Privacy and Personal Data Protection Policy

Privacy and Personal Data Protection Policy

Preamble

We respect your privacy and treat your personal data in a responsible way.

The information contained in this document is primarily intended for those of you who, in relation to any of the W.A.G. Group companies, act as one of the following:

  • customer (potential customer),
  • statutory representative or our (potential) customer’s employee,
  • another user of our products (e.g. a private entrepreneur working for our customer),
  • supplier, supplier’s statutory representative or employee, or person cooperating in another manner,
  • job/co-operation applicant, where applicable.

In accordance with the valid legislation, we would like to inform you that the W.A.G. Group companies (a list of which is available here) may process your personal data. This document describes what type of data we process and when and explains important terms (listed here) and your rights (listed here). Please read the document thoroughly. You can also find the full version at www.eurowag.com, where an updated version is always available.

The processing of your personal data is governed by the following principles:

  • we only process your personal data
    • for a purpose determined in a clear and comprehensible manner (i.e. we assess the purpose of your personal data processing),
    • to the extent necessary for the purpose, and
    • for such period as is necessary for the purpose;
  • we always inform you about the processing of your personal data;
  • your personal data are processed in a transparent manner (we e.g. inform you of your rights);
  • we protect your personal data against:
    • abuse, theft or other unauthorized processing; and
    • accidental change, destruction or damage;
  • we comply with the appropriate technical and organizational measures to ensure security of personal data.

If, after reading this document, you do not understand certain parts or terms or you are not sure whether and how specific information about your personal data processing relates to you, please contact us at compliance@eurowag.com.

Who holds your personal data?

The W.A.G. Group company that received your personal data from you or collected your personal data for one or more purposes shall always be your personal data controller.

The personal data controller will collect and handle your personal data and be responsible for their due and lawful processing. Please contact your personal data controller if you want to exercise any of your rights.

Your data are typically managed by the company that you are a client of or cooperate with, most often the company that you have already signed a contract with. If the contractual cooperation involves multiple W.A.G. Group companies, then each of them may use your personal data for predetermined purposes.

If you are not sure, ask us.

Who can your personal data be transferred to?

We may share your personal data within the W.A.G. Group especially for the purposes of ensuring top quality customer service, internal management and reporting (if you change your address, you do not have to contact the sales representative and the billing department separately).

The W.A.G. Group companies may act as controllers and processors of your personal data vis-?-vis each other, especially when you use a large range of our products or you use our products in multiple countries.

By sharing selected personal data within the W.A.G. Group, we can ensure that your data always remain up to date. Thanks to that, you will receive quick and high quality services because we will be able to properly identify you and set up the products you use so as to suit your needs (e.g. a well-established billing system).

We may only transfer your personal data outside the W.A.G. Group if it is required by the offered service, if it is stipulated by law, or if you allow us to do so. On the other hand, the W.A.G. Group companies may act as data processors for other personal data controllers outside the W.A.G. group (drivers' employers).

Some of our services may be provided in collaboration with entities (companies or individuals - controllers, processors) outside the W.A.G. Group. If your personal data are shared with another entity, we always check what type of personal data is provided and why. We also verify whether the other entity is able to provide sufficient guarantees and has sufficient expert knowledge to handle the personal data.

If we entrust another party with the performance of a certain activity that constitutes part of our services, the relevant personal data may be processed in the performance of such activity. In some cases, such suppliers may become personal data processors. The processor may solely handle the data for the purposes for which the processor was authorized by us. In such case, your consent is not required for the performance of the processing activities.

If we use cloud repositories (see glossary of terms), we always strive to use those located within the EU and always emphasize ensuring a high level of personal data security.

If you are our client’s employee, typically a driver, the W.A.G. Group company only acts as the processor of your personal data for your employer who uses our products/services.

