SPARK CAR SHARING S.R.L.
PRIVACY POLICY
Bucharest
November 2023
Contents
3. PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF PROVIDING AN ELECTRIC CAR SHARING SERVICE
4. PROCESSING OF BIOMETRIC DATA FOR THE PURPOSE OF UNIQUELY AND ACCURATE IDENTIFICATION
5. PROCESSING OF PERSONAL DATA FOR DIRECT MARKETING PURPOSES
6. DATA PROCESSING BY USING GOOGLE ANALYTICS FOR ADVERTISING PURPOSES
7. DATA COLLECTED BY THE MEANS OF THE MOBILE APPLICATION
11. DATA TRANSFER OUTSIDE THE EU
13. RIGHTS OF THE DATA SUBJECTS
16. PROCEDURE FOR MANAGING PERSONAL DATA SECURITY BREACHES AND DEALING WITH SUCH BREACHES
16. TECHNICAL AND ORGANIZATIONAL MEASURES FOR PERSONAL DATA SECURITY
1.1. `GDPR` means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);
1.2. `Relevant laws` means all and any legal provisions that applies in Romania at the time being, concerning the processing of Personal Data;
1.3. `Data/Personal Data` means any information related to an identified or identifiable individual (Data Subject); an identifiable individual is an individual who can be identified directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
1.4. `DPA` means a data processing agreement to be entered into with each Processor in accordance with the terms set out in section 3 below;
1.5. `Recipient` means the individuals or legal entity, public body, agency, or other structure to which the Personal Data is disclosed, whether or not it is a third party;
1.6. `Data subject` means a User or employee of the Controller as well as any other person whose Personal Data is processed by the Controller;
1.7. `Processing` means any operation or set of operations performed on Personal Data or a set of Data by automatic or other means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, distribution, or other way in which the data is made available, arranged, or combined, restricted, deleted or destroyed;
1.8. `Processor` means individuals or legal entities, public bodies, agencies, or other structures that processes Personal Data on behalf of the Controller;
1.9. `Controller` means, for the purpose of this Policy, SPARK CAR SHARING S.R.L., a limited company legally registered under the Romanian laws, having its registered office in Bucharest, District 1, 175 Calea Floreasca, 5th Floor, B side, www.espark.ro, email: office@espark.ro, registration no within the Trade Register: J40/17015/2018, VAT code: RO40219027;
1.10. `User` means, for the purpose of this Policy, the individual the Services are provided to by the Controller, as per the Service Contract, alone or along with the Vehicle Use Agreement (if and when the latter is concluded);
1.11. `Mobility Monitoring` means the collection and processing of information about the persons using the Vehicles belonging to the Controller, whether the data is recorded in a file or not;
1.12. `Policy` means this Privacy Policy, which includes information about all Data the Operator collects, processes, stores, or transfers, directly or indirectly;
1.13. ‘Mobile Application’ means the SPARK CAR SHARING app, which is intended for a mobile device running on a specific operating system (i.e., Android or IOS), and may be downloaded free of charge from App Store or Google Play;
1.14. `Owner of the Mobile Application` means UAB SPARK TECHNOLOGIES, a limited liability company established under the laws of Lithuania, with its registered office in Vilnius, 7 Aukštaičių St., Lithuania, and registration no 304953141;
1.15. ‘Website’ means espark.ro;
1.16. `Payment Processor` - Adyen N.V., a legal person registered with the Dutch Chamber of Commerce under the number 34259528, with its registered office in the Netherlands, Simon Carmiggeltstraat 6-50, 1011 DJ, Amsterdam, www.adyen.com;
1.17. `Identity check service provider` – JUMIO Corporation, a legal person registered under the laws of the USA, with its registered office at 395 Page Mill Road, Ap. 150, Palo Alto, CA 94306, www.jumio.com;
1.18. `Cookies policy` means the document that contains a list of all the cookies used on a Website, along with detailed information about each; it helps users understand how their data is used, how long the cookies will remain on their device, and more.
1.19. For the purposes of this Policy, the other terms which are not specifically defined above shall be read and construed according to the Service Contract, the GDPR, and the Relevant Laws.
2.1. The Controller processes certain Personal Data for the purposes of conducting its activity, exercising its rights and legal interests, and complying with its legal and contractual obligations.
2.2. This Policy contains the basic principles and procedures for the processing of Personal Data of the Data Subjects of the Website and the Mobile Application. Before starting to use the Website and/or Mobile Application, the Data Subjects should carefully read and familiarize themselves with this Policy. By continuing using the Website and/or Mobile Application, the Data Subjects confirm that they read, understood, and agree with this Policy.
