PERSONAL DATA PROTECTION POLICY FOR mobileWEB



CVS MOBILE, informacijske rešitve d.d.

Valid from: 1st January 2019

1. INTRODUCTORY INFORMATION

CVS MOBILE, informacijske rešitve d.d., seated at Ulica Gradnikove brigade 11, 1000 Ljubljana, Slovenia (hereinafter referred to as “CVS MOBILE”, “we”, “us”) is a leading provider of innovative telematics and fleet management solutions and services in Central and Eastern Europe and is also the owner of the mobileWEB cloud-based platform, mobileCHAT application, mobileMAP application, mobileNET application and other CVS MOBILE applications.

At CVS MOBILE we respect your right to privacy and take personal data protection extremely seriously, as we would like to provide you with the highest level of protection of the personal data that you have trusted us.

This Personal Data Protection Policy (hereinafter referred to as: “Policy”) is based on relevant legislation on the protection of personal data, in particular the Personal Data Protection Act and the EU General Data Protection Regulation.

In this Policy, we define ways of collecting your personal data, the purposes for which we collect it, the security measures we use to protect it, the persons with whom we share it, and your rights regarding the protection of personal data.

This general policy is limited to the processing of personal data associated with the use of our cloud-based platform mobileWEB available at https://mobileweb.cvs-mobile.com/.

We tried to write our entire Personal Data Protection Policy as understandable as possible. If you still have any questions concerning personal data, do not hesitate to contact us.

In order to enable you to quickly and efficiently find information you need, we have created an interactive index, designed to provide you with information about a topic that you are interested in in one click:

  • 1. INTRODUCTORY INFORMATION
  • 2. WHO COLLECTS AND PROCESSES MY PERSONAL DATA?
  • 3. FOR WHOM IS THIS POLICY INTENDED?
  • 4. BASIC CONCEPTS
  • 5. PROCESSING OF PERSONAL DATA
  • 6. PROTECTION OF YOUR PERSONAL DATA
  • 7. TRANSMITTING OF PERSONAL DATA
  • 8. RIGHTS OF INDIVIDUALS
  • 9. FINAL PROVISIONS

2. WHO COLLECTS AND PROCESSES MY PERSONAL DATA?

Controller of the personal data (as specified in this privacy policy) being processed within our cloud-based platform mobileWEB is CVS MOBILE, informacijske rešitve d.d., seated at Ulica Gradnikove brigade 11, 1000 Ljubljana, Slovenija.

As a data controller, CVS MOBILE shall be responsible for processing and storing of your personal data.

In order to further upgrade the level of personal data protection, CVS MOBILE has appointed an authorized person for the protection of personal data, which ensures that the handling of personal data is at all times consistent with the relevant legislation.

In CVS MOBILE, we appointed the following person as an authorized person for the protection of personal data: Mr. Bojan Jelen. The authorized person for the protection of personal data can be reached through the following e-mail: support@cvs-mobile.com.

If you have any questions regarding the use of this Policy or with regards to the exercise of your rights arising from this Policy, please contact us through the email defined above.

3. FOR WHOM IS THIS POLICY INTENDED?

This Policy is for:

  • - all users of our cloud-based platform mobileWEB https://mobileweb.cvs-mobile.com/ (hereinafter referred to as the “platform” or “cloud-based platform”),
  • - signing up for our newsletter about the latest news from our offer,
  • - inquiries about our offer, via telephone, e-mail or online forms.

We remind you that this Policy does not directly apply to the use of applications issued by CVS MOBILE, which are only available to registered users (defined in Chapter 4 of this policy). The protection of personal data relating to the download and use of these applications is subject to the Privacy Policy for these applications, which are available at http://docs.cvs-mobile.com/privacy-policy/.

When reading this policy Users and Clients must distinguish between the Controller (CVS MOBILE) as defined in this Policy and the Controller of personal data regarding information they put in our platform when and for the use of the Client. In relation to data, that Clients and users enter into our platform while using services that we offer, CVS MOBILE is treated as data processor. Data processing is based on Data processing agreement. For any questions regarding information that Users and Clients enter into our platform, users should contact directly the Client (which is the Controller of this data as defined in Chapter 4: “Content of Clients”).

4. BASIC CONCEPTS

Here you can find an explanation of the basic concepts that we use in our Policy.

Each particular concept defined below has the meaning within this Policy as defined in this section.

