RIDE SHARE BULGARIA EAD
PRIVACY POLICY
Sofia
2024
Content
KEY DEFINITIONS
GENERAL PROVISIONS
PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF PROVIDING AN ELECTRIC VEHICLE SHARING SERVICE
PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF DIRECT MARKETING
MOBILITY MONITORING
DATA STORAGE PERIODS
DATA PROTECTION OFFICER
PROCEDURE FOR MANAGING PERSONAL DATA SECURITY BREACHES AND DEALING WITH SUCH BREACHES
TECHNICAL AND ORGANIZATIONAL MEASURES FOR PERSONAL DATA SECURITY
FINAL
PROVISIONS
1. KEY DEFINITIONS
1.1. “Responsible Person” means the employee of the Data Controller who, by the nature of his work, is entitled to perform the specific functions related to the processing.
1.2. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
1.3. "Employee" means a person who has concluded an employment contract or similar contract with the Personal Data Controller.
1.4. "Data/personal data" means any information related to an identified or identifiable individuals (data subject); an identifiable individuals is an individual who can be identified directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.5. "DPA" means a data processing agreement to be entered into with each Personal Data Processor in accordance with the terms set out in section 3 below.
1.6. "Recipient" means the individuals or legal entity, government body, agency or other body to which the personal data is disclosed, whether or not it is a third party.
1.7. "Data subject" means a customer or employee of the Data Controller or any other person whose personal data is processed by the Data Controller.
1.8. "Processing" means any operation or set of operations performed on personal data or a set of personal data by automatic or other means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, distribution or other way in which the data is made available, arranged or combined, restricted, deleted or destroyed.
1.9. "Processor of personal data" means a individuals or legal entity, public body, agency or other structure that processes personal data on behalf of the Controller.
1.10. "Data Controller" means Ride Share Bulgaria EAD, registration number of the legal entity 204787918, registered at the address: Sofia, p.c. 1612, “Krasno selo” district, “Yunak” Str. No. 11-13, floor 4. Insofar as the SPARK mobile application is used in the processing of personal data of registered users on the territory of the Republic of Bulgaria, "Ride Share Bulgaria" EAD acts as a joint data controller with the mother company - owner of the mobile application, specified in item 1.14.
1.11. "Customer" means a person who uses or has used the services provided by the Data Controller.
1.12. "Mobility Monitoring" means the collection and processing of data about employees and customers using the vehicles belonging to the Data Controller, whether or not the data is recorded in a file.
1.13. "Policy" means this Privacy Policy.
1.14. “Owner of the Mobile Application" means UAB SPARK TECHNOLOGIES, a limited liability company established and existing under the laws of Lithuania, legal entity code 304953141, Vilnius, Lithuania. As far as the processing of personal data of registered users on the territory of the Republic of Bulgaria use the SPARK mobile application, Ride Share Bulgaria EAD acts as a joint data controller with the mother company - owner of the mobile application.
1.15. “Owner of the site" means Ride Share Bulgaria EAD, registration number of the legal entity 204787918 with headquarters in the city of Sofia, post code 1612, "Krasno selo" district, "Yunak" Str. No. 11-13, fl. 4.
1.16. For the purposes of this Policy, the remaining terms correspond to the terms used in the GDPR, the Bulgarian Personal Data Protection Act (hereinafter referred to as "DPRA") and the Bulgarian Electronic Document and Electronic Signature Act (hereinafter referred to as "EDESA").
2. GENERAL PROVISIONS
2.1. The Data Controller collects certain personal data for the purposes of administration, conducting its own activity and exercising legal obligations.
2.2. This policy contains the basic principles and procedures for the collection, processing and storage of personal data of the users of the website http://spark.bg/, administered by the Data Controller (hereinafter referred to as the "website") and the SPARK mobile application (hereinafter referred to "mobile application") (client). Before starting to use the Website and/or Mobile Application, you should carefully read and familiarize yourself with this policy. By using the services provided by the Data Controller, you confirm that you agree to comply with this Policy.
2.3. The data subject is not entitled to use the Website and/or the Mobile Application if he has not familiarized himself with the Policy and does not accept it. In cases where the Data Subject does not agree with the Policy or the relevant part thereof, he should not use the Website and/or the Mobile Application. Otherwise, it is considered that the Customer has familiarized himself with and unconditionally accepted the Policy, which he expressly agreed to upon registration.
2.4. The Data Controller should respect the privacy of personal data. This policy explains the acceptable practice regarding privacy at our company. It explains the ways of collecting and using your Personal Data and the rights exercised by you.
2.5. Use of third-party services, such as the services of the social network Facebook, may be subject to third-party terms and conditions. For example, all Facebook users and visitors are subject to the Data Privacy Policy. Therefore, for the purpose of using the services of third parties, it is recommended that you familiarize yourself with their applicable terms.