2.3. In cases where the Data Subjects do not agree with the Policy, as a whole, or with the relevant part thereof, it is strongly recommended that they should not use the Website and/or the Mobile Application.
2.4. The Controller values and respects the privacy of the Personal Data. This Policy explains the ways of collecting and using the Personal Data and the rights of the Data Subjects.
2.5. Use of third-party services, such as Facebook, Google, the Payment Processor, the Identity Check Provider, etc. are subject to their terms and conditions. For example, all Facebook users and visitors are subject to their Data Privacy Policy. Therefore, for the purpose of using the services of third parties, it is recommended that the Data Subjects familiarize themselves with their applicable terms as well.
2.6. The Controller shall ensure that, as it its activity of Processing is concerned and during such activity, either is performed directly or indirectly, it complies with the following basic data protection principles:
2.6.1. Personal Data are processed lawfully, in good faith and in a transparent manner with respect to the Data Subjects (lawfulness, good faith and transparency);
2.6.2. Personal Data is collected for specific, explicit, and legitimate purposes and is not processed in a way that is incompatible with these purposes; the subsequent processing of Personal Data for the purposes of archiving in the public interest, scientific or historical research or statistical purposes is not considered incompatible with the original purposes (purpose limitation);
2.6.3. Personal Data must be relevant, relevant, and limited to what is necessary in relation to the purposes for which it is processed (data minimisation);
2.6.4. Personal Data must be accurate and, if necessary, updated; all reasonable steps must be taken to ensure that Personal Data which are inaccurate, having regard to the purposes for which they are processed, are deleted, or rectified immediately (accuracy);
2.6.5. Personal Data stored in a form that allows the identification of Data Subjects is stored no longer than is necessary for the purposes for which the Personal Data is processed; Personal Data may be stored for longer periods insofar as they will be processed solely for the purpose of archiving for public interest, scientific or historical research or statistical purposes in accordance with Article 89, paragraph 1 of the GDPR provided that appropriate technical and organizational measures required by the GDPR to protect the rights and freedoms of the Data Subject (restriction of storage);
2.6.6. Personal Data is processed in a way that ensures adequate protection of Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (integrity and confidentiality);
2.6.7. The Controller is responsible and should be able to prove compliance with the principles set out above (accountability).
2.7. Users of the Mobile Application must expressly read and agree to the Controller’s Privacy Policy as well as the Cookies Policy, before registering to use the Mobile Application and/or the Website.
2.8. The Data is stored for the periods indicated for each type of Personal Data provided for in this Policy. Storage is carried out in accordance with the procedures provided in this policy.
2.9. The rights of the Processor to access the Data shall be revoked in the event of termination of the DPA concluded with the Controller or upon expiry of the term of the agreement.
2.10. The Data is transferred to other Recipients when the legal acts provide the right and/or the obligation to do so on the relevant grounds.
2.11. The Controller will have the right to provide Personal Data to the state and/or local authorities for the purposes of administrative, civil, criminal proceedings, as evidence, or in other cases established by law.
3.1. The Controller provides its Users with the service of sharing the use of electric cars, for the provision of which the following groups of Data are processed:
3.1.1. First name;
3.1.2. Last name;
3.1.3. Personal identification number;
3.1.4. Date of birth;
3.1.5. Place of domicile or residence (address);
3.1.6. E-mail address;
3.1.7. Phone number;
3.1.8. Driving license number, date and place of issue/issuing authority, validity;
3.1.9. Certain data about the payment cards used by the User, received from the company providing the card processing service, namely the card type and part of the card number; under no circumstances and by no means, the Controller retains, stores, or archives the whole card number and/or the CVV number, and has any access to such information before and after the moment the User Account registration application is submitted.
3.2. The data specified in paragraphs 3.1.1 - 3.1.9 are usually received directly from the User; however, part of the data recorded in the system might also be received from the User's employer or similar, if the latter contracted the services of the Controller.
3.3. For the purposes of registration, recording and reporting of Users, conclusion, administration and execution of a contract, compliance with legal obligations (e.g. cars to be provided only to legally competent persons, compliance with accounting reporting requirements, reporting of violations, ensuring the accuracy of data), protection and control over the assets owned by the company, the Controller additionally processes the following Data:
3.3.1. Categories of vehicles that the Data Subjects have the right to drive, the date this right was granted and the date it expires;
3.3.2. Vehicle location, distance travelled, date, time, vehicle speed and duration of vehicle use;
3.3.3. time of unlocking and locking the Vehicle;
3.3.4. change in the vehicle's battery charge level while the User is using the Vehicle;
3.3.5. Fee charged;
3.3.6. Obligation data / Payments due;
3.3.7. Transaction data such as history of services used, data on obligations (level of obligation, amount of obligation, date of occurrence of obligation, deadline, date of payment) credit rating, accumulated eGo points, referral programmes points, rewards;
3.3.8. Correspondence regarding complaints, requests, opinions, evaluation of the services or of other users, etc.;
3.3.9. IT management data such as IP address, operating system, communication data and other metadata from the use of the Mobile Application, location of the mobile device while in use;
3.3.10. Data related to legal or insurance claims: data on damage to the electric vehicles, security incidents/traffic accidents or other violations in case they occurred while you were using the electric vehicles (date, place, time of the traffic accident/violation, amount of damages, faults, etc.), unpaid debts, accrued penalties, etc.
