Procedure for exercising natural persons’ rights
Procedure for exercising natural persons’ rights and for dealing with breaches of processed data protection.
Preamble
1. The Masterlease Group shall ensure the rights of natural persons set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”), i.e.:
A. the right of access,
B. the right to rectification,
C. the right to erasure,
D. the right to restrict processing,
E. the right to data transfer,
F. the right to object,
G. the right to withdraw consent,
H. the right not to be subject to a decision based solely on automated processing, including profiling.
2. A natural person who has concluded or intends to conclude a contract with the Masterlease Group may file a request with respect to the exercise of the rights set forth in the Preamble, section 1 items A–H.
3. The Masterlease Group shall ensure handling of the reported requests and execution of the natural persons’ rights according to the principles described in this procedure.
I Basic definitions
1. A Controller shall mean a natural or legal person, public authority, agency, or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The Controller shall be the company of the Masterlease Group with which the contract has been concluded, which has been covered by the contract application, with which correspondence has been carried out (regardless of the method) in order to conclude the contract.
2. The Masterlease Group is composed of:
a) Prime Car Management S.A., based in Gdańsk at ul. Polanki 4, 80-308 Gdańsk, entered in the Entrepreneurs’ Register of the National Court Register kept by the District Court of Gdańsk-Północ [Sąd Rejonowy Gdańsk-Północ] in Gdańsk, VII Economic Division of the National Court Register under KRS number 0000013870, designated by: NIP [tax identification number] 957-07-53-221 and REGON [statistical number] 191888626, with its paid-in share capital of PLN 23,817,680.
b) Futura Leasing S.A., based in Gdańsk at ul. Polanki 4, 80-308 Gdańsk, entered in the Entrepreneurs’ Register of the National Court Register kept by the District Court of Gdańsk-Północ [Sąd Rejonowy Gdańsk-Północ] in Gdańsk, VII Economic Division of the National Court Register under KRS number 0000069348, designated by: NIP [tax identification number] 584-102-74-54 and REGON [statistical number] 190917030, with its paid-in share capital of PLN 1,689,320.
c) Masterlease Sp. z o.o., based in Gdańsk at ul. Polanki 4, 80-308 Gdańsk, entered in the Entrepreneurs’ Register of the National Court Register kept by the District Court of Gdańsk-Północ [Sąd Rejonowy Gdańsk-Północ] in Gdańsk, VII Economic Division of the National Court Register under KRS number 0000362287, designated by: NIP [tax identification number] 584-26-99-948 and REGON [statistical number] 221068509, with its paid-in share capital of PLN 7,905,000.
d) MasterRent24 Sp. z o.o., based in Gdańsk at ul. Polanki 4, 80-308 Gdańsk, entered in the National Court Register kept by the District Court of Gdańsk-Północ [Sąd Rejonowy Gdańsk – Północ] in Gdańsk, VII Economic Division of the National Court Register under KRS number: 0000247010, designated by: NIP [tax identification number] 521-33-70-054 and REGON [statistical number] 140354130, with its paid-in share capital of PLN 2,850,000.00.
3. Personal data shall mean information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, internet identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
4. Processing shall mean an operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction.
5. A Processor shall mean a natural or legal person, public authority, unit, or another entity, which processes personal data on behalf of the Controller.
6. A breach of personal data protection shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
II Submission and handling of natural persons’ rights
1. Requests from natural persons concerning the exercise of the rights set out in the Preamble, section 1 items A–H may be addressed to the Controller:
a) in writing to the address: 80-308 Gdańsk, ul. Polanki 4,
b) by e-mail to: odo@masterlease.pl.
2. A request by a natural person for the exercise of rights shall include:
a) details concerning the natural person (forename, surname) who is the subject of the request and the person making the request,
b) a description of the request submitted, with an indication of any objections,
c) signature of the person submitting the request in writing,
d) power of attorney if a proxy is acting on behalf of the submitting person,
e) information on the preferred form of response, if the response channel is to be different from the request submitted.
