AUTOLEASE FLEET MANAGEMENT LIMITED PRIVACY AND COOKIES POLICY
Last revised: 04 August 2021 (AFM)
Autolease Fleet Management Limited trading as NiftiBusiness (“Autolease” ,“us”, “we”, or “our”) operates the www.niftibusiness.ie website (the “Service”).
We will handle your Personal Data in accordance with Data Protection Legislation. “Data Protection Legislation” means the Irish Data Protection Acts 1988 to 2018, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and any other applicable law or regulation relating to the processing of Personal Data and to privacy, including the E-Privacy Directive 2002/58/EC and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, as such legislation shall be supplemented, amended, revised or replaced from time to time.
INFORMATION COLLECTION AND USE
We collect several different types of information for various purposes to provide and improve our Service to you. We will only collect and use your information where we are legally entitled to do so.
We may add your personal data to our Client Relationship Management database (the “CRM Database”) which we use to develop our relationships with current and prospective contacts in order to manage and develop our business.
We do not sell your personal data or provide it to third parties for direct marketing use.
TYPES OF DATA COLLECTED
While using our Service, we may ask you to provide us with certain Personal Data. Personal Data may include, but is not limited to:
- Email addresses;
- Telephone numbers including mobile phone numbers
- Home addresses
- First and last names;
- Cookies and Usage Data; and
- Portal User Data.
We may also collect information how the Service is accessed and used (“Usage Data”). This Usage Data may include information such as your computer’s Internet Protocol address, browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
TRACKING & COOKIES DATA
Cookies are files with small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Tracking technologies also used are beacons, tags, and scripts to collect and track information and to improve and analyse our Service.
The ‘Help Menu’ on the menu bar of most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie and how to disable cookies altogether. You can also disable or delete similar data used by browser add-ons, such as flash cookies, by changing the add-ons settings or visiting the website of its manufacturer.
For more information about cookies and managing them including how to turn them off, please visit www.cookiecentral.com. You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies), you may not be able to fully experience the interactive features of our website or other related websites/applications which you visit/use.
We do not use any non-essential cookies without your explicit consent. You can withdraw your consent to cookies and/or manage your consent preferences at any time by clicking here Cookie Settings.
Examples of Cookies we use:
Session Cookies. We use Session Cookies to operate our Service.
Preference Cookies. We use Preference Cookies to remember your preferences and various settings.
Security Cookies. We use Security Cookies for security purposes.
You can find a list of cookies we use and the purposes for which we use them in the table below.
|[.Nop.Antiforgery]||[Anti-forgery cookies. Ensure that data requests originate from the current domain]||[End of session]|
You should also be aware that there are cookies which are found in other companies’ internet tools which we may use to enhance the Service. You may see ‘social buttons’ during your use of the website, including but not limited to Twitter, Facebook, LinkedIn and Instagram which enable you to share or bookmark certain web pages. These websites and social platforms have their own cookies and privacy practices, which are controlled by them.
portal user data
Where you are a user of our Online Portal (a “Portal User”) we may collect certain categories of Personal Data (“Portal User Data”) on behalf of your employer (or the organisation who is providing you with insurance cover in accordance with their internal insurance policy based on information you provide to the Portal, as the case may be) (the “Portal Data Controller”).
Portal User Data relating to you may include the following categories of Personal Data:
- Full name;
- Phone Number;
- Branch / Cost centres;
- Driving licence information, including:
- Type of driving licence (i.e. full / provisional licence);
- Driving licence number;
- Number of years for which your driving licence has been held;
- Country of issue of driving licence;
- Previous accident records;
- Record of refusal of insurance;
- Medical conditions, which may affect your driving ability;
- Eye test results; and
- Photocopies of your driving licence.
The Portal Data Controller is a controller (as defined in Data Protection Legislation) in respect of your Portal User Data. As a Processor, we will only Process Portal User Data relating to you in accordance with the instructions of the Portal Data Controller who is the controller of your Portal User Data.
how we USE your DATA
NiftiBusiness uses the collected data for various purposes.
We have set out below, in a table format, a description of all the ways we plan to use your Personal Data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate.
Note that we may process your Personal Data for more than one legal basis depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal basis we are relying on to process your Personal Data where more than one ground has been set out in the table below.
|Purpose||Categories of data||Legal basis for processing and, where necessary, the basis of legitimate interest|
|To provide and maintain the Service To allow you to participate in interactive features of our Service when you choose to do so To provide customer care and support||Email addresses; First and last names;||Necessary for our legitimate interest to provide the website and Service to you.|
|To provide analysis or valuable information so that we can improve the Service To monitor the usage of the Service To detect, prevent and address technical issues||Cookies and Usage Data.||Necessary for our legitimate interests (for running the Service, running our business, provision of administration and IT services and network security)|
|Portal User Data as described above||Necessary for our legitimate interest to provide the Service to you.|
TRANSFER OF DATA
Your information, including Personal Data, may be transferred to, stored at, or accessed from a destination outside the European Economic Area (“EEA”) for the purposes of us providing the Service. It may also be processed by staff operating outside the EEA who work for us, another corporate entity within our group, or any of our suppliers.