3.4. Unless otherwise prescribed herein or within the Service Contract and the Vehicle Use Agreement, the Controller shall not transmit to the Recipients the above-mentioned data of the Users, except the case when they are requested by the entitled authorities or are provided to the said authorities according to the relevant laws.
3.5. The legal grounds for the processing of Personal Data for the purposes specified in item 3.1. and 3.3 above, are mainly Article 6, paragraph1, letter “b” and Article 6, paragraph1, letter “c” of the GDPR, as well as Article 6 paragraph 1, letters ‘’a’’ and ‘’f’’, as the case may be.
3.6. On the basis of the Controller's legitimate interest in business development (Article 6, paragraph 1, letter “f” of the GDPR), anonymized aggregated data about the services used by Users may also be used for the purposes of statistical analysis and marketing research after complete removal of the identifying Users Personal Data.
3.7. With the consent of the Data Subjects, data on the location of their mobile device may also be obtained while using the Mobile Application for the purpose of notification of available electric vehicles in the immediate vicinity and reporting of services while using the Mobile Application. The Data Subjects have the right to withdraw their consent so given at any time by changing the settings of their mobile device.
3.8. In order to verify the validity of the driving license, the Controller must provide certain Personal Data (such as the driving license number and personal identification number) to the Processors responsible for verifying the registered Personal Data and for technical and administrative User support.
3.9. When providing Services and ensuring their proper performance, the Owner of the Mobile Application provides to and receives from RUPTELA UAB (a company registered under the Lithuanian laws, having its registered office at 6 Perkūnkiemio Str, LT-12130 Vilnius, Lithuania, LT100003432316, www.ruptela.com, info@ruptela.com) and to LEMATICS UAB (a company registered under the Lithuanian laws, having its registered office at 25 Lvovo Str, LT-09320, Vilnius, Lithuania, LT100010749217, www.lematics.com, info@lematics.com), as Processors, information that allows to establish the location of the vehicle, the period and the location of its parking/stopping, the speed of the Vehicles, the distance travelled, the date, the time and duration of the use of the Vehicles, the time the Vehicle are unlocked/locked, the charge level of the Vehicles’ battery at the start/end of the Vehicle Use Period, as well as while the Users are using the Vehicles, information whether the Vehicles are being charged and whether the Vehicles’ doors are closed.
3.10. In order to ensure a smooth and high-quality payment settlement for the services provided, the Owner of the Mobile Application entered into a subcontract with the Payment Processor Adyen N.V. (a company registered with the Dutch Chamber of Commerce under number 34259528 and having its seat at Simon Carmiggeltstraat 6-50, 1011 DJ in Amsterdam, the Netherlands, www.adyen.com), which processes the payment operations.
3.11. The Owner of the Mobile Application also contracted Amazon Web Services as a Processor to perform the server rental and installation services.
3.12. The Controller concluded an agreement with the Owner of the Mobile Application, which defines the respective responsibilities for the protection of Personal Data. According to this agreement, SPARK CAR SHARING S.R.L. is responsible for providing the information required by law and for processing the requests of Data Subjects, provided for in the GDPR, in Romania.
3.13. The Controller confirms that, in order to ensure data protection, all available and reasonable justified technical and organizational data protection measures have been implemented.
