I-Share - Privacy Policy

Introduction

Leasys S.p.A. (hereinafter "Leasys" and/or the "Data Controller") ensures that the processing of personal data (hereinafter the "Personal Data" and/or the "Data” for short) collected will take place in full compliance with the applicable legislation on the protection of personal data, and in particular Regulation (EU) 2016/679 (hereinafter "GDPR") and Legislative Decree 196/03, novated by Legislative Decree 101/2018 (hereinafter "Italian Personal Data Protection Code"), (GDPR and Italian Data Protection Code hereinafter will be collectively referred to as "Privacy Regulations") and informs you that the Data provided by you, as defined below, in relation to the I-SHARE service (hereinafter the "Service"), will be processed in accordance with the Privacy Regulations for the purposes set out below in paragraph 3.

This policy (hereinafter the "Policy") relates solely to the processing of Data provided by the user (hereinafter the "User" and/or "Users") – with the term User referring to the person who, upon registration, uses the IT platform to access the I-SHARE service - or otherwise obtained following the utilization of the relevant application (hereinafter the "Application" and/or "App" for short).

The terms defined with a capital letter have the same meaning as those in the definitions contained in the document "Terms and Conditions of use of the I-SHARE service", the acknowledgement of which is a pre-condition for access to the Service.

  1. Data Controller

The Data Controller is Leasys S.p.A., with registered office in Turin - Corso Orbassano n. 367.

  1. Type of Data processed

2.1 Data provided voluntarily by the User

After reading the Policy, Users may provide on the App their personal Data to access the Service offered by the App.

Personal Data will be processed only in case of activation of the Service.

Processing will always take place:

1. in full compliance with existing legislation, based on the information provided and in a fair and transparent manner;

2. by collecting a minimum amount of Data and, in any case, by collecting only the Data necessary for the performance of the requested Service;

3. in an accurate and updated manner;

4. keeping the Data only for the time necessary for the Service.

 2.2) Navigation Data

The information systems and software procedures used to operate the App collect, during their normal operation, personal data whose transmission is implicit in the use of Internet communication protocols. Such data are not collected in order to be associated with identified data subjects, but by their very nature could, through processing and association with data held by third parties, allow Users to be identified. This category of Data includes IP addresses, browser type, operating system, domain name and addresses of Web sites accessed or exited from, information on pages visited by Users within the site, access time, length of stay on a single page, internal path analysis and other parameters relating to the User's operating system and computer environment. Such technical/computer Data are collected and used in an aggregate and anonymous manner for the sole purpose of:

1. improving the quality of the service and optimizing the operation of the App;

2. understanding user behavior to improve online communication;

3. preparing statistical information regarding the use of the App.

These Data may also be used:

a. to comply with national and European Union regulations, as well as with instructions issued by Supervisory and Regulatory Authorities, also in relation to obligations to monitor operating and credit risks at Banking Group level; and

b. to ascertain responsibility in the event of computer crimes against the site and for investigations in the event of litigation.

The provision of the Data described above is necessary for the performance of the Service requested within the App, and any refusal to provide such Data will make it impossible to carry out the activities related to the Service.

The Data provided will be processed for the time necessary to perform the operations described herein.

3. Purpose of Processing

Personal Data will be collected solely in case of request of the Service offered with the App and will be processed for

a) purposes of registration and access to the Reserved Area of the site: the personal Data voluntarily provided by the User will be processed in order to manage the sign-up, registration and subsequent recognition of the User during the login phase to facilitate access to the Service;

b) purposes related to the Service: the Data voluntarily provided by Users during the relevant sign-up and registration phase will be processed solely to allow them to utilize the Service.

The provision of the Data requested for the purposes referred to in these paragraphs is necessary for the conclusion of the contract and the use of the Service.

The Data provided may also be used for internal administrative and management purposes, such as reporting, control and/or internal audit activities, study for the definition of new products, for the management of complaints and claims, as well as for Service improvement activities.

The processing activities related to fleet management and maintenance do not require the User's consent as they are based on the legitimate interest of the Data Controller.

The Data provided will be processed until the end of the contract and, in any case, up to ten years from the date of the last registration (pursuant to art. 2220 c.c.).

c) Geolocation

The APP includes features that may involve the collection of Data relating to geographical location (GPS, WiFI, GSM network). The processing of these Data enables Users, for example, to utilize the vehicle tracking service, necessary to locate the vehicle at the time of booking and pick-up.

Data may be collected when the APP is functioning and Users have activated the vehicle tracking services during the booking process. The vehicle tracking services can be deactivated at any time by accessing the appropriate section of the tracking consent section of the operating system of the Users’ devices.

The provision of the data requested for the purposes referred to in this paragraph is necessary for the conclusion of the contract and for the use of car booking services.

Leasys does not carry out any processing of such data, but only forwards them to the manager of the service installed on the device: Geolocation data are used in order to detect the position of the Vehicle at the time of its pick-up.