2.6. The Data Controller should ensure that it complies with the following basic data protection principles:
2.6.1. Personal data are processed lawfully, in good faith and in a transparent manner with respect to the Data Subject (lawfulness, good faith and transparency);
2.6.2. Personal data is collected for specific, explicit and legitimate purposes and is not processed in a way that is incompatible with these purposes; the subsequent processing of personal data for the purposes of archiving in the public interest, scientific or historical research or statistical purposes is not considered incompatible with the original purposes (purpose limitation);
2.6.3. Personal data must be relevant, relevant and limited to what is necessary in relation to the purposes for which it is processed (data minimisation);
2.6.4. Personal data must be accurate and, if necessary, updated; all reasonable steps must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are deleted or rectified immediately (accuracy);
2.6.5. Personal data stored in a form that allows the identification of data subjects is stored no longer than is necessary for the purposes for which the personal data is processed; Personal data may be stored for longer periods insofar as they will be processed solely for the purpose of archiving for public interest, scientific or historical research or statistical purposes in accordance with Article 89, paragraph 1 of the GDPR provided that appropriate technical and organizational measures required by the GDPR to protect the rights and freedoms of the Data Subject (restriction of storage);
2.6.6. Personal data is processed in a way that ensures adequate protection of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (integrity and confidentiality);
2.6.7. The Data Controller is responsible and should be able to prove compliance with the principles set out above (accountability).
2.7. Data is processed by sending proper notification to the Data Subjects. Users of the mobile application must expressly read and agree to the Data Controller's privacy notice before registering to use the mobile application and/or site.
2.8. The data is stored for the periods indicated for each type of personal data provided for in this policy. Storage is carried out in accordance with the procedures provided in this policy.
2.9. The rights of the Data Processor to access the data shall be revoked in the event of termination of the personal data processing contract concluded with the Data Controller or upon expiry of the term of the agreement.
2.10. The data is transferred to other Data Controllers and recipients when the legal acts provide the right and / or the obligation to do so on the relevant grounds.
2.11. The Data Controller will have the right to provide personal data to the authorities of the investigation, the prosecutor's office or the court for the purposes of administrative, civil, criminal proceedings as evidence or in other cases established by law.
3. PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF PROVIDING AN ELECTRIC CAR SHARING SERVICE
3.1. The Data Controller provides its Customers with the service of sharing the use of electric cars, for the provision of which the following groups of Customer Data are processed:
3.1.1. Name;
3.1.2. Sure;
3.1.3. Personal identification number;
3.1.4. Date of birth;
3.1.5. Place of residence (address);
3.1.6. E-mail address;
3.1.7. Phone number;
3.1.8. Driving license photo, number, date and place of issue, validity;
3.1.9. Certain data about the payment cards used by the Customer, received from the company providing the card processing service (card type, part of the card number);
3.1.10. Biometric data – photo of Clients’ face.
3.2. The data specified in paragraphs 3.1.1 - 3.1.10 are received directly from the Client, but part of the data recorded in the system can also be received from the Client's employer, if the latter uses the services of the Data Controller as a client or employee of the relevant company. In order to provide services, The Controller must collect afore-mentioned Data.
3.3. For the purposes of registration, recording and reporting of Customers, conclusion, administration and execution of a contract, compliance with legal obligations (e.g. cars to be provided only to legally competent persons, compliance with accounting reporting requirements, reporting of violations, ensuring the accuracy of data), protection and control over the assets owned by the company, the Data Controller additionally provides the following Data:
3.3.1. Number, date and place of issue and expiry date of the identity card (where other identification measures are not sufficient, they were unreliable etc.).
3.3.2. Categories of vehicles that the Data Subject has the right to drive, the date this right was granted and the date it expires;
3.3.3. Vehicle location, distance traveled, date, time, vehicle speed and duration of vehicle use;
3.3.4. Moment of unlocking and locking the vehicle;
3.3.5. A change in the vehicle's battery charge level while the Customer is using the vehicle;
3.3.6. Fee charged;
3.3.7. Obligation data / Payments due;
3.3.8. Transaction data such as history of services used, data on obligations (level of obligation, amount of obligation, date of occurrence of obligation, deadline, date of payment) credit rating, accumulated eGo points equal to kilometers traveled, rewards;
3.3.9. Correspondence regarding complaints, requests, opinions, evaluation of the services or of other users, etc.;
3.3.10. IT management data such as IP address, operating system, communication data and other metadata from the use of the application, location of the mobile device while in use;
3.3.11. Data related to legal or insurance claims: data on damage to the electric vehicle, security incidents/traffic accidents or other violations in case they occurred while you were using the electric vehicle (date, place, time of the traffic accident/violation, amount of damages, faults, etc.), unpaid debts, accrued penalties, etc.;
3.3.12. Data on debts (level of the debt, amount of the debt, date of incurring the debt, time limit, date of payment).
3.4. The Data Controllers shall not transmit to the recipients the above-mentioned data of the Customers. The data of the former Customers is provided only to the law enforcement authorities according to the procedure established by law.
3.5. The legal grounds for the processing of personal data for the purposes specified in item 3.1. and 3.3 above, are Article 6, paragraph1, letter “b” and Article 6, paragraph1, letter “c” of the GDPR.
