Privacy Policy DRIV&PAY

Supplementary information on the processing of personal data pursuant to Articles 13 and 14 of Regulation (EU) 2016/679

DRIV&PAY

This Privacy Policy is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”) by Italiana Petroli S.p.A. (“IP”) and ESE S.r.l. (“ESE”), as joint controllers pursuant to Article 26 GDPR, and describes the methods and purposes of the processing of personal data of data subjects in the context of the use of the “DRIV&PAY” in-app payment service (hereinafter, “DRIV&PAY” or the “Service”). The Service is available within the “DRIV&” App, reserved for members of the “DRIV&” loyalty program (hereinafter also referred to as the “Program”), and allows you to pay for supplies using payment cards configured in the App and, on enabled devices, also via Apple Pay.

This information, provided with reference to the specific DRIV&PAY service available on the Driveloyalty.it website, must be considered supplementary to the general privacy policy of the DRIV& App, available on the Driveloyalty.it website, to which reference is made for the consultation of further information required by Articles 13 and 14 of the GDPR that are not expressly reported in this document.

1. JOINT CONTROLLERS AND DATA PROTECTION OFFICER

The joint controllers of your personal data processed within the Service are:

  • Italiana Petroli S.p.A. with registered office in Rome (RM), Via Salaria no. 1322, postcode 00138
  • ESE S.r.l. with registered office in Rome (RM), Via Salaria 1322, Postcode 00138

as co-promoters within the Program.

In the remainder of this Privacy Policy, IP and ESE are also individually defined as “Joint Controller” and jointly “Joint Controllers”, having jointly determined the purposes and means of processing through the conclusion of a specific agreement pursuant to Article 26 of the GDPR.

As part of this agreement, IP has been designated as the point of contact for all your requests relating to the processing of your personal data and the exercise of your rights deriving from the GDPR; it remains understood that you can exercise your privacy rights pursuant to Article 15 and following of the GDPR in respect of each of the Joint Controllers. The essential content of the agreement is made available to you upon your specific request.

We also inform you that the Joint Controllers have appointed a Data Protection Officer (hereinafter the “Data Protection Officer” or “DPO”) who can be contacted at the following addresses:

  • e-mail, at: dpoitalianapetroli@pec.gruppoapi.com;
  • ordinary mail, to the address of both Joint Controllers, with registered office in Rome (RM), Via Salaria no. 1322, Post Code 00138, for the attention of the Data Protection Officer.

2. PERSONAL DATA SUBJECT TO PROCESSING AND SOURCE FROM WHICH THEY ORIGINATE

The Joint Controllers collect the following categories of personal data concerning you (the term “Personal Data” shall mean all the categories listed below, considered jointly):

  • personal/identification data (such as: name, surname and tax code);
  • contact details (telephone number and e-mail address);
  • login credentials to the App and the Service (e-mail/username and password);
  • payment data, as the Service allows you to make payments using one or more payment cards configured in the App or via Apple Pay (for enabled devices). When configuring the card, the user enters the data necessary to verify eligibility for online payments (name and surname, expiry date, CVV2/verification code). The data of the cards configured in the App and the operations carried out are managed through the mobile gateway service provided by N&TS Group S.p.A., according to high standards of security and protection. In particular: (i) the e-mail address may be sent to N&TS for the management of card tokenisation and payments on the payment tool; (ii) only an encrypted PAN code and the indication of the card circuit are saved on the App systems, for the sole purpose of allowing the cards to be displayed in the user’s wallet;
  • data relating to transactions carried out through DRIV&PAY, such as: selected fuel pump, selected amount, payment method used, pre-authorisation result, amount actually charged, date/time of the transaction, point of sale/fuel pump and transaction history. In this regard, pursuant to Article 14 of the GDPR, we inform you that, following your choice to use one of the available payment methods, the card issuer and/or Apple (if you use Apple Pay), as independent data controllers, process the data necessary for the execution of the operation and make available to the Joint Controllers the information necessary for the management of the Service (such as the outcome of the operation and the references of the transaction);
  • data relating to the detection of the position/geolocation of the device (if enabled on the iOS or Android device), processed to allow the identification of the point of sale and the display and selection of the enabled fuel pump (the list of fuel pumps is visible only if the position of the user’s device is recognised as present at an enabled point of sale);
  • data relating to electronic invoicing, where required, such as: company name, VAT number, SDI code, any PEC, complete address and vehicle registration number(s).

