GTM debug

EUROWAG GROUP PRIVACY NOTICE

This Group Privacy Notice provides an overview about how we process personal data at EUROWAG within its companies that are listed here (also referred to as “EW” or "we”) and is designed to ensure compliance with our informational obligations pursuant to Articles 13 and 14 of the EU General Data Protection Regulation ("GDPR") as well as other local data protection legislations.

We have appointed the Group Data Protection Officer (the “Group DPO” or “DPO”) to handle any data subject or GDPR-related requests.

Contact details of our DPO are as follows:

  • address for correspondence: W. A. ​​G. payment solutions, Inc. - Compliance department, Na Vítězné pláni 1719/4, 140 00 Prague 4, Czech Republic

This document serves as the highest and most general privacy notice of EUROWAG. We have also adopted more Specific privacy notices that supplement and precise this Group privacy notice, such as employee privacy notices, mobile app privacy notices or CCTV privacy notices at our premises. Supplementary privacy notices should be read in conjunction with this Group Privacy Notice as they apply together.

What will you learn about the personal data from this document?

Why we process personal data?

Generally, we need to process personal data in order to: 

  • conduct our business and provide our services and products;
  • efficiently manage our human resources;
  • meet our legal and contractual obligations; and
  • pursue our own legitimate interests. 
For what purposes, on what basis and how long we process your personal data?  

At EUROWAG we process your personal data for the following purposes of processing and based on the following legal grounds. When doing so, EW entities act as joint controllers within the meaning of Article 26 GDPR.[1]
In the table below is also a general information of how long we store and process your personal data. These are general retention periods that may be shortened if the data is no longer necessary for the purposes or prolonged, if it is required by law or our legitimate interests. 

More detailed description of the purposes and legitimate interest we pursue can be found here.

[1] The essence of our joint controller arrangement at EUROWAG is follows: (i) the GDPR and ePrivacy related compliance agenda is subject to the oversight and advice of the Group DPO who handles all data subject requests with the help of local personnel; (ii) all purposes in this Group Privacy Notice are joint purposes of all EW entities meaning that all entities are entitled to process the same personal data jointly, but based on a strict „necessary“ principle; (iii) the necessary principle allows sharing of any personal data processing for the purposes designated herein between any EW entities provided it is necessary; (iv) each EW entity may process its own personal data for its own purposes that not joint purposes, but must inform Group DPO and data subjects about such processing in line with Article 13 and 14 of the GDPR.

Below you can find the overview:

