DISCLOSURE ON THE PROCESSING OF PERSONAL DATA,
pursuant to Regulation (EU) 2016/679 (“GDPR”), Articles 13 and 14, and national regulations resulting therefrom
The purpose of this document (“Disclosure”) is to provide you with information concerning the processing of your personal information by the Lessor for purposes detailed below. In particular, this Disclosure is provided pursuant to the provisions of Regulation EU no. 679/2016 (“GDPR”), and subsequent national regulations resulting therefrom.
Data Controller’s Status and Contact Data
Data Controller status is shared among three companies operating under the Riolo Rent brand: Nicolò Riolo S.p.a, Riolo Automobili S.r.l., R Motors S.r.l.
Categories of Personal Data Processed
Within the parameters of the purposes and methods described in this Disclosure, processing involves information qualified as (i)as “standard personal data”, namely, personal details, bank details, contact details (such as, for example, mobile number and email address, hereinafter, collectively, “Personal Data”). For reference purposes, “Personal Data” used herein is understood as any personal data, unless otherwise specified.
Data Processing Methods
Data will be processed by personnel duly instructed to comply with the GDPR, either manually or with the support of electronic tools suitable to ensure data safety and confidentiality.
In addition to cases in which it becomes necessary to contact you for car rental-related issues, we may reach out to you via email, sms, through any equivalent electronic tool, by paper mail or operator call, provided that you gave your consent to data processing for purposes related to points 4 and 4.1 above.
Likewise, in light of such consent, your data will be made visible and stored in a computerized archive called Customer Relationship Management(CRM)
Data Processing Purpose and Legal Basis
Your Personal Data will be processed for the purposes and by virtue of the following legal bases:
Data Processing Purpose and Legal Basis
point 4, lett. a): for the management of your contractual relationship or to execute pre-contractual measures (such as, for example, request for information or price quote). In this case, you have the option to provide your information; however, failure to provide such data will make it impossible establish a business relationship with you and deliver services you requested. Processing is necessary to execute a contract to which you are a party
point 4, lett. b)subject to your specific consent to be contacted at the addresses provided for the completion (and subsequent use) of surveys and/or market researchcarried out in the pursuit of the Data Controller’s and to determine your satisfaction with services providedpoint 4, lett. c): subject to your specific consent, to send you (i) remindersconcerning promotional communications on the activities of Riolo Rent; (ii)communication relating to events organized by the Data Controller or its commercial partners (“marketing purposes”)
Scope of Personal Data Communication – Dissemination
Your personal data will not be disclosed.
In addition, the information may also be shared whenever it is deemed necessary to comply with requests issued by Judicial or Law Enforcement Authorities. Data collected will not be disclosed.
Data Retention Period (Determination Criteria)
The following provisions apply to Personal Data retention (or determination criteria):
point 4, lett. a)(contract management) – For the entire duration of contract performance, and for 10 years thereafter (statutory requirement). In addition, contact information and vehicle ID information can be stored for (i) 40 years from the date of vehicle production, for information related to chassis master data and recall campaigns; (ii) 20 years from the date of vehicle production, for warranty claims; (iii) 10 years from the date of vehicle delivery, or 5 years from the last contract entered into (i.e., 5 years from the last complaint), for contracts to extend the warranty coverage. In any case, the data retention period is consistent with the time required to pursue the relevant professional purposes and to manage the business relationship between you and the Data Controller, without prejudice to the need to comply with contractual, administrative, fiscal, accounting or statutory requirements that have become effective after the delivery of contract services. point 4, lett. b -c -d)Your personal data processed for purposes set forth under point 4 b-c-d will be stored until you revoke your consent to data processing;
in particular, your profiling data will be stored for a period not exceeding 24 months from the moment you have given your consent.
We point out that you can exercise rights afforded to you by the GDPR including, by way of example, the right to (i)access your Personal Data (and know origin and purposes of processing, data concerning subjects to whom data are provided, data retention schedule or criteria useful to determine such schedule);(ii)request data amendment; (iii)request the deletion (“right to be forgotten”) of data that are no longer needed, are incomplete, incorrect or have been collected in violation of the law; (iv)request that processing be limited to information concerning you; (v)to the extent deemed technically feasible, receive data in a structured format, or transmit your information to you or to third parties indicated by you (so-called “portability” of information voluntarily provided by and concerning you); (vi)revoke your consent at any time, if consent is the basis of processing. In any case, withdrawal of consent does not adversely affect the lawfulness of processing, on the basis of consent provided by you prior to revocation. In addition, you have the right to object to the processing of your personal data, including profiling. The aforementioned rights may be exercised by written request to the Data Controller.
When such request is received, the Data Controller shall proceed without undue delay and, in any case, at the latest within one month of receiving the request. If warranted by circumstance, the deadline may be extended by two months, to accommodate the complexity and number of requests received by the Data Controller. In such cases, the Data Controller will inform you of the reasons requiring an extension, within one month of receiving your request.
The Data Controller reminds you that, where you believe that a reply to your requests was not satisfactory, you can contact and submit a complaint to the Authority for the Protection of Personal Data (http://www.garanteprivacy.it/), in the manner provided for in the GDPR.