Personal data processing policy
The operator of personal data is SC AUTOREVOLUTION SRL (hereinafter referred to as “ExpediCAR”).
I. MEANING OF SOME TERMS
To ensure a better understanding of the information contained in this document, we have included below a breakdown of the key concepts used in it.
These definitions are taken from EU Regulation no. 679/2016 on the protection of individuals in regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR Regulation), in force since 25.05.2018. In addition, we have added some explanatory notes to make it easier to understand.
- "personal data" means any information relating to an identified or identifiable individual ("data subject"); an identifiable individual is a person who can be identified, directly or indirectly, in particular by reference to an identifying element, such as a name, an unique identification number, location data, an online identifier, or to one or more several specific elements, specific to his physical, physiological, genetic, mental, economic, cultural or social identity.
Note 1: for example, we mention that there are considered personal data, among others: e-mail address, telephone number, computer ID, date of birth, address, unique identification number, etc.
Note 2: the unique identification number may consist of: the personal identification number (CNP), the series and number of the identity document, the number of the passport, of the driving license, the social health insurance number, as the case may be.
- "sensitive / special data" means personal data revealing racial or ethnic origin, political opinions, religious denominations or philosophical beliefs or trade union membership and the processing of genetic data, biometric data for the unique identification of an individual, data concerning the health or sex life or sexual orientation of an individual, as well as data on criminal convictions and offenses or related security measures.
- "processing" means any operation or set of operations performed on personal data or personal data sets, with or without the use of automated means, such as the collection, recording, organization, structuring, storage, adaptation or modification, extracting, consulting, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, restricting, deleting or destroying.
Note: for example we mention that the simple storage of data (even unused) or the simple consultation of personal data, can enter the notion of processing.
II. WHAT ARE THE TYPES OF PERSONAL DATA that ExpediCAR processes in connection with you
You directly provide us with personal data. For example, we receive information from you in the following situations:
- When you subscribe to the newsletters, you communicate to us: social status (Mrs., Ms., Mr.), First name, Last name, Address, E-mail, telephone
We do not collect or otherwise process sensitive data, included in the General Data Protection Regulation in special categories of personal data. We may also collect and further process certain information about your behavior while visiting our website, in order to personalize your online experience and provide you with offers tailored to your profile. On our website we may store and collect information from cookies and similar technologies, in accordance with the Cookies Policy.
III. What are the PURPOSES and GROUNDS of the processing
We will use your personal data for the following purposes:
- To perform the services you acquire from us, such as:
a). Order processing, including car rental, providing the services, technical assistance and invoicing as well as resolving any order issues;
b). Providing support services, including providing answers to your questions about your orders or regarding the services of ExpediCAR or its partners.
The processing of your data is, in most cases, necessary for the conclusion and performance of a contract between ExpediCAR and you. Certain processing subject to these purposes is also required by applicable law, including tax and accounting law.
- To improve our services
We always want to offer you the best quality services. For this purpose, we may collect and use certain information about your behavior as a customer, we may invite you to fill out satisfaction questionnaires subsequent to a car rental service we provided and related activities, or we may conduct, directly or through partners, studies and market research.
We base these activities on our legitimate interest in doing business, always making sure that your fundamental rights and freedoms are not affected.
- For marketing
We want you to be constantly informed about the best offers for the services that interest you. Thus, we may send you messages (such as: e-mail / SMS) containing information about our services, offers or promotions, as well as other commercial communications such as market research and surveys.
We always make sure that these processings are carried out in compliance with your rights and freedoms and that the decisions taken on their basis do not have legal effects on you and do not affect you in a similar way to a significant extent.
As a rule, we base our marketing communications on your prior consent. You can change your mind and withdraw your consent at any time by:
- Contacting the Operator by e-mail at: firstname.lastname@example.org.
In addition to the above, we may send you marketing communications using your email address if you do not object to such communications. If you have changed your mind and no longer wish to receive messages from us, you may request this at any time, by the means described above, to stop the processing of your personal data for marketing purposes, and we will process your request.
