PRIVACY POLICY

PERSONAL DATA PROTECTION NOTICE FOR POTENTIAL CUSTOMERS OR CUSTOMERS
Pursuant to Articles 13 and 14 of EU Regulation 2016/679 and Legislative Decree 196/2003 (PRIVACY CODE) as amended

The protection of customers’ personal data plays a central role for Locauto Rent S.p.a. (hereinafter “Locauto”). This Data Protection Notice (hereinafter also the “Notice”) is intended to provide clear and complete information regarding the methods of processing your personal data by the Company. As the data controller, Locauto is responsible for the collection and processing of personal data carried out as part of its activities. The purpose of this Notice is to allow for an understanding of which personal data regarding potential customers or customers are processed, as well as the purposes for which such data are used and shared, the applied retention periods, the rights recognized to customers, and the methods for their exercise.

1. DATA CONTROLLER
The Data Controller is Locauto Rent S.p.a. (Tax Code/VAT No. 04367650969) with registered office in Piazza Silvio Pellico n. 5 - 38122 Trento (TN), reachable via e-mail at the address privacy@locautorent.it

2. DATA PROTECTION OFFICER
The Data Controller has appointed, pursuant to Art. 37 GDPR, a DPO (Data Protection Officer or Responsabile per la Protezione dei Dati) who can be contacted at the e-mail address: dpo@locautorent.it

3. PERSONAL DATA PROCESSED
The GDPR defines “personal data” as “any information regarding an identified or identifiable natural person”. The GDPR also precisely defines what is meant by “processing”, namely “any operation or set of operations, performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, deletion or destruction”.
To provide its services, Locauto Rent S.p.A. may process the following personal data:

• identification data (e.g. name, surname, place and date of birth, Tax Code, identity card, driver's license...)
• contact data (e.g. e-mail, telephone number...)
• image data
• banking and financial data (e.g. credit card number, IBAN...)
• data relating to the vehicle rental agreement (e.g. contract number, vehicle license plate, customer identification number...)
• data relating to geo-localization
• judicial data pursuant to art. 10 of the Privacy Regulation relating to criminal convictions or offenses, provided by the judicial authority or other subjects authorized by law as part of their requests;

Locauto never asks for personal data relating to racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data or data relating to the sexual orientation of the potential customer or customer, unless this is necessary to comply with legal regulations. Data may be provided directly by the potential customer or customer or obtained from the following sources:

• publications/databases made available by authorities
• databases made publicly accessible to third parties

4. THE LEGAL BASES FOR DATA PROCESSING BY LOCAUTO RENT S.P.A.
The GDPR establishes that any processing of personal data must be founded on a legal basis. The legal bases are listed in art. 6 of the GDPR and are:

• art.6, comma 1, lett. a) Consent: the data subject has expressed consent to the processing of their personal data for one or more specific purposes;
• art. 6, comma 1, lett. b) Fulfillment of a contract or pre-contractual measures: processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures adopted at the request of the data subject;
• art. 6, comma 1, lett. c) Legal obligation: processing is necessary to fulfill a legal obligation to which the data controller is subject;
• art. 6, comma 1, lett. d) Protection of vital interests: processing is necessary for the protection of the vital interests of the data subject or of another natural person (not applicable to the Company's reality);
• art. 6, comma 1, lett. e) Public interest or public powers: processing is necessary for the performance of a task in the public interest or connected to the exercise of public powers with which the data controller is invested (not applicable to the Company's reality);
• art. 6, comma 1, lett. f) Legitimate interest: processing is necessary for the pursuit of the legitimate interest of the data controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data do not prevail, in particular if the data subject is a minor.

5. PURPOSES AND LEGAL BASIS OF DATA PROCESSING
5.1. Providing the rental service. Locauto uses the personal data provided for the management of the rental contract or to fulfill a request before the conclusion of a contract with the customer, as well as to carry out technical and logistical assistance activities, including by telephone; to activate and provide extra services, to plan vehicle maintenance activities, for the operational management of the vehicle fleet, for activities necessary for the recovery of the vehicle at the end of the rental contract, to provide insurance services and other contractual guarantees, to manage the resolution of disputes (e.g. for debt collection), for the management of claims (including insurance requests) and for the management of invoicing.
Legal Basis: Performance of a contract to which the data subject is a party or performance of pre-contractual measures adopted at the request of the customer.

