Information Notice of Personal Data Controller

Information for the consenting spouse.

Prime Car Management S.A., based in Gdańsk (80-308) ul. Polanki 4 (“Company”) hereby states that with respect to your personal data acquired by the Company, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/WE (hereinafter accordingly: “personal data” and “GDPR”), the Company has become and remains the controller of such acquired personal data.

The Company has appointed a data protection officer who can be contacted at the following address:
– Data Protection Officer, Prime Car Management S.A. ul. Polanki 4, 80-308 Gdańsk,
– e-mail address: iodo@masterlease.pl.

The Company processes your data (including such data categories as forenames, surname, company name, identification numbers, address details, contact details, data for telecommunication tools used, data concerning employment, business as well as obligations applied for and dealt with) in connection with the intention to conclude a contract for a product or service offered by the Company (hereinafter: “Contract”), or the performance of such a contract already concluded.

The Company may also obtain, supplement, verify or update your data based on:

1. publicly available registers, business and credit information offices or other bases which may be used by the Company pursuant to the provisions of the applicable law or your consent;

2. information about you, including personal data, held by other companies of the capital group of PKO Bank Polski S.A.; the basis for the exchange of data within this Group is your consent, while for risk management – the statutory or legitimate interests of companies subject to the exchange, in connection with the applicable regulations of the common law.

Legal bases for data processing

The personal data obtained from you are processed lawfully, and their processing legal basis are:

1. statutory requirements – i.e. processing is necessary for the Company to comply with its legal obligations under the legal provisions, as specified in Article 6(1)(c) of the GDPR; 

2. legitimate interests of the controller – i.e. processing is necessary for the purposes of the legitimate interests pursued by the controller, as specified Article 6(1)(f) of the GDPR.

Purpose of data processing

Based on the above legal bases for data processing, the Company processes your data for the following purposes:

1. for the purpose of analysing the possibility of concluding the Contract:
a) covered by the request submitted by your spouse, or
b) secured by your spouse,
based on legitimate interests of the controller;

2. for the purpose of performing the Contract concluded between your spouse and the controller – to which you have given consent – in the scope necessary for asserting claims, as necessary (including requests and complaints), following from the Contract – based on legitimate interests of the controller;

3. for the purpose of complying with anti-money laundering and anti-terrorist financing regulations and obligations imposed on obligated institutions and, in the event of concluding the Contract, also for the purpose of complying with legal regulations, e.g. tax settlements – based on statutory requirements;

4. for the purpose of asserting and defending against claims relating directly or indirectly to the Contract – based on legitimate interests of the controller;

5. for the purposes of ensuring the effectiveness, legality and security of the business activity carried out by the controller and the processing of personal data, in certain cases related to building and analysing your profile – based on legitimate interests of the controller.

The period of processing

The period of processing of the collected personal data is related to the purposes indicated above. In view of the above, personal data will be processed for the longer of the following periods:

1. for the period in which data must be stored under legal regulations or

2. for the period of limitation for any claims, the pursuit of which requires data availability.

Entities to whom data may be disclosed

Personal data obtained may be disclosed in the course of their processing for the purposes indicated above – to entities other than the Company, i.e.:

1. to companies of the PKO Bank Polski S.A. Capital Group, of which the Company is a member; the current list of such entities is available at www.pkobp.pl, in particular to PKO Leasing S.A. based in Łódź, al. Marszałka E. Śmigłego-Rydza 20 or PKO Bank Polski S.A. based in Warsaw at ul. Puławska 15, for the following purposes:
a) administration of human resources as well as conducting analyses and implementing process solutions relevant to the optimisation of the business activity of the capital group, based on terms and conditions established in the agreements concluded between entities within the capital group;
b) execution of legitimate interests of the PKO Bank Polski S.A. Capital Group, resulting from the rights of the entities from this group to exchange information to prevent fraud or effective risk management and financial reporting within the capital group, in connection with the applicable laws;
c) indicated in your consent to the processing of personal data.

As a result of making such data available by the Company, the entity from the capital group receiving these data will become, from the moment of their reception, an independent controller and will process these data for the purposes indicated in this point. With respect to PKO Leasing S.A. and PKO Bank Polski S.A., the principles of data processing and your rights resulting from this fact are described on the websites of PKO Leasing S.A. and PKO Bank Polski S.A. in the tabs dedicated to personal data protection (GDPR).

2. to entities providing services to the Company which are important for the Company to conduct business activity, e.g. IT or operational service providers, auditors, advisors (including legal advisors), and to entities that are entitled to obtain information on the basis of legal regulations.

3. to the entities of Masterlease Capital Group to which the Company belongs, the current list of the entities being found at www.masterlease.pl/grupa, each based at ul. Polanki 4 in Gdańsk, in order to analyse and implement process solutions relevant for optimising business operations and to pursue legitimate interests in the exchange of information for fraud prevention, effective risk management as well as financial reporting and contract handling. 

Data processing principles

The processing of your data by the Company is based on a voluntary basis; however, the refusal to provide data may make it impossible to take the actions you have requested. e.g. to perform the contract.

Realization of data persons’ rights

In cases and on principles set out in the provisions on the protection of personal data, you have the right to access, rectify or delete your data, restrict the processing of your data, object to the processing of personal data based on a legal basis in the form of legitimate requirements of the controller, as well as transfer of personal data.

If you do not agree with the content of the decision taken by automated means, you have the right to reconsider the subject matter of the analysis, taking into account additional information provided by you and with the participation of a substantively competent representative of the Company.

You can exercise these rights by sending a relevant request by post to the following address:
– ul. Polanki 4, 80-308 Gdańsk or
– by e-mail to: odo@masterlease.pl.

Transfer data outside the European Economic Area (EEA)

Please be advised that it may also be necessary to transfer your personal data outside the European Economic Area (EEA), due to the potential possibility of some of our suppliers or auditors being the recipients of the data to operate there.

In any such case, before transferring the data, however, we will ensure that, as part of ensuring data security, our suppliers or auditors guarantee a high level of personal data protection by obliging these entities to use standard contractual clauses adopted by the European Commission and confirming the existence of effective data protection enforcement mechanisms, required by the European Union law.

You have the right to request us to provide you with a copy of the appropriate security measures (protection measures) that we apply in connection with the transfer of your data outside the EEA, by directing your inquiry to the above-mentioned address of the Data Protection Officer.