- To protect our legitimate interest
We have the right to protect our interests and commercial activity and we may process certain data for this purpose. For example, we mention:
- for the prevention and detection of fraud, theft, loss, misuse and the like on devices, systems, software, databases, servers, e-mails, and in general on the goods and means used by ExpediCAR;
- for the protection of ExpediCAR's assets, employees, collaborators, partners and customers;
- to ensure a good and correct development of our activity (for example for the correct and complete identification of the activity provided, for the invoicing of services to the client, to prevent the permanent loss of data);
- to ensure the security and proper use of the databases and, in general, of personal data, processed by ExpediCAR for itself or for third parties.
The general basis for such processing is our legitimate interest in conducting our business in the best possible conditions and in protecting our business interests, ensuring that all measures we take guarantee a balance between our interests and your fundamental rights and freedoms.
Also, in some cases we base the processing on legal provisions such as the obligation to ensure the protection of goods and values, provided by the applicable legislation in this matter.
IV. WHAT TO REMEMBER about data processed BY CONSENT
In general, your data is not processed on the basis of consent, but on the basis of other grounds described above.
In limited cases where data processing is based on your consent, we inform you that:
- you are not obliged to provide us with the respective data or to give your consent for their processing;
- the lack of consent will not affect the contractual relations with us, that are based on different grounds;
- the lack of consent will not allow us to offer you real-time information about certain services of interest to you, about special offers or discounts;
- if you have given your consent, you may subsequently withdraw it at any time by a simple written notification sent to e-mail address: email@example.com, or transmitted to ExpediCAR’s contact details. You do not have to justify your decision;
- withdrawal of consent means that we will no longer be able to process such data later, using consent as a basis. However, depending on the circumstances, we may continue to process such data for limited purposes on other grounds, for example in order to preserve, exercise or defend our rights in court, to fulfill certain legal obligations or in other similar cases which are closely related to the initial processing;
- please also note that the withdrawal of consent will not affect the processing we have previously carried out on its basis, nor the data processing that is not carried out on the basis of consent.
V. How long we STORE your personal data
As a general rule, we will store your personal data for the duration of the contract. You may request the deletion of certain information from us at any time and we will comply with such requests, subject to the retention of certain information, including after the termination of the contract, where applicable law or our legitimate interests require.
VI. Data UPDATES
We want to process personal data that is accurate, complete and up to date. Therefore, to the extent that personal data changes or if you notice errors in relation to this data, please let us know as soon as possible so that we can update that data.
VII. WITH WHOM WE SHARE personal data
The personal data referred to in this Policy may be provided to affiliated entities, partners, employees of ExpediCAR or other independent legal entities, such as:
- affiliates or partner entities, collaborators with whom ExpediCAR has concluded service contracts or other types of contracts (ex: distributors, suppliers, manufacturers, couriers, banks or payment service providers, marketing service providers, market research service providers, insurers, IT service providers, etc.);
- individuals or legal entities empowered by ExpediCAR in various fields related to the conclusion, registration or performance of the contract;
- accountants, auditors, lawyers, bailiffs and/ or other external professional consultants;
- public authorities, persons invested with public power, public institutions, relevant courts, etc. from Romania or from abroad - in case of control, at their request or on our own initiative, in accordance with the applicable legislation.
We will conclude with each of the mentioned entities the contractual clauses imposed by law aimed at ensuring the protection of your personal data, including the security and confidentiality of your data.
VIII. WE DO NOT SHARE data outside the European Union
At the date of issue of this Policy, ExpediCAR does not share and does not intend to transfer your personal data to entities or persons outside the European Union or international organizations.
The suppliers, partners, collaborators mentioned in the above section to which we transmit personal data are Romanian individuals / legal entities, but also foreign entities. However, we cannot rule out the possibility that abovementioned will not transmit your data to other states, which may or may not be members of the European Union (for example, if they have servers located in the United States). In the contractual clauses that we will conclude with them, we will ensure that these entities / individuals assume the existence of adequate security measures and guarantees designed to ensure the confidentiality and proper protection of your personal data.
