The protection of your personal data is important to the BNP Paribas Group – to which Arval entities belong. The BNP Paribas Group has adopted strong principles in respect of the protection of personal data for the entire Group in its Group Data Protection Notice which is available on the BNP Paribas website.
This Notice provides you with detailed information relating to the protection of your personal data by Arval UK Limited (“we”).
We are responsible for collecting and processing your personal data in relation to our activities. The purpose of this Notice is to let you know which personal data we collect about you, the reasons why we use and share such data, how long we keep it, what your rights are, and how you can exercise them.
Further information on the protection of your personal data may be provided where necessary when you apply for a specific product or service.
1. WHICH PERSONAL DATA DO WE USE ABOUT YOU?
We collect and use your personal data to the extent necessary when conducting our business activities and to achieve a high standard of personalised products and services.
We may collect various types of personal data about you, including:
- identification information (e.g. name, ID card, passport, driving licence, nationality, place and date of birth, gender, photograph, IP address);
- contact information (e.g. postal address and e-mail address, phone number);
- family status (e.g. marital status, number of children);
- tax status (e.g. tax ID, tax status);
- employment information (e.g. employment, employer’s name, location);
- banking, financial and transactional data (e.g. credit card number, bank account details, payment data);
- data relating to the vehicle leasing contract (e.g. client identification number, contract number, vehicle identification number);
- data relating to insurance issues (e.g. insurance claim history including paid indemnities and expert reports, information about victims); and
- data relating to you, your habits and preferences :
- data relating to your use of our products and services and transactional data;
- data from your interactions with us: our branches (contact reports), our internet websites, our apps,
- our social media pages, meetings, calls, chat, email, interviews, phone conversations; and
- video surveillance (including CCTV) and geolocation data (e.g. showing locations to identify the location of service suppliers for you or enabling the provision of specific services such as car sharing).
Depending on the product/service, we may collect biometric data (e.g. fingerprint, voice pattern or face pattern which can be used for identification and security purposes) with your explicit prior consent.
In addition, we will process data relating to criminal convictions and offences in relation to fines for traffic offences as part of the “Fines Management” service to the extent legally authorised.
We never ask for personal data related to your racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data or data concerning your sexual orientation, unless it is required because of a legal obligation.
The data we use about you may either be collected from you directly or from any of the following sources to verify or enrich our databases:
- publications/databases made available by official authorities (e.g. the official journal);
- our corporate clients and/or their branches and affiliates (e.g. your employer), or service providers;
- third parties such as credit reference agencies and fraud prevention agencies or data brokers in conformity with the data protection legislation;
- websites/social media pages containing information made public by you (e.g. your own website or social media); or
- databases made publicly available by third parties.
2. SPECIFIC CASES OF PERSONAL DATA COLLECTION, INCLUDING INDIRECT COLLECTION
In certain circumstances, we may collect and use personal data of individuals with whom we have, could have, or used to have a direct relationship (eg. prospects).
We may also collect information without a direct relationship in circumstances where your employer provides us with information about you or your contact details are provided by one of our clients, for example, if you are:
- family members;
- co-borrowers / guarantors;
- legal representatives (e.g. under a power of attorney);
- beneficiaries of payment transactions made by our clients;
- beneficiaries of insurance policies and trusts;
- ultimate beneficial owners;
- clients’ debtors (e.g. in case of bankruptcy);
- company shareholders;
- representatives of a legal entity (which may be a client or a vendor); or
- staff of service providers or commercial partners.
3. WHY AND ON WHICH BASIS DO WE USE YOUR PERSONAL DATA?
a. To comply with our legal and regulatory obligations
We use your personal data to comply with various legal and regulatory obligations, including banking and financial regulations, which may require us to:
- set up security measures to prevent abuse and fraud;
- detect transactions which deviate from the normal patterns;
- define your credit risk score and your reimbursement capacity;
- monitor and report risks that Arval UK or other members of the BNP Paribas Group could incur;
- record, when necessary, communications such as phone calls, chats and emails;
- reply to official requests from duly authorised public or judicial authorities (e.g. to identify the driver and communicate the data to the relevant public authorities);
- prevent money-laundering and financing of terrorism;
- comply with legislation relating to sanctions and embargoes; and
- fight against tax fraud and fulfil tax control and notification obligations.
b. To perform a contract, or to take steps at your request before entering into a contract with you
Where you are a driver, who is also an individual client:
We use your personal data to enter into and perform our contracts with you, including to:
- evaluate if we can offer you a product or service, and under what conditions;
- provide you with information regarding our products and services;
- schedule and manage our services such as (i) the delivery, return, maintenance and repair of the vehicle (including car recalls from manufacturers), (ii) value-added services (e.g. fuel and toll cards) and (iii) buying back the vehicle from you;
- manage the resolution of disputes (e.g. for debt collection) and to assist you with queries, requests and complaints (including insurance claims);
- ensure and facilitate your mobility with access to some of our services via our mobile applications; and
- handle billing, invoicing and recovery.
c. To fulfil our legitimate interest
Where you are a driver who is also a client or an employee/ representative of one of our corporate clients:
We use your personal data to deploy and develop our products or services, manage the contractual relationship with our clients to improve our risk management and to defend our legal rights.
