Personal Data Protection Policy
1. INTRODUCTION
This Policy aims to confirm the obligation of EUROLEASE GROUP EAD (the “Organization”) to protect the personal data processed by it and to guarantee the rights of the subjects as required by the General Data Protection Regulation (the “Regulation”).
According to the Regulation, PERSONAL DATA means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
This Policy defines the procedures to be followed when processing personal data. The procedures and principles set forth herein must be respected at all times by the Organization, its employees, contractors and other parties working on its behalf.
The Organization is committed not only to the content of the Regulation but also to its spirit, and pays great attention to the proper, lawful and fair treatment of all personal data, while respecting the legal rights, privacy and trust of all individuals and stakeholders.
2. DATA PROTECTION PRINCIPLES
This Policy aims to ensure compliance with the Regulation. It defines the following principles that must be respected by all parties processing personal data. All personal data shall be:
2.1. processed lawfully, fairly and in a transparent manner in relation to the data subject;
2.2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest or statistical purposes shall not be considered to be incompatible with the initial purposes;
2.3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
2.4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay;
2.5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject;
2.6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
3. LAWFUL, FAIR AND TRANSPARENT DATA PROCESSING
The Regulation aims to ensure that personal data are processed lawfully, fairly and transparently, without prejudice to the rights of the data subject. The Regulation states that processing shall be lawful only if at least one of the following applies:
3.1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
3.2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3.3. processing is necessary for compliance with a legal obligation to which the controller is subject;
3.4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
3.5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
3.6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
4. PROCESSING FOR SPECIFIC, EXPLICIT AND LAWFUL PURPOSES
4.1 The Organization shall collect and process the personal data specified in item 21 of this Policy. This may include personal data obtained directly from data subjects (e.g. contact data used when the data subject communicates with us) and data obtained from third parties (e.g. recruitment agencies, insurers, occupational medicine services, public authorities, various registers).
4.2 The Organization shall process personal data only for the specific purposes specified in item 21 of this Policy (or for other purposes expressly permitted by the Regulation). Data subjects shall be informed of the purposes for which we process personal data at the time they are collected directly from them or as soon as possible (not more than one calendar month) after collection if the data are obtained from a third party.
5. ADEQUATE, RELEVANT AND LIMITED DATA PROCESSING
The Organization shall collect and process personal data only for and to the extent necessary for the particular purpose(s) for which the data subjects have been informed as outlined in item 4 above.
6. ACCURACY OF DATA AND KEEPING DATA UP-TO-DATE
The Organization shall ensure that all collected and processed personal data are kept accurate and up-to-date. Accuracy of the data shall be verified at the time they are collected and then at scheduled intervals. Where inaccurate or outdated data are detected, all reasonable steps shall be taken immediately to modify or delete such data, as appropriate.
7. TIMELY PROCESSING
The Organization shall not store personal data for longer than necessary in relation to the purposes for which these data were originally collected and processed. When data are no longer required, all reasonable steps shall be taken to delete the data without delay.
8. PROTECTION DURING PROCESSING
The Organization shall ensure that all collected and processed personal data are protected from unauthorized or unlawful processing and from accidental loss, destruction or damage. Further details on the technical and organizational measures to be taken are provided in item 22 of this Policy.
9. RESPONSIBILITY
9.1 The data protection officer at EUROLEASE GROUP EAD shall be Mihaela Krasteva.
9.2 The Organization must keep written internal records of the collection, possession and processing of all personal data, containing the following information:
9.2.1. the name and contact details of the Organization, of its data protection officer and of any third-party controllers with which it processes personal data jointly;
9.2.2. the purposes for which the Organization processes personal data;
9.2.3. details of the categories of personal data collected, stored and processed by the Organization, and the categories of data subjects to whom those personal data relate;
9.2.4. details (and categories) of third parties who shall receive personal data from the Organization;
9.2.5. details of all transfers of personal data to non-EEA countries, including all security mechanisms and safeguards;
9.2.6. details of the period for which the Organization shall retain personal data; and
9.2.7. detailed descriptions of all technical and organizational measures taken by the Organization to ensure the security of personal data.