3.14. The Controller and/or the Owner of the Mobile Application, on behalf of the Controller, enter/s into agreements with Processors, which process Personal Data only on behalf of the Controller for the purposes set out in the DPAs. In particular, each Processor shall:
- process Personal Data only in accordance with the Controller's documented instructions, including in relation to the transfer of Personal Data to a third country or international organization, unless required to deviate from such instructions to comply with the requirements of the GDPR and/or other mandatory legal requirements to which the Processor is subject. In such a case, the Processor must, without unreasonable delay, inform the Controller of the relevant requirement prior to the processing of Personal Data;
- ensure that the persons authorized to process the Personal Data have undertaken the obligation of confidentiality and compliance with the applicable data protection regulation within the EU or are bound by an appropriate legal obligation of confidentiality;
- support the Controller upon its express written request, with a view to ensuring the fulfilment of its legal obligations, such as those related to data security with the Controller, the assessment of the impact on data protection and prior consultation laid down in the GDPR, and, in particular, to implemented appropriate technical and organizational measures to protect the Personal Data covered by the DPA from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the Personal Data. The Processor shall be obliged to perform all of its obligations as a Personal Data Processor, in full compliance with the relevant laws, at its own expenses;
- support the Controller by implementing appropriate technical and organizational measures to fulfil the Controller's obligations in this capacity, namely: to respond to requests to exercise the rights of Data Subjects under the GDPR. The Processor must immediately notify the Controller of any request made by any Data Subject and not respond to the relevant request before receiving the Controller's instructions;
- provide the Controller with all the information necessary to prove compliance with the obligations of the Processor as specified in the DPAs and in the GDPR, and to allow and assist in audits, including inspections carried out by the Controller or another auditor authorized by the Controller;
- maintain accurate records of all processing activities under the DPAs in accordance with the requirements set out in the GDPR and provide the Controller with the relevant records within ten (10) working days of receiving the request from the Controller;
- ensures that no Personal Data is transferred, released, assigned, disclosed or otherwise made available to a third party without the prior express written consent of the Controller;
- ensures that data protection obligations similar to those set out in this document are imposed on other Processors of Personal Data who are engaged by the Processor by means of a contract. The Processor is responsible to the Controller for the fulfilment of these obligations by the other Processors;
- shall inform the Controller immediately if an instruction of the Controller violates the Data Protection Regulation or if Personal Data is or will be processed in violation of the Data Protection Regulation or the Agreement and informs the Controller immediately about complaints or audits by data protection supervisory authorities of the data related to the processing of Personal Data;
- shall inform the Controller without undue delay (but no later than 48 hours) after becoming aware of any security breach of Personal Data, which means, for instance, any security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Personal Data that is transmitted, stored or otherwise processed. The notification must describe the nature of the violation, the number of Data Subjects affected, the likely consequences of the violation, the measure taken or proposed, as well as other data related to the violation listed in Article 33, paragraph 3 of the GDPR; and
- upon termination of the processing contract or at the Controller's written request, to destroy or return all Personal Data, unless otherwise provided for in the GDPR or mandatory national legislation within the EU to which the Processor is subject.
4.1. The Controller processes, directly or indirectly, through Processors, the Users’ biometric Data, namely their photos for the purpose of uniquely and accurate identification of the Users during the User’s Accounts' registration procedures.
4.2. The legal grounds for processing biometric data are the establishment and exercise of legal claims (Article 9, paragraph 2, letter f) of the GDPR).
4.3. For the purpose of collecting, processing and storing Users' biometric data, the Owner of the Mobile Application entered into a biometric data processing contract with JUMIO Corporation (395 Page Mill Road, Suite 150, Palo Alto, CA 94306, USA, www.jumio.com), which is certified with the PCI DSS data protection certificate and provides a high level of protection equivalent to bank protection information.
4.4. The Processor is obliged to process the data solely for the purposes of accurate User identification and for no other purposes. Although the check for data validation and confirmation of the Users’ identities is done by automated means, decisions to refuse registration are made only after human intervention and additional validation of documents.
5.1. The Controller processes Personal Data of the Users for direct marketing purposes, exclusively, when:
5.1.1 The Data Subject has given his/her consent to the processing of his/her Data for this specific purpose, in compliance with Art 6 para 1 pt. a) and Art 7 of the GDPR; the request for consent is presented in a form which clearly distinguishes it from the other aspects; no part of that statement, which constitutes a breach of the GDPR, if and when the case, is binding;
5.2. Data Subjects have the right to object at any time to the processing for direct marketing purposes of their Personal Data, including to profiling, insofar as it is related to such direct marketing. If the Data Subject objects to processing for the purpose of direct marketing, the Data are no longer processed for this purpose.
5.3. In order to receive direct marketing communications (i.e. special offers, messages within promotional campaigns, advertisements, coupons and/or other similar messages) for the Services provided by the Controller, the Users have the option to express their consent, in the Mobile Application, for the processing of Data for direct marketing purposes, at the time or after registering the Account and/or to subscribe to receive newsletters on the Website.
Account registration, conclusion and/or execution of the Service Contract, the Vehicle Use Agreement, including the provision of Services are not conditioned by consent to the processing of Personal Data for direct marketing purposes.
