Rules for the processing of personal data of the EAG SE group - mobile application

Caraudit

Principles of privacy policy and personal data processing for users of EAG SE for!

Caraudit application

EAG SE, CRN: 29126169, with address Platnéřská 88/9, Praha, 110 00, Czech republic, entered

in the Commercial Register kept by the District Court of Prague, Section: H 886, processes "

personal data that will be applied by the Operator in connection with the internal application "

Caraudit, whose purpose is to perform a technical inspection of the Operator’s vehicles."

The main objective is to provide information on the method and scope of personal data proce-

ssing during the interaction between the personal data person concerned and the Operator, in

particular personal data and the Operator, in particular persons"

At the same time, the rules contain information on the rights of the personal data subjects in con-

nection with the processing of their personal data. The rules are eﬀective from 17.5.2021 and are

prepared in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the

Council. 2016/679 protection of individuals with regard to the processing of personal data and on

the free movement of such data and repealing Directive 95/46 / EC (Regulation), соотв. in accor-

dance with Act no. 18/2018 Coll., Personal Data Protection Act and on Amendments to Certain

Acts, as amended (Act)."

The rules are intended for users of the Caraudit application who are employed by the (User) Oper-

ator."

The rules ﬁrst contain general provisions, in particular of an informative nature, with regard to the

processing of personal data."

General information on the processing of personal data under these

Rules

Personal data and its meaning

Personal data is all information about an identiﬁed or identiﬁable natural person - personal data

subject, which can be identiﬁed directly or indirectly, in particular by reference to an identiﬁer,

such as his name, date or place of birth, possibly birth number, e-mail address, telephone num-

ber, residence, network identiﬁer (cookies), ID number and driving license, copies of these licens-

es, data on proﬁles on social networks, chat content, google ID, online and oﬄine data and their

combinations, data on movement on the Website, incl. cluster analysis, data on the goods pur-

chased so far and services provided by the Operator, etc. In short, it is any data that could, alone

or in combination with other data, identify a speciﬁc natural person."

Personal data processing activities

The processing of personal data is any operation or set of operations with personal data or ﬁles of

personal data which is carried out by means of automated procedures or by non-automated

means, such as acquiring, assembling, using, arranging or combining, arranging, structuring, rear-

ranging or combining, storing, adapting, reworking or modifying, searching, retrieving, viewing,

recording, using, disseminating, making available by transmission or any other making available,

restricting, deleting or destroying personal data."

Purpose, legal reason and scope of personal data processing

The controller may, in accordance with Article 6 of the Regulation, process personal data only for

certain legal reasons, on the basis of a contract or to take pre-contractual measures at the re-

quest of the data subject, by law (imposed legal obligations), interests or is necessary for the pro-

tection of the vital interests of the data subject or of another natural person, on the basis of the

legitimate interests of the Operator or a third party, or on the basis of the consent of the person

concerned."

The scope of processed data depends on the purpose, resp. legal reason for the processing."

Transfer of personal data to third parties

In some cases, the Operator, in connection with its business activities, uses the services of other

entities, which may, among other things, process personal data submitted by the Operator for the

Operator. Such entities then have the status of personal data intermediaries, have a contract with

the Operator on the protection and processing of personal data and process personal data only

on the basis of the Operator's instructions and in compliance with strict conditions of personal

data protection and security. For example, IT system administrators."

As part of the fulﬁllment of its legal obligations, the Operator then transfers personal data to pub-

lic authorities (eg courts, bodies active in criminal proceedings, administrative bodies, etc.), to the

extent necessary and within the limits of the law."

Categories of personal data processed:

A. Authentication data

1. The user logs in to the Caraudit application under his registered work email and under the

password assigned to him by the Caraudit application administrator (Operator). "

2. The Caraudit application also recognizes the User Identiﬁcation Data, which is deﬁned by the

Teas administration application, particularly name and surname."

3. Each user represents also an employee who has legal relationship with the Operator of the

mobile application Caraudit. Caraudit serves as their mandatory working tool that automates

their daily paper work. "

Processing method:

logs in thanks to his work email and set password. Caraudit application can identify user based

on his email also with name and surname. These data are saved only for evidence in case user for

example ﬁnishes the Vehicle inspection, in this case Caraudit app keep the name as a proof of

author and responsible person for the vehicle inspection. User cannot change the password with-

in the app, all is handled in the administrative system of Operator."