3.6. On the basis of the Data Controller's legitimate interest in business development (Article 6, paragraph 1, letter “f” of the GDPR), anonymized aggregated data about the services used by customers may also be used for the purposes of statistical analysis and marketing research after complete removal of the identifying customers personal data.
3.7. With the consent of the data subject, data on the location of the mobile device may also be obtained while using the mobile application for the purpose of notification of available electric vehicles in the immediate vicinity and reporting of services while using the mobile application. The data subject reserves the right to withdraw the consent so given at any time by changing the settings of his mobile device.
3.8. To ensure the quality of the services provided, to promptly respond to the Clients' questions, the employees of the Data Controller acting as customer service specialists are responsible for the Clients' calls and provide consultations by phone 24/7. The data manager records the records of conversations between the data manager and the client, which are kept for 180 (one hundred and eighty) days
3.9. In order to verify the validity of the driving license, the Data Controller must provide certain Personal Data (such as the motor vehicle driving license number and personal identification number) to the Processors responsible for verifying the registered personal data and for technical and administrative Customer support.
3.10. When providing services and ensuring their proper performance, the owner of the mobile application must hire RUPTELA UAB as a Data Processor, providing information that allows to establish the location of the vehicle, the period of parking, the speed of the vehicle, the distance traveled, the date , the time and duration of the use of the vehicle, the time the vehicle is unlocked and locked, the change in the charge level of the vehicle's battery while the Customer is using the vehicle, information whether the vehicle is being charged and whether the vehicle door is closed.
3.11. In order to ensure smooth and high quality settlement for the provided services, the Controller shall subcontract the payment operation administrators Adyen and Paysera which mediate in performance of the payment operations. The Controllers have implemented payment card security standard (PCI DSS). For the accounting purposes the Controller shall subcontract accountants and internal accountant systems.
3.12. In cases where the Client violates the car use contract and/or does not pay for the services provided by the Data Controller and has other overdue payments, and the Data Controller seeks to recover the incurred debt, the Data Controller collects data about the debtor (name, surname, personal identification number, e-mail, phone No., address,) and data on indebtedness (debt amount, amount of debt, date of occurrence, term, date of payment, account or claim number) are transferred to Data Processors - debt collection companies with whom separate personal data processing agreements have been concluded. For this purpose, the Data Controller may transfer the data of the Client and his debt to the following Data Processors: eCollect AG, with address Neuhofstrasse 21, 6340 Baar, Zug, Switzerland, with registration number: CHE – 180.481.291., represented by Mark Schillinger in his capacity of the Executive Director.
3.13. The Data Controller confirms that, in order to ensure data protection, all technical and organizational data protection measures have been implemented.
3.14. The Mobile Application Owner also subcontracts Amazon Web Services Limited as a Data Processor to perform the server rental and installation services. This sub-Processor is located and operates in the United States of America, so the data might be transferred outside the European Economic Area. This Data Processor is certified according to the requirements of the data protection agreement between the European Union and the United States of America (also known as Privacy Shield). Amazon Web Services Limited certification can be found by clicking on the following link:https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4&status=Active.
3.15. The Data Controller concludes an agreement with the owner of the mobile application as joint Data Controllers, which defines the respective responsibilities for the protection of personal data. According to this agreement, "Ride Share Bulgaria" EAD is responsible for providing the information required by law and for processing the requests of data subjects, provided for in the GDPR and described in this notification, for users in the territory of the Republic of Bulgaria.
3.16. The Data Controller and/or the owner of the mobile application enter into agreements with all Data Processors on behalf of the Data Controller. Data processors process personal data only on behalf of the Data Controller for the purposes set out in these data protection agreements. In particular, each Processor shall:
- process Personal Data only in accordance with the Data Controller's documented instructions, including in relation to the transfer of Personal Data to a third country or international organization, unless required to deviate from such instructions to comply with the requirements of the applicable EU Data Protection Regulation , to which the Processor is subject. In such a case, the Processor must, without unreasonable delay, inform the Data Controller of the relevant requirement prior to the processing of personal data;
- ensure that the persons authorized to process the personal data have undertaken an obligation of confidentiality and compliance with the applicable data protection regulation within the EU or are bound by an appropriate legal obligation of confidentiality;
- support the Data Controller upon his express written request, with a view to ensuring the fulfillment of his legal obligations, such as those related to data security with the Data Controller, the assessment of the impact on data protection and prior consultation laid down in the GDPR, and, in particular, to implemented appropriate technical and organizational measures to protect the Personal Data covered by the Data Processing Agreements from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the Personal Data. For the avoidance of doubt, the parties expressly agree that the Processor shall be obliged to perform all of its obligations as a Personal Data Processor, in full compliance with the Personal Data Protection Regulation, at its own expense;