The following entities outside the W.A.G. Group may particularly act as personal data processors, controllers or joint controllers:

  • toll service providers,
  • providers cooperating in securing tax refunds,
  • fuel point operators, washing service operators, parking service operators, etc. (contractual partners within the acceptance network),
  • IT and Telco service providers,
  • receivable collection entities,
  • lawyers, consultants,
  • marketing agencies,
  • providers of print and postal services, including courier services,
  • credit registers,
  • HR and accounting service providers.

Under certain circumstances, we may be bound to disclose your personal data to various governmental and international authorities, but only to the extent required by the applicable legislation.

Your personal data may be processed on the territory of the Czech Republic and of other countries of the European Union or, where applicable, on the territories of the countries in which the W.A.G. Group has its presence. Concerning the countries outside the EU, we provide adequate safeguards of the protection of personal data.

What is our source of your personal data – do you have to provide us with the information?

Most often, we collect your personal data from you because their processing is necessary for the execution and performance of the contract (the provision of products/services), the fulfillment of our legal obligations or the protection of our legitimate interests. Depending on the situation, we may also process personal data that are available from public sources and registers (trades, business, insolvency registers) and, in some cases, data from third parties (about our customers’ employees, such as an accountant’s or dispatcher’s phone number or selected personal data of drivers, as well as data from the state administration, or information from the persons listed as references in your application in the selection proceedings). In all these cases, you are required to provide us with your personal data because we would be unable to cooperate with you without such data.

In some cases, you have provided us with your personal data based on your voluntary consent. A voluntary consent means that you are not required to provide us with your personal data and that you may withdraw your consent at any time.

Persons under the age of 18

Our customers or suppliers regularly do not include persons under the age of 18. Such persons may, however, be willing to join us for internship training period or temporary job. Their personal data are therefore used for restricted purposes.

Why do we hold your personal data and how do we use them?

We can process mainly the following categories of personal data, especially for the purposes listed below. Our processing is governed by the valid legislation and always subject to verification of the legal grounds for processing.

The scope of collected personal data varies according to the purposes for which the personal data are needed. You can learn more from the examples provided further in this document.

Categories and scope of personal data:
Basic data = Identification and contact data

We need to identify you to make sure you are the person we are dealing with. That is why we may collect your basic identification and personal contact data via electronic, phone, written or personal communication.

The basic data include especially the following information: first name, surname, other names, date of birth, nationality, address, e-mail address, telephone number, identity card number, identity card photo, bank account number, company identification number (IČO), tax identification number (DIČ), personal number, if it has been assigned, vehicle registration plate number and VIN.

Data such as your name, surname, address, e-mail and account number may be part of the agreement you enter into for the use of our products. Your name, surname and phone number may be recorded during a phone call. When setting up an account on the client website, we may, in addition to contact and identification data, also collect the IP addresses or URL. In e-mail communication, we may collect your e-mail address, IP address, or the language you use.

Data relating to products/services

We may process personal data that are closely related to the manner in which you use our products/services or the data that you communicate or otherwise make available to us during your use of the products/services and may take this information into consideration in e.g. setting up the payment scheme.

We can, for example, investigate how often you use our services/products and for which fleet, or information about your payment history demonstrating your creditworthiness and reliability.

These may include offers provided to you, financial limits, payment reports and other similar information.

Data from our communication

We may collect information about how you access our services, from what devices and for what purpose. This helps us optimize and further develop our platforms, as well as improve the security of communication channels.

These data may include the IP address, device browser and hardware information, your chosen form of communication - phone, email, mail, online chat, Facebook, Twitter, LinkedIn, whether it is a response to a business communication, or information from surveys.

We are interested in hearing your opinion; we may therefore collect information that can be used to improve our services, offer you products that are best suited for you and deliver these products in the manner that is most convenient for you.

We can also process feedback, comments, suggestions and results of non-anonymous surveys as personal data.

Such information may include information on the use of our websites and applications, information about our mutual contact via any contact point (for how long, which topic was

discussed and which communication channel was used), including settlement of complaints and service requests.