Personal data means any information that refers to a specific or identifiable individual (for example, the name, surname, e-mail address, telephone number and identifiers that are specific to the individual's physical, physiological, genetic, economic, mental, cultural or social identity, etc.).

Controller means a legal entity that determines the purposes and means of processing of your personal data.

Processor means a legal or natural person who processes personal data on behalf of the controller.

Processing means collecting, storing, accessing and all other forms of use of personal data.

EEA means the European Economic Area, which identifies all the Member States of the European Union, Iceland, Norway and Liechtenstein.

Client means a legal or natural person who signs a Contract (hereinafter referred to as “Contract”) for the use of the mobileWEB platform that is issued by CVS MOBILE. After an initial registration procedure, the Client receives master credentials to access in the mobileWEB platform. Master access in the mobileWEB platform enables the creation of new mobileWEB users and assign them specific access rights in mobileWEB platform.

User means any individual who has received an invitation via e-mail to access mobileWEB platform and has finished the registration procedure. Any User, who has the credentials to access mobileWEB platform, can use those credentials to access and use mobileMAP, mobileCHAT or others CVS MOBILE applications.

Entry point is any application function that an individual uses and where personal data is collected.

Content of Clients means any information, file or data published by clients in mobileWEB database, which is not under the control of CVS MOBILE. In relation to these data the Client designates CVS MOBILE as its personal data processor.

5. PROCESSING OF PERSONAL DATA

At CVS MOBILE, we process your personal data solely on the basis of clearly stated and legitimate purposes, securely and transparently.

We collect your personal data when you provide it to us (for example, using our platform, inquiring by e-mail, telephone or writing to our address or by any other means in which you provide us with your personal data).

Your personal data can also be obtained through your interaction with the platform; such information can be obtained by using cookies and a cookie-like technology that allows us to customize and personalize our platform to your needs.

5.1. WHAT CATEGORIES OF PERSONAL DATA DO WE COLLECT?

Your personal data can be obtained directly from you when you provide us with this information (for example, by registering and logging into a mobileWEB etc.). We can also obtain your personal data through the use of our services (e.g. e-news).

  • a) Personal data provided by Client
    • - Data necessary for creating client’s master accounts (company name, name and surname of contact persons, business telephone, business address, e-mail), - Data necessary for creating User’s accounts (e-mail), - Data we need for processing of Clients billing.
  • b) Data we collect indirectly through your use of our services

This data is obtained by using a cookie-like technology that identifies your device accessing a platform. With this technology, we can obtain the following information (the IP address of your device, data location, as well as the information about your use of our services, such as the content you have viewed on our platform, the time you have spent browsing the page, and the data regarding the response to our emails).

Certain cookie-like technology is indispensable for the operation of our platform (permanent cookies), but we also use other types of cookie similar technology to ensure the following features of our platform and other services:

  • - Edit preferences: Your browser settings preferences are included here when you use our platform (for example, the language of the platform). - Analytics and personalization: Analytics help us to understand your needs better and optimize and improve our platform. With personalization, however, we can tailor our platform and e-news to your needs and interests. In doing so, we can use technology to determine when and how often you use our platform and what content you have viewed.

To use certain technologies, we will ask for your consent, and you will be notified about it in advance in a separate notice.

At CVS MOBILE, we carefully protect the principle of the minimum amount of data provided by law, and therefore we collect only data that is appropriate, relevant and limited to what is necessary for the purposes for which they are processed. The purposes for which we collect personal data are defined in Chapter 5.3.

5.2. ON WHAT LEGAL BASIS DO WE COLLECT AND PROCESS YOUR PERSONAL DATA?

In accordance with the legislation governing the protection of personal data, we may process your personal data on the following legal bases:

  • - Contract. We process your personal data when such processing is required to complete the contract which Clients have concluded (for example, ensuring the operation of the mobileWEB platform).
  • - Legitimate interest. We process your personal data when CVS MOBILE has a legitimate interest in processing. We will expressly define within this Policy in what events we process the data on a legitimate interest basis.
  • - The law. When processing is necessary for the fulfillment of legal obligations (e.g. data that we keep for tax liabilities).

Is the provision of personal data mandatory?

The provision of personal data is mandatory in certain cases. In most cases, you provide us with personal data on a voluntary basis. It is obligatory to provide only the personal data that we collect on the basis of the requirements of the legislation.