5.4. Communications, regardless of how they are transmitted, including newsletters, whereby Users and Service Recipients are duly informed, from time to time, about changes to the General Terms and Conditions, the Rules, the Price List, the Vehicle Use Agreement, and/or the Privacy Policy, as well as those relating to temporary limitations on access to the Mobile Application and/or the Website, safety and/or similar issues are not and will not be considered and/or construed as direct marketing communications. In this case, processing is necessary for the performance of the contract between the Parties (Art 6(1), point (b) of the GDPR), for compliance with legal obligations under customer protection legislation which the Controller is subject to (Art 6(1), point (c) of the GDPR), as well as for the purposes of the legitimate interests pursued by the Controller (Art 6 (1), point (f) of the GDPR).
5.5. The Controller might process the following Personal Data of the Users for direct marketing purposes:
5.5.1. First name(s);
5.5.2. Name;
5.5.3. Email Address;
5.5.4. Phone number;
5.5.5. Address.
5.7. Data processed for direct marketing purposes are not transmitted by the Controller to the Recipients.
5.8. The legal basis for data processing for direct marketing purposes is Art 6 para. 1 points a), with the application of Articles 7 and 21 of the GDPR.
5.9. When processing Data for direct marketing purposes, the Controller uses the specialized platform AIRSHIP (www.airship.com), through which newsletters are sent to Data Subjects, as well as AMAZON WEB SERVICES, both as Processors.
6.1. The Controller, based on the need to segment and better understand the Users behavior when accessing the Services, uses Google Analytics 4 (formerly known as Google Universal Analytics) advertising features, to display personalized ads to the Users in the Mobile Application.
6.2. By using the Google Analytics 4, the Controller grants to its developer/owner the right to process the data described below. More information about Google's privacy and data collection policies can be found here: Google Safety Center - Stay Safer Online.
6.3. By using Google Analytics 4 and enabling the `Google Signals` feature, the Controller does not transfer any information to their developer/owner that could identify a specific individual, as only the following data are shared:
6.3.1. Google-generated User Mobile Application ID (hereinafter - Mobile Application ID);
6.3.2. The country where the Mobile Application is being opened based on the Mobile Application ID;
6.3.3. The date when the Mobile Application was first launched based on the Mobile Application ID;
6.3.4. The date when the User Account registration was made using the Mobile Application based on the Mobile Application ID;
6.3.5. Information on whether a payment card is attached to the Mobile Application based on the Mobile Application ID;
6.3.6. Information on whether a valid driver's license is attached to the Mobile Application based on the Mobile Application ID;
6.3.7. Information on when the Mobile Application is opened based on the Mobile Application ID;
6.3.8. Information on when the User is logged in the Mobile Application based on the Mobile Application ID;
6.3.9. Information about payments made through the Mobile Application (amount, currency, purpose of payment (type of service, membership extensions, and suspensions)) based on the Mobile Application ID.
7.1. By the means of the Mobile Application there are collected and processed information about the location of the Users’ mobile devices, but only for those who allowed the access to such information on their mobile devices. The Users can control the way their Personal Data are processed while using and not using the Mobile Application, including the sort of Data are processed, by setting the relevant options, depending on the operating systems installed on their mobile devices.
7.2. The Controller collects data on the location of the Users’ mobile devices in order to increase and improve the availability of the Vehicles as well as the Services provided, based on the customers’ needs in specific areas, on specific periods of time, etc.
7.3. The Data on the mobile devices’ location are not transferred to the Recipients, except otherwise prescribed by mandatory laws.
8.1. The Controller monitors the mobility of the vehicles provided to the Users for use.
8.2. Mobility Monitoring aims to ensure the security of the assets belonging to the Controller, the use of the services provided, by the Users, in good faith and in an appropriate manner, and the provision of the services with due quality, guaranteeing the security of the Users and third parties.
8.3. Mobility Monitoring is carried out by means of GPS transmitters and Detectors, as defined within the Terms and Conditions, installed in the vehicles belonging to the Controller. The Data include information about the distance travelled, speed, route, and location of the vehicle, the driving way, smoking and smoke inside Vehicles, as well as the external damages to the Vehicles.
8.4. Mobility Monitoring data are not transmitted to Recipients, unless otherwise prescribed by the relevant laws and/or provided herein, the Service Contract and the Vehicle Use Agreement.
8.5. The legal grounds for data processing are Article 6, paragraph 1, letters “b” and “f” of the GDPR.
8.6. In order to carry out Mobility Monitoring, the Controller contracted LEMATICS UAB and RUPTELA UAB, afore-identified, and Robert Bosch GmbH, with its registered office in Germany, 70839 Gerlingen, Robert-Bosch-Platz 1.
9.1. In order to provide high-quality Services and rewards, the Controller uses automated decision-making to calculate e-Go points in a completely objective and non-discriminatory manner based on the distance travelled. The fees for the use of the services are also calculated in an automated manner based on the duration and the distance for which the Vehicles are used, as well as the zone where they are returned. The Controller values the Users' privacy and does not use the Users' Personal Data to profile them.