Purpose of processing
Legal ground
General retention periods
1. Provision of toll services
Contract performance/
legitimate interest
During providing of toll services or until  an objection to the processing of personal data is settled if the rights and  freedoms of the data subject prevail in a specific case.
2. Provision of telematic services
Contract performance/
legitimate interest
During providing of telematic services or until  an objection to the processing of personal data is settled if the rights and  freedoms of the data subject prevail in a specific case.
3. Provision of fuelling services
Contract performance/
legitimate interest
During providing of the fuelling services for the customer in relation to fuel card or until an objection to the processing of personal data is settled if the rights and freedoms of the data subject prevail in a specific case.
4. Provision of financial services
Contract performance/
legitimate interest
During providing of financial services or until  an objection to the processing of personal data is settled if the rights and  freedoms of the data subject prevail in a specific case.
5. Provision of tax services
Contract performance/
legitimate interest
During providing of tax services or until  an objection to the processing of personal data is settled if the rights and  freedoms of the data subject prevail in a specific case.
6. Provision of additional services
Contract performance/
legitimate interest
During providing of additional services or until an objection to the processing of personal data is settled if the rights and freedoms of the data subject prevail in a specific case.
7. Support and customer care
Contract performance/
legitimate interest
During providing of services based on valid contract or until an objection to the processing of personal data is settled if the rights and freedoms of the data subject prevail in a specific case.
8. Management of contractual relations
Contract performance/
legitimate interest
During providing of additional services or until an objection to the processing of personal data is settled if the rights and freedoms of the data subject prevail in a specific case.
9. Administrative purposes
Legitimate interest
During administrative processing activities related to processed personal data related with achievement of the necessity for sharing data due to the business and administrative needs of EUROWAG, or until an objection to the processing of personal data is settled, if the rights and freedoms of the data subject prevail in a specific case.
10. Credit risk assessment
Legitimate interest
During the credit score check procedures and approval or dis-approval of requested product to the customer, or until an objection to the processing of personal data is settled, if the rights and freedoms of the data subject prevail in a specific case.
11. Pricing and B2B relationship management
Contract performance/
legitimate interest
During performance of the service support related to issue or until conclusion of new prize offer, respectively until  an objection to the processing of personal data is settled, if the rights and freedoms of the data subject prevail in a specific case.
12. Creating a network of partner suppliers
Contract performance/
legitimate interest
During providing of services based on valid contract or until an objection to the processing of personal data is settled if the rights and freedoms of the data subject prevail in a specific case.
13. Fulfilment of legal obligations
Legal obligation
In general, for a maximum period that results from the relevant local legal provision that imposes the obligation to process personal data on this legal basis.
14. Defending, claiming and proving legal
Contract performance/
legitimate interest
During applying the relevant legal relationship and until the legal claim expires, the right is properly exercised, and the legal claim is satisfied, or the legal matter is substantively terminated, and available remedies are exhausted.
15. Security of personal data and IT systems
Contract performance/
legitimate interest
In general, no longer than 1 year.
16. Property protection and security
Legitimate interest
As to CCTV records within the period of refuelling truck keeping behalf the customer (controller) pursuant instructions of the controller or within retention period stipulated in Data Processing Agreement, usually 25 days or 183 days in case of customer’s request. As to Physical access control data we retain at most 12 months from collecting.
17. Direct marketing and PR purposes
Consent/
legitimate interest
Generally during validity of consent if consent is the legal basis for processing or until receiving an objection to direct marketing or withdrawing consent to the processing of personal data.
18. Statistics purposes
Consent/contract performance/legal obligation/legitimate interest
During the course/existence of other processing purposes, while minimising their retention until the necessary statistical output is generated; this is without prejudice to the possibility of retaining personal data used for the original processing purposes.
Which legitimate interests we pursue?

The list of legitimate interests pursued by Eurowag is as follows: 

  • processing of payment documentation; 
  • processing of technical data and invoicing,
  • onboarding process;
  • prevention of frauds;
  • monitoring of drivers behaviour;
  • manual and phone authorization of customers;
  • reporting for customers (finance reporting a business analyses);
  • early Money Collection (refund of VAT on behalf of the customer);
  • fuel tax refunds and mediation of trade; 
  • provision of education, promotion and training for users;
  • solving of customers issues; 
  • communication between the contracting parties; 
  • records of internal and external powers of attorney; 
  • records of supplier-customer contractual relationships between the controller and its customers, partners and suppliers; 
  • other legal agenda;
  • assessment of credit risk (screening) of customers, including credit scoring model and payment behaviour reporting;
  • preparation of B2B pricing policy and discounts for customers
  • monitoring and evaluation of suspicious events based on log analysis through specific software applications
  • penetration testing and performance of security audits with the possibility of access to protected data;
  • monitoring of users network and systems;
  • CCTV systems;
  • physical access control;
  • customising and sending marketing electronic newsletters (e-mail, SMS) to existing customers;
  • realisation of tele-marketing activities including campaigns for current customers and voice records;
  • targeting and personalisation of advertising content;
  • collection and analysis of customer feedback. 

Where the law requires us to use consent instead of legitimate interest in any of the above cases, we rely on consent. 

Detailed description of legitimate interests we pursue and their relevance to the purposes of processing can be found here.

What categories of personal data we process and from where we collect them?

Generally, we collect your personal data directly from you. In this case provision of personal data is voluntary. You can provide your personal data to us by different means and ways. 

However, we may also obtain your personal information from other sources (e.g. our processors, other third parties or public registers). You can find more information in the table below.