The provision of personal data that we need to fulfill the Contract is voluntary. However, in the event that you do not provide us with all the personal data that we need to execute the Contract we will not be able to provide full services (for example we cannot create Client’s accounts without information on e-mail address).

5.3. PROCESSING PURPOSES

CVS MOBILE will only process your data for specified, explicit and legitimate purposes. We undertake not to process your personal data in a manner incompatible with the purposes defined in this Policy.

The purposes for which we can use your personal data are defined below. CVS MOBILE may use your personal data for one or more of the purposes identified below.

The purposes for which we will use your personal data are the following:

  • - Enabling registration and logging into our platform mobileWEB. Enabling registration and logging is carried out on the basis of the Clients contract.
  • - Communicating with you to provide quality responses to your inquiries. Communication is carried out on the basis of our legitimate interest to ensure effective communication with our customers as well as potential buyers.
  • - Processing of payments is carried out on the basis of the Clients contract.
  • - Informing about our services and offer. Information about our services and our offer is carried out on the basis of the law.
  • - Distribution of digital materials. We will occasionally offer the possibility of downloading digital material via our platform. Distribution of digital materials is carried out on basis of the contract.
  • - Transmission of personal data to third parties. We will only provide personal data to third parties as defined in Chapter 7 of this Policy.
  • - To enforce any legal claims and to settle disputes. Personal data can be disclosed in order to protect our business and to enforce and / or protect our rights. We will disclose your personal information only in the manner and under the conditions required by law.
  • - For the purposes of statistical analysis. In order to improve the user experience, we analyze the use of our platform. Statistical analyzes are carried out on the basis of our legitimate interest in providing an optimal and efficient platform.

In the event that there is a need for further processing of personal data (for a different purpose than for the purpose for which personal data were originally obtained), we will inform you in advance and, when necessary, request for consent.

5.4. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We keep your personal data in accordance with the relevant legislation. We will keep your personal data:

  • - only for as long as it is absolutely necessary to achieve the purposes for which we are processing (for the purposes for which we process personal data, please refer to Chapter 5.3 of this Policy),
  • - for a period prescribed by the law (we note here that the deadlines for the retention of personal data may also be prescribed by other laws, not only in the field of personal data protection, such as 10 years for the issued invoices, in accordance with the tax legislation),
  • - for the period necessary for the fulfillment of the contract, which includes guarantee periods and deadlines in which it is possible to enforce any claims on the basis of a concluded contract.

When personal data is obtained on the basis of your consent, we keep it permanently or until you revoke this consent. We will delete the information collected on the basis of your consent before your revocation, in case the purpose for which the data was collected has been achieved.

When the retention period for certain personal data expires, we will delete these personal data or anonymize them so that the reconstruction of personal data will no longer be possible.

The retention periods for each category of personal data are defined in Annex 1.

For any additional information, please contact us at any of the contact details defined in Chapter 2 of this Policy.

6. PROTECTION OF YOUR PERSONAL DATA

At CVS MOBILE we protect your personal data against illegal or unauthorized processing and/ or access, and against unintentional loss, destruction or damage. We undertake all measures according to our technological capabilities (including the cost of implementing certain measures) and the impact assessment on your privacy.

In order to ensure that your personal data is safe, we have undertaken the appropriate technical and organizational measures at CVS MOBILE, in particular:

  • - ensuring the regular updating and maintenance of the hardware, software and application equipment that we use for the processing of personal data,
  • - establishing a restriction on access to personal data,
  • - regular backup,
  • - ensuring the education of employees who process personal data at work,
  • - careful selection of processors that we trust for the processing of personal data;
  • - supervising both employees and processors and regular audits,
  • - establishing protocols for preventing or limiting damage in case of potential security incidents.

In the event of a violation of the protection of personal data, we will notify without delay about any such violation the competent supervisory authority, represented in Slovenia by the Information Commissioner. You can read more about the competent authority on their website https://www.ip-rs.si/.

If there is a suspicion of a criminal offense regarding the violation of personal data, CVS MOBILE will also report such violations to the police and the competent state prosecutor's office.

In the event of a violation of data protection that may cause a high risk to the rights and freedoms of individuals, we will inform you of such an event without undue delay.