3. Prior to the execution of the request, the Controller may ask the data subject to verify their identity.
4. To be able to execute the requests of natural persons, the Controller has implemented organisational and technical measures to ensure that the above rights are exercised without undue delay, and not later than within one month of receiving the request from a natural person. In the case of a complicated request or a substantial number of requests submitted, the Controller shall, within one month of receiving the request from a natural person, notify the data subject of the extension of the time limit by no more than two months, stating the reasons for the delay.
5. If a natural person’s request cannot be taken into account, the Controller shall notify the natural person within the above-mentioned time limit of the refusal to execute the request, stating the reason therefor.
6. The Controller’s activities undertaken in response to the submitted requests are free of charge. Exceptionally, if a natural person’s requests are clearly excessive – the Controller has the right to charge a fee in the amount appropriate to the response costs.
7. The Controller informs that in some cases, even where the right to erase data is exercised, it shall retain, for the purposes of registration or completion of the request submission, certain information that was initiated prior to submission of a specific request.
III Rules for exercising the rights of natural persons
A. Right of access (Art. 15 of the GDPR)
1. The right of access includes:
a) the right of access to data;
b) the right to information about:
i. the purposes of processing and categories of personal data concerned,
ii. the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
iii. the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing and the right to lodge a complaint with a supervisory authority,
iv. where the personal data are not collected from the data subject, any available information as to their source.
c) the right to information whether:
i. the Controller uses automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject,
ii. the data have already been or are to be disclosed to the recipients, and, if so, also the information on those recipients, whereas in a specific case, i.e. where they are transferred to a third country or to an international organisation, also information of the appropriate safeguards relating to the transfer.
d) the right to obtain a copy of processed personal data.
2. In the case of natural persons whose data are processed by the Controller – the right of access is exercised by providing the requested information in writing or by electronic means. When the information is provided by electronic means, the Controller shall ensure that the data transmitted are secured in an appropriate manner.
3. The Controller shall ensure that while exercising the rights related to access to data, they do not violate the rights of other persons, including trade secrets, intellectual property and copyrights to software.
B. Right to rectification (Art. 16 of the GDPR)
1. The right to rectification includes:
a) request for correction of inaccurate data,
b) request for completion of incomplete data,
c) request for data update.
2. The Controller shall verify that the request for rectification of data does not lead to the disclosure of incorrect data or to the collection of excessive data; if it does, the request should be refused.
3. If a request for rectification is accepted, the Controller shall inform the recipients to whom the data has been disclosed, unless it is impossible or requires a disproportionate effort.
C. Right to erasure (“right to be forgotten”) (Art. 17 of the GDPR)
1. The right to erasure includes:
a) the right to request erasure of data,
b) the right to be forgotten – if the data is made public by the Controller.
2. The data subject has the right to request the erasure of data if:
a) the data are incomplete, outdated, or incorrect,
b) the data are no longer necessary in relation to the purposes for which they were collected,
c) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing,
d) the data subject objects to processing for direct marketing purposes, processing necessary for the performance of a task carried out in the public interest or processing on grounds of the legitimate interests of a controller or a third party,
e) the personal data have been unlawfully processed,
f) the personal data have to be erased for compliance with a legal obligation in EU or Member State law to which the Controller is subject,
g) the personal data have been collected in connection with the offering of information society services to a child.
3. If the data subject requests the erasure of data, a Controller who has made the personal data public should be obliged to inform the controllers that process such personal data that the data subject requests to erase any links to, or copies or replications of those personal data.
4. The Controller may refuse to fulfil the request to exercise the right to erasure, in particular:
a) where processing is necessary for compliance with a legal obligation which requires processing by EU or Member State law (e.g. for processing of employee documents),
b) where processing is necessary for reasons of public interest in the area of public health (e.g. occupational medicine),
c) where processing is necessary for the establishment, exercise, or defence of legal claims.
D. Right to restriction of processing (Art. 18 of the GDPR)
1. The data subject shall have the right to demand restriction of processing in one of the following cases:
a) the accuracy of the personal data is questioned by the data subject – for a period enabling the Controller to verify the accuracy of the personal data;
b) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the Controller override those of the data subject.
