Information Notice of Personal Data Controller

Information for the client (contract cocluded offline, Prime Car Management).

Prime Car Management S.A., based in Gdańsk (80-308) ul. Polanki 4 (“Company”) hereby states that with respect to your personal data acquired by the Company, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/WE (hereinafter accordingly: “personal data” and “GDPR”), the Company has become and remains the controller of such acquired personal data.

The Company has appointed a data protection officer who can be contacted at the following address:
– Data Protection Officer, Prime Car Management S.A. ul. Polanki 4, 80-308 Gdańsk,
– e-mail address: iodo@masterlease.pl.

The Company processes your data (including such data categories as forenames, surname, company name, identification numbers, address details, contact details, and data for telecommunication tools used) in connection with the intention to conclude a contract for a product or service offered by the Company (hereinafter: “Contract”), or the performance of such a contract already concluded.

The Company may also obtain, supplement, verify or update your data based on:

1. publicly available registers, business and credit information offices or other bases which may be used by the Company pursuant to the provisions of the applicable law or your consent;
2. information about you, including personal data, held by other companies of the capital group of PKO Bank Polski S.A.; the basis for the exchange of data within this Group is your consent, while for risk management – the statutory or legitimate interests of companies subject to the exchange, in connection with the applicable regulations of the common law.

Legal bases for data processing

The personal data obtained are processed lawfully, and their processing legal basis may be:

1. consent – i.e. your voluntary consent to the processing of your data under Article 6(1)(a) of the GDPR;
2. contractual requirements – i.e. processing is necessary for the performance of the concluded Contract, as specified in Article 6(1)(b) of the GDPR;
3. statutory requirements – i.e. processing is necessary for the Company to comply with its legal obligations under the legal provisions, as specified in Article 6(1)(c) of the GDPR;
4. legitimate interests of the controller – i.e. processing is necessary for the purposes of the legitimate interests pursued by the controller, as specified in Article 6(1)(f) of the GDPR.

Purpose of data processing

Based on the above legal bases for data processing, the Company processes or may process your data for the following purposes:

1. for the purposes indicated in the consent – on the basis of such consent – in this case you may withdraw your consent at any time, which will not affect the legality of the processing performed on the basis of your consent before its withdrawal; the refusal to consent or its withdrawal will prevent the Company from processing your data for the purposes indicated in the consent;

2. for the purpose of performing the Contract – based on contractual requirements;

3. for the purpose of predicting your ability to perform the Contract concluded, including by building and analysing your profile as well as making predictions – based on legitimate interests of the controller;

4. for the purpose of complying with anti-money laundering and anti-terrorist financing regulations and obligations imposed on obligated institutions, also for the purpose of complying with legal regulations, e.g. tax settlements – based on statutory requirements;

5. for the purpose of performing the Contract, including the handling of inquiries and complaints, executing your orders, e.g. assignment and conclusion of accompanying contracts, e.g. a contract for the purchase of a leased asset, a contract securing the Company’s receivables – based on contractual requirements;

6. for the purpose of asserting and defending against claims relating directly or indirectly to the Contract – based on legitimate interests of the controller;

7. for the purpose of marketing the Company’s products and services (including, in particular, financing services, as well as insurance mediation services), which may be in certain cases preceded by the establishment of your profile and its analysis by the Company, during the term of the contract – based on legitimate interests of the controller or after the expiry/termination of the contract;

8. for the purpose of handling requests sent using the contact form or other available communication channels – based on pre-contractual requirements or based on legitimate interests of the controller, depending on the subject matter of a request;

9. for the purpose of enabling the use of the eMaster Customer Service Panel as well as managing permissions and access to this panel – based on contractual requirements;

10. for the purposes of ensuring the effectiveness, legality and security of the business activity carried out by the controller and the processing of personal data, in certain cases related to the building and analysing your profile – based on legitimate interests of the controller;

12. for the purposes of securing acquired financial resources (e.g. as part of a securitisation agreement entered into by the Company) – based on legitimate interests of the controller.

The period of processing

The period of processing of the collected personal data is related to the purposes indicated above. In view of the above, personal data will be processed for the longer of the following periods:

1. for the period in which data must be stored under legal regulations or

2. for the period of limitation for any claims, the pursuit of which requires data availability.