For example, we have a legitimate interest in using your personal data for:
- proof of transactions;
- fraud prevention;
- rolling out prevention campaigns (e.g. creating alerts in connection with traffic or road hazards);
- responding to official requests from public authorities of third countries (located outside EEA);
- IT management, including infrastructure management (e.g. shared platforms), business continuity and IT security;
- establishing individual statistical models, based on the analysis of transactions, for instance to help define your driver profile;
- establishing aggregated statistics, tests and models, for research and development, to improve the risk management of our group of companies and to improve existing products and services or create new ones;
- training of our personnel by recording phone calls to our call centres;
- personalising our offers and those of other BNP Paribas entities through:
improving the quality of our products or services (including via client satisfaction surveys); and
advertising products or services that match with your situation and profile, by:
segmenting our prospects and clients;
analysing your habits and preferences in the various channels (visits to our offices, emails or messages, visits to our website, etc.);
matching the products or services that you already hold or use with other data we hold about you.
In addition, where you are a driver, and an employee or representative of one of our corporate clients:
We use your personal data for the following purposes:
- evaluate if we can offer a product or service, and under what conditions;
- provide information regarding our products and services;
- schedule and manage our services, such as (i) the delivery, return, maintenance and repair of the vehicle (including car recalls from manufacturers), (ii) value added services (e.g. fuel and toll cards) and (iii) buying back the vehicle;
- manage the resolution of disputes (e.g. for debt collection), assist you with queries, requests and complaints (including insurance claims);
- deliver a digital platform that allows you (i) access to some services directly via your smartphones and (ii) to use a pool of vehicles for car sharing;
- deliver fleet status and trends reporting to your employer’s car fleet management company (e.g. reporting on maintenance, fuel consumption, toll cards usage); and
- handle billing, invoicing and recovery.
Your data may be aggregated into anonymised statistics that may be offered to professional clients to assist them in developing their business. In these circumstances, your personal data will never be disclosed and those receiving the anonymised statistics will be unable to ascertain your identity.
d. To respect your choice and if we requested your consent for a specific processing
In some cases, we must have your consent to process your data, and in those circumstances, we will always obtain your consent first. If we need to carry out further processing for purposes other than those above in section 3, we will inform you and, where necessary, obtain your consent.
Where the above purposes lead to a solely automated decision (where no human has yet reviewed the outcome and criteria for the decision), you have a right for this decision to be reviewed by us. In which case, we will inform you separately about the logic involved, as well as the significance and the possible consequences.
4. WHO DO WE SHARE YOUR PERSONAL DATA WITH?
To fulfill the purposes listed in section 3. above, we only disclose your personal data to:
- BNP Paribas Group entities (e.g. so you can benefit from our full range of group products and services);
- service providers which perform services on our behalf;
- independent agents, intermediaries, brokers, banking and commercial partners, financial, regulatory and judicial authorities as well as state agencies and public bodies, upon request and to the extent permitted by law; and
- certain regulated professionals such as lawyers, notaries or auditors.
5. TRANSFERS OF PERSONAL DATA OUTSIDE THE EEA
Sometimes we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA). We may transfer personal data that we collect from you to third-party data processors in countries that are outside the EEA. Sometimes we are permitted to transfer to countries outside the EEA, for example where the country has its own adequate data protection laws or in limited circumstances, out of necessity (for example if we take/ receive a payment from you outside the EEA). We also have procedures in place to ensure your data receives the same protection as if it were being processed inside the EEA. For example, our contracts with third parties stipulate the standards they must follow at all times. We also use standard contractual clauses approved by the European Commission and binding corporate rules where applicable.
To obtain a copy of these safeguards or details on where they are available, you can send a written request as set out in Section 9.
6. HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?
Whenever we collect or process your personal data, we’ll only keep it for as long as it is necessary for the purpose for which it was collected (as set out above) or as required by law. In most circumstances this means we will retain your personal data for the longest period required to comply with our regulatory, legal and contractual obligations whilst at all times having regard to our operational requirements, such as proper account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests, as well as balancing these requirements with your right to be forgotten. For instance, most of our client’s information is kept for the duration of the contractual relationship and after the end of the contractual relationship for the period needed to meet regulatory requirements and to ensure the exercise or defense of legal claims.
7. WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM?
In accordance with applicable regulations, you have the following rights:
- To access: you can obtain access to the personal data we hold about you, and a copy of such personal data, free of charge in most cases.
- To rectify: for out of date, inaccurate or incomplete, personal data to be corrected.
- To erase: you can require the deletion of your personal data, to the extent permitted by law.
- To restrict: you can request the restriction of the processing of your personal data.
- To object: you can object to the processing of your personal data, for reasons connected to your individual situation and we must stop unless we have a legitimate overriding reason to continue. You have the absolute right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing. We must always comply with your request.
- To withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
- To data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party
If you wish to exercise the rights listed above, please send a letter or e-mail to the following address firstname.lastname@example.org. We will ask you to verify your identity before proceeding with any request.
You can also complete our online privacy request form.
If you feel that your data is not being handled correctly, or you are unhappy with our responses to any request, you have a right to lodge a complaint with the Information Commissioner’s Office.
You can contact them by calling 0303 123 1113 or go online to www.ico.org.uk/concerns.
8. HOW CAN YOU KEEP UP WITH CHANGES TO THIS DATA PROTECTION NOTICE?
In a world of constant technological changes, we may need to regularly update this Notice.
We invite you to review the latest version of this Notice online and we will inform you of any material changes through our website or through our other usual communication channels.
9. HOW TO CONTACT US?
If you have any questions relating to our use of your personal data or this Notice, please send a letter for the attention of the Arval UK Data Protection Correspondent at Arval UK Limited, Whitehill House, Windmill Hill Business Park, Swindon or contact us through email@example.com.
If you wish to learn more about cookies please refer to our cookies policy at https://www.arval.co.uk/cookies-policy, if you would like to understand more about our Arval’s information security please contact us through firstname.lastname@example.org.