Data Protection Notice

ARVAL DATA PROTECTION NOTICE

The protection of your personal data is important to the BNP Paribas Group – to which Arval belongs – and which has adopted strong principles in that respect for the entire Group in its Group Data Protection Notice.

This Arval Information Data Protection Notice provides you with detailed information relating to the protection of your personal data by Arval AB, Vendevägen 89, 182 32 Danderyd - Box 80, 182 11 Danderyd (legal representative: Sébastien Valy) (”we”).

We are responsible, as a controller, for collecting and processing your personal data in relation to our activities. The purpose of this Arval Data Protection Notice is to let you know which personal data we process about you as a driver (being either our client or our corporate clients’ employee) or as a representative of our corporate client, the reasons why we use such data, how long we keep it, what your rights are and how you can exercise them.

Further information may be provided where necessary when you apply for a specific product or service.

1. WHICH PERSONAL DATA DO WE USE ABOUT YOU?
2. SPECIFIC CASES OF PERSONAL DATA COLLECTION, INCLUDING INDIRECT COLLECTION
3. WHY AND ON WHICH BASIS DO WE USE YOUR PERSONAL DATA?
4. WHO DO WE SHARE YOUR PERSONAL DATA WITH?
5. TRANSFERS OF PERSONAL DATA OUTSIDE THE EEA
6. HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?
7. WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM?
8. HOW CAN YOU KEEP UP WITH CHANGES TO THIS DATA PROTECTION NOTICE?
9. HOW TO CONTACT US?
 

1. WHICH PERSONAL DATA DO WE USE ABOUT YOU?

We collect and use your personal data to the extent necessary in the framework of our activities and to achieve a high standard of personalised products and services.

Depending on the product/service, we may collect various types of personal data about you, including:

  • identification information (e.g. name, ID card, passport, driving licence, nationality, place and date of birth, gender, photograph, IP address);
  • contact information (e.g. postal address and e-mail address, phone number);
  • family situation (e.g. marital status, number of children);
  • tax status (e.g. tax ID, tax status);
  • employment information (e.g. employment, employer’s name, location);
  • banking, financial and transactional data (e.g. credit card number, bank account details, payment data);
  • data relating to the vehicle leasing contract or other mobility solutions (e.g. client identification number, contract number, vehicle identification number);
  • data relating to insurance issues (e.g. insurance claim history including paid indemnities and expert reports, information about victims);
  • data relating to you, your habits and preferences :
    • data which relate to your use of our products and services and transactional data;
    • data from your interactions with us: our internet websites, our apps, our social media pages, meeting, call, chat, email, interview, phone conversation;
  • video surveillance (including Arval’s CCTV) and
  • geolocation data (e.g. showing locations to identify the location of service suppliers for you or enabling the provision of specific services such as car sharing).

Depending on the product/service, we may collect the following sensitive data only upon obtaining your explicit prior consent:

  • biometric data : e.g. fingerprint, voice pattern or face pattern which can be used for identification and security purposes;
  • data relating to criminal convictions and offences in relation to fines for traffic offences as part of the “Fines Management” service.

These data may nevertheless be processed without your consent if necessary to comply with applicable laws and regulations.

We never ask for personal data related to your racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data or data concerning your sex orientation, unless it is required through a legal obligation.

The data we use about you may either be directly provided by you or be obtained from the following sources in order to verify or enrich our databases:

  • publications/databases made available by official authorities (e.g. the official journal);
  • our corporate clients and/or their branches and affiliates (e.g. your employer) or service providers;
  • third parties such as credit reference agencies and fraud prevention agencies or data brokers in conformity with the data protection legislation;
  • websites/social media pages containing information made public by you (e.g. your own website or social media); and
  • databases made publicly available by third parties.

 

2. SPECIFIC CASES OF PERSONAL DATA COLLECTION, INCLUDING INDIRECT COLLECTION

In certain circumstances, we may collect and use personal data of individuals with whom we have, could have (such as prospects), or used to have a direct relationship.