In the eventuality that ExpediCAR transfers personal data to entities / individuals outside the European Union, we will ensure that appropriate personal data protection measures are put in place or we will ask for your consent to make such transfers, with your prior information on the potential risks involved. In exceptional situations where it will be necessary to transfer data outside the European Union and the above conditions are not met, we will ensure that the transfer will take place only in cases where the law allows express derogations (eg Article 49 of the GDPR Regulation).
IX. How do we PROTECT the security of your personal data
ExpediCAR is committed to ensure the security of personal data by implementing appropriate technical and organizational measures, according to industry standards.
Due to the way in which personal data are transmitted electronically, there may be a risk of interception, loss, copying of information by unauthorized persons, through the use of interception equipment or software. Upon notifying the users, ExpediCAR will take all the measures and will make available all the necessary files to the competent authorities empowered to solve this type of criminal activity. We cannot be held responsible for such vulnerabilities of the systems that are beyond our control.
The company cannot be held responsible for errors caused by the user's negligence regarding the security and confidentiality of his account and password.
Any access to the database with user’s personal information, including any unauthorized access attempt, will be recorded in an access file. The access files will make it possible for ExpediCAR to identify the persons who have accessed personal data without a legitimate reason, in order to notify the competent authorities. Any attempt to access another user's personal data, to modify the content of the site www.expedicar.ro or to affect the performance of the server on which the site is running, will be considered an attempt to defraud the site and will incur a criminal investigation against the person or persons who initiated this action.
X. WHAT ARE YOUR RIGHTS in regards to the processing of personal data
You have the following main rights regarding your personal data, rights that can be exercised, under the conditions established by law:
- the right to access data: you have the right to obtain information about the processing or non-processing of your personal data, the right to gain access to your data or a copy of this data we hold, and the right to obtain information about the type, processing and disclosure by us of this data or about the source of your personal data, if this data has not been collected directly from you.
You also have the right to request information about the existence of any automatic processing of your personal data, including the creation of profiles, as well as information about the logic used and the importance and expected consequences of such processing on you; in this case, if the processing is carried out by automatic means you have the right not to be subject to an individual decision.
- the right to data correction: you have the right to obtain the rectification of your data that we process or control, which are inaccurate; depending on the purposes for which the data are processed, you have the right to obtain the completion of data that is incomplete, including by providing additional statements.
- right to delete your data (“right to be forgotten”): you have the right to obtain from us the deletion of your data that we process or control, in the cases provided by law.
- the right to restrict data processing: you have the right to obtain from us the restriction of the processing of your data that we process or control, to certain limited data and purposes, according to the law (for example when you oppose the deletion of data, but instead request the restriction of their use).
- the right to opose to the processing: you have the right to object to the processing of your data by us or on our behalf, in the cases and within the limits provided by law; In certain situations permitted by law, we may continue to process your data after exercising this right.
- the right to data portability: you have the right to obtain the transfer to another controller of your data that we process or control in other situations provided by law (for example, processing based on consent, contract or by automatic means).
- the right to withdraw your consent at any time: in situations where we process your data based on your consent, you have the right to withdraw it; you can do this at any time, at least as easily as you initially gave us your consent; withdrawal of consent will not affect the lawfulness of the processing of your data that we performed before the withdrawal.
- the right to lodge a complaint with the supervisory authority: you have the right to lodge a complaint with the supervisory authority of the processing of personal data regarding the processing of your data by us or on our behalf. The Romanian Supervisory Authority is the The National Supervisory Authority for Personal Data Processing.
To exercise one or more of these rights or to address any questions or concerns regarding any of these rights, please contact us using the following contact details:
- Address: Johann Strauss street, No. 2, District 2, Bucharest
- E-mail: firstname.lastname@example.org
We are convinced that you will not exercise these rights unreasonably, excessively or otherwise abusively.
If you are not satisfied with the way we have resolved or responded to your request or complaint or you consider that the processing is done in violation of applicable law, you can file a complaint with the Romanian data supervisory authority: The Romanian Supervisory Authority is the The National Supervisory Authority for Personal Data Processing (ANSPDCP).
At the date of issuing these Privacy policies, ANSPDCP has the following contact details:
Headquarter: Bd. Gheorghe Magheru no. 28-30, Bucharest, District 1, zip code 010336, Romania