- support the Data Controller by implementing appropriate technical and organizational measures to fulfill the Data Controller's obligation as a Personal Data Controller, namely: to respond to requests to exercise the rights of Data Subjects under the Data Protection Regulation. The Processor must immediately notify the Data Controller of any request made by any Data Subject and not respond to the relevant request before receiving the Administrator's instructions;
- provide the Data Controller with all the information necessary to prove compliance with the obligations of the Processor of personal data specified in these data processing agreements and in the GDPR, and to allow and assist in audits, including inspections carried out by the Data Controller or another auditor authorized by the Data Controller;
- maintain accurate records of all processing activities under the data processing agreement in accordance with the requirements set out in the GDPR and provide the Data Controller with the relevant records within ten (10) working days of receiving the request from the Data Controller;
- ensures that no personal data is transferred, released, assigned, disclosed or otherwise made available to a third party without the prior express written consent of the Data Controller;
- ensures that data protection obligations similar to those set out in this document are imposed on other Processors of personal data who are engaged by the Processor by means of a contract. The Processor is responsible to the Data Controller for the fulfillment of these obligations by the other Processors;
- shall inform the Data Controller immediately if an instruction of the Data Controller violates the Data Protection Regulation or if personal data is or will be processed in violation of the Data Protection Regulation or the Agreement and informs the Data Controller immediately about complaints or audits by data protection supervisory authorities of the data related to the processing of Personal Data;
- shall inform the Data Controller without undue delay (but no later than 48 hours) after becoming aware of a security breach of personal data, which means a security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Personal data that is transmitted, stored or otherwise processed. The notification must describe the nature of the violation, the number of Subjects affected, the likely consequences of the violation, the measure taken or proposed, as well as other data related to the violation listed in Article 33, paragraph 3 of the GDPR; and
- upon termination of the processing contract or at the Data Controller's written request, or destroy or return all Personal Data, unless otherwise provided for in the GDPR or national legislation within the EU to which the Processor is subject.
3.17. In order to ensure functioning of the electric car rental system of the appropriate quality, the Controller shall subcontract Processors which shall carry out administration of the electric car rental platform, system programming and maintenance works.
3.18. In order to prevent fraud and ensure high quality of the providing services and security of the assets belonging to the Controller, the Controller shall ask to provide Data Subject his selfie and the photo of driving license in accordance with identification of Data Subject. This data is not stored by the Data Controller. To achieve this goal, the Data Controller has used the Data SubProcessor JUMIO Corporation, which has implemented the security standard (PCI DSS). When the Client's account is cancelled, the biometric data is securely deleted from JUMIO's systems. The Controller shall not transmit the Data to the third parties.
3.19. The data Sub-Processor JUMIO Corporation is located and acting in the United States of America, thereof the Data is transmitting over European Union boundaries. Such Data transmit is executed by providing high quality Data security. Data Controller and Processor is implemented the standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council. A copy of these terms and conditions may be obtained by contacting the Data Controller by contacts specified in this Policy.
4. PROCESSING OF BIOMETRIC DATA FOR THE PURPOSE OF ACCURATE IDENTIFICATION
4.1. The Data Controller may process the customer's photo/s with biometric data for the purpose:
· accurate identification of customers that registered users are legally competent to drive a vehicle and identical to the driver of the electric vehicle;
· guaranteeing the accuracy of the Clients' personal data, their security and the security of third parties;
· the prevention of fraud and traffic accidents, the protection and control of the company's property and the establishment and exercise of legal claims.
4.2. The legal grounds for processing biometric data is the establishment and exercise of legal claims (Article 9, paragraph 1, letter e) of the GDPR).
4.3. For the purpose of collecting, processing and storing customers' biometric data, the owner of the mobile application enters into a biometric data processing contract with JUMIO, which is certified with the PCI DSS data protection certificate and provides a high level of protection equivalent to bank protection information.
4.4. The data processor is obliged to process the data solely for the purposes of accurate customer identification and for no other purposes. Although the check for data validation and confirmation of the customer's identity is done by automated means, decisions to refuse registration are made only after human intervention and additional validation of documents.
5.1. PROCESSING OF PERSONAL DATA FOR DIRECT MARKETING PURPOSES
5.1.1. The Data Controller carries out direct marketing in relation to the Customers.
5.1.2. In order to receive proposals for the services provided by the Data Controller, the Customer must give his consent to the processing of Data for the purposes of direct marketing at the time of registration or enter his personal profile and select the function of receiving a newsletter.
5.1.3. The Data Controller processes the following personal data of the Customers for the purposes of direct marketing:
5.1.3.1. Name;
5.1.3.2. Surname;
5.1.3.3. Email address;
5.1.3.4. Phone number;
5.1.3.5. Address.
5.1.4. The Data Controller also carries out direct marketing (sending newsletters and offers by e-mail) to persons who have entered their e-mail address on the Data Controller's web site www.spark.bg and/or in the Mobile Application and have expressed a desire to receive such communications. In such a case, the Data Controller processes the e-mail address of the relevant person.
5.1.5. The data subject can withdraw his consent at any time and refuse to receive newsletters by clicking on the "unsubscribe" link in the e-mail messages we send, changing the notification settings from his account, or sending a targeted message requesting this.
5.1.6. The data processed for the purposes of direct marketing is not transmitted by the Data Controller to the recipients.