Source of personal data
Categories of personal data obtained from sources other than the data subject
Customers as employers of data subject:
Common personal data (e.g. basic identification data and contact information, e.g first name, last name, other names, date of birth, nationality, address, e-mail address, telephone number, ID number, ID photo, bank account number)
Insolvency registers:
Information from the insolvency registers revealing individual insolvency, bankruptcy records, debt relief restrictions etc., checking open items in the internal system.
Public commercial registers:
Name, surname, title, function in company, dates of validity of records.
Public financial authority registers:
Business name, ID. No., VAT No., data involved into financial statements and other publicly available accounting documents.
Navigation units installed in customer vehicle:
Dynamic transactional data related to all GPS data generated by navigation units installed in vehicles, messages, electronic communication metadata.
Fraud Management System / CRM system:
Static data processed in FMS system in relation to individual customer, ID of customer of fuelling services, contacts, credentials, logins, scoring results. Dynamic transactional data related to assessment of individual actions during providing of the services.
Dynamic transactional data related to operations connected with use of the fuelling card. Dynamic transactional data related to logistic operations, storages and fuel consumptions. Dynamic transactional data related to CCTV record keeping prove of fuelling the vehicle.
Other internal or external systems and apps used as means of the processing personal data during providing other services of WAG Group:
Dynamic, transactional data related to performing actions during providing services and less substantial electronically processed records about provided service.
OBU units installed
in customer vehicle and external toll systems of national providers in multiple countries:
Dynamic transactional data related to all OBU data generated by toll units installed in vehicles, messages, electronic communication metadata etc. (The amount of toll paid, The route for which the toll was paid, Place and time of toll payment, The period of time permitted for the performance of the journey and the voucher number).
Static data related to ID of toll services customer, its account, vehicle, the registration number of the vehicle or vehicle combination, characteristics of the vehicle or vehicle combination that are relevant for the toll amount, Identification number, Identification number of the on-board unit installed in the vehicle for the purpose of toll collection, contract number of the user.
Is there a legal and contractual obligation to process personal data?

There are several legal regulations that oblige us to collect and process certain personal data about you. This is in particular the obligation the prevent, control, evaluate and detect money laundering, processing of accounting and tax information and fulfilling the purpose of security of personal data and IT systems. 

If the collection of personal data relates to a contractual relationship it is often a contractual requirement or a requirement that is necessary for the conclusion of a contract. Failure to provide personal data (whether yours or your colleagues') may result in failure to conclude or performance of a contractual relationship with the company you represent. 

When the legal ground for processing your personal data on individual purpose is consent, the provision of your personal data is strictly voluntary and failure to provide it will not have any negative effect or consequences on you. 

Who are recipients of your personal data? 

We take the confidentiality of your personal data very seriously and have internal policies in place to ensure that your data is only shared with authorised personnel at EUROWAG or a verified third party. 

Our staff might have access to your personal data on a strictly need-to-know basis typically governed and limited by function, role and department. We also ensure that selection of our sub-contractors and any processing of personal data by them is compliant with the GDPR or other national law. 

Necessary personal data of our clients, business partners or other natural persons are provided to the following categories of recipients: 

  • other companies belonging to EUROWAG based on the joint controllers agreement;
  • our verified and properly mandated processors; 
  • our professional advisors (e.g. attorneys or auditors); 
  • payroll and accounting companies; 
  • providers of standard software, cloud and Telco services; 
  • providers of technical (e.g. IT) and organisational (e.g. events agency) support of our company; 
  • Postal couriers and couriers services;
  • companies assessing the credit risk of customers in the provision of our financial services;           
  • toll service providers;
  • providers cooperating in securing tax refunds;
  • fuel point operators, washing service operators, parking service operators, etc. (contractual partners within the acceptance network);
  • shippers within the framework of using a common platform; 
  • receivable collection entities;
  • marketing agencies;
  • providers of print and postal services, including courier services;
  • employees of aforementioned entities.