Profile data

In automatic data processing mode, we can process your basic characteristics, business information and risk data. These data will enable us to offer you products/services that suit your needs and to ensure both our and your safety.

We can use the data for profiling that involves tracking, analyzing and storing personal data in databases to create personal profiles, even in an automated mode. Thus processed personal data may serve to create business recommendations so that we can offer you tailor-made products and services. Such information, particularly after its generalization, may also be used to create marketing campaigns. Such data also allow us to set up more advantageous services for you. Automated personal data processing does not mean that an automated decision was made having specific consequences for you. Even automated data processing always involves a human factor, either initially when selecting the data or groups of data, or when controlling the output.

Such data may include, for example, the scope of services ordered, payment transactions or financial or cyber risk assessment.

Other data

The use of certain services is connected with the processing of geolocation data. These data are used to determine (or reverse verify) the current location of the device used for the provided service. Typically, we process these data for our customers and only serve as a data processor bound by the customers’ instructions.

These services mainly include Fleet Management Services (Telematics) and may constitute part of OBU units. Geolocation data can be used by our customers to better plan fleet capacity or shifts or to prevent vehicle theft.

For security reasons, we can record your movement from our Truck Parks and Truck Points, including payment point records. Such records are used to protect our property. In some cases, these records can be made available to our customers if they want to protect their property (e.g. upon suspected employee fraud). Our role (as processors) then depends on the customers to whom personal data are made available.

If your car is damaged, the camera record may be provided to the police.

We may also make and keep records of phone calls and online chats, yet exclusively for our own needs.

We can use this information for the purposes of ensuring good quality customer service, especially for handling your requests or suggestions. Records may also be temporarily stored and used as evidence in the event of a dispute.

What makes us authorized to process your personal data and what particular purposes your data can be processed for.