In certain circumstances, we may also collect information about you although you do not have a direct relationship with us. This may happen for instance when a client (e.g. your employer), a service provider or a commercial partner provides us with information about you, if you are, for example, a :

  • family member;
  • co-lessee, co-driver, co-borrower / guarantor;
  • (legal) representative of a legal entity (power of attorney);
  • beneficiary of payment transactions made by one of our clients;
  • beneficiary of insurance policies;
  • landlord;
  • ultimate beneficial owner;
  • client’s debtor (e.g. in case of bankruptcy);
  • shareholder;
  • staff member of a service provider or a commercial partner.

 

3. WHY AND ON WHICH BASIS DO WE USE YOUR PERSONAL DATA?

  1. To comply with our or BNP Paribas Group’s legal and regulatory obligations

We use your personal data to comply with various legal and regulatory obligations, including:

  • banking and financial regulations in compliance with which we:
    • set up security measures in order to prevent abuse and fraud;
    • detect transactions which deviate from the normal patterns;
    • define your credit risk score and your reimbursement capacity;
    • monitor and report risks that we could incur; and
    • record, when necessary, phone calls, chats, emails, etc.
  • reply to an official request from a duly authorised public or judicial authority (e.g. to identify the driver and communicate the data to the relevant public authorities);
  • prevention of money-laundering and financing of terrorism;
  • compliance with legislation relating to sanctions and embargoes; and
  • fight against tax fraud and fulfilment of tax control and notification obligations.
  1. To perform a contract or to take steps at your request before entering into a contract with you

Applicable to you as a driver also being our individual client

We use your personal data to enter into and perform our contracts, including to:

  • evaluate if we can offer you a product or service and under which conditions;
  • provide you with information regarding our products and services;
  • schedule and manage (i) the delivery, return, maintenance and repair of the vehicle (including vehicle recalls from manufacturers), (ii) value added services (e.g. fuel and toll cards) and (iii) the purchase of the vehicle (in second hand);
  • manage the resolution of disputes (e.g. for debt collection), assist you and answer your requests and complaints (including insurance claims);
  • ensure and facilitate your mobility by allowing you to access easily some services directly on your smartphone with our mobile applications; and
  • handle billing, invoicing and recovery.
  1. To fulfil our legitimate interest

We use your personal data in order to deploy and develop our products or services, manage the contractual relationship with our individual clients and corporate clients of whom you are an employee, to improve our risk management and to defend or exercise our legal rights, including:

  • proof of transactions;
  • fraud prevention;
  • rolling out prevention campaigns, e.g. creating alerts in connection with traffic or road hazards;
  • response to official requests from public authorities of third countries (located outside EEA);
  • IT management, including infrastructure management (e.g. shared platforms) & business continuity and IT security;
  • establishing individual statistical models, based on the analysis of transactions, for instance in order to help define your driver profile;
  • establishing aggregated statistics, tests and models, for research and development, in order to improve the risk management of our group of companies or in order to improve existing products and services or create new ones;
  • training of our personnel by recording phone calls;
  • personalising our offering to you and that of other BNP Paribas entities through:
    • improving the quality of our products or services (including via client satisfaction surveys);
    • advertising products or services that match with your situation and profile.
      • This can be achieved by :
        • segmenting our prospects and clients;
        • analysing your habits and preferences in the various channels (visits to our offices, emails or messages, visits to our website, etc.);
        • matching the products or services that you already hold or use with other data we hold about you.

Applicable to you as an employee of our corporate clients

  • evaluate if we can offer a product or service and under which conditions;
  • provide information regarding our products and services;
  • schedule and manage (i) the delivery, return, maintenance and repair of the vehicle (including vehicle recalls from manufacturers), (ii) value added services (e.g. fuel and toll cards) and (iii) the purchase of the vehicle (in second hand);
  • manage the resolution of disputes (e.g. for debt collection), assist and answer requests and complaints (including insurance claims);
  • deliver a digital platform that allows you (i) to easily access some services directly on or through your smartphone or our website(s), (ii) to manage or make use of specific mobility services or (iii) to use a pool of vehicles for car sharing in order to increase the vehicle utilisation rate;
  • deliver the fleet status and trends reporting to the person in charge of fleet management (e.g. reporting on maintenance, fuel consumption, toll cards usage); and
  • handle billing, invoicing and recovery.