10.1. The Controller protects the privacy of the Data Subjects and does not disclose Personal Data to third parties, except with the Data subjects’ consent and in cases permitted by law, the Privacy Policy, the Service Contract, and the Vehicle Use Agreement.
10.2. With guaranteed protection and control measures, disclosure is possible with other companies part of the Controller’s corporate group or with its service providers in order to ensure the smooth functioning of the electric car sharing system and high quality of services (e.g. with server providers, telemetry services, data validation, technical and administrative customer support, Mobility Monitoring, car sharing platform, statistical data analysis, etc.). In this case, the service providers are required to strictly comply with their contractual obligations and applicable data protection legislation, including taking the necessary measures to protect the confidentiality of the subjects' Personal Data.
10.3. It is also possible for Users’ data to be shared with third parties if there is a justified need:
• public bodies such as traffic and local police, courts, prosecutors, Users’ Protection National Agency, etc. in order to fulfil the Controller’s legal obligations, including to report possible law infringements, rimes, and misdemeanours, to prevent fraud and traffic accidents or to fulfil other legal requirements e.g. for accounting reporting;
• insurers, law firms, bailiffs, debt collection companies – e.g. eCollect AG, with address Neuhofstrasse 21, 6340 Baar, Zug, Switzerland, with registration number: CHE – 180.481.291, - etc., in order to enforce the Service Contract and the Vehicle Use Agreement and to guarantee the property of the Controller and its other rights and legal interests;
• to protect the security, rights, and interests of other Users and/or third parties.
11.1. Transfer of Personal Data to a third country or an international organization outside the European Union and the European Economic Area can only take place if one of the following conditions is met:
11.1.1. There is a decision of the European Commission regarding the adequate level of Personal Data protection that the third country in which the data is received provides;
11.1.2. There is an explicit consent of the Data Subject, after being informed of the possible risks associated with the transfer due to the absence of a decision on the adequate level of protection and of adequate guarantees;
11.1.3. The transmission is necessary for the performance of a contract between the Data Subjects and the Controller or for the performance of pre-contractual measures taken at the request of the Data Subjects;
11.1.4. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Controller or the group it is part of and another natural or legal person;
11.1.5. The transfer is necessary for the establishment, exercise or defence of legal claims;
11.1.6. The transmission is carried out by a public register.
11.2. In case of need for manual data verification during User’s registration, data transfer is done by the Identity check service provider which is registered in the USA. The transfer is carried out on the basis of standard contractual clauses (Article 46, paragraph 2, letter “c”) of the GDPR) with the necessary level of data protection, insofar as JUMIO is certified according to the PCI DSS standard and is subject to an annual audit for its compliance.
12.1. The Controller applies different Personal Data storage periods depending on the categories of Personal Data processed and the purposes of processing.
12.2. If the registration process has not been successfully completed and, so, the Users have not being granted the right to use the electric car sharing services, their Personal Data are usually stored for a period of 3 years since the application is rejected, unless the Controller justifies a legitimate interest in continuing their processing (e.g., to defence against complaints, etc).
12.3. Upon completion of a successful registration with the right to use the services for the shared use of electric cars, the Controller applies the following Personal Data storage periods:
No |
Personal Data Categories |
Storage period |
1. |
Data related to fiscal duties and accounting and insurance claims |
5 years starting from the 1st January of the next year after the date when the fiscal document is issued |
2. |
Data related to insurance claims |
2 years starting from the time when the right to file an action based on an insurance contract arose |
3. |
Personal Identification Data from the User User Account, processed for the purposes of providing the electric car sharing services |
3 years from the date of termination of the contract
|
4. Д |
Biometric Data |
The Data processed for the purpose of uniquely and accurate identification of the Users during the User’s Accounts' registration procedures are deleted immediately from the database of the Controller, after establishing the identity/after the successful registration of the account. The biometric Data are then stored in specialized JUMIO servers for a period of 5 years - unless a shorter term is prescribed within its relevant privacy policy -, starting from the date on which the User's identity verification process was successfully completed. |
5. |
Data used for direct marketing purposes |
2 years from the date of termination of the Service Contract
|
6. |
Mobility control data |
2 years from the date of termination of the Service Contract |
7. |
Users’ mobile devices’ location data |
1 year from the last connection to the Mobile Application |
12.4. Exceptions to the above storage periods may be established insofar as the relevant deviations do not violate the rights of the Data Subjects, comply with legal requirements and are duly documented.
12.5. Documents and Data about Users, in respect of which the Controller has initiated judicial proceedings, are stored according to the instructions of the legal department for a period of 3 years after the conclusion of the proceedings with an effective court decision or after the final payment of the debt, whatever occurs first.