5.1.7. The legal grounds for data processing is Article 6, paragraph 1, letter “a” of the GDPR.
5.1.8. When processing data for direct marketing purposes, the Data Controller uses the Airship (Airship's data protection can be found here: https://www.airship.com/legal/dataprocessing-addendum/)platform, through which newsletters are sent to Data Subjects, as well as Amazon Web Services Limited as a data processor, perform the services of renting and installing servers.
5. 2. DATA PROCESSING BY GOOGLE ANALYTICS FOR ADVERTISING PURPOSES
5.2.1. The Data Controller, based on the need to segment and better understand its Clients and their use of Data Controller's services, uses Google Analytics 4 (formerly known as Google Universal Analytics) advertising features to display personalized ads to Clients in the Mobile application.
5.2.2. By using the Google Analytics 4, the Data Controller grants the right to collect Customer Mobile application data through the "Google Signals" controller. More information about Google's privacy and data collection can be found here: Google Safety Center - Stay Safer Online.
5.2.3. By using Google Analytics 4 and enabling the "Google Signals" controller, the Data Controller does not transmit any individual's Personal data to Google that could identify a specific person. For this specific purpose, the Data Controller only shares the following Client Mobile Application data:
5.2.3.1. Google-generated Client Mobile Application ID (hereinafter - Mobile Application ID);
5.2.3.2. The country where the Mobile Application is being opened based in the Mobile Application ID;
5.2.3.3. The date when the Mobile Application was first launched based on Mobile Application ID;
5.2.3.4. The date when the registration was made using the Mobile Application based on Mobile Application ID;
5.2.3.5. Information on whether a payment card is attached to the Mobile Application based on Mobile Application ID;
5.2.3.6. Information on whether a valid driver's license is attached to the Mobile Application based on Mobile Application ID;
5.2.3.7. Information on when the Mobile Application is opened based on Mobile Application ID;
5.2.3.8. Information on when the Mobile Application is logged in based on Mobile Application ID;
5.2.3.9. Information about payments made through the Mobile Application (amount, currency, purpose of payment (type of service, membership extensions, and suspensions)) based on Mobile Application ID.
5.2.4. In all cases, the Data Controller implements technical and organizational measures for the security of personal data, as specified in Section 14 of this Policy.
6.1. DATA COLLECTED BY THE MOBILE APPLICATION
6.1.1. The Data Controller allows the Mobile Application to collect and process the location of the Client's mobile device, but only for those Clients who have given the Mobile Application access to such information on their mobile device. Clients, controlling the processing of their personal data using the Mobile Application, can choose which mobile device data the Clients allows the Mobile Application to access or otherwise use. With the Client's permission, the Mobile Application only gets access to the location of the Client's mobile device.
6.1.2. The Data Controller collects data on the location of the Client's mobile device in order to increase and improve the availability of the services provided by the Data Controller.
6.1.3. Client mobile device location data is not transmitted to the Data Recipients.
6.1.4. In all cases, the Data Controller implements technical and organizational measures for the security of personal data, as specified in Section 14 of this Policy.
6.2. MOBILITY SURVEILLANCE
6.2.1. The Data Controller monitors the mobility of the vehicles provided to the Customer for use.
6.2.2. Mobility monitoring aims to ensure the security of the assets belonging to the Data Controller, the use of the services provided by the Customers in good faith and in an appropriate manner and the provision of the services with due quality, guaranteeing the security of the client and third parties.
6.2.3. Mobility monitoring is carried out by means of GPS transmitters installed in the vehicles belonging to the Data Controller. The data includes information about the distance traveled, speed, route and location of the vehicle.
6.2.4. Mobility monitoring data is not transmitted to recipients.
6.5. The legal grounds for data processing is Article 6, paragraph 1, letter “b” and Article 6, paragraph 1, letter “f” of the GDPR.
6.6. In order to carry out mobility monitoring, the Data Controller hires RUPTELA UAB as an administrator, providing information that allows determining the location of the vehicle, the route, the speed and the distance traveled.
7. AUTOMATED DECISION-MAKING
7.1. In order to provide high-quality services and rewards, the Data Controller uses automated decision-making to calculate e-Go points in a completely objective and non-discriminatory manner based on the Customer's kilometers traveled. The charged fee for the use of the services is also calculated in an automated manner based on the minutes for which the electric car is used. The administrator values the subjects' privacy and does not use the subjects' personal data to profile them.
8. DATA SHARING
8.1. The Data Controller protects the privacy of the subjects' personal information and does not disclose personal data to third parties, except with the subject's consent and in cases permitted by law.
8.2. With guaranteed protection and control measures, disclosure is possible with other companies part of our corporate group or with our service providers in order to ensure the smooth functioning of the electric car rental system and high quality of services (e.g. with server providers, telemetry services, data validation, technical and administrative customer support, EV mobility monitoring, car rental platform, statistical data analysis, etc.). In this case, the service providers we use are required to strictly comply with their contractual obligations and applicable data protection legislation, including taking the necessary measures to protect the confidentiality of the subjects' personal information.