10. RISK ASSESSMENT IN RELATION TO PERSONAL DATA PROCESSING
The Organization shall carry out data protection impact assessments where required by the Regulation. Each assessment shall be overseen by the data protection officer of the Organization and shall cover the following areas:
10.1 Purpose(s) for which personal data are processed and processing operations carried out with such data;
10.2 Details of the legitimate interests pursued by the Organization;
10.3 Assessment of the necessity and proportionality of data processing in relation to the purpose(s) for which they are processed;
10.4 Risk assessment for individual data subjects; and
10.5 Details of the measures applied to minimize and manage risks, including safeguards, data security and other data protection measures and mechanisms sufficient to demonstrate compliance with the Regulation.
11. RIGHTS OF THE DATA SUBJECT
The Regulation defines the following rights applicable to data subjects:
11.1. right to be informed;
11.2. right of access;
11.3. right to rectification;
11.4. right to deletion (also known as “right to be forgotten”);
11.5. right to restriction of processing;
11.6. right to data portability;
11.7. right to object;
11.8. rights in relation to automated decision-making and profiling.
12. INFORMATION TO BE PROVIDED WHERE PERSONAL DATA ARE COLLECTED FROM THE DATA SUBJECT
12.1 Where personal data are collected, the Organization shall ensure that each data subject is provided with the following information:
12.1.1. details of the Organization, including, but not limited to, the identity of its data protection officer;
12.1.2. the purpose(s) for which personal data are collected and processed (as described in detail in item 21 of this Policy) and the legal basis justifying such collection and processing;
12.1.3. where applicable, the legitimate interests with which the Organization justifies the collection and processing of personal data;
12.1.4. where personal data are not obtained directly from the data subject, the categories of personal data collected and processed;
12.1.5. where personal data must be transferred to one or more third parties, details of those parties;
12.1.6. where personal data must be transferred to a third country outside the European Economic Area (EEA), details of such transfer, including, but not limited to, the safeguards in place (see item 23 of this Policy for further details on the transfer of data to third countries);
12.1.7. details of the period for which the Organization will store the personal data (or, if there is no predefined period, details of how this period will be determined);
12.1.8. details of the rights of the data subject under the Regulation;
12.1.9. details of the right of the data subject to withdraw his/her consent to the processing of personal data at any time;
12.1.10. details of the right of the data subject to lodge a complaint with the Commission for Personal Data Protection (CPDP) (the “supervisory authority” under the Regulation);
12.1.11. where applicable, details of any legal or contractual requirement or obligation requiring the collection and processing of personal data and of the consequences of failure to provide them;
12.1.12. details of any automated decision-making that will be carried out using personal data (including, but not limited to, profiling), including information on how decisions will be made, the significance of these decisions and their consequences.
12.2 The information listed in item 12.1 above shall be provided to the data subject at the following applicable time:
12.2.1 When personal data are obtained directly from the data subject, at the time of collection;
12.2.2 When personal data are not obtained directly from the data subject (i.e. from another party):
• if personal data are used to communicate with the person to whom they relate, during the first message; or
• if personal data must be disclosed to another party, before disclosure; or
• in any case, not later than one month following the date on which the Organization has obtained the personal data.
13. ACCESS TO PERSONAL DATA
13.1 A data subject may at any time submit a request for access to his or her personal data (‘RAD’) in order to learn what information the Organization holds about him/her. The Organization shall respond to a RAD within one month of receiving it (this period may be extended by up to two further months in the case of complex and/or multiple requests, in which case the data subject shall be informed of the need for the extension).
13.2 All received requests for access must be sent to the data protection officer of the Organization at e-mail dpo@euroleasegroup.com
13.3 The Organization shall not charge a processing fee for usual RADs, but reserves the right to charge reasonable fees for additional copies of data already provided to the data subject and for requests that are manifestly unfounded or excessive, especially when such requests are repeated.
13.4 Identification of the data subjects when submitting requests:
13.4.1. Upon receipt of a request for access by email, the responsible person shall compare the sender's email address (the actual address, not merely the display name) with the email address the data subject has provided in his/her contact details. If the addresses match, this may be considered sufficient proof of the legitimacy of the request.