Entities to whom data may be disclosed

Personal data obtained may be disclosed in the course of their processing for the purposes indicated above – to entities other than the Company, i.e.:

1. to companies of the PKO Bank Polski S.A. Capital Group, of which the Company is a member; the current list of such entities is available at www.pkobp.pl, in particular to PKO Leasing S.A. based in Łódź, al. Marszałka E. Śmigłego-Rydza 20 or PKO Bank Polski S.A. based in Warsaw at ul. Puławska 15, for the following purposes:

a) administration of human resources as well as conducting analyses and implementing process solutions relevant to the optimisation of the business activity of the capital group, based on terms and conditions established in the agreements concluded between entities within the capital group;

b) execution of legitimate interests of the PKO Bank Polski S.A. Capital Group, resulting from the rights of the entities from this group to exchange information to prevent fraud or effective risk management and financial reporting within the capital group, in connection with the applicable laws;

c) indicated in your consent to the processing of personal data.

As a result of making such data available by the Company, the entity from the capital group receiving these data will become, from the moment of their reception, an independent controller and will process these data for the purposes indicated in this point. With respect to PKO Leasing S.A. and PKO Bank Polski S.A., the principles of data processing and your rights resulting from this fact are described on the websites of PKO Leasing S.A. and PKO Bank Polski S.A. in the tabs dedicated to personal data protection (GDPR).

2. to the entities of Masterlease Capital Group to which the company belongs, the current list of the entities being found at www.masterlease.pl/grupa, to analyse and implement process solutions relevant for optimising business operations and to pursue legitimate interests in the exchange of information for fraud prevention, effective risk management as well as financial reporting and contract handling.

3. to insurance companies cooperating with the Company, to its agents and reinsurers, to the extent necessary to prepare the calculation of financial terms and conditions of property or personal insurance offered in connection with the Contract, if such an obligation or right of the Company arises from the Contract or is permitted under applicable law, and in case you have given the appropriate consent.

4. to entities providing services to the Company which are important for the Company to conduct business activity, e.g. IT or operational service providers, auditors, advisors (including legal advisors), entities dealing with debt collection as well as with the recovery of contractual objects in the event that a situation justifying the recovery of contractual objects arises, property appraisers, insurance brokers, insurance agents and motor claims adjusters (for the purpose of verifying the terms and conditions of your insurance policy and the settlement of motor claim), in addition to entities that are entitled to obtain information on the basis of legal regulations.

5. to an insurance agent, insurance broker and insurance companies, for the purpose of providing an insurance offer, concluding and performing an insurance contract, verifying the terms of an insurance contract concluded by the Company at your expense in connection with the Contract.

6. to the providers of items financed under the Contracts concluded and to the providers of maintenance services specific to such items where such services are provided for in the relevant Contract.

7. to entitled entities that file in a credible claim in connection with violation of traffic regulations or rules of use of toll road infrastructure and parking zones by the user of leased assets.

8. to entities providing fuel cards – for the purpose of executing a fuel sales agreement in a cashless system with the use of fleet cards, if such a contract has been concluded with the Company.

Data processing principles

The processing of your data by the Company is based on a voluntary basis, however, the refusal to provide data may make it impossible to take the actions you have requested, e.g. the processing of an application for a Contract or the execution of such a Contract, or enabling the use of the eMaster Customer Service Panel.

Your personal data may be processed using analytical models in an automated manner, including profiling, for risk analysis and marketing purposes. As a result, we will be able to apply to you a simplified processing procedure or implement solutions that support liability servicing, protect the assets of the Company and its stakeholders or present you with a customized offer of products and services offered by the Company.

Realization of data persons’ rights

In cases and on principles set out in the provisions on the protection of personal data, you have the right to access, rectify or delete your data, restrict the processing of your data, object to the processing of personal data based on a legal basis in the form of legitimate requirements of the controller, as well as transfer of personal data.

If you do not agree with the content of the decision taken by automated means, you have the right to reconsider the subject matter of the analysis, taking into account additional information provided by you and with the participation of a substantively competent representative of the Company.

You can exercise these rights by sending a relevant request by post to the following address:
– ul. Polanki 4, 80-308 Gdańsk or
– by e-mail to: odo@masterlease.pl.

Right to lodge a complaint

Notwithstanding the foregoing, you have also the right to lodge a complaint with the competent supervisory authority (President of the Office for Personal Data Protection), specified in the currently applicable act regulating the principles of personal data protection.

Transfer data outside the European Economic Area (EEA)

Please be advised that it may also be necessary to transfer your personal data outside the European Economic Area (EEA), due to the potential possibility of some of our suppliers or auditors being the recipients of the data to operate there.

In any such case, before transferring the data, however, we will ensure that, as part of ensuring data security, our suppliers or auditors guarantee a high level of personal data protection by obliging these entities to use standard contractual clauses adopted by the European Commission and confirming the existence of effective data protection enforcement mechanisms, required by the European Union law.

You have the right to request us to provide you with a copy of the appropriate security measures (protection measures) that we apply in connection with the transfer of your data outside the EEA, by directing your inquiry to the above-mentioned address of the Data Protection Officer.