8.3. It is also possible for customer data to be shared with third parties if there is a justified need:
• public bodies such as traffic police, Ministry of interior affairs, etc. in order to fulfill our legal obligations to report infringements, prevent fraud and traffic accidents or to fulfill our other legal requirements e.g. for accounting reporting;
• insurers, law firms, private bailiffs, debt collection companies (eCollect AG, with address Neuhofstrasse 21, 6340 Baar, Zug, Switzerland, with registration number: CHE – 180.481.291., represented by Mark Schillinger in his capacity of the Executive Director) etc. in order to enforce the general conditions of use of the mobile application and our contract with the customer and to guarantee the property of the company and our other rights and legal interests;
• to protect the security, rights and interests of our other users or third parties.
9. DATA TRANSFER OUTSIDE THE EU
9.1. Transfer of personal data to a third country or an international organization outside the European Union and the European Economic Area can only take place if one of the following conditions is met:
9.1.1. The company is based in the USA and is certified under the US-EU Privacy Shield (https://www.privacyshield.gov);
9.1.2. There is a decision of the European Commission regarding the adequate level of personal data protection that the third country in which the data is received provides;
9.1.3. There is an explicit consent of the data subject, after being informed of the possible risks associated with the transfer due to the absence of a decision on the adequate level of protection and of adequate guarantees;
9.1.4. The transmission is necessary for the performance of a contract between the data subject and the administrator or for the performance of pre-contractual measures taken at the request of the data subject;
9.1.5. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the Company/Group and another natural or legal person;
9.1.6. The transfer is necessary for the establishment, exercise or defense of legal claims;
9.1.7. The transmission is carried out by a public register.
9.2. In case of need for manual data verification during customer registration, data transfer is also done by the JUMIO validation service providers who have companies in the USA and India. The transfer is carried out on the basis of standard contractual clauses (Article 46, paragraph 2, letter “c”) of the GDPR) with the necessary level of data protection, insofar as JUMIO is certified according to the PCI DSS standard and is subject to an annual audit for its compliance.
10. DATA STORAGE PERIODS
10.1. The Data Controller applies different personal data storage periods depending on the categories of personal data processed and the purposes of processing.
10.2. If the registration process has not been successfully completed without the Customer being granted the right to use the electric car sharing services, his personal data is stored for a period of 3 years and is deleted (anonymized) immediately after the Customer has selected the "Forget me" button through the mobile application in the event that the Customer has not used the electric car sharing services.
10.3. Upon completion of a successful registration with the right to use the services for the shared use of electric cars, the Data Controller applies the following personal data storage periods:
No |
Personal Data Categories |
Storage period |
|
|
|
1. |
Data related to insurance and other claims |
5 years from the date of issue of the document or occurrence of the insured event. |
2. |
Personal data from the customer profile, processed for the purposes of providing the electric car sharing services |
2 years from the later of the following dates: the date of termination of the contract or the date of payment of the obligation. Or 2 years after the evaluation of the request to delete data or the date of redemption of the debt, which ever comes later. Data of customers whose accounts are not active will be stored for 3 years from the date of the last login. |
3. Д |
Biometric data |
The data is deleted immediately after establishing the identity / after the successful verification of the account from the database of the Administrator. The biometric data is then stored in specialized JUMIO servers for a period of 5 years, starting from the date on which the Customer's identity verification process was successfully completed. |
4. |
Data used for direct marketing purposes |
2 years from the date of the last login to the system. |
5. |
Mobility surveillance data |
2 years from the later of the following dates: the date of termination of the contract or the date of payment of the obligation. Data of customers whose accounts are not active will be stored for 2 years from the date of the last login. |
6. |
Client mobile device location data |
1 year from the last connection to the Mobile Application. |
7. |
Call conversation records |
180 days from the date of recording. |
8. |
Personal data processed for the pur-poses following with tax and ac-counting regulations and other legal acts |
Personal data contained in accounting docu-ments are kept in accordance with Article 12 et seq. of the Accounting Act of the Republic of Bulgaria and applicable Law on Financial Accounting. |
10.4. Exceptions to the above storage periods may be established insofar as the relevant deviations do not violate the rights of the Data Subjects, comply with legal requirements and are duly documented.
10.5. Documents and data about Customers, in respect of which the Data Controller has initiated administrative or judicial proceedings, are stored and destroyed according to the instructions of the legal department for a period of 5 years after the conclusion of the proceedings with an effective court decision or final payment of the debt.
10.6. After the expiration of the established terms, the data are anonymized or destroyed in a secure way by deleting them from the information systems or by shredding if they are on paper.