13.4.2. Upon receipt of a request for access made in person by the data subject, the responsible person or the person dealing directly with the client shall request the identity card of the data subject as a means of identification. Where the request is made in person by an agent, the responsible person shall request the identity card of the agent and a power of attorney in which the right to request such data on behalf of the principal is clearly stated.
13.4.3. For all other types of requests for access (made by telephone, from an email address other than that given in the data subject's contact details, etc.), the responsible person shall request one of the following forms of identification:
- an email containing a copy of the identity card of the data subject requesting the personal data;
- for requests made by an agent: a copy of the agent's identity card and a copy of the power of attorney in which his/her right to request such data on behalf of the principal is clearly stated;
- that the request be made in person, in which case the procedure described in item 13.4.2 above applies.
14. RECTIFICATION OF PERSONAL DATA
14.1 If a data subject informs the Organization that the personal data stored by it are inaccurate or incomplete and requires rectification thereof, the personal data in question shall be rectified and the data subject shall be informed of that rectification within one month from receipt of the notification (this may be extended by up to two months in the case of complex requests, and in such cases the data subject shall be informed of the need for an extension).
14.2 If the personal data concerned have been disclosed to third parties, those parties shall be informed of any rectification of such personal data.
15. DELETION OF PERSONAL DATA
15.1 Data subjects may request from the Organization to delete the personal data it holds in relation to them in the following circumstances:
15.1.1. It is no longer necessary for the Organization to keep personal data in relation to the purpose for which they were originally collected or processed;
15.1.2. The data subject wishes to withdraw his/her consent to the possession and processing of his/her personal data by the Organization;
15.1.3. The data subject objects that the Organization is in possession and processes his/her personal data (and there is no overriding legitimate interest to allow the Organization to continue to do so) (see item 18 of this Policy for further details on the right of data subjects to object to processing);
15.1.4. Personal data have been processed unlawfully;
15.1.5. Personal data must be deleted in order for the Organization to comply with a specific legal obligation; or
15.1.6. Personal data are stored and processed for the purpose of providing an ‘information society service’, meaning a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament.
15.2 Unless the Organization has reasonable grounds to refuse to delete the personal data, all requests for deletion must be complied with and the data subject shall be notified of the deletion within one month of receipt of the request (this period may be extended by up to two further months in the case of complex requests, in which case the data subject shall be informed of the need for the extension).
15.3 If personal data to be deleted in response to a request by the data subject have been disclosed to third parties, these parties shall be informed of the deletion (unless this is impossible or would require a disproportionate effort to do so).
16. RESTRICTION OF DATA PROCESSING
16.1 Data subjects may request that the Organization restrict the processing of the personal data it holds in relation to them. If a data subject makes such a request, the Organization shall retain only the amount of personal data relating to that data subject that is necessary to ensure that no further processing of his/her personal data takes place.
16.2 If the personal data concerned have been disclosed to third parties, those parties shall be informed of the applicable restrictions on their processing (unless this is impossible or would require a disproportionate effort).
17. DATA PORTABILITY
17.1 The Organization processes personal data by automated means, namely:
17.1.1. integrated software for automating human resources and wage management (Omex);
17.1.2. specialized registers for data stored in protected arrays;
17.1.3. calls recording through a telephone exchange.
17.2. Where data subjects have consented to the processing of their personal data by the Organization by such automated means, or such processing is necessary for the performance of a contract between the Organization and the data subject, the data subjects have the right under the Regulation to receive a copy of their personal data and to use them for other purposes (namely, to transmit them to other data controllers, such as other organizations).
17.3. In order to facilitate data portability, the Organization shall provide all applicable personal data to the data subjects in the following format:
17.3.1. Structured—the structural link between the elements is embedded in the way data is stored in a database or register.
17.3.2. Frequently used format—a format that can be used on most computer configurations (e.g. Microsoft Office suite, etc.);
17.4. Where technically feasible, at the request of a data subject, personal data shall be sent directly to another data controller.
17.5. All requests for copies of personal data must be met within one month of the data subject's request (this may be extended by up to two months in the case of complex or multiple requests, and in such cases the data subject must be informed about the need for extension).