If public authorities ask us to provide your personal data, we will review the statutory conditions for accepting the request and ensure that we will not comply with the request if the conditions are not met. 

In case that you have a question about our current processors, do not hesitate to contact our DPO for further information. 

What third-countries do we transfer your personal data to?

By default, we do not transfer personal data to third countries outside the European Economic Area (EU, Iceland, Norway and Liechtenstein) unless it is necessary. For example, when we provide services for our customers we can use our establishments and business partners from Turkey, Bosnia and Herzegovina, Montenegro, Russia, Ukraine, North Macedonia or Serbia. We can also use various cloud services and social network services provided by multiple providers from the USA. 

Although we have never noted any problem with the misuse of any personal data in these countries, according to the European Commission’s decisions, these countries are considered not to guarantee an adequate level of protection (of personal data) and therefore we have to proceed on the basis of the adequate safeguards under Article 46 GDPR or on the basis of the exceptions for specific situations under Article 49 GDPR. That is why we conclude Standard Contractual Clauses approved by the European Commission with data importers in a third country.

In light of the judgment Court of Justice of the EU in the Schrems II case of 16 July 2020, we also apply additional safeguards in relation to transfers to the USA, if we cannot rely on new Data Privacy Framework importer certification. In case the importer is certified, we may transfer your personal data, based on EU-US Commission’s adequacy decision in compliance with Article 45 GDPR requirements, without adopting any other measures. 

Are you subject to any automated individual decision-making?

In some cases, yes. We have identified certain processing operations that likely falls under “automated individual-decision making including profiling” within the meaning of Article 22 GDPR, which are described below:

*We have also identified certain processing operations that are less likely to fall under the Article 22 GDPR, but we inform about these cases anyway.


Description of automated processing
Significance and anticipated consequences for the data subject
Automated blocking of fuelling card – in case when the customer has payable debt against EW entity our EMC system may automatically block all fuelling cards in post-paid regime issued to such customer and notify the contact person of customer about performed action.
Customer, respectively customer’s driver may be affected with non-functioning of fuelling cards provided in post-paid regime and then will not be able to pay for fuelling vehicle with EUROWAG fuelling card.
Credit risk evaluation* – we use ACAS software to create customer’s maximal credit framework for multiple services in post-paid services, but each customer request which should be rejected based on ACAS decision is systematically and individually reviewed by human credit risk specialist.
Customer request for a line of credit for fuelling services should be before rejection individually re-assessed and confirmed or cancelled by human credit risk specialist. No negative consequences on data subjects are estimated.
Telematics* – we use various apps and tools to generate profiling of personal data related to monitored vehicles used our EVA units or other products integrated GPS technology. This allow sus to provide sophisticated new generation telematic services adhered to requirements of sectors and customers.
GPS geolocation and less-intrusive profiling are aimed on support of customers to fraud prevention, explore and find the best fuel price in real time on planned route, plan the most advantageous routes and optimise toll expenses. No negative consequences on data subjects are estimated.
Other profiling*– we can use multiple software tools to process basic characteristics related to data subjects and way as use our products and services, business and payment data, risk values data with aim to address customers and their users with individually enhanced, configured, or personally offered products and services. We can also do this for creation and evaluation of customer-targeted advertising campaigns.
Other profiling may generate added value and better user experience as well as more accurate offer of products and services or its settings which can be more suitable for individual customer based on our knowledge of way how interact and use our products and services. No negative consequences on data subjects are estimated.
What rights do you have? 

We would like to bring the following rights to your attention predominantly: 

"You also have the right to object to the processing of your personal data on the basis of the legitimate interests (we follow, as explained above) and on the legal basis of a public interest.”
"If we process your personal data on the basis of consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.”
“You have the right to effectively object to the processing of personal data for direct marketing purposes, including profiling.”

In addition, the GDPR provides you with a number of data subject rights as well as conditions for their exercise. While some rights are “automatic” such as consent withdrawal or direct marketing objection, some rights are not as they are linked to specific conditions that might not be met in every case. It is the role of our authorised staff, overseen by the DPO, to properly assess your request and inform you in a timely manner, usually within one month (period which can be prolonged).