Processing time:

Each user has a contractual or employment relationship with the Operator. All data are processed

automatically in the electronic information system of Operator, Caraudit app only authenticates

the user, if he has a permission to access. All data is protected by standard build-in Google pro-

tection provided by the operating system of the user's device."

Provision of data to other entities:

Caraudit does not provide this information to other third parties. The Caraudit application is used

exclusively for the Operator's internal business purposes."

B. Data collection using the Caraudit application

Legal basis and purpose of processing:

The Caraudit application does not collect any personal data about users. The Caraudit application

is a speciﬁc work tool of the Operator in order to carry out professional inspections of the select-

ed vehicle."

After the end of the inspection by the given user, the Caraudit application only records the name

of the logged-in user who was the last to complete the inspection of the selected car. The pur-

pose of storing this information is to record an internal procedural record."

Categories of personal data processed:

Identiﬁcation data - name and surname."

Processing method:

This data is processed automatically in the Operator's administration system."

Processing time:

The storage of this data is not subject to the conditions of personal data protection, as the prima-

ry purpose of storing this data is a technical inspection of the vehicle, which was performed by

the user in time. All data is protected by standard build-in Google protection provided by the op-

erating system of the user's device. Photo documentation for the car is stored on the Provider's

AWS servers, according to standards."

Provision of data to other entities:

Data on who performed the technical inspection of the selected car are an internal matter, the

Provider does not share them with third parties, only in the case of legal obligations that would be

subject to legal regulations."

C. Access to the user's camera and access to galleries

Legal basis and purpose of processing:

The task of the Caraudit application is to gather data about the technical status of a selected ve-

hicle in a form of an Inspection form that has multiple technical categories that user needs to ﬁll

in. Part of this inspection is also a thorough photo documentation of the vehicle, its parts or dam-

ages that the user has found."

The user himself has the option to choose whether to take the photo documentation of the vehicle

directly using the application, or upload the photos to the Technical Inspection directly from his

device."

Categories of personal data processed:

Caraudit does not collect any personal data through access to the camera or gallery. It is uses

choice if he took photos of the vehicle before he started the inspection and now he wants only to

upload them from gallery, or he can directly take photos from the Inspection, by using photo

camera access, that we ask him with in-app disclosure permissions."

Processing method:

Uploaded photo documentation is processed automatically via the Caraudit application. All data

is protected by standard build-in Google protection provided by the operating system of the

user's device. Photo documentation for the car is stored on the Provider's AWS servers, accord-

ing to standards."

D. Use of location services in Caraudit applications

The standard location and background location data we collect allow Caraudit to enable test drive

feature even when the app is the background. Thanks to this feature you can evaluate the techni-

cal state of the vehicle as during the test drive major technical issues show - speed or accelera-

tion issues. The test drive feature is used when driving a car, therefore we must collect location

data also in background."

We evaluate the quality of GPS signal in order to evaluate the test drive results- if the connection

is weak the results will not be precise. Other location data we collect: length of test drive, maxi-

mum speed, approximate speed, mileage in km, and starting and ﬁnishing time. Location data are

collected only during the use of Test drive feature."

Location data are saved only as a result of performed vehicle test drive."

Legal basis and purpose of processing:

The Caraudit mobile application uses location services only in the active mode of the Test drive

function, which has the task of providing the user with accurate data about his test drive on the

selected car. The test drive is one of the parameters of the entire inspection of the car by the Ca-

raudit mobile application, which provides relevant data on the condition and damage of the se-

lected car."

b) Categories of personal data processed:

Caraudit uses GPS data location and background location data, as we evaluate the quality

of the GPS signal because it aﬀects the end result of the test drive. If the GPS connection is

weak the Caraudit app will notify user that the results will be inaccurate. And he has the

opption to start the test drive again.

We also collect the following data during Test drive:

- Driving start time"

- End time of the ride"

- Driving time: duration"

- Mileage"

- Maximum speed"

- Average speed"

- Based on the accuracy of positioning, we evaluate the quality of the GPS signal"

Processing method:

The data from the test drive are processed automatically and are stored on our own AWS servers,

and are used for internal purposes of evaluating the technical condition of the car. As usually only

during the test drive our users can see the real condition of the vehicle - and they can make evi-

dence of the security issues the vehicle might have."