We inform you that, pursuant to Art. 13 of Regulation EU no. 2016/679 (hereinafter the “GDPR”), Locauto Rent S.p.a. (hereinafter “Locauto” or the “Controller”) will process the data provided by you in compliance with the applicable laws on the subject and in accordance with the provisions set forth below.
1. SUBJECT OF PROCESSING
The Controller processes the personal and identification data (for example, first name, last name, company name, address, telephone number, e-mail, bank account and payment information, hereinafter the “personal data” or also the “data”) communicated by you at the time of conclusion of the rental agreement.
2. PURPOSE OF PROCESSING
Your personal data are processed:
Without your express consent, in compliance with the provisions of Art. 6, letters b), e) and f) of the GDPR, for the following Service Purposes:
(a) access to and use of the Locauto rental service, including the collection, retention and processing of the data to establish the relationship and for its subsequent operational, technical and administrative management and to make the communications relating to performance of the services;
(b) execution of the obligations deriving from the General Rental Conditions;
(c) management of payments (with relative processing of payment data in accordance with law, including details for identifying credit cards and/or prepaid cards);
(d) fulfillment of legal, accounting, tax, administrative and contractual obligations linked to provision of the services requested;
(e) management of relations with authorities and independent public entities for purposes related to particular requests, performance of legal obligations or particular procedures (e.g. renewal of service on actual violator of written notices of violation of the Highway Code);
(f) claims management;
(g) implementation of measures aimed at protecting against credit risk, including activities aimed at identifying the customer and their financial reliability/solvency, also during the course of the contractual relationship. Incomplete or inaccurate communications, or failure to communicate the data necessary for registration shall entail the impossibility to complete the procedure and the consequent impossibility to use the service;
(h) exercise of the Controller’s rights, for example the right to defense in legal proceedings;
(i) for legitimate interests in carrying out direct marketing and for the purpose of determining the level of satisfaction with the quality of the services provided.
The communications indicated in point (i) above may take place by traditional means (e.g. regular mail, telephone calls with operator), automated means (e.g. telephone calls without operator) and similar methods (e.g. fax, e-mail, SMS, MMS) based on the data provided at the time of stipulation of the agreement.
Only with your specific and clear consent (in compliance with the provisions of Art. 7 GDPR) for the following additional purposes:
(k) sending by Locauto, its parent companies, subsidiaries and affiliates, of sales communications and/or advertising material on products or services offered by entities other than the Controller;
(l) conduct of market surveys and administration of questionnaires to determine satisfaction levels with the quality of services offered by entities other than the Controller;
(m) profiling of user’s personal data to offer personalization based on purchasing preferences.
The communications indicated in the points above may take place by traditional means (e.g. regular mail, telephone calls with operator), automated means (e.g. telephone calls without operator) and similar methods (e.g. fax, e-mail, SMS, MMS) based on the data provided at the time of stipulation of the agreement.
3. METHODS OF PROCESSING
The processing of your personal data takes place through the operations indicated in Art. 4, no. 2) GDPR, and specifically: collection, registration, organization, retention, consultation, elaboration, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure and destruction of the data. Your personal data are subject to both paper and electronic and/or automated processing. The Controller shall process the data for the time necessary for the purposes indicated above, and in any event for no more than 10 years after termination of the relationship for the Service Purposes and no more than 5 years from collection of the data for Marketing Purposes.
4. ACCESS TO DATA
Your data will be made available for the purposes indicated in Art. 2), letters a) to i), and if allowed from letters k) to m):
- to employees, associates, affiliates and franchisees of the Controller or the companies in the Locauto Group, in their capacity as external authorized persons and/or processors and/or system administrators;
- to independent companies and other entities (insurance companies responsible for claims payments; companies specialized in claims recovery; companies specialized in the management of commercial or credit information, or advertising promotion; other companies contractually linked to Locauto that perform claims management activities, sub-vendors, subcontractors and/or financial intermediaries, professional firms that provide assistance and consulting for our companies and banks, data processing centers and public entities, for the granting of contributions and assistance of any kind linked to the performance of the services) that perform activities on assignment or by order from the Controller, in their capacity as external data processors.
Your data will also be made accessible for the purposes in Art. 2), letters a) to i), and if allowed, from letters k) to m):
- to EAN Data Services UK Ltd., Enterprise Holdings, Inc. and its affiliates and/or subsidiaries; those entities will process the data in their capacity as autonomous data controllers. For further details, we invite you to view EHI’s Privacy Policy, including the information regarding data retention, at the site https://www.enterprise.co.uk/en/privacy-policy.html
5. COMMUNICATION OF DATA
Without the need for express consent (pursuant to Art. 6, letters b) and c) GDPR), the Controller may communicate your data for the purposes in Art. 2), letters a) to i) to: police forces, armed forces and other public administrations, oversight bodies, judicial authorities, insurance companies, and entities to which communication is mandatory under law for the fulfillment of the cited purposes. Those entities shall process the data in their capacity as autonomous data controllers. Your data will not be disclosed to others.