Depending on the person who uses the Vehicle, the processing of such data takes place in different ways:

• for the Fleet Manager, the party delegated to carry out Vehicle management activities, in order to support bookings by Users and to analyse the relative uses, with the exception of the moment in which the Vehicle is utilized by actual Users;

• for the actual user of the vehicle, in order to view the position of the Vehicle at the time of the relative booking and solely at the time of the pick-up of the Vehicle.

The geolocation Data will be stored for one year from the date of their collection, except for special needs of further storage related to specific investigative requests by the Judicial Authority or the Judicial Police.

At the end of the storage period, the records will be automatically deleted, including by over-recording, in such a way that the Data cannot be reused.

4) Recipients of personal data

For the various purposes described above, Users' personal Data may be transmitted, always in compliance with the rights and guarantees provided for by the regulations in force, to:

• Leasys employees and consultants who, within the scope of their duties, act as persons authorized, and instructed, by the Data Controller to process such Data;

• companies of the Leasys, Stellantis and Crédit Agricole groups, or otherwise subsidiaries or associates of these groups;

• parties that provide financial and insurance services in collaboration with the Data Controller for purposes strictly related to the performance of the Site registration service. Therefore, through Leasys, Users may see their Data transmitted to the parties indicated above, which will process the Data as autonomous Data Controllers for the sole purpose of providing the requested Service;

• parties that collect, process and compile Data necessary to fulfil the contract;

• parties that provide services for the management of the Data Controller's information system and telecommunications networks (including electronic mail);

• parties that perform document filing and data entry activities;

• parties that carry out customer care activities (e.g.: call centers, customer services, etc.);

• parties that inspect, review and certify the activities carried out by the Data Controller, also in the interest of customers.

Geolocation data may be communicated to third parties that perform support activities related to the provision of the Service and for storage purposes.

5) Manner of processing

Data processing for each of the aforementioned purposes may take place using automated and computerized methods and, in particular, by ordinary or electronic mail, telephone (including automated calls, SMS, MMS etc.), fax and any other electronic channel (e.g. websites, mobile apps) and on paper, for the time strictly necessary to achieve the purposes for which the Data were collected and, in any case, with the adoption of specific security measures to avoid any Data breach, such as loss of data, illegal or incorrect use and unauthorized access..

6) Data storage time

As a general rule, Leasys will keep the Data at the company only for the time necessary to achieve the purposes listed above in accordance with the principle of proportionality and necessity provided for by the Privacy Law.

Once the storage period has elapsed, Leasys will delete or transform the Data into anonymous form.

9) Data Protection Officer

For any direct contact - formal and urgent, other than the exercise of the rights provided for in paragraph 7) - Users may contact the Data Protection Officer at the email address: leasys-italia-dataprotectionofficer@fcagroup.com, as well as through the other contact channels provided for in paragraph 10) of this Privacy Policy.

10) Users’ rights

In relation to the above Data processing activities, Users may request:

• confirmation as to whether their personal Data are being processed and, if so, obtain access to such Data, as well as the origin of such Data, the purposes, methods of processing and the rationale applied in the event of processing carried out by electronic means;

• the update, supplementation, rectification, cancellation to the extent permitted by law or transformation into anonymous form of their personal Data;

• to limit or object to the processing of their personal Data;

• to receive in a structured, commonly used and machine-readable format, their personal Data or the transmission of such Data to another data controller (so-called right to portability);

• attestation that the requested operations have been brought to the attention of those to whom the Data have been communicated or disseminated.

Users may also exercise their rights by contacting Leasys Customer Care at the following addresses:

• Phone: 800 33 44 22;

• Email: dataprotection-italia@leasys.com;

• Ordinary mail: Leasys S.p.A., C.so Orbassano n. 367 - 10137 Turin, Italy.

The Data Controller will respond to requests within 30 (thirty) days of receipt, with the possibility of an extension of 60 (sixty) days, due to the complexity and number of requests. Once the above deadlines have elapsed, Users will have the right to lodge a complaint with the Italian Data Protection Authority in the forms and manner provided for by current legislation.

11) Data transfer outside the European Economic Area

User Data will not be transferred by Leasys to non-EU countries or to an international organization, except in exceptional and strictly necessary cases. If necessary, for technical or operational reasons, the same Data may be processed in countries outside the European Union, in the presence of an adequate level of protection, for which there is a specific adequacy decision by the European Commission. Any transfer of your Personal Data to non-EU countries, in the absence of an adequacy decision by the European Commission, will be possible only if adequate contractual or agreement-based warranties, including standard Data protection clauses, are provided by the Data Controllers and Processors involved. The transfer of Data to non-EU countries, in the absence of an adequacy decision or other appropriate measures as described above, will be made only where strictly necessary and in the cases provided for by the GDPR and will be processed in the interest of the User.

12) Updates to this Policy

In case of changes or due to possible updates or modifications, this Policy is provided through periodic communications or can be found on the App in the specific section dedicated to Data Protection and upon User's request.