Global privacy statement

Your privacy is important to us and to Société Générale Group to which Ayvens belongs. This is a matter of priority for us and we have implemented strong principles in that respect, especially in regards of the EU General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament, and Law on Personal Data Protection of the Republic of Serbia ("Off. Gazette RS", no. 87/2018).

Ayvens S.A. and its affiliated entities (hereafter “Ayvens”) value the trust of customers, suppliers and business partners and are committed to protecting their personal data. Compliant privacy and information security practices are therefore integral components of Ayvens’ services, corporate governance, risk management and overall accountability. We only process such personal data as is necessary for our business activities and the provision of the Ayvens services.

This Global Privacy Statement (the “Statement”) describes our practices in connection with the personal information (“Personal Data”) that we process about you and your business relationship with Ayvens.

Please read this Global Privacy Statement carefully so that you understand how we collect and use your Personal Data.

1. Scope of this statement

  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.

We collect and use your Personal Data through our various vehicle and fleet leasing, fleet management and driver mobility services and in the course of performing our business activities (“Services”).

Please also note that specific services may be subject to a separate privacy statement referenced in the respective terms.

Responsibilities OF CUSTOMERS

Insofar as Customers in their capacity as employers have access to Personal Data of their employees, i.e. Drivers, the Customer is the controller responsible for the processing and use thereof in such capacity. This Statement does not apply to the processing and use of Personal Data of Drivers by Customers.

2. Who are we?

The local Ayvens entity is responsible for the processing of your Personal Data (controller).

Ayvens d.o.o Beograd, Premises: Milutina Milankovića 7Đ, Novi Beograd Web site – www.ayvens.rs Registration number: 20295325

The Ayvens Group is part of Ayvens S.A. Address: 1, Rue Eugène et Armand Peugeot 92500 Rueil Malmaison, France

Ayvens may also be referred to as “we”, “our” or “us”.

3. How do we collect your personal data?

We and our service providers collect Personal Data in the following ways:

Through sales activities We commence the processing of Personal Data if you provide this, directly or indirectly via third parties, e.g. as part of an offline sales lead, registration, online contact form, inquiry by e-mail, telephone, chat and/or application, survey or price competition.

Through the Services Most of the Personal Data we collect are in relation to the Services we provide or will be providing to you as (i) a Driver and our Customer, your employer, if you are using a company vehicle, or (ii) a Private Lease Customer. This starts with the registration of your Personal Data with respect to the vehicle to be leased (in some circumstances we may do some preliminary credit checks before this) and continues with the registration of the leased vehicle and when we communicate with you about our services, e.g., to arrange for periodic maintenance and repairs. We may also process your Personal Data when your vehicle inadvertently is involved in an accident, to ensure that we restore mobility and handle any damage, or where we are the recipient of traffic, communal and parking fines in relation to your leased vehicle. Next to our core-leasing activities, we also provide a number of other related services, such as e-mobility services, car rental services, and roadside assistance. Another service we provide relates to car remarketing, sales of used Ayvens vehicles.

Online We collect Personal Data from you online, when:

From other sources We receive your Personal Data from other sources, for example:

We need to collect Personal Data in order to provide the requested Services to you or to handle queries, comments or complaints related to our Services. If you do not provide the Personal Data requested, we may not be able to provide the Services. If you disclose any Personal Data relating to other persons to us or to our service providers in connection with the Services, you represent that you have the authority to do so and to permit us to use the information in accordance with this Statement.

**Monitoring of communications **Subject to applicable laws, we will monitor and record calls, e-mail, text messages and other communications we have with you. We do this for compliance with regulatory rules, self-regulatory practices or procedures relevant to our business, to prevent or detect crime, in the interests of protecting the security of our communication systems and procedures, and for quality control and staff training purposes.

For example, where we are required by a regulator to record certain telephone lines (as relevant) we will do so. In addition, where appropriate and having regard to applicable data protection law, our monitoring will be to check for inappropriate content in communications. In very limited and specific circumstances we may conduct short term carefully controlled monitoring of your activities where this is necessary for our legitimate interests or to comply with a legal obligation. We may do this for instance where we have reason to believe that fraud or other crime is being committed, where offences are suspected and where the monitoring is proportionate to the type of the disciplinary offence, or where we suspect non-compliance with sanctions and embargoes or anti-money laundering and counter terrorism regulations to which we are subject. In particular, telephone calls may be recorded for these purposes.