5.2 Fulfilling regulatory, administrative, tax and accounting obligations. Managing relationships with third-party authorities and public bodies for purposes connected to specific requests, the fulfillment of legal obligations or specific procedures.
Legal Basis: Fulfillment of legal obligations. The Company will process personal data to comply with obligations of a legal and/or regulatory nature.

5.3 Responding to an official request from an authority. Responding to an official request from a financial, tax, administrative, criminal or judicial authority, local or foreign, duly authorized, or from arbitrators or mediators, law enforcement agencies, state agencies or public authorities (e.g. in order to identify the driver or the customer and communicate the data to the competent public authorities, following offenses, road accidents, etc.)
Legal Basis: Fulfillment of legal obligations. The Company will process personal data to comply with obligations of a legal and/or regulatory nature.

5.4 Collecting documentation relating to previous claims, prevention activities and verification of any fraud.
Legal Basis: Legitimate interest of the Controller.

5.5 Managing claims and related activities for vehicle recovery. Providing assistance to the customer in case of damage, opening the claim with the insurance company, managing compensation requests, processing and settlement of damage, exercising rights in court.
Legal Basis: Fulfillment of contractual measures (e.g. towards insurance companies) suitable for processing the data provided to define insurance files. Legitimate Interest: correctly reconstructing and managing damage or accident files, including the legitimate interest to exercise or defend legal rights in the management of damage and accidents.

5.6 Managing reports and penalties for violations of the Highway Code. E.g.: re-notification to the actual offender of reports of violation of the rules of the Highway Code.
Legal Basis: Fulfillment of legal obligations.

5.7 Asserting and defending its rights also in court, as well as in the context of debt collection and assignment of credits to authorized companies, also through third parties.
Legal Basis: Legitimate interest of the Controller.

5.8 Sending to Customers and/or Users, subject to consent, marketing communications on products and services, activities and events organized by or in collaboration with Locauto.
Legal Basis: consent. Processing for marketing purposes is based on the explicit, free, specific and optional consent of the Customer and/or User, easily revocable at any time.

5.9 Sending reminder communications via e-mail to the potential customer or customer in the event that they have started but not concluded the purchase process for products and/or services on the Locauto website, provided that the potential customer or customer has the right to object at any time to the receipt of such communications; in case of failure to complete the purchase order, Locauto will send no more than 3 reminder communications via e-mail no later than 7 days following the date of start and non-completion of the purchase process by the user (see relative notice). Legal Basis: Consent.

5.10 Sending advertising communications relating to services/products similar to those requested pursuant to article 130 paragraph 4 of the Privacy Code, without the need to acquire the User's consent, marketing communications exclusively via e-mail having as their object services and/or products similar to those provided by Locauto and which have already been purchased by the user (so-called “soft-spam”) without prejudice to the possibility for the data subject to object to the processing initially or on the occasion of subsequent communications, by following the instructions at the bottom of the email or by writing to the address privacy@locautorent.it.
Legal Basis: art. 130 paragraph 4 Privacy Code. This rule allows the Company to send communications, solely via e-mail, regarding services and/or products similar to those already purchased by the user, in the absence of the latter's consent.
The possibility for the data subject to object to the processing initially or on the occasion of subsequent communications remains firm, by following the instructions at the bottom of the email or by writing to the address privacy@locautorent.it.

5.11 Communicating data for marketing purposes to third-party companies, which will process them as independent data controllers, for commercial information purposes, statistical surveys, market research, direct offers of their products and services, carried out through traditional contact methods and through automated contact methods.
Legal Basis: Consent. Failure to provide the same does not entail consequences on contractual relationships. Consent can be revoked at any time by writing to the address privacy@locautorent.it.

5.12 For profiling purposes subject to explicit, free, specific and optional consent, Locauto may process the personal data voluntarily provided by the user, as well as those collected during the use of the services, in order to carry out analysis activities, both automated and manual, aimed at identifying preferences, choices and consumption habits, with the aim of improving the services offered and presenting commercial proposals more in line with the interests and expectations of the individual user.
Legal Basis: Consent. Failure to provide the same does not entail consequences on contractual relationships. Consent can be revoked at any time by writing to the address privacy@locautorent.it.