Your data may be aggregated into global anonymised statistics that may be offered to professional clients to assist them in developing their business. In this case, your personal data will not be disclosed and those receiving these anonymised statistics will be unable to ascertain your identity.

  1. To respect your choice if we requested your consent for a specific processing

In some cases, we must require your consent to process your data, for example:

  • where the above purposes lead to automated decision-making, which produces legal effects or which significantly affects you. At that point, we will inform you separately about the logic involved, as well as the significance and the envisaged consequences of such processing;
  • if we need to carry out further processing for purposes other than those above in section 3, we will inform you and, where necessary, obtain your consent.

 

4. WHO DO WE SHARE YOUR PERSONAL DATA WITH?

Solely to the extent necessary to fulfill the aforementioned purposes and subject to the provisions of Section 3, we may disclose your personal data to:

  • BNP Paribas Group entities (e.g. you can benefit from our full range of group products and services);
  • Service providers which perform services on our behalf;
  • Independent agents, intermediaries or brokers, banking and commercial partners with which we have regular relationship (such as the insurance company providing motor vehicle insurances);
  • Financial or judicial authorities, state agencies or public bodies, upon request and to the extent permitted by law;
  • Certain regulated professionals such as lawyers, notaries or auditors;
  • Your employer if you are an employee of one of our corporate clients.

 

5. TRANSFERS OF PERSONAL DATA OUTSIDE THE EEA

In case of international transfers originating from the European Economic Area (EEA), where the European Commission has recognised a non-EEA country as providing an adequate level of data protection, your personal data may be transferred on this basis.

For transfers to non-EEA countries whose level of protection has not been recognised by the European Commission, we will either rely on a derogation applicable to the specific situation  or implement one of the following safeguards to ensure the protection of your personal data:

  • Standard contractual clauses approved by the European Commission; or
  • Binding corporate rules, where applicable.

To obtain a copy of these safeguards, you can send a written request as set out in Section 9.

 

6. HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?

We will retain your personal data for the longer of the period required to comply with applicable laws and regulations or another period with regard to our operational requirements, such as proper account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests. For instance, most of clients’ information is kept for the duration of the contractual relationship and after the end of the contractual relationship for the period of time needed to ensure the exercise of our legal rights or the defense of legal claims.

 

7. WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM?

In accordance with applicable regulations, you have the following rights:

  • To access your personal data: you can obtain information relating to the processing of your personal data, and a copy of such personal data.
  • To rectify your personal data: where you consider that your personal data are inaccurate or incomplete, you can require that such personal data be modified accordingly.
  • To erase your personal data: you can require the deletion of your personal data, to the extent permitted by law.
  • To restrictthe processing of your personal data.
  • To object to the processing of your personal data, on grounds relating to your particular situation. You have the absolute right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing.
  • To withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
  • To data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party.

If you wish to exercise the rights listed above, please send a letter or e-mail to the following address: Arval AB, DPO Office, Vendevägen 89, 182 32 Danderyd - Box 80, 182 11 Danderyd or privacy@arval.se. Please include a scan/copy of your identity card for identification purposes.

In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.

 

8. HOW CAN YOU KEEP UP WITH CHANGES TO THIS DATA PROTECTION NOTICE?

We invite you to review the latest version of this notice online and we will inform you of any material changes through our website or through our other usual communication channels.

 

9. HOW TO CONTACT US?

If you have any questions relating to our use of your personal data under this Data Protection Notice, please send a letter or e-mail to the following address: Arval AB, DPO Office, Vendevägen 89, 182 32 Danderyd - Box 80, 182 11 Danderyd or privacy@arval.se.  Our data protection officer will then investigate your query.

If you wish to learn more about cookies and our Security Assurance Plan, please contact us through privacy@arval.se.