5. Who has access to your data?

In addition to what is indicated for each purpose above regarding who has access to Personal Data under the control of Ayvens, we may also share Personal Data:

In order to provide you with our services, we often work closely with service partners, service providers and unaffiliated partners. Our independent service partners assist us in providing our leasing and other services to you, and include dealerships, maintenance providers, body repair shops, and roadside assistance providers, but also rental service companies and the administrators of our driver safety programs. Dealerships or suppliers of (electric) vehicles may require contact details of a driver to activate a personal account necessary to be set up as a driver, otherwise the vehicle does not work.

Service providers are companies we retain that support us in running our business, for example to help us maintain our IT network and related infrastructure and security and access controls to our premises.

**To whom? ** Ayvens S.A., France **

What data?** Identification and contact data **

Purpose?**

Performing Company’s business operations (input of data in the information system)

To whom?

Ayvens Austria Fuhrparkmanagement und Leasing Gmbh and Ayvens Shared Service; Center in Bucharest Romania**

What data?**

Identification data, contact data, Information on the performance of public office (status of officials) and esxposure to the risk of international sanctions, Data about employment**

Purpose?**

Credit analyses and KYC assessment

To whom?Repair shop network and other suppliers* with which Company has signed business cooperation contract What data?Identification and contact data**Purpose? **Performing contracted services (service and vehicle repair, replacement of tyres, pre-run and relief car, etc)

To whom?Insurance Companies (in line with contracted policy)What data?Identification and contact dataPurpose?Performing activities related to vehicle damage assessment, and similar.

To whom?Auto Moto Savez Srbije (AMSS) What data?Identification data Purpose?Making of Yellow Card for the vehicle user

**To whom? **Autokomerc d.o.o. **What data? **Identification data **Purpose? **Vehicle takeover upon end/termination of business relationship

**

To whom? **SL Solucija d.o.o., Hrvatska **What data? **Audio record (reording of calls within Ayvens - Call centre) **Purpose? **Realization of clients' requests based on contracted services

**To whom? Ayvens Automotive Magyarország Kft, HungaryWhat data? **Identification and contact data **Purpose? **Data back up

We also use and disclose your Personal Data as necessary or appropriate, especially when we have a legal obligation or legitimate interest to do so:

We will limit access to Personal Data to personnel with a business need to know for the purposes described in this Statement.

6. Why personal data may be transferred to third countries?

Ayvens is a global service provider that has customers and locations around the globe. Your Personal Data may be stored and/or processed in a country other than the one you reside in. For a list of the Ayvens affiliates and their locations, that may process Personal Data on behalf of the Controller, see the country signs on the top right of www.ayvens.com.

Some of the non-EEA countries are considered to provide for an adequate level of protection of your Personal Data, according to EU standards. You can find a list of these ‘adequate countries’ [here](targetSelf:Personal data may be transferred from the Republic of Serbia to other countries or international organizations only in accordance with the rules of the applicable regulations.). For the transfer of Personal Data to other countries, Ayvens has put in place adequate measures to protect your Personal Data, such as Standard Contractual Clauses. You may obtain a copy of these measures by contacting us using the address in the ‘How can you contact us?’section below or by following PrivacyWeb Form.

Personal data may be transferred from the Republic of Serbia to other countries or international organizations only in accordance with the rules of the applicable regulations.

7. Children's privacy

Our Services are not directed at individuals under the age of 18.

8. Do we use your data for other purposes?

We may also use your Personal Data for a purpose other than the initial purpose. This is subject to the condition that the secondary purpose is in line with the initial purpose. The following factors are inter alia taken into account: are the purposes clearly related; is the secondary purpose appropriate and/or expected, was the Personal Data obtained directly from you or in another way; what kind of Personal Data is concerned for the secondary purpose; what would be the implications for you; and what data protection measures are applied when using your data for the secondary purposes.

It is generally permissible to process Personal Data for the following secondary purposes: transfer of the Personal Data to an Archive, internal audits or investigations, implementation of business controls and operational efficiency, IT systems and infrastructure related Processing such as for maintenance, support, life-cycle management, and security (including resilience and incident management), statistical, historical or scientific research, dispute resolution, legal or business consulting or insurance purposes.

9. How long will we keep your data?

Personal data of data subjects will be kept for the period necessary to fulfil the purposes described in this Statement unless a longer retention period is required or permitted by law.

The criteria applied to determine the applicable retention periods are:

After the relevant retention period, Ayvens will securely delete or destroy or de-identify your Personal Data or transfer your Personal Data to an Archive, unless this is prohibited by law or an applicable records retention schedule..

In the event that the business relationship is not established, the personal data obtained during the process of creating the offer is stored for a period of 24 months from the moment of non-acceptance of the offer.

