MY PRIVACY PROTECTED WHEN I HAVE AN ARVAL CONNECTED MOTOR VEHICLE?
You will be informed if your vehicle is an Arval connected Motor Vehicle via a sticker in the vehicle or driver delivery kit, QR-code, Digital information through Mobile App, etc..
When your vehicle is an Arval connected Motor Vehicle, some data is collected by Arval via remote data transmission from the telematics equipment installed in the Motor Vehicle (the "Device"). Arval may process such data to serve its legitimate interests as described in the table below. The purposes of processing and the data retention time will not exceed the indications provided below.
DATA
|
PURPOSES
|
RETENTION PERIOD
|
Odometer mileage at the end of each day
|
Pro-active proposal of adjustment of the individual lease contract (duration and/or mileage)
Pro-active maintenance of the Motor Vehicle (alert about the next service and/or maintenance of the Motor Vehicle)
Detection of alteration of odometer mileage display
|
Contract duration + 1 year
|
The following pseudonymized* data:
- Trip data: Start & stop Timestamps, mileage, type of road (urban, road, motorway), type of environment (day, night, twilight)
- Driving events per trip (harsh braking, cornering, brutal lane change, speed, energy waste in braking, hard acceleration, idling) and related calculated scores
|
Research and Development in relation to:
- Consulting: Energy transition, benchmark, correlation between conditions of Motor Vehicle usage and TCO components / fuel and other energy or consumption
- Insurance: usage understanding, segmented offering
- Maintenance: uptime management, operational processes enhancements, preventive/pro-active maintenance, tyres cost reduction and usage optimization, cost optimization (oil, brake pads, etc…), battery potential defects, while evaluating End of Contract mileage, repairs etc…
- Marketing: usage understanding, segmented offering opportunities
|
10 years
|
Geolocation collected in real time (based on formal and traceable theft report)
|
Stolen Motor Vehicle recovery
|
GPS data collected until the theft claim is closed, then these data will be deleted 60 days after collection
|
* ‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.