Processor privacy notice

General Data Protection Regulation

Last update 13/05/2022

By means of this Notice, Carya Group (Processor) unilaterally undertakes to process the Personal Data that it processes in the context of its services for its Clients (Controller) as set out below.

This notice can also be amended in the light of changing circumstances and partnerships.

1. Definitions

The terms used below and for this purpose are derived from the General Data Protection Regulation and have the following meanings:

  • Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (‘Controller’);
  • Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (‘Processor’);
  • Data Subject: an identified or identifiable natural person to whom the Personal Data processed relate;
  • Notice: this notice and its appendices;
  • Agreement: the main agreement from which this Notice results;
  • Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (‘Data Leak’);
  • Data protection impact assessment: carrying out an assessment, prior to carrying out the processing, of the impact of the envisaged processing activities on the protection of the personal data.

2. Return of Personal Data and storage period

  • After the termination of the Agreement, Carya Group will return the Personal Data. Any Personal Data left behind will be carefully and safely erased by Carya Group.
  • The Personal Data that Carya Group processes according to this Notice will be erased at the request of the Client.

3. Formation, duration, and termination of this Notice

  • This Notice shall enter into force on the date of publication on the website (on page https://www.caryagroup.eu/nl/processor-privacy-notice). Possible changes will also be published on the same web page.
  • This Notice forms an integral part of the Agreement and will apply for the duration of the Agreement.
  • If the Agreement ends, the obligations arising from this Notice shall also end.
  • After termination of the Agreement, Carya Group’s current obligations, such as the reporting of Data Leaks, involving the Client’s Personal Data, and the duty of confidentiality will continue.

4. Processing Personal Data

  • Carya Group will only process Personal Data on behalf of the Client and has no control over the Personal Data. Carya Group follows the instructions of the Client in this respect and may not process the Personal Data in any other way, unless the Client gives Carya Group prior consent or the order to do so.
  • Appendix 1 (Overview of Processing of Personal Data and Processing Purposes) contains a list of exactly which Personal Data Carya Group will process and for which processing purposes.
  • Carya Group complies with the law and processes the data in a proper, careful, and transparent manner.
  • The Personal Data provided by the Client to Carya Group may be shared by the latter with branches or companies belonging to the same group, with the sub-processors appointed by Carya Group, or with companies/branches necessary for the provision of services. The Client has all necessary consents to allow Carya Group to share data with the entities mentioned in this paragraph.
  • The Client hereby grants Carya Group general permission to cooperate with sub-processors. Carya Group will inform the Client of the intended changes regarding the addition or replacement of processors. The notification concerning sub-processors is made via the website at the following link https://www.caryagroup.eu/nl/subverwerkers.
  • The Client may object to this intended addition or replacement. This objection by the Client must be made by registered letter within 10 days (X+10/postmark date) after sending the communication.
  • If Carya Group engages other organisations with the consent of the Client, they must at least meet the requirements set out in this Notice.
  • If the Client receives a request from a Data Subject who wishes to exercise his or her privacy rights, Carya Group will cooperate within a period of 21 days. These rights consist of a request to access, rectify, supplement, erase or block, object to the processing of Personal Data, and a request for transferability of one’s own Personal Data.
  • When the Client requests Carya Group to provide information, Carya Group will provide the information the Client needs to carry out a Data Protection Impact Assessment. The Client needs this to be able to estimate the risk of the Processing that Carya Group carries out on behalf of the Client.

5. Securing Personal Data

  • Carya Group will ensure that it adequately secures the Personal Data. Carya Group takes appropriate technical and organisational measures to prevent loss and unlawful processing.
  • These measures are tailored to the risk of processing. An overview of these measures and the policy on them are included in Appendix 2 (Overview of security measures).
  • The control of the overall processing of Personal Data by Carya Group is through self-assessment. At the request of the Client, Carya Group will provide a report in which the Client demonstrates that he or she complies with the law and the agreements in this Notice.
  • If one of the Parties considers that it is necessary to change the security measures to be taken, the Parties shall enter into consultations about the change.
  • In communication with Carya Group, such as but not limited to the use of the ticketing system, the Client will not provide any Personal Data to Carya Group.

6. Confidentiality

  • Carya Group will keep the Personal Data provided to it confidential, unless this is not possible on the basis of a legal obligation.
  • Carya Group will ensure that its personnel and third parties involved also observe this confidentiality by including a confidentiality obligation in the (employment) contracts.

7. Data Leaks

  • In the event of a discovery of a possible Data Leak, Carya Group will inform the Client within 48 hours as well as provide the Client, in accordance with the applicable regulations, with the necessary information so that the latter can, if necessary, notify the Supervisor.
  • Notifications to the Client are made to publicly available numbers and email addresses unless the Client has provided a specific telephone number/email address for this purpose.
  • After the notification of a Data Leak to the Client, Carya Group will keep the Client informed of new developments concerning the Data Leak, the measures taken by Carya Group to limit and terminate the scope of the Data Leak and to prevent a similar incident in the future.
  • Carya Group will not report any Data Leak to the Compliance Officer, nor will Carya Group inform the Data Subjects of any Data Leak. This is the Client’s responsibility.
  • Any costs that are incurred to solve the Data Leak and to prevent it in the future are for the account of the party that incurs the costs.

Appendix 1: Overview of Personal Data Processed

Processing purposes:

  • Supplier, developer, and maintenance of a Dealer Management System (DMS)
  • Offering support for delivered systems
  • Service Desk service
  • On-site support
  • SQL support services
  • Data Exchange monitoring (i.e. central monitoring of outgoing and incoming file exchanges)
  • Offering different services and providing support: secure internet access, with or without WIFI & VPN solutions, etc.
  • Backup internet routing services
  • Synchronisation and sharing of data

Categories of Personal Data

  • Personal identification data (name, title, telephone number, email/work-private);
  • Identification data, other than the national registry number, issued by the government (identity card number, driving licence number, number plate, chassis number);
  • Professional activity;
  • Personal characteristics (age, gender, date of birth, nationality, etc.);
  • Leisure activities (hobbies, sports, etc.);
  • Electronic identification data (IP addresses, connection points, etc.);
  • Use of computer resources (hardware and applications);

Categories of Data Subjects

  • Personal data of the Controller’s clients:
  • Personal data of Controller’s employees:

Appendix 2: Overview of security measures

Below is an overview of the security standards that the Controller imposes on the Processor:

Technical security measures

  • Up-to-date virus scanner
  • Up-to-date firewall
  • Secured USB sticks
  • Accurate protection of mobile phones and tablets
  • Unique login code and password per person
  • Require passwords that are sufficiently strong and with limited usage periods
  • Secured emails (password-protected)
  • No unprotected external hard disks
  • Secured/encoded sending of data

Organisational security measures

  • Clean desk policy
  • BYOD policy
  • Email and internet policy
  • Password policy
  • Mobile devices policy (BYOD)
  • Training course on the careful handling of personal data
  • Security training