6. TRANSFER OF DATA
The personal data are kept on servers located in the Microsoft Azure cloud infrastructure in Ireland, inside the European Union. It is in any event understood that should it become necessary, the Controller shall have the right to move the servers outside of the European Union. In such a case, the Controller hereby warrants that the transfer of the data outside of the EU will take place in compliance with applicable provisions of law, subject to stipulation of the standard contractual clauses required by the European Commission.
7. NATURE OF PROVISION OF DATA AND CONSEQUENCES OF REFUSAL TO REPLY
The provision of the data for the purposes in Art. 2), letters a) to i) is obligatory. In the absence of that data, we cannot guarantee the Services as per Art. 2, letters a) to i).
The provision of the data for the purposes in Art. 2), letters k) to m), on the other hand, is optional. You may thus decide not to provide any data or to subsequently deny the possibility to process data already provided.
8. GEOLOCATION, SATELLITE NAVIGATION AND INFOTAINMENT SYSTEMS
We also inform you that Locauto vehicles may be subject to geolocation. Geolocation activity will take place in accordance with applicable laws; the processing of data collected in that way will take place anonymously. Locauto Rent will not collect or process any sensitive data relating to customers. Locauto vehicles may be equipped with satellite navigation and infotainment systems, the latter managed directly and independently of Locauto by the manufacturer of the vehicle. In the event of use of a satellite navigator and infotainment systems, you will be responsible for the information entered into them. Locauto does not warrant the confidentiality of that information, which you shall be responsible for deleting from the devices used. If you fail to do so, that data may be visible to the next user of the vehicle.
9. DATA SUBJECT’S RIGHTS
In your capacity as data subject, you have the rights set out in Art. 15 GDPR, and specifically the rights to:
- obtain confirmation of the existence or absence of personal data concerning you, even if not yet registered, and their communication in an intelligible form;
- obtain the indication of:
a) the origin of the personal data;
b) the purposes and methods of processing;
c) the logic applied in the case of processing by electronic means;
d) the identification details of the controller, processors, and representative designated pursuant to Art. 3, paragraph 1, GDPR;
e) the recipients or categories of recipients to whom the personal data can be communicated or who can learn of it in the capacity as designated representative in the territory of the State, or as processors or persons in charge of processing;
- obtain:
a) the updating, rectification, or when the data subject has an interest, the completion of the data;
b) the erasure, anonymization or restriction of data processed in violation of law, including that for which retention is not necessary in relation to the purposes for which the data were collected or subsequently processed;
c) the certification that the operations in letters a) and b) were brought to the attention, including as regards their contents, of those to whom the data were communicated or disclosed, excepting cases in which said requirement is impossible or involves disproportionate effort compared to the protected right;
- object, in full or in part:
a) for legitimate reasons, to the processing of personal data concerning you, even if pertinent to the purpose of the collection;
b) to the processing of personal data concerning you for the purpose of sending advertising or direct sales materials or for conducting market research or sales communications, through the use of automated calling systems without the intervention of an operator, by e-mail and/or by traditional marketing methods by telephone and/or ordinary mail.
We note that the data subject’s right to object, presented in point b) above, for purposes of direct marketing by automated means, also extends to traditional means and in any event the data subject maintains the right to exercise the right to object also only partially. Therefore, the data subject may decide to receive communications only by traditional means or only automated communications or by neither of the two means of communication. Where applicable, the data subject also has the rights under Arts. 16-21 GDPR (Right to rectification, right to be forgotten, right to restriction of processing, right to data portability, and right to object) and the right to submit complaints to the Data Protection Authority.
10. METHOD OF EXERCISING RIGHTS
You may exercise your rights at any time by sending:
- a registered letter with return receipt to Locauto Rent SPA – Operational offices in Milan, Via Gustavo Fara, 39;
- an e-mail to the address privacy@locautorent.it
11. CONTROLLER, PROCESSORS AND PERSONS IN CHARGE OF PROCESSING
The Controller of the processing is Locauto Rent SPA (Tax code/VAT no. 04367650969), with registered office at Piazza Silvio Pellico n. 5 - 38122 Trento (TN) and operational offices at Via Gustavo Fara, 39, Milan (CAP 20124), tel. 02.430201; e-mail: dpo@locautorent.it
The Controller of the processing has designated a Data Protection Officer (DPO) pursuant to Art. 37 GDPR, who may be contacted for all questions relating to the processing and protection of personal data and the exercise of the data subject’s rights at the Controller’s registered office or by writing to the address privacy@locautorent.it
The updated list of the processors is kept at the Controller’s registered office.