7. TRANSMITTING OF PERSONAL DATA

Your personal data may be, exclusively in order to achieve the purpose for which it was collected, transmitted, or we may just allow access to them to certain third parties defined below. Such third parties may only process your personal data for the purposes for which they were collected.

Accordingly, any third party to whom we transmit personal data is bound to comply with the applicable law as well as to the provisions of this personal data protection policy. With external processors, however, the protection of personal data is further defined by the contract.

Your personal data may be transmitted to:

  • 1. Our external processors who take care of the needs of CVS MOBILE (accounting services, law firms, companies that provide marketing services, etc.).
  • 2. When this is required by the law (e.g. tax authorities, courts, etc.).

We may transmit your personal data to third parties (defined above) outside the European Economic Area (EEA), where personal data processing occurs. In any transmission outside the European Economic Area, we will undertake specific additional measures to ensure the security of your personal data.

Such measures consist mainly of agreements with third parties on the establishment of binding rules in the field of personal data protection, verification that an approved certification mechanism is in place, which meets our standards for the protection of personal data and the conclusion of relevant contractual obligations that regulate the protection of personal data.

8. RIGHTS OF INDIVIDUALS

You have the following rights regarding the personal data processing:

  • 8.1. Access to personal data: You may request information from CVS MOBILE whether we are processing your personal data, and if we do, you can request access to your personal data and information about the processing (which data is processed and from where this data originated).
  • 8.2. Correction of personal data: you may request from CVS MOBILE to correct or complete your incomplete or inaccurate data being processed.
  • 8.3. Restriction of the personal data processing: you may request from CVS MOBILE a restriction of the processing of your personal data (when, for example, checking accuracy or the completeness of your personal data).
  • 8.4. Deletion of personal data: you may request from CVS MOBILE to delete your personal data (we cannot delete those personal data that we keep on the basis of legal requests or contractual relation).
  • 8.5. Printout of personal data: you may request from CVS MOBILE to provide you with the personal data that you have provided us with in a structured, widely used and machine-readable form.
  • 8.6. Objection to the processing of personal data: You have the right to object to the processing of your personal data when processing is for direct marketing purposes or in the event of transmitting your personal information to third parties for the purposes of direct marketing. You can also object processing when your data is used for direct marketing purposes using customized or individual offers ("profiling"). You can make an objection in any manner defined in Chapter 2 of this Policy.
  • 8.7. The right to data transmission: you have the right to request the printout of personal data that you have provided us with. We will provide you with information in a structured, widely used and machine-readable form. You are entitled to provide this data to another controller of your choice. Where technically feasible, you may request that your personal data be transmitted directly to another controller.

Contacts for the exercise of rights:

If you have any questions regarding the use of this Policy or with regards to the exercise of your rights arising from this Policy, please contact us at any of the following contacts:

You have the right to file a complaint against us with the Information Commissioner, who is the competent authority for the protection of personal data.

The integrity of personal data processed and regular updating is a priority for CVS MOBILE. Please kindly inform us of any change of your personal data to the above contacts. We will take care of the correction or supplementing your personal data in the shortest possible time.

In case of exercising any of the rights, we may require additional personal data (such as name, surname, e-mail address) for identification purposes. We will only need additional information when the information you provide is not sufficient for reliable identification (in this way, we want to prevent your personal data from being transmitted to a third party due to unreliable identification).

9. FINAL PROVISIONS

At CVS MOBILE, we can change this Policy at any time. We shall notify you of the change of the Policy on our web site. We shall consider that you agree with the new version of this Policy if, after the new version enters into force, you continue to use our platform and other services defined by this Policy.

The current version of this Policy will be available on our website:

http://docs.cvs-mobile.com/privacy-policy/.



Annex 1: Definition of retention periods

Processing purpose Legal basis Retention period
Enabling registration and logging for Clients into our platform mobileWEB Contract 10 years
Enabling registration and logging for Users into our platform mobileWEB Contract 10 years
Communicating with you to provide quality responses to your inquiries Legitimate interest 10 years
Processing of paymentss Contract In accordance with law
Informing about our services and offer Law Until revoked
Distribution of digital materials Contract 10 years
Transmission of personal data to third parties Contract 10 years
To enforce any legal claims and to settle disputes Law For the time of the procedure and
10 years from the finality
of a legal decision
For the purposes of statistical analysis Legitimate interest 10 years
© 2019 CVS Mobile, Inc.