2. When the request for restriction of processing is accepted, the Controller ensures that the personal data for which processing is restricted are secured in such a way that the system users do not have access to such data, and they are not subject to further processing or modifications.
3. The technical measures applied in sec. 2 shall also apply if a supervisory authority, within its corrective powers, obliges the Masterlease Group to restrict the processing of specific personal data (temporarily or definitively).
4. In the case of restriction of processing, personal data shall be processed only for the purposes of their storage. Data processing for another purpose is only possible:
a) when the natural person consents to another processing purpose,
b) for the establishment, exercise, or defence of legal claims,
c) for protection of the rights of another natural or legal person,
d) due to important public interest of the European Union or a Member State.
E. Right to data transfer (Art. 20 of the GDPR)
1. The right to data transfer includes:
a) the right to receive data from the Controller,
b) the right to transmit data without hindrance from the Controller,
c) the right to transmit data directly between the controllers, without intermediation of the data subject (where technically feasible).
2. The right to data transfer is granted only if the processing is based on consent of the natural person, on a contract or by automated means.
3. If the request for data transfer is accepted, the data will be made available in a structured, commonly used, and machine-readable format.
F. Right to object (Art. 21 of the GDPR)
1. A natural person has the right to object to the processing of personal data when the Controller processes data on the basis of a legally justified interest (Art. 6(1)(f) of the GDPR), including profiling.
2. The Controller may refuse to cease the processing of personal data, when there are:
a) compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject,
b) the grounds for the establishment, exercise, or defence of legal claims.
3. Where the data subject objects to processing for direct marketing purposes, including profiling insofar as processing is related to such direct marketing, the data subject’s request shall be met immediately and unconditionally. The Controller shall ensure that personal data will no longer be processed for this purpose.
G. Right to withdraw consent (Art. 7 of the GDPR)
1. Where processing is based on consent of a natural person, the data subject shall have the right to withdraw his or her consent at any time.
2. The withdrawal of consent shall not affect the lawfulness of processing based on consent before the withdrawal.
H. Right not to be subject to a decision based solely on automated processing, including profiling (Art. 22 of the GDPR)
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which renders legal effects concerning him or her or similarly significantly affects him or her.
2. The right not to be subject to automated individual decision-making, including profiling, shall not apply in particular when the decision:
a) is necessary for entering into or performance of a contract between the data subject and a data controller;
b) is authorised by EU or Member State law to which the Controller is subject and which lays down suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests,
c) is based on the data subject’s explicit consent.
3. The Controller shall ensure that suitable measures are implemented to safeguard the data subject’s rights, freedoms, and legitimate interests and that the data subject has the right to express his or her views and contest the decision.
IV Breaches of personal data protection
1. In the event of a personal data breach, any natural person who has become aware of such a breach should report it to the Controller within 12 hours of finding out about the breach, at the following e-mail address: incydenty@masterlease.pl.
2. A personal data breach notification must include at least:
a) date and time of the incident, its duration and location,
b) data concerning the natural person reporting the incident,
c) description of the nature and circumstances of the personal data breach, including information on the IT system affected by the breach (if the breach was in connection with the processing of data in the IT system),
d) category and approximate number of the individuals affected,
e) category and approximate number of records of the personal data affected by the breach,
f) description of the possible consequences of the personal data breach.
3. If a breach of personal data protection is found, the Controller shall, without undue delay, notify it to a supervisory authority competent under the applicable law, unless it is unlikely that the breach results in a risk of violating the rights or freedoms of natural persons.
4. The Controller shall document any breaches of personal data protection to be able to demonstrate compliance with applicable legal regulations.
5. If the breach of personal data protection results in a high risk of violating the data subject’s rights or freedoms, the Controller shall, without undue delay, notify the data subject of such breach, unless this is not required in accordance with the applicable laws.
V Final provisions
1. This procedure shall be effective as of 25 May 2018.
2. This procedure shall enter into force on the date of its publication. The Masterlease Group publishes this procedure on its websites under the link “Masterlease Group and personal data”. Any amendments to this procedure shall enter into force upon publication of the changed consolidated text of the procedure on the Masterlease Group’s websites.