12.6. After the expiration of the established terms, the Data are anonymized or destroyed in a secure way by deleting them from the information systems or by shredding if they are on paper.
12.7 The cookies are processed according to the Cookies Policy set for by the Owner of the Website, on behalf of the Operator, for as long therein prescribed.
13.1. The Data Subjects have the right to exercise the following rights according to the procedure established in the GDPR and the additional relevant laws:
13.1.1. Right to information: before processing the Data, the Controller is obliged to provide the Data Subjects with information in the form of a privacy notice about what Personal Data it collects, on what grounds and for what purposes it uses it, with whom it shares it, the Controller's intention to transfer the Data to third countries outside the EU, if any, the storage period and security measures, the consequences of not providing the Data, the presence of automated decision-making, the rights of the Data Subjects, including their right to lodge a complaint with a supervisory authority. Before registering as a user and installing the Mobile Application, the Data Subject is obliged to read and agree to the Privacy Policy in order to be able to use the Mobile Application;
13.1.2. Right of access: this right enables the Data Subjects to obtain copies of the Personal Data that the Controller stores about them, as well as information related to the processing. The history of the services used by the Data Subjects and the Data provided during registration can be accessed through the User Account in the Mobile Application, and a special access request can also be submitted;
13.1.3. Right to erasure: this right enables the Data Subjects to request their Personal Data to be deleted when there is no valid reason for the Controller to continue processing it e.g. if the purpose for which the Data were collected has been achieved or if the Data Subjects have withdrawn consent. If the legal requirements are met, the Controller should delete the Personal Data within 1 month, unless other term prescribed by mandatory laws or there is a legal obligation to continue processing them or the retention of the Data is necessary for the establishment, exercise or defence of legal claims;
13.1.4. Right to have Personal Data concerning them rectified: this right enables the Data Subjects to request that any incomplete or inaccurate Data of them be corrected. The Data Subjects are obliged to promptly note any change in their Personal Data in their User Account and/or to notify the Controller thereof;
13.1.5. Right to restriction of Data processing: this right enables the Data Subjects to request the Controller to temporarily suspend the processing of Personal Data if, for example, they wish to establish the accuracy of the Data or the reasons for its processing
13.1.6. Right to Data portability: this right is limited to cases where the Data is processed in an automated manner and is provided by the Data Subjects on the basis of their consent or for the purposes of the performance of a contract, giving the possibility to require the Controller to provide the Personal Data stored in electronic form to the Data Subjects or a third party;
13.1.7. Right to object: in cases where the Controller relies on its legitimate interests as a basis for processing, the Data Subjects may object to this processing on grounds related to their particular situation. They also have the right to object when the processing is for direct marketing purposes or the Data is processed for statistical purposes;
13.1.8. Rights related to automated decision-making, including profiling: the Data Subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which gives rise to legal consequences for the Data Subjects or similarly significantly affects them;
13.1.9. Withdraw of consent: the Data Subjects have the right to withdraw their consent at any time in case they have given it without affecting the processing up to that point. Where consent has been given for direct marketing purposes, the Data Subjects may opt-out of receiving newsletters at any time by clicking on the "unsubscribe" link in email messages sent by the Controller or by changing the settings of the Mobile Application. If the Data Subjects have provided access to their location through the mobile device in order to find electric vehicles in the vicinity, they can change the settings thus selected;
13.1.10. Lodging a complaint: If the Data Subjects believe that any of their rights have been violated, they have the right to file complaints with the Controller and/or with the Authority for Personal Data Protection - www.dataprotection.ro.
13.2. Requests may be submitted by the Data Subjects or any person authorized by the Data Subjects, with the Controller taking measures to confirm their identity, for the purpose of data protection. The Controller is obliged to process such requests within the following terms, unless otherwise prescribed by the relevant laws:
Request from the data subject |
Period |
Right to information |
When the data is collected (if the data is provided by the Data Subject) or within one month (if the data is not provided by the Data Subject) |
Right of access |
One month |
Right to update |
One month |
Right to erasure |
No undue delay |
Right to restriction of data processing |
No undue delay |
Right to data portability |
One month |
Right to object |
No undue delay |
13.4. The Controller has the right to reasonably deny the Data Subject the exercise of his/her rights or impose a reasonable fee under the conditions provided for in Article 12, paragraph 5 of the GDPR.
14.1. The rights and obligations of the Data Protection Officer are described in detail in the GDPR, the job descriptions, if the position is held by an employee of the Controller, or in the service contract, if the position of Data Protection Officer is held by an external service provider.