You have signed or plan to sign a contract with us

  • o Conclusion and performance of a contract
    • Who may be concerned: Customers, suppliers
    • What type of personal data can be processed for particular types of contracts:
      • Supplier contract (we receive products/services) - name, surname, address, IČO number, DIČ number, account number, etc.
      • Customer contract (we provide products/services) – particularly the following data may generally be collected for all services: name, surname, address, IČO number, DIČ number, telephone number, e-mail, client section access data, account number, payment dates and amounts, information about other parties related to the customer (typically an accountant, dispatcher, driver ...), etc.
        • In addition, depending on the type of service used:
          • Refueling of vehicles: fuel volumes, registration plate numbers of vehicles used by you, card identification features - number, name,
          • Toll: vehicle registration plate number, weight and VIN of vehicles used by you,
          • Fleet Management Services (Telematics): geolocation data (see the glossary of terms) about the location of the vehicles used by you (these may include information about the vehicle movement, whether it is a business or private journey, where and how fast the vehicle is moving);
          • EWMC: information on financial transactions,
          • o Tax Refund Service: Information on specific tax duties;
    • Service requirements and other individual requirement solutions
      • Who may be concerned: Customers, suppliers
      • What type of personal data, in particular, we process: financial transaction data, SIM identification from the toll unit, etc.
    • Processing of cash transactions under a contractual relationship
      • Who may be concerned: Customers, suppliers
      • What type of personal data, in particular, we process: name, surname, address, DIČ and registered office of private entrepreneurs, e-mail, telephone, bank account number, financial transaction data and authorization terminal data, data on the recipient of the funds, amounts, dates of processing, performance, e.g. entering a payment order, where the drawdown was made and how much was drawn, etc.
    • Ensuring access to our website client (non-public) sections and applications
      • Who may be concerned: Customers, suppliers
      • What type of personal data, in particular, we process: name, surname, address, DIČ and registered office of private entrepreneurs, e-mail, telephone, IP address, access data, etc.
We have a legitimate interest in processing personal data.
Business activities
  • Collection of receivables and protection of our other rights
    • Who may be concerned: Customers, suppliers, statutory bodies, employees and co-operating parties of our customers or suppliers
      • What type of personal data, in particular, we process: name, surname, address, DIČ and registered office of private entrepreneurs, e-mail, telephone, bank account number, and financial transaction data: amounts, performance, etc.
      • These are, for example, situations where a customer is in default and in order to recover the amount due, the customer’s identification and financial transaction data serve as a basis for a court action.
    • Business partner relations management
      • Who may be concerned: Customers, suppliers
      • What type of personal data, in particular, we process: name, surname, address, DIČ and registered office of private entrepreneurs, e-mail, telephone, bank account number, and financial transaction data: amounts, performance, financial limits, billing dates, etc.
      • We process personal data in order to improve our relationships. These are, for example, situations where we discuss the transition from prepaid services to services paid retrospectively.
    • Telemarketing
      • Who may be concerned: Customers
      • What type of personal data: name, surname, business name, telephone.
      • When customers are contacted via a telephone (voice) line by the W.A.G. Group with an offer of our products/services, yet only by the company with which the customer has already been in contact before.
    • Communicating other important information
      • Who may be concerned: Customers
      • What type of personal data, in particular, we process: selected personal data related to business information, such as changes in business conditions, etc.
Security activities / risk management
  • Assessment of financial risk and creditworthiness
    • Who may be concerned: Customers, suppliers
    • What type of personal data, in particular, we process: information from the insolvency register, checking open items in the internal system.
    • We can validate such data on a continuous basis. If no risk is identified, the data are disposed of after the assessment.
  • CCTV camera records
    • Who may be concerned: Customers, suppliers, future employees
    • What type of personal data, in particular, we process: records of faces or figures, vehicle registration plate number
    • You can come across CCTV camera records at our petrol stations, in buildings and in their vicinity; they serve to protect our rights and our property or the rights and property of third parties (customers, suppliers, employees).
      Voice records
    • Who may be concerned: Customers, future employees
    • What type of personal data, in particular, we process: name, surname, telephone, or more extensive data dependingon the particular situation.
    • Voice recordings are made in selected cases when communicating over the phone; you are always alerted to thepossibility that the call can be recorded. The records serve, in particular, to improve the quality of service and to protect both your and our rights.
  • Profiling for business use
    • Who may be concerned: Customers
    • What type of personal data, in particular, we process: name, surname, address, business name, transactionhistory, vehicle registration plate number, etc. These are situations where personal data are processed especially forthe purposes of analyzing changes in customer behavior. The output of the profiling process itself has no direct impact on the customer and serves, primarily, as the basis for our sales representatives who can, based on such output, tailor the services to your real needs.
Internal processes
  • Product and service development, simulation and testing
    • Who may be concerned: Customers, future employees
    • What type of personal data, in particular, we process: various combinations of personal data needed to set up future products/services or improve current products/services.
  • Internal analysis and training of predictive models over historical data
    • Who may be concerned: Customers, suppliers, future employees
    • What type of personal data, in particular, we process: various combinations of personal data, such as name, surname, DIČ number, vehicle registration plate number, financial transaction, card number.
  • Accounting and Taxes
    • Who may be concerned: Customers, suppliers
    • What type of personal data, in particular, we process: name, surname, address, DIČ and registered office of private entrepreneurs, e-mail, telephone, bank account number, and financial transaction data: amounts, performance, billing dates, etc.
Other
  • Communication
    • Who may be concerned: Customers, suppliers, future employees
    • What type of personal data, in particular, we process: name, surname, address, DIČ and registered office of private entrepreneurs, e-mail, telephone, social media profiles, etc.
    • We can use personal information to answer your questions, requests or complaints. We can use data about your personal visit or records from telephone communication.
  • Employment
    • Who may be concerned: future employees
    • What type of personal data, in particular, we process: name, surname, address, e-mail, telephone, CV data, other persons' data in case of references, information you provide us during the interviews. We can keep this information for a period until the specific position is occupied and for a period until the selected candidate's trial period expires. We need this information to evaluate your interest in a specific position and to inform you about the course and outcome of the selection process.
We have acquired your consent

If we need your consent, we always explain what type of data we would use and why. Your consent is absolutely voluntary and it is up to you to decide whether you will provide your consent to us. Your failure to provide your consent to such processing shall not affect the scope of services you have ordered from us.