If the user chooses to enable access or confirmation via Face ID/Touch ID (or similar features), it is specified that no processing or saving of biometric data is carried out by the Joint Controllers: the biometric verification is carried out exclusively by the device’s operating system and the App is only notified of the authentication result (e.g. successful/unsuccessful authentication), which is necessary to allow access to the Service and/or confirmation of the operation.

With reference to the source from which the aforementioned Personal Data originates, please note that it is collected directly from you as part of the enabling and use of the DRIV&PAY Service through the App. Data relating to payment transactions (e.g. pre-authorisation and debit outcome) are also generated during the use of the Service and are processed as part of the payment chain. In particular, the pre-authorisation of the amount is managed by the acquirer, Nexi Payments S.p.A., and the results of the transactions also depend on the checks carried out by the card issuer and/or, in the case of use of Apple Pay, by the parties involved in the relevant payment process, as independent data controllers, who make available to the Joint Controllers only the data necessary for the management of the Service, such as the status/outcome of the transaction (e.g. authorised/unauthorised) and the transaction references.

3. PURPOSE AND LEGAL BASIS FOR THE PROCESSING OF YOUR PERSONAL DATA

Your Personal Data, as indicated above, is processed by the Joint Controllers for one or more of the following purposes, on the legal basis indicated for each:

a) Enabling, using and managing the DRIV&PAY Service via the App, including access management, also through device authentication mechanisms (such as Face ID/Touch ID); configuration and management of payment methods; execution of payment for fuel purchases; management of transaction history and sending of the summary by e-mail, where required; possible activation and management of electronic invoicing at the user’s request; management of service and assistance communications; prevention of improper use and guarantee of security related to the Service. For such processing, the legal basis is the need to perform the contract to which you are a party and/or to perform pre-contractual measures taken at your request, pursuant to Article 6, paragraph 1, letter b) of the GDPR.

b) Detection of the location/geolocation data of the device (if enabled on the device) for the use of the DRIV&PAY Service, aimed at allowing the automatic recognition of the stations/points of sale enabled for the Service and the display and selection of the fuel pump usable for payment in the App. The list of fuel pumps is in fact made available only if the user’s position is recognised as being present at an enabled point of sale. It should be noted that position detection is activated and used only when the user activates the DRIV&PAY function (e.g. during the point of sale recognition and fuel pump selection phase) and is not used continuously and systematically outside this phase. The processing of location/geolocation data is based on your free and specific consent, pursuant to Article 6, paragraph 1, letter a) and Article 7 of the GDPR, taking into account the provisions of Article 126 of Legislative Decree No. 196/2003 (“Privacy Code”) and Article 9 of Directive 2002/58/EC (“e-Privacy Directive”). The provision of location data is optional; however, in the absence of consent and/or activation of the device’s geolocation function, the Joint Controllers may not be able to provide all the DRIV&PAY functions that require automatic recognition of the enabled stations and selection of the fuel pump. In any case, it is possible at any time to deactivate the collection of location data by the App by changing the device settings relating to geolocation services.

Once provided, your Personal Data may also be processed for the following additional purposes:

c) to fulfil obligations established by laws, regulations or European legislation, as well as to comply with the provisions or requests of competent authorities, supervisory and control bodies or other legitimate entities, with which the Joint Controllers are required to comply. In such cases, the processing is necessary to fulfil a legal obligation to which the Joint Controllers are subject, pursuant to Article 6, paragraph 1, letter c) of the GDPR;

d) to meet the legal defence purposes of the Joint Controllers, both in court and in the out-of-court or pre-litigation phase (e.g. management of complaints, disputes or controversies arising in relation to the use of the Service). In such cases, the processing is carried out for the pursuit of the legitimate interest of the Joint Controllers in the protection of their rights and interests, pursuant to Article 6, paragraph 1, letter f) of the GDPR.