18. OBJECTIONS TO DATA PROCESSING
18.1 Data subjects have the right to object to the processing of their personal data by the Organization where that processing is based on legitimate interests (including profiling), is carried out for direct marketing purposes, or is carried out for scientific and/or historical research or statistical purposes.
18.2 When a data subject objects to the processing of his/her personal data by the Organization on the basis of the Organization's legitimate interests, the Organization shall immediately cease such processing unless it can demonstrate that its legitimate grounds for the processing override the interests, rights and freedoms of the data subject, or that the processing is necessary for the establishment, exercise or defence of legal claims.
18.3 When a data subject objects to the processing of his/her personal data by the Organization for the purposes of direct marketing, the Organization shall immediately cease such processing.
18.4 When a data subject objects to the processing of his/her personal data by the Organization for scientific and/or historical research or statistical purposes, the data subject must state grounds relating to his/her particular situation, as required by the Regulation. The Organization shall not be obliged to comply with such an objection where the processing is necessary for the performance of a task carried out for reasons of public interest.
19. AUTOMATED DECISION-MAKING
19.1. In the event that the Organization uses personal data for the purposes of automated decision-making and these decisions have a legal (or similarly significant) effect on data subjects, data subjects shall have the right to challenge such decisions under the Regulation by requesting intervention, expressing their own point of view and obtaining an explanation for the decision of the Organization.
19.2. The right described in item 19.1 shall not apply in the following circumstances:
19.2.1. the decision is necessary for the entry into or the performance of a contract between the Organization and the data subject;
19.2.2. the decision is permitted by law; or
19.2.3. the data subject has given his/her explicit consent.
20. PROFILING
When the Organization uses personal data for profiling purposes, the following conditions shall be met:
20.1. provide clear information explaining profiling, including the significance and probable consequences;
20.2. use appropriate mathematical or statistical procedures;
20.3. introduce the technical and organizational measures necessary to minimize the risk of errors and to allow easy correction of such errors; and
20.4. all personal data processed for profiling purposes must be secured in order to prevent any discriminatory impact resulting from the profiling (see item 22 of this Policy for more details on data security).
21. PERSONAL DATA
The types of personal data stored and processed by the Organization are described in a Register of Processed Personal Data, where a data protection officer shall ensure that these data are up to date.
22. DATA PROTECTION MEASURES
The Organization shall ensure that the following measures are taken regarding the collection, possession and processing of personal data:
22.1. At least twice a year, each employee who works with the relevant documents shall carry out a review of records whose retention periods are expiring and, following consultation with the data protection officer and a lawyer, the documents shall be destroyed. Paper documents shall be destroyed by shredding and documents on electronic media shall be deleted or securely erased.
22.2. Only a person authorized by the Organization may delete data from the software systems.
22.3. In case of destruction of paper records, a destruction protocol shall be drawn up in accordance with the form /Appendix 1 to this Policy/.
22.4. All employees, contractors or other parties working on behalf of the Organization must be fully aware of their individual responsibilities as well as the responsibilities of the Organization under the Regulation and this Policy and shall be provided with a copy of this Policy;
22.5. Only employees, subcontractors or other persons working on behalf of the Organization who need access to and use of personal data to properly carry out their official duties shall have access to the personal data held by the Organization;
22.6. All employees working on behalf of the Organization processing personal data shall be appropriately trained to do so;
22.7. All employees working on behalf of the Organization working with personal data shall be duly supervised;
22.8. The methods for collecting, storing and processing personal data shall be evaluated and reviewed on a regular basis;
22.9. The work of these employees working on behalf of the Organization and processing personal data shall be regularly evaluated and reviewed;
22.10. All employees, contractors or other parties working on behalf of the Organization and processing personal data are required to do so in accordance with the principles of the Regulation and this Policy on a contractual basis;
22.11. All contractors or other parties working on behalf of the Organization and processing personal data must ensure that all their employees involved in the processing of data respect the same conditions and have the same obligations as the relevant employees of the Organization deriving from this Policy and the Regulation;
22.12. When a contractor or other party working on behalf of the Organization processing personal data fails to fulfil its obligations under this Policy, that party will indemnify and compensate the Organization for all costs, liability, damages, loss, claims or proceedings arising from this failure.