11. RIGHTS OF THE DATA SUBJECT
11.1. The data subject has the right to exercise the following rights according to the procedure established in the GDPR and the DPA:
11.1.1. Right to information: before processing the data, the Data Controller is obliged to provide the data subject with information in the form of a privacy notice about what personal data it collects, on what grounds and for what purposes it uses it, with whom it shares it, the Administrator's intention to transfer the data to third countries outside the EU, the storage period and security measures, the consequences of not providing the data, the presence of automated decision-making, the rights of the data subject, including his right to lodge a complaint with a supervisory authority. Before registering as a user and installing the mobile application, the data subject is obliged to read and agree to the privacy notice in order to be able to use the mobile applicationе;
11.1.2. Right of access: this right enables the data subject to obtain a copy of the personal data that the Data Controller stores about him, as well as information related to the processing. The history of the services used by the subject and the data provided during registration can be accessed through the customer profile of the mobile application, and a special access request can also be submitted;
11.1.3. Right to erasure: this right enables the data subject to request their personal data to be deleted when there is no valid reason for the Data Controller to continue processing it e.g. if the purpose for which the data were collected has been achieved or if the data subject has withdrawn consent. If the legal requirements are met, the Data Controller should delete the personal data within 1 month, unless there is a legal obligation to continue processing them or the retention of the data is necessary for the establishment, exercise or defense of legal claims;
11.1.4. Right to have personal data concerning him or her rectified: this right enables the data subject to request that any incomplete or inaccurate information about him be corrected. The data subject is obliged to promptly note any change in his/her personal data in his/her profile or to notify us thereof;
11.1.5. Right to restriction of data processing: this right enables the data subject to request the Administrator to temporarily suspend the processing of personal data if, for example, he wishes to establish the accuracy of the data or the reasons for its processing
11.1.6. Right to data portability: this right is limited to cases where the data is processed in an automated manner and is provided by the data subject on the basis of his consent or for the purposes of the performance of a contract, giving the possibility to require the Data Controller to provide the personal data stored in electronic form to the subject of data or of a third party;
11.1.7. Right to object: in cases where the Data Controller relies on its legitimate interests as a basis for processing, the data subject may object to this processing on grounds related to his particular situation. He also has the right to object when the processing is for direct marketing purposes or the data is processed for statistical purposes;
11.1.8. Rights related to automated decision-making, including profiling: the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which gives rise to legal consequences for the data subject or similarly significantly affects him;
11.1.9. Withdraw of consent: the data subject has the right to withdraw his consent at any time in case he has given it without affecting the processing up to that point. Where consent has been given for direct marketing purposes, the data subject may opt-out of receiving newsletters at any time by clicking on the "unsubscribe" link in email messages sent by us or by changing the settings of their mobile application. If the data subject has provided access to his location through the mobile device in order to find electric vehicles in the vicinity, he can change the settings thus selected;
11.1.10. Lodging a complaint: If the data subject believes that any of his rights have been violated, he has the right to file a complaint with us and/or with the supervisory body Commission for Personal Data Protection - https://www.cpdp.bg/.
11.2. Requests may be submitted by the data subject or a person authorized by the data subject, with the Data Controller taking measures to confirm the identity of the data subject for the purpose of data protection. The administrator is obliged to process the requests of the data subjects, specified in items 10.1.2 - 10.1.9 hereof, are exercised within the terms set in the GDPR.
11.3. The aforementioned terms specified in the GDPR are as follows:
Request from the data subject |
Period |
Right to information |
When the data is collected (if the data is provided by the Data Subject) or within one month (if the data is not provided by the Data Subject) |
Right of access |
One month |
Right to update |
One month |
Right to erasure |
Without undue delay |
Right to restriction of data processing |
Without undue delay |
Right to data portability |
One month |
Right to object |
After receiving an objection |
Rights related to automated decision-making, including profiling |
It is not specified |
11.4. The Data Controller has the right to reasonably deny the Data Subject the exercise of his rights or impose a reasonable fee under the conditions provided for in Article 12, paragraph 5, letter “b” of the GDPR.
12. DATA PROTECTION OFFICER
12.1. According to the GDPR, in cases where the main activities of the Data Controller consist of processing operations that require regular and systematic monitoring of Data Subjects on a large scale or when the main activities of the Data Controller or the Processor consist of large-scale processing of special categories of personal data , the presence of a Data Protection Officer is mandatory.
12.2. The rights and obligations of the Data Protection Officer are described in detail in the GDPR, the annexes to the Policy, job descriptions, if the position is held by an employee of the Data Controller, or in the service contract, if the position of Data Protection Officer is held by an external service provider.
12.3. In general, the duties of the Officer include being responsible for the proper implementation of the Data Controller's personal data protection policy in accordance with the standards and requirements of the applicable legislation, participating in raising awareness and training of employees processing personal data, conducting the relevant audits, reports data processing risks, reacts to data security violations, assists the supervisory authority for personal data protection and data subjects in exercising their rights, keeps a register of processing activities, etc. tasks assigned to him by the Data Controller, insofar as they do not conflict with his duties as a data protection officer.
12.4. In view of the above-mentioned criteria and the activities carried out by the Administrator, the latter decides to appoint a Data Protection Officer with the following contact e-mail: privacy@spark.bg, with whom the data subjects can contact in case of questions regarding this notification and requests to exercise their rights.
