1 - Introduction
In connection with the provisioning of services to its customers, Wenn ASA (“Wenn“) may process personal data, i.e. images of persons sitting in the vehicle (“End-Customers“), on behalf of its customers (“Customer(s)“). The purpose of this document is to inform Wenn’s Customers of applicable data protection requirements set forth in the General Data Protection Regulation (the “GDPR“) and the measures implemented by Wenn to protect the personal data Wenn processes on behalf of its Customers.
2 - Roles and responsibilities
Wenn processes personal data on behalf of its Customers, as a processor (cf. GDPR Article 4 (8)). Wenn’s Customers are controllers (cf. GDPR Article 4 (7)).
- The controllers shoulder the highest level of compliance responsibility pursuant to the GDPR. In general, the controller is also responsible for the compliance of its data processor(s) (cf. GDPR Article 28 (1)).
- Wenn enters into data processing agreements (“DPAs“) with its Customers pursuant to Article 28 of the GDPR. In accordance with the DPAs, Wenn has implemented adequate technical and organizational measures to ensure a sufficient level of protection for the personal data processed on behalf of the Customers.
3 - Wenn’s Processing of personal data
Based on our assessment, the risk related to Wenn’s processing of personal data, i.e. images of persons sitting in the vehicle, is limited. Our assessment is based on the following:
- The purpose of the processing (i.e. to control the external condition of the rental car to detect potential damages) is a benefit for both the Customers and for the End-Customers.
- The Customers have an existing relationship with the End-Customers, and the End-Customers expect the Customers to process its personal data. For instance, the End-Customers are informed about Wenn’s potential processing of images of persons sitting in the vehicle.
- Wenn’s processing of images of persons sitting in the vehicle does not cause the data subjects to lose control over their personal data. The images are only available to authorized personnel at the Customer and to authorized personnel at Wenn that are appointed by the Customer.
- Wenn has established retention routines based on the storage limitation principle set forth in the GDPR (cf. Article 5 (1) e). Furthermore, if so requested by the Customer, Wenn will establish separate deletion routines, and delete the images pursuant to the Customer’s instructions (unless further retention is required by law).
- As stated in section 2 above, Wenn has implemented several security measures to ensure a sufficient level of protection for the personal data processed on behalf of its Customers.
Please further note that, Wenn may implement (at additional cost) face blurring as an additional security measure for Customers who wish to achieve the purpose by processing less personal data.
Changes to This Data Protection
We may update our Data Protection from time to time. Thus, you are advised to review this page periodically for any changes. We will notify you of any changes by posting the new Data Protection on this page.
These terms and conditions are effective as of 2023-01-01
If you have any questions about our Data Protection,
do not hesitate to contact us at firstname.lastname@example.org