10. How do we secure your data?

We seek to use appropriate organizational, technical and administrative measures to protect Personal Data within our organization, in accordance with applicable privacy and data protection laws and regulations, including requiring service providers to use appropriate measures to protect the confidentiality and security of Personal Data. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please notify us in accordance with the ‘How can you contact us?’ section below immediately.

11. Changes to this statement

We reserve the right to amend this Statement at any time in order to, for instance, address future developments of Ayvens or changes in industry or legal trends. The ‘Last Updated’ legend at the top of this Statement indicates when this Statement was last revised.

12. How can you contact us?

If you have questions, requests or complaints, please feel free to contact us via the contact page of the relevant Ayvens entity or contact our Data Protection Correspondent via PrivacyWeb Form. Because e-mail communication is not always secure, please do not include sensitive personal information in the e-mails you send us.

13. How can I exercise my personal data rights?

Please contact our Data Protection Correspondent via PrivacyWeb Form if you have any questions or concerns about how Ayvens processes your Personal Data; if you would like to exercise your right to request access, correct, suppress or delete Personal Data about you or request that we cease using it (right to object), withdraw your consent or if you would like to request a copy or portability of your Personal Data. We will respond to your request consistent with applicable law.

Please note that we may not be required to comply (or fully comply) with your request. Applicable laws or regulations may impose conditions or restrict certain of such rights. For instance, for as long as we have a relationship with you, or where personal data is kept in a backup system (for the purpose of restoring the data in case of a data loss event) and the data purging cycle may be different than applicable to the production system. In those circumstances, we will write to you explaining why we are unable to comply at that moment or, in the case of backup data, the request may be implemented at a later stage (when the backup is overwritten).

In your request, please make clear what Personal Data you would like to access or have changed or deleted, or otherwise let us know what limitations you would like to put on our use of your Personal Data.

For your protection, in principle we only implement requests with respect to the information associated with the particular e-mail address that you use to send us your request, and we may request additional information necessary to verify your identity before implementing your request. Please note that certain Personal Data may be exempt from such requests pursuant to applicable data protection laws or other laws and regulations.

You may also lodge a complaint with a data protection authority for your country or region, or in the place of the alleged misconduct. Please see here a link to the national data protection authorities located in the European Union and the European Economic Area. To contact Commissioner in Serbia please consult following link: Prijava- Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti

Right of access Data subjects have the right to request information from the Company as to whether their personal data is being processed, as well as to provide them with access to such data. In addition to access to data, the person has the right to request information about the purpose of the processing of personal data, the types of personal data to be processed, the recipients or types of recipients to whom the personal data have been disclosed or will be disclosed, the stipulated period for which the personal data will be stored, and the rights you can exercise in relation to the Company as a personal data controller. Right to rectification and completion Persons whose personal data are processed have the right to rectification of the data, i.e. They have the right to submit a request for the correction of inaccurate data, as well as the right to supplement incomplete data by providing additional statements. Right to restriction of processing Persons whose personal data are processed have the right to restrict the processing of data in the following cases: a) when the accuracy of personal data is disputed (within a period that allows the Company to verify the accuracy of the data); b) where the processing of personal data is unlawful and the data subject objects to the erasure of the data and instead requests the restriction of processing; c) when there is no longer a need to process personal data for the purpose of achieving the purpose, but the person requests that the processing be continued in order to establish, exercise or defend legal claims; d) when an objection is filed to the processing on the basis of the Law on Personal Data Protection, expecting confirmation of whether there are legal reasons for the processing of personal data that outweigh the interests and rights of the person. Right to object Persons whose personal data are processed have the right to object to the processing of personal data to the Company, in the event that the processing is carried out for the purpose of: a) performing tasks in the public interest or exercising the powers prescribed by law of the Company; b) the pursuit of the legitimate interests of the Company, unless these interests are overridden by the interests or fundamental rights and freedoms of the data subject who require the protection of personal data. When an objection is submitted, the Company will not process personal data, unless there are legal reasons for the processing that override the interests, rights or freedoms of the person or are related to the establishment, exercise or defence of a legal claim. Right to erasure The right to erasure ("right to be forgotten") means the right to erasure of personal data in the following cases: a) where the personal data are no longer necessary for the purpose for which they were collected or otherwise processed; b) when the data subject revokes the consent on the basis of which the processing was carried out; c) when a person objects to processing in accordance with the law; d) when the personal data has been unlawfully processed; e) when personal data must be erased in order to comply with legal obligations in accordance with the Law of the Republic of Serbia

© 2025 Ayvens