14.2. In general, the duties of the DPO include being responsible for the proper implementation of the Controller's Privacy Policy in accordance with the standards and requirements of the applicable legislation, participating in raising awareness and training of employees processing Personal Data, conducting the relevant audits, reports data processing risks, reacts to data security violations, assists the Authority for Personal Data Protection and Data Subjects in exercising their rights, keeps a register of processing activities, etc. tasks assigned by the Controller, insofar as they do not conflict with his duties as a DPO.
14.3. For DPO related matters you can use the following e-mail address: gdpr@espark.ro.
15.1. If the Controller's employees having the right to access the Data notice or are notified of Data security violations (inaction or actions by persons that may lead to or have led to a risk to Data security), they are hold to notify immediately the Data Protection Officer and the immediate supervisor.
15.2. Taking into account the risk factors for breach of Data security, the degree of impact of the breach, damages and consequences, following the relevant internal procedures, the Controller makes decisions on the necessary measures to remedy the breach of data security and its consequences and to notify the Public Authority for the Data Protection and the affected individuals, if there is a high risk to their rights and freedoms.
16.1. The organizational and technical data security measures implemented by the Controller ensure a level of security that corresponds to the nature of the data processed by the Data Controller and the risk of data processing, including, but not limited to, the measures specified in this section.
16.2. Personal Data security measures include the following:
16.2.1. Administrative measures as implementing appropriate procedures for the security of documents and computer data and their archives and organization of work in various spheres of activity, mandatory training of Personal Data protection personnel currently employed and upon leaving work/dismissal, duties on confidentiality and prohibition of disclosure of Personal Data, procedures for providing access to data, etc.;
16.2.2. Technical and software protection measures as administration of servers, information systems and databases, workplace support, protection of operating systems, monitoring (control) of user access, protection from computer viruses, etc.;
16.2.3. Administration of information systems and databases, job support, protection of operating systems, protection from computer viruses, etc.;
16.2.4. Protections for communication and computer networks (technical and software measures for coding and transmission of data for general use, applications, Personal Data, filtering of unwanted data packets, etc.).
16.3. The above-mentioned measures for the protection of Personal Data ensure: 1) storage equipment for copies of operating systems and databases, control of the storage of copying equipment; 2) technology for continuous work with data (processing); 3) strategy for restoring the functioning of systems in emergency cases (management of uncertainties); 4) unique user identification and password system; 5) physical (logical) separation of the application testing environment from the processes in operational mode; 6) registered data use and data privacy.
16.4. The Controller set up a procedure for the recovery of Personal Data in case of accidental loss of Data. The Controller makes backup copies of the data available in the system. Data is retrieved according to the internal procedure using Amazon Web Services software from the backup equipment libraries. In all cases, data archives are stored without prejudice to the data storage period specified in the Policy.
16.5. The Controller applies other measures guaranteeing the security of Personal Data:
16.5.1. VPN technology is used to remotely connect to the Controller's internal network, and a digital certificate is used to identify the user;
16.5.2. Access to Personal Data through organizational and technical data security measures that register and control efforts to register and acquire rights are subject to due control;
16.5.3. The following records are kept when entering the database by the persons who are granted the right to process Personal Data: login identifier, date, time, duration, result of the entry (successful, unsuccessful). The above records are kept for at least 1 (one) year;
16.5.4. The security of the premises where Personal Data are stored (access to the relevant premises only by authorized persons, locking, etc.) is ensured;
16.5.5. Efforts are made to ensure the use of security protocols and/or passwords when providing Personal Data via external data transmission networks;
16.5.6. The Controller does its best efforts to ensure control over the security of Personal Data on external data carriers and e-mail and their deletion after use of Personal Data by transferring them to databases;
16.5.7 Urgent Personal Data recovery actions (when and who performed Personal Data recovery actions by automatic and non-automatic means) are recorded;
16.5.8. The Controller does its best efforts to ensure that the testing of information systems is not carried out with real Personal Data, except in cases where organizational and technical measures for the protection of Personal Data are used, guaranteeing real security of Personal Data;
16.5.9. Personal Data in portable computers, if the latter are not used in the data transmission network of the Controller are protected by appropriate measures appropriate to the risk of processing.
16.6. The Controller implements appropriate technical and organizational measures ensuring standardized processing of Personal Data that is necessary for the specific purpose of data processing. The above obligation applies to the corresponding amount of Personal Data collected, the scope of their processing, the period of storage of Personal Data and the accessibility of Personal Data.
17.1. The Controller can be contacted with questions related to this Policy and/or data protection in general using the following contact details:
Email: gdpr@espark.ro
Phone number: 0759888602
18.1. The policy shall be revised annually by the Controller and anytime else needed including in case of changes concerning the Relevant Laws.
18.2 The Policy and amendments to it come into force from the date of their publication on the Website.