Among others, you have the following rights: 
  • Right to request access to your personal data. This right includes the right to confirm whether we process personal data about you, the right to access to personal data and the right to obtain a copy of the personal data we process about you if it is technically feasible;
  • Right to rectification (correction) if we process incomplete or inaccurate personal data about you;
  • Right to erasure of personal data; 
  • Right to restriction of processing of your personal data; 
  • Right to data portability;
  • Right to object against the processing including profiling based on legitimate or public interest;
  • Right to object against processing for direct marketing purposes including profiling; 
  • Right to not be subject to the automated individual decision making.

You also have a right to file a complaint to the relevant data protection supervisory authority or apply for judicial remedy. Please note that leading supervisory authority according to place of the main establishment for EUROWAG is the Office for Protection of Personal Data of the Czech republic (www.uoou.cz), but you can also enforce your rights with help of any concerned supervisory authority from country where EW entities operates and is for you more suitable because of language or distance. More information about supervisory authorities of EEA states you can find here.

We respect standard GDPR rights to all data subjects whose personal data we process within EUROWAG worldwide. Therefore, all data subjects, regardless of the country of operation, will therefore be granted with GDPR rights, which will be additionally supplemented by specific rights according to national third country law. 

In this context, please take into your account that some rights in third countries may not be practically exercised due the reasons beyond our control (e.g. right to portability or right to be forgotten).

How we use Cookies? 

We generally use cookies for provision of services online (necessary cookies) or for direct marketing purposes. For more information about how we use cookies and electronic communication metadata from your website browsers and end devices used during visit of our website you can find in Cookie Notice available here.

How we use social networks?  

Please read relevant privacy policies to better understand processing of your personal data by social media platforms providers (e.g. Facebook, Google or LinkedIn), who are separate controllers. We only have a typical admin control over the personal data processed by us via our own company profile.

EUROWAG is responsible for processing your data only to a certain extent, for example if you visit our profile, if we communicate with each other on a social network or if we target you with advertising on social networks. On our profiles on social networks, we can process your personal data and cookies for marketing or statistical purposes together with relevant providers of social networks such as joint controllers in the sense of GDPR. Typically, when we use page insights services to our fan page. Therefore we are obliged to inform you about the basic parts of the agreements that we concluded according to Art. 26 GDPR: 

In case when we use paid targeted ads campaign services provided by social network providers, we use them as our processors based on concluded Data Protection Addendums. 

Glossary of specific terms and abbreviations

Generally, we need to process personal data in order to: 

  • "AML” means anti-money laundering.
  • “B2B” means business-to-business.
  • "DPO” means Data Protection Officer of EUROWAG.
  • “EMWC” means EUROWAG Master Card.
  • “ESG” means Environmental, Social, Governance.
  • EVA” means Enhanced Vehicle Assistant.
  • FMS” means Anti-fraud Management System. 
  • OBU” means on-board unit. 
  • IT” means information technology. 
  • TELCO” means Telecommunication service provider.
  • EUROWAG as agent” means way of providing toll services when EUROWAG allow the customer to enter into a separate contractual relationship with the providers of toll systems, while EUROWAG ensure the payment of tolls and other fees through the EW subsidiary, while subsequently invoicing the costs and services to the customer retroactively.
  • EUROWAG as reseller” means way of providing toll services when EUROWAG enable the toll system provider to invoice its services directly to the customer of EUROWAG, and then we perform necessary processing activities on his behalf as its processor.
Changes of this document 

Data protection and privacy compliance is not a one-off obligation for us but an ongoing effort. Therefore, information we provide in this notice may change or cease to be relevant. From these reasons we may change this Group Privacy Notice from time to time by posting the most current version on our website. In case we change this Group Privacy Notice substantially, we would bring such changes to your attention by explicit notice, on our websites or by email or by in-app activity such push notification. 

Created by December 2023