23. TRANSFERRING PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)
23.1. The Organization may in certain cases transfer personal data to non-EEA countries.
23.2. The transfer of personal data to a non-EEA country is only carried out if one or more of the following conditions are applied:
23.2.1. The transfer is to a country, territory or one or more specific sectors in that country (or international organization) that the European Commission has determined as ensuring an adequate level of personal data protection;
23.2.2. The transfer is to a country (or international organization) that provides appropriate safeguards in the form of a legally binding agreement between public authorities or structures; binding corporate rules; the standard data protection clauses adopted by the European Commission; compliance with a code of conduct approved by the supervisory authority (e.g. CPDP); certification under an approved certification mechanism (as provided for in the Regulation); contractual clauses agreed and authorized by the competent supervisory authority; or provisions introduced into administrative arrangements between public authorities or structures authorized by the competent supervisory authority;
23.2.3. The transfer is carried out with the informed consent of the data subject(s);
23.2.4. The transfer is necessary for the performance of a contract between the data subject and the Organization (or for pre-contractual measures taken at the request of the data subject);
23.2.5. The transfer is necessary for important reasons of public interest;
23.2.6. The transfer is necessary for the establishment, exercise or defence of legal claims;
23.2.7. The transfer is necessary to protect the vital interests of the data subject or other persons when the data subject is physically or legally incapable of giving consent; or
23.2.8. The transfer is made from a register which, under EU or Member State law, is intended to provide information to the public and which is open to consultation either by the public at large or by any person able to demonstrate a legitimate interest in accessing the register.
24. NOTIFICATION OF PERSONAL DATA BREACH
24.1. All personal data breaches shall be reported immediately to the data protection officer. Reporting shall be done according to approved communication and incident reporting channels in the Organization or directly.
24.2. If a personal data breach occurs and the breach is likely to result in a risk to the rights and freedoms of data subjects (for example, financial loss, loss of confidentiality, discrimination, reputational damage or other significant social or economic damage), the data protection officer must ensure that the CPDP is informed of the breach without undue delay and, in any case, within 72 hours of the Organization having discovered or been notified of it.
24.3. If the personal data breach is likely to result in a high risk (i.e. a higher risk than that described in item 24.2) to the rights and freedoms of data subjects, the data protection officer must ensure that all data subjects concerned are informed of the breach directly and without undue delay.
24.4. Data breach notifications shall describe the nature of the breach and include the following information:
• the categories and the approximate number of data subjects concerned;
• the categories and the approximate number of personal data records;
• the name and contact details of the data protection officer (or other person/contact point where more information can be obtained);
• the likely consequences of the breach;
• details of the measures taken or proposed to be taken by the Organization to address the breach, including, where appropriate, measures to mitigate the possible adverse effects.
25. PERIODS OF TIME FOR PROCESSING YOUR PERSONAL DATA
25.1. We process and store your personal data with due care for the entire term of the Contract you have concluded with us, and we retain them for ten years after the termination of the Contract (counted from the beginning of the calendar year following the year in which the relationship was terminated) in order to comply with the applicable legislation, to cover the statutory limitation periods for claims and obligations, to provide information to courts and competent state authorities, and for any other purposes provided for in the applicable legislation.
25.2. Upon expiry of the periods stated above, the Organization shall delete or anonymize your personal data, unless they are necessary for pending court or administrative proceedings or for the examination of a complaint you have filed with us.
25.3. Call recordings (see item 17.1.3) shall be stored for a period of 3 months. They may be stored for a longer period where they are needed as evidence in relation to a specific relationship or where a crime has been committed.
25.4. Data processed for marketing purposes on the basis of your consent shall be stored for 5 years.
POLICY IMPLEMENTATION
This Policy is effective from 25 May 2018. No part of this Policy shall have retroactive effect and will therefore only apply to issues that have occurred on or after that date.
This Policy has been approved by the Board of Directors of EUROLEASE GROUP EAD by a resolution of 22 May 2018.