4. HOW LONG WE KEEP YOUR PERSONAL DATA


The Joint Controllers will keep your Personal Data for a period of time not exceeding that necessary to achieve the purposes for which they are collected and processed, in compliance with the principles of minimisation and limitation of storage referred to in Article 5, paragraph 1, letters c) and e) of the GDPR. In particular, the Personal Data processed for the purposes referred to in paragraph 3, letter a), will be kept for the time strictly necessary for the execution of the contract and the management of the Service, as well as for the period necessary for the fulfilment of any related administrative, accounting and tax obligations and, in any case, for the retention periods provided for by the applicable legislation. Personal Data relating to location/geolocation, processed for the purposes referred to in paragraph 3, letter b), will be processed exclusively for the time strictly necessary to allow the identification of the point of sale and the display/selection of the enabled providers at the time you use the Service and will not be stored for further periods. Personal Data processed for the purposes referred to in paragraph 3, letter c), will be kept for the period of time provided for by the specific obligation or by the applicable law. It is understood that the Joint Controllers may retain Personal Data for the time necessary to ascertain, exercise or defend their rights, in court or out of court and in the stages preceding any litigation, in accordance with the applicable limitation periods. After the retention period, the Personal Data will be deleted or made anonymous in a permanent and non-reversible manner, unless their further retention is necessary for legal obligations or for the protection of the rights of the Joint Controllers. For more information, you can contact the Joint Controllers and/or the DPO at the addresses indicated in paragraph 12 of this information notice.

5. WHO WE MAY SHARE YOUR PERSONAL DATA WITH

In addition to what is already stated in the general privacy policy of the DRIV& Program, for the processing referred to in the DRIV&PAY Service, your Personal Data may also be shared with the parties indicated below (also referred to as “Recipients”):

  • persons authorised by the Joint Controllers to process personal data pursuant to Articles 29 of the GDPR and 2-quaterdecies of the Privacy Code (e.g. the internal staff of the Joint Controllers responsible for managing information systems, administrative and accounting management, invoicing, security of the Service, etc.);
  • entities acting as Data Processors pursuant to Article 28 of the GDPR, appointed by the Joint Controllers to carry out activities related to the provision of the Service (by way of example: IT and technical assistance providers; providers involved in the management of electronic invoicing; as well as the mobile gateway service provider N&TS Group S.p.A. for the technical management of card data and transactions carried out through the Service);
  • entities that operate as independent data controllers within the payment chain, within the limits of what is necessary to carry out the operations requested through the use of the Service (by way of example: Nexi Payments S.p.A., acquirer, for the management of payment transactions, including pre-authorisations and debits; banks/issuing institutions and payment circuits; Apple in case of use of the Apple Pay payment method, etc.);
  • entities or authorities to which it is mandatory to disclose your Personal Data pursuant to legal provisions provided for by European Union law or by that of the Member State to which the Joint Controllers are subject, or following a request validly made by them.

The complete list of Recipients is available, upon your request, at the headquarters of the Joint Controllers and at the addresses indicated in paragraph 8 of this Privacy Policy, from which the updated list of Data Processors may also be requested.

6. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

For all information relating to transfers of Personal Data to third countries (outside the EEA) and/or international organisations, please refer to the relevant paragraph of the general privacy policy of the DRIV& Program, available on the Driveloyalty.it website. In any case, you may contact the Joint Controllers at any time, using the contact details indicated in paragraph 8 of this Privacy Policy, to find out the subjects to whom the Personal Data may be communicated and to receive a copy of the guarantees adopted for any transfer (e.g. adequacy decisions of the European Commission and/or standard contractual clauses), where applicable.

7. YOUR RIGHTS REGARDING DATA PROTECTION AND YOUR RIGHT TO LODGE COMPLAINTS WITH THE SUPERVISORY AUTHORITY

For all information relating to the rights of the data subject pursuant to Articles 15 et seq. of the GDPR (including, by way of example, access, rectification, erasure, restriction, portability, objection) as well as the right to lodge a complaint with the competent supervisory authority, please refer to the relevant paragraph of the general privacy policy of the DRIV& Program, available on the Driveloyalty.it website.

8. CONTACTS OF THE JOINT CONTROLLERS AND THE RELEVANT DATA PROTECTION OFFICER

You may at any time contact the Joint Controllers at the following e-mail address, identified as the single point of contact for the exercise of your rights: privacy@italianapetroli.it, or at the following e-mail addresses:

In this regard, the Joint Controllers inform you that you may in any case exercise your rights towards and/or against each Joint Controller, by contacting the certified e-mail addresses indicated above or by sending your request/report through the dedicated form, in the “Write us” section of the following website: Privacy – Write us – Contacts and assistance Gruppo api.