5.13 To carry out a survey on the degree of customer satisfaction for the improvement of the quality of Locauto's products and services.
Legal Basis: Legitimate interest.

5.14 To manage so-called “whistleblowing” reports as per specific notices available on the website www.locautorent.com to which reference is made.
Legal Basis: Legal obligation.

6. PROVISION OF DATA
The provision of data to Locauto is necessary in order to provide the requested services and to fulfill specific regulatory obligations. Failure to provide such data prevents the provision of the services requested by the Data Subject. Any refusal by the data subject to provide personal data may result in the impossibility (partial or total) of fulfilling legal obligations, or of stipulating or correctly executing the contract or service. In such event, without prejudice to the data subject's right not to provide their data, the Controller reserves the right to suspend, interrupt or not establish the contractual relationship. The provision of data based on consent is optional and failure to provide it does not compromise the provision of services.

7. SCOPE OF COMMUNICATION, SUBJECTS AUTHORIZED FOR PROCESSING
Data may be communicated to external subjects operating as independent data controllers, such as public or private subjects legitimate to process data: public administrations, banks and credit institutions, accountants, notaries, lawyers and other professionals or to companies for which Locauto provides services under a contractual relationship.
Data may be processed, on behalf of the controller, by external subjects designated as data processors, who perform specific activities on behalf of the controller. The list of data processors is constantly updated and available by writing to privacy@locautorent.it or at the registered office of Locauto. Data may be communicated to third-party companies or other subjects (such as insurance companies competent for the settlement of claims; companies specialized in debt collection; companies specialized in the management of commercial or credit information, or advertising promotion; other companies contractually linked to Locauto that carry out claims management activities, sub-suppliers, sub-contractors and/or financial intermediaries, professional firms providing assistance and consultancy activities to Locauto as well as banks, data processing centers, public subjects, for the granting of contributions and aids of any kind connected to the provision of services) that carry out activities on behalf and by order of the Controller, in their capacity as external data processors. Data may be processed by employees of the corporate functions responsible for the pursuit of the purposes indicated above; such employees have been expressly authorized for processing and have received adequate operational instructions; data may also be processed by collaborators, affiliates and franchisees of the
Controller in their capacity as authorized persons and/or external data processors and/or system administrators as well as by Locauto S.p.A. in light of the joint controllership agreement pursuant to art. 26 GDPR whose essential content is available upon request of the data subject. Data are not subject to dissemination.

8. PROCESSING OF DATA FOR CUSTOMERS OF ENTERPRISE RENT-A-CAR, ALAMO RENT A CAR, NATIONAL CAR RENTAL
In the case of customers booking through the brands Enterprise Rent-A-Car, Alamo Rent A Car and National Car Rental, Locauto will disclose Customer Personal Data to (i) Enterprise Rent-A-Car UK Ltd., (ii) Enterprise Holdings, Inc. and/or any of relevant subsidiaries (for details please see EHI’s Privacy Policy at https://www.enterprise.co.uk/en/privacy-policy.html) (together “EHI”), all acting as independent data controllers. Customer Personal Data will be shared for the following purposes:

8.1 Process Customer Personal Data to manage the rental and the commercial relationship, communicate with the Customer about or assist with his rental. EHI processes Customer Personal Data for this purpose on the basis of (i) contractual necessity (e.g. billing) or (ii) its legitimate interests in ensuring the effective delivery of the requested services, when these interests are not overridden by the Customer’s – and any applicable additional authorised drivers’ – data protection rights;

8.2 Store Customer Personal Data that relates to any incident arising from the Customer’s dealings or an additional authorised driver's dealings with EHI if it thinks that, as a result of such incident, the Customer or an additional authorised driver could be a risk for future rentals. EHI processes Customer Personal Data for this purpose on the basis of its legitimate interests in protecting its employees, other customers, the public and its property from safety or financial risks based on past customer conduct, when these interests are not overridden by the Customer’s – and any applicable additional authorised drivers’ – data protection rights;

8.3 Process Customer Personal Data in order to carry out electronic customer satisfaction surveys. EHI processes Customer Personal Data for this purpose on the basis of its legitimate interests in ensuring customer satisfaction of the services which it provides, when these interests are not overridden by the Customer’s – and any applicable additional authorised drivers’ – data protection rights;