We are part of a larger company group and for administrative efficiencies, your information may be stored within one CRM or central IT system which is owned operated or shared by our Affiliates. Where we share your personal data for intra-group administration, we first enter into appropriate agreements to regulate the data sharing or data processing among the relevant Affiliates. We have a data sharing agreement in place with our Affiliate, Autolease Personal Leasing Limited, trading as Nifti, for the purposes of our shared CRM Database. “Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with us; “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
If you are located outside Ireland and choose to provide information to us, please note that we transfer the data, including Personal Data, to Ireland and process it there.
Where any Portal Data Controller is located outside of the EEA, that Portal Data Controller is responsible for ensuring that the transfer of Portal User data is lawful under Data Protection Legislation. This may include obtaining your explicit consent in respect of any such transfer.
DISCLOSURE OF DATA
NiftiBusiness may disclose your Personal Data in the good faith belief that such action is necessary to:
- To comply with a legal obligation
- To protect and defend the rights or property of NiftiBusiness
- To prevent or investigate possible wrongdoing in connection with the Service
- To protect the personal safety of users of the Service or the public
- To protect against legal liability
SECURITY OF DATA
We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
The security of your data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
As a data subject, you have the following rights under Data Protection Legislation and we, as controller in respect of Your Data, will comply with such rights in respect of Your Data:
- the right of access to Personal Data relating to you;
- the right to correct any mistakes in your Personal Data;
- the right to ask us to stop contacting you with direct marketing;
- rights in relation to automated decision taking;
- the right to restrict or prevent your Personal Data being processed;
- the right to have your Personal Data ported to another data controller;
- the right to erasure; and
- the right to complain to the Data Protection Commission (“DPC”) if you believe we have not handled your Personal Data in accordance with Data Protection Legislation.
These rights are explained in more detail below, but if you have any comments, concerns or complaints about our use of your Personal Data, please contact us (see ‘Contact Us’ below). We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex or cumbersome, in which case we will respond within three months (we will inform you within the first month if it will take longer than one month for us to respond). Where a response is required from us within a particular time period pursuant to Data Protection Legislation, we will respond within that time period.
You may ask to see what Personal Data we hold about you and be provided with:
- a summary of such Personal Data and the categories of Personal Data held;
- details of the purpose for which it is being or is to be processed (see above);
- details of the recipients or classes of recipients to whom it is or may be disclosed, including if they are overseas and what protections are used for those oversea transfers (see below);
- details of the period for which it is held or the criteria we use to determine how long it is held (see “Retention of Personal Data” below);
- details of your rights, including the rights to rectification, erasure, restriction or objection to the processing (set out in this section);
- any information available about the source of that data;
- whether or not we carry out automated decision-making, or profiling, and where we do, information about the logic involved and the envisaged outcome or consequences of that decision making or profiling; and
- where your Personal Data are transferred out of the EEA, what safeguards are in place.
Requests for your Personal Data must be made to us (see ‘Contact Us’ below) specifying what Personal Data you need access to, and a copy of such request may be kept by us for our legitimate purposes in managing the Service. To help us find the information easily, please give us as much information as possible about the type of information you would like to see. If, to comply with your request, we would have to disclose information relating to or identifying another person, we may need to obtain the consent of that person, if possible. If we cannot obtain consent, we may need to withhold that information or edit the data to remove the identity of that person, if possible.
There are certain types of data which we are not obliged to disclose to you, which include Personal Data which records our intentions in relation to any negotiations with you where disclosure would be likely to prejudice those negotiations. We are also entitled to refuse a data access request from you where (i) such request is manifestly unfounded or excessive, in particular because of its repetitive character (in this case, if we decide to provide you with the Personal Data requested, we may charge you a reasonable fee to account for administrative costs of doing so), or (ii) we are entitled to do so pursuant to Data Protection Legislation.
You can require us to correct any mistakes in your Personal Data which we hold free of charge. If you would like to do this, please:
- email or write to us (see ‘How can you contact us’ below);
- let us have enough information to identify you (e.g. name, registration details); and
- let us know the information that is incorrect and what it should be replaced with.
If we are required to update your Personal Data, we will inform recipients to whom that Personal Data have been disclosed (if any), unless this proves impossible or has a disproportionate effort.
It is your responsibility that all of the Personal Data provided to us is accurate and complete. If any information you have given us changes, please let us know as soon as possible (see ‘Contact Us’ below).
Right to ask us to stop contacting you with direct marketing
We have a legitimate interest to send you electronic communications in connection with the Service and related matters (which may include but shall not be limited to newsletters, announcement of new features etc. and which may also appear on social media platforms such as Facebook, LinkedIn, Twitter or Instagram.). We may also ask you for your consent to send you direct marketing from time to time. You may be able to select your preferences with respect to direct marketing when registering Your Account. We may also ask you different questions for different services, including competitions. We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
You can ask us to stop contacting you for direct marketing purposes. If you would like to do this, please:
- Click on ‘unsubscribe’ on an email (this will be instantaneous);
- Send an email via ‘Contact Us’ below (this can take up to 5 working days).