13. PROCEDURE FOR MANAGING PERSONAL DATA SECURITY BREACHES AND DEALING WITH SUCH BREACHES
13.1. If the Data Controller's employees having the right to access the data notice or are notified of data security violations (inaction or actions by persons that may lead to or have led to a risk to data security), they should notify immediately the Data Protection Officer and your immediate supervisor.
13.2. Taking into account the risk factors for breach of data security, the degree of impact of the breach, damages and consequences, following the relevant internal procedures, the Data Controller makes decisions on the necessary measures to remedy the breach of data security and its consequences and to notify the Commission for the protection of visible data and for the persons concerned if there is a high risk to their rights and freedoms.
14. TECHNICAL AND ORGANIZATIONAL MEASURES FOR PERSONAL DATA SECURITY
14.1. The organizational and technical data security measures implemented by the Data Controller ensure a level of security that corresponds to the nature of the data processed by the Data Controller and the risk of data processing, including, but not limited to, the measures specified in this section.
14.2. Personal data security measures include the following:
14.2.1. Administrative (establishing a procedure for the security of documents and computer data and their archives and organization of work in various spheres of activity, mandatory training of personal data protection personnel currently employed and upon leaving work / dismissal, duties on confidentiality and prohibition of disclosure of personal data, procedure for providing access to data, etc.);
14.2.2. Technical and software protection (administration of servers, information systems and databases, workplace support, protection of operating systems, monitoring (control) of user access, protection from computer viruses, etc.);
14.2.3. Administration of information systems and databases, job support, protection of operating systems, protection from computer viruses, etc.;
14.2.4. Protections for communication and computer networks (technical and software measures for coding and transmission of data for general use, applications, Personal Data, filtering of unwanted data packets, etc.).
14.2.5. Two-factor authentication (2FA), which acts as an additional security measure, is designed to ensure that the Client is the only person who can access their account, even if others know the Client's password. For all clients registered after 10th August 2022 2FA is mandatory, but after successful registration, the Client has the right to refuse it through the Mobile Application. Client registered until 10th August 2022 can turn on 2FA in Mobile application by going to my account → settings → turn on 2FA. If the 2FA is deactivated, the car-sharing services are not provided to the Client.
14.3. The above-mentioned measures for the protection of personal data ensure: 1) storage equipment for copies of operating systems and databases, control of the storage of copying equipment; 2) technology for continuous work with data (processing); 3) strategy for restoring the functioning of systems in emergency cases (management of uncertainties); 4) unique user identification and password system; 5) physical (logical) separation of the application testing environment from the processes in operational mode; 6) registered data use and data privacy.
14.4. The Data Controller should introduce a procedure for the recovery of Personal Data in case of accidental loss of Data. The administrator makes backup copies of the data available in the system. Data is retrieved according to the internal procedure using Amazon Web Services software from the backup equipment libraries. In all cases, data archives are stored without prejudice to the data storage period specified in the Policy.
14.5. The Data Controller applies other measures guaranteeing the security of personal data:
14.5.1. VPN technology is used to remotely connect to the Administrator's internal network, and a digital certificate is used to identify the user;
14.5.2. Access to personal data through organizational and technical data security measures that register and control efforts to register and acquire rights are subject to due control;
14.5.3. The following records are kept when entering the database by the persons who are granted the right to process personal data: login identifier, date, time, duration, result of the entry (successful, unsuccessful). The above records are kept for at least 1 (one) year;
14.5.4. It is necessary to ensure the security of the premises where Personal Data are stored (access to the relevant premises only by authorized persons, locking, etc.);
14.5.5. Requests to search the personal data provided must be aimed at identifying the person and verifying the validity of his driver's license;
14.5.6. Efforts must be made to ensure the use of security protocols and/or passwords when providing personal data via external data transmission networks;
14.5.7. It is necessary to ensure control over the security of personal data on external data carriers and e-mail and their deletion after use of Personal Data by transferring them to databases;
14.5.8 Urgent personal data recovery actions (when and who performed personal data recovery actions by automatic and non-automatic means) are recorded;
14.5.9. It is necessary to ensure that the testing of information systems is not carried out with real personal data, except in cases where organizational and technical measures for the protection of personal data are used, guaranteeing real security of personal data;
14.5.10. Personal data in portable computers, if the latter are not used in the data transmission network of the Data Controller should be protected by appropriate measures appropriate to the risk of processing.
14.6. Data Controller implements appropriate technical and organizational measures ensuring standardized processing of personal data that is necessary for the specific purpose of data processing. The above obligation applies to the corresponding amount of Personal Data collected, the scope of their processing, the period of storage of Personal Data and the accessibility of Personal Data.
15. CONTACT DETAILS
15.1. You can contact us with questions related to this policy and / or data protection in general using the following contact details:
Email: privacy@spark.bg
Phone number: 00 359 2 419 3476
16. FINAL PROVISIONS
16.1. The policy is revised annually at the initiative of the administrator and / or in case of changes in the legal acts regulating the processing of personal data.
16.2 The policy and amendments to it come into force from the date of their approval and publication on the Data Controller's website.