8.4 Send the Customer marketing communications (for instance by post or electronic communications) about similar products or services which EHI thinks may be of interest to him. This can include the provision of targeted advertising on EHI sites, selected partner sites and social networks. EHI processes Customer Personal Data for this purpose on the basis of its legitimate interests in conducting such marketing, when these interests are not overridden by the Customer’s – and any applicable additional authorised drivers’ – data protection rights but, where required, will seek the Customer consent to do so at the time of data collection;

8.5 Compile statistics and analysis about the Customer – and any applicable additional authorised drivers’ – use of EHI products and services, including statistics based on anonymized data, which enable EHI to provide the Customer and other customers in the future with better customer service, products, features and functionalities.

EHI participates in and is responsible for the processing of personal data received under the EU-U.S. Data Privacy Framework. For more information regarding EHI’s data transfer compliance or if the Customer has an unresolved privacy or data use concern that EHI has not addressed to the Customer’s satisfaction, please see EHI’s Privacy Policy to find out more information on how to contact EHI’s third party dispute resolution provider.
Both Lessor and EHI retain Customer Personal Data for commercially reasonable periods of time or in accordance with specific laws or policies.

The Customer has the right to:

• access and port his personal data (including in certain cases in a commonly used, machine readable format)
• have his personal data rectified (where it is inaccurate or incomplete)
• have his personal data erased where Lessor or EHI no longer has any legitimate reasons to process it
• have his personal data restricted
• object to Lessor or EHI’s processing of his personal data in certain circumstances
• lodge a complaint with the applicable supervisory authority

If the Customer has any queries in relation to the above use of his personal data, he should contact Lessor in the first instance by e-mail privacy@locautorent.it

9. DATA PROCESSING METHODS
The processing of personal data may be carried out with the aid of both analog and electronic or in any case automated means, with methods and procedures strictly necessary for the pursuit of the purposes described above.

10. EXTRA-EU TRANSFER OF DATA

Provided personal data of a personal nature will not be transferred to non-EEA countries. In any case, it is understood that, where necessary, the Controller may transfer personal data also to non-EU countries, guaranteeing right now that the transfer of personal data outside the EU will take place in compliance with the provisions of the law and in particular with the provisions of art. 46 of the GDPR.

11. RETENTION PERIOD
Locauto retains the Customer's personal data for the time necessary to achieve the purposes for which it was collected or for any other related legitimate purpose. The data will be retained for up to 10 years and 6 months from the invoice date to fulfil contractual, accounting, and tax obligations, to manage any violations of the Highway Code, insurance claims, complaints, and legal disputes, without prejudice to any additional time necessary to ensure the exercise or defence of its rights. For the management of soft spam, marketing, data communication to third parties, and profiling, the data will be retained from the moment consent is given until its revocation.

12. RIGHTS OF THE DATA SUBJECT
The legislation on the protection of personal data (artt. 12-22 of EU Regulation 679/2016) guarantees the data subject a series of rights:

• Access: they can obtain information in relation to the processing of personal data, and a copy of such personal data.
• Rectification: in the event that the data are incomplete or have changed, they can request that such data be modified accordingly.
• Erasure: they can request the deletion of personal data, within the limits permitted by law.
• Limitation: they can obtain the limitation of the processing of personal data.
• Objection: the data subject may object to the processing of their personal data for reasons connected to the particular situation. They have the absolute right to object to the processing of their personal data for direct marketing purposes, including profiling connected with such direct marketing.
• Withdrawal of consent: where the data subject has provided their consent for the processing of personal data, they have the right to revoke it at any time.
• Data portability: in the cases provided for by law, they have the right to obtain the return of the data they provided to us, and where technically feasible, to obtain their transfer to a third party.

To exercise their rights and for more detailed information on data processing, the data subject may contact Locauto Rent S.p.A. by writing to the e-mail inbox: privacy@locautorent.it.

Where the data subject believes their rights have been violated, they may protect themselves by lodging a complaint before the Garante for the protection of personal data.

In the event of any discrepancies between the Italian text and translations of this document into other languages, the Italian text shall prevail. Translations into languages other than Italian (available on the Locauto website www.locautorent.com and available, upon the Customer's request, in hard copy at each of the Lessor's rental locations) are merely translations.