We will provide you with information on action taken on a request to stop direct marketing – this may be in the form of a response email confirming that you have ‘unsubscribed’. Unsubscribing from direct marketing does not unsubscribe you from essential electronic communications in respect of the administration of Your Account.
Rights in relation to automated decision taking
You may ask us to ensure that, if we are evaluating you, we do not base any decisions solely on an automated process and have any decision reviewed by a member of staff. Profiling may occur in relation to your Personal Data for the purposes of targeted advertising and de-targeting you from specified advertising. This allows us to tailor our advertising to the appropriate customers and helps to minimise the risk of you receiving unwanted advertising. These rights will not apply in all circumstances, for example where the decision is (i) authorised or required by law, (ii) necessary for the performance of a contract between you and us, or (ii) is based on your explicit consent. In all cases, we will endeavour that steps have been taken to safeguard your interests.
Right to restrict or prevent processing of Personal Data
In accordance with Data Protection Legislation, you may request that we stop processing your Personal Data temporarily if:
- you do not think that your Personal Data is accurate (but we may start processing again once we have checked and confirmed that it is accurate);
- the processing is unlawful but you do not want us to erase your Personal Data;
- we no longer need the Personal Data for our processing; or
- you have objected to processing because you believe that your interests should override the basis upon which we process your Personal Data.
If you exercise your right to restrict us from processing your Personal Data, we will continue to process the Personal Data if:
- you consent to such processing;
- the processing is necessary for the exercise or defence of legal claims;
- the processing is necessary for the protection of the rights of other individuals or legal persons; or
- the processing is necessary for public interest reasons.
Right to data portability
In accordance with Data Protection Legislation, you may ask for an electronic copy of your Personal Data that you have provided to us and which we hold electronically, or for us to provide this directly to another party. This right only applies to Personal Data that you have provided to us – it does not extend to data generated by us. In addition, the right to data portability also only applies where:
- the processing is based on your consent or for the performance of a contract; and
- the processing is carried out by automated means.
Right to erasure
In accordance with Data Protection Legislation, you can ask us (please see ‘Contact Us’ below) to erase your Personal Data where:
- if you had given us consent to process your Personal Data, you withdraw that consent and we cannot otherwise legally process your Personal Data;
- you object to our processing and we do not have any legal basis for continuing to process your Personal Data;
- your Personal Data has been processed unlawfully or have not been erased when it should have been; or
- the Personal Data has to be erased to comply with law.
We may continue to process your Personal Data in certain circumstances in accordance with Data Protection Legislation (i.e. where we have a legal justification to continue to hold such Personal Data, such as it being within our legitimate business interest to do so (e.g. retaining evidence of billing information etc.). Where you have requested the erasure of your Personal Data, we will inform recipients to whom that Personal Data have been disclosed, unless this proves impossible or involves disproportionate effort. We will also inform you about those recipients if you request it.
Right to complain to the DPC
Withdrawal of Consent
We may employ third party companies and individuals to facilitate our Service (“Service Providers”), to provide the Service on our behalf, to perform Service-related services or to assist us in analysing how our Service is used.
These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
We may use third-party Service Providers to monitor and analyse the use of our Service.
LINKS TO OTHER SITES
We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
We will notify serious data breaches in respect of your Personal Data to the DPC without undue delay, and where feasible, not later than 72 hours after having become aware of same. If notification is not made after 72 hours, we will record a reasoned justification for the delay. It is not necessary to notify the DPC where the Personal Data breach is unlikely to result in a risk to the rights and freedoms of natural persons. A Personal Data breach in this context means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
We will keep a record of any data breaches, including their effects and the remedial action taken, and will notify you of any data breach affecting your Personal Data (which poses a high risk to you) when we are required to do so under Data Protection Legislation. We will not be required to notify you of a data breach where:
- we have implemented appropriate technical and organisational measures that render the Personal Data unintelligible to anyone not authorised to access it, such as encryption; or
- we have taken subsequent measures which ensure that the high risk to data subjects is not likely to materialise; or
- it would involve disproportionate effort, in which case we may make a public communication instead.
Where we act as a Processor we will notify the Data Controller of any data breaches without undue delay.
retention of personal data
Your Personal Data will be kept and stored for such period of time as we deem necessary taking into account the purpose for which it was collected in the first instance. This may include retaining your Personal Data as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our website.
Where we retain information for Service improvement and development, we take steps to eliminate information that directly identifies you, and we only use the information to uncover collective insights about the use of our Service, not to specifically analyse personal characteristics about you.
Our Service does not address anyone under the age of 18 (“Children”).
We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your Children has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from Children without verification of parental consent, we take steps to remove that information from our servers.
- By email: info@NiftiBusiness.ie