If we ask you to give us your consent to the use of your personal data, you may decide whether the reason for the use of your personal data is important and acceptable to you and, based on the decision, you will/will not give us your consent.

If you grant us your consent, you are entitled to withdraw your consent at any time. The easiest way to withdraw your consent is described below in the section concerning your rights.

  • Marketing activities
    • Who may be concerned: Customers
    • What type of personal data, in particular, we process: name, surname, business name, e-mail, telephone number.
    • We will endeavor to obtain your consent to share these personal data with all companies in the W.A.G. Group (a list of which is available here).
    • At the same time, we will endeavor to obtain your consent, in particular, to send emails and text messages with product/service offers of individual W.A.G. Group companies.
  • Storing cookies
    • For this purpose, we process information on the devices from which you electronically access our services, your service setting preferences and the data you fill in on our website in order to ensure your user-friendly and convenient use of our website. We store certain data on your device in the form of “cookies” (see the glossary of terms). Cookies allow us to respect your choice of language and maintain the data entered by you in our online forms in case you want to return later. You are specifically alerted to our request to process cookies. How to handle cookies can be found in a separate document.
  • Consent to make copies/scans of your identity cards
    • For some products/services, we may request your consent to obtain a copy or scan of your identity card. You are not obliged to give us your consent; your consent will serve to facilitate the provision of the service, yet will not affect the decision on the actual provision/non-provision or use/non-use of the service.
  • Employment
    • Who may be concerned: future employees
    • What type of personal data, in particular, we process: name, surname, address, e-mail, telephone, CV data, other persons’ data in case of references, information you provide us during the interviews, etc.
    • If you are not successful in a selection procedure for a specific position, yet you remain interested in potential cooperation with us in the future, we will keep your CV for a period of 3 years or until you withdraw your consent; otherwise your personal data will be erased upon the expiry of the trial period of the selected candidate as, on that date, our legitimate interest, as described above, will expire.
The processing of personal data is required pursuant to valid legislation

We present below the most important legislation stipulating what type of personal data, how and for how long we may or must process.

  • o Prevention, control, evaluation and detection of money laundering
    • o Who may be concerned: customers, their representatives, members of statutory bodies, actual owners of legal entities
    • o What type of personal data, in particular, we process: name, surname, address, DIČ and registered office of private entrepreneurs, e-mail, telephone, bank account number and financial transaction data: amounts, performance, performance recipients, etc. In addition, for this purpose, we collect information about actual business owners, members of the corporate governance structure, customers’ and their related parties’ political exposure; to the extent necessary we also use software tools for information and transaction analyses.
  • o Processing of accounting and tax information
    • o Who may be concerned: customers, suppliers, etc.
    • o What type of personal data, in particular, we process: name, surname, address, DIČ and registered office of private entrepreneurs, e-mail, telephone, bank account number and financial transaction data: amounts, performance recipients, dates, etc., i.e. information regularly found in invoices, tax returns or transaction statements. We are obliged to maintain such information for up to 30 years

How long we keep the data

We only store your data for the necessary period of time; after the completion of processing, we archive the data in compliance with the requirements of the applicable legislation, delete or anonymize the data. We continually evaluate which data is still needed to be retained. For your information, we state below certain selected periods:

  • We generally keep personal data obtained on the basis of a contract or in connection with the performance of a contract for at least 5 years from the date of termination of the contract.
  • We have to store certain personal data pursuant to the requirements of anti-money laundering legislation; we have the obligation to archive such data for 10 years from the termination of the contractual relationship with the customer.
  • Tax and accounting regulations require us to archive selected personal data for up to 30 years.
  • On the other hand, certain purposes require minimum retention period; the period of personal data retention is determined with regard to the actual necessary period of processing of the data. For example, camera recordings stored for the purposes of protection of our rights and your rights can be stored for a maximum of one month according to the technical capabilities of the specific site where the recording was made. Where personal data are processed for internal purposes, such as product development, simulation and testing, then these personal data are typically used only once and are then erased or anonymized. The CVs we receive can be processed and stored for the period described above, then they are deleted or archived for 3 years or until withdrawal of your consent, whichever occurs earlier. Data about visitors to our branches are stored for 5 business days; after that they are deleted.

What are your rights related to personal data protections?

Right to information means that you have the right to receive information about which companies, how and why process your personal data and information about other facts contained in this information memorandum.

Right of access means that you have the right to know what type of information we process about you and why, who they are shared with (if applicable) and what is our source of your personal data.

Right to rectification means that you are entitled to request correction as soon as you find out that we do not have your updated personal data or use inaccurate data (misspelled name, old address…).

Right to erasure, also known as the right to be forgotten means that your personal data will be erased as soon as permitted by other legislation, particularly if the purpose for which the personal data were used was met (termination of contract, termination of selection procedure, etc.)

Right to restriction of processing means that we will not process your personal data in the period in which we, at your initiative, investigate the accuracy and completeness of your personal data, or if you explicitly wish that we do not delete your personal data for an important reason. This right may partly be exercised even without your explicit instructions (particularly if we find out that your personal data are not accurate). As soon as the reasons for restriction of processing no longer exist, we will inform you of the same.

Right to portability of data means that, if needed, you can request us to transfer your personal data to you or to another data controller in an electronic form. This only applies to your personal data held in electronic form, which we need to perform a contract with you or for the processing of which we received explicit consent from you.

Right to object against processing. You can exercise this right if you do not wish us to use your personal data for the purposes of direct marketing, or if you believe that we are not entitled to process your data.

Right to withdraw consent. You can use this right at any time if you decide that you no longer wish us to process your data for the purpose for which you gave us your consent. Withdrawal of your consent shall not affect the processing carried out prior to withdrawal of your consent.

Automated decision-making means that you have the right not to be the subject of a decision made without any human intervention, including in profiling.

We will do all that can be reasonably expected from us to allow you to exercise your rights. However, we are unable to meet your requirements in cases where we are unable to allocate the personal data to your person.

How can you exercise your rights?

You can exercise your rights with the W.A.G. Group company that carries out your personal data processing. Most often, it is the company that you provided your personal data to. You can exercise your rights via the W.A.G. Group’s joint email address: compliance@eurowag.com or customercare@eurowag.com.

In the event that the W.A.G. Group breaches any of your rights relating to personal data protection, you have the right to lodge a complaint with the data protection authority in the relevant country. You can find a list of these authorities at the following link (http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm).

Glossary of terms

Personal data – all data which may serve to identify a particular individual.

Data subject – any particular natural person (including private entrepreneurs as a particular person can be identified by certain data).

Controller – any person who collects, handles (processes personal or has personal data processed by a processor) and bears responsibility for the personal data; the person with whom you exercise your rights.

Processor – any person who processes personal data for the purposes for which it has been engaged by the data controller.

Purpose – the reason why the personal data are processed.

Processing – any operations carried out on personal data for a particular purpose.

Customers – future, current and former – natural persons/companies/private entrepreneurs having access to our client website, and natural persons/companies/private entrepreneurs using any of our products.

Suppliers – future, current and former – natural persons/companies/private entrepreneurs cooperating with the W.A.G. Group

Future employees – persons who show interest in working for the W.A.G. Group, including under agreements to complete a job, agreements to perform work or as temporary staff.

Cloud repository – virtual space for storing large quantities of data.

Geolocation data – data concerning location and movement.

Cookies and similar technologies - cookies are data files that a web site sends to your browser that stores it on the device you use to view the website.