PRIVACY POLICY “eSignature”

Unless otherwise stated in this privacy policy, terms used in this privacy policy have the same meaning as given in the GDPR.

Alphabet is the 'data controller' responsible for processing your personal data in the context of the eSignature Application. Connective acts as data processor as they are responsible for the support and maintenance of the eSignature Application.

Alphabet International is the parent company of Alphabet Belgium Long Term Rental NV and (like Alphabet itself) is part of the BMW Group. On that basis, we may share information with both.

Alphabet collects your personal data in connection with your use of the eSignature Application if:

- You complete the registration for the use of the eSignature Application;

- You contact us directly, e.g. by entering your personal data in the eSignature Application, by contacting us via the portal or by contacting our customer service;

- You respond to our 'direct marketing' campaigns, e.g. by entering personal data online on one of our websites;

- Your personal data is forwarded by third parties.

If you provide information in the name and on behalf of someone else, you are responsible for providing this Privacy Policy to that person in advance.

We may process the following categories of personal data about you in connection with your use of the eSignature Application:

- Contact details (e.g. name, e-mail address, postal address, mobile phone number);

- Contract data (e.g. contracts);

- Account relevant data (e.g. bank account number, VIN, license plate);

- Registration data (e.g. date of registration, password);

- Identification data (e.g. contact details, contract details, account details, identity card);

- Data on your transactions as a customer (e.g. contract number, customer number);

- Financial data (e.g. billing data);

- Biological data (e.g. age);

- Socio-cultural data (e.g. nationality);

- Data relating to your habits and preferences: Information about your use of the platform and data from communications you have with us, including data collected through cookies and other tracking technologies, provided you have given your consent. More information on our Cookie Policy can be found here.

- User data (i.e. persons who have access to the Connective Portal via BMW Financial Services and all persons whose personal data is included in the documents uploaded for signature): e.g. initiators, approvers, signatories, recipients, etc.;

- HR relevant data: data that is directly related to an employee (e.g. name, employee ID, contract related data, etc.);

In order to ensure the accuracy of your personal data, you undertake to notify us of any change in your personal data, failing which we cannot guarantee that we will be able to fulfil our contractual and/or legal obligations and all notices will be validly served on the address(es) specified in the relevant contract(s).

The use of the eSignature Application is only intended for internal use (inter alia for employees), in particular for uploading documents and offering them for signature to internal employees, external employees, suppliers and distributors.

Personal data is processed in this context on the following grounds:

1. Compliance with legal obligations

- To fulfil our legal obligations under e.g. accounting and tax law.

2. Compliance with contractual obligations (e.g.)

- In the context of the management and administration of your contract(s), such as adaptation to contract(s);

- Alphabet works with partners for certain optional contract components. To the extent necessary, we pass on your personal data to our partners for the execution of certain contractual obligations;

- In the context of the termination of the agreement(s) displayed in the eSignature Application, we will contact you.

3. On the basis of our legitimate interest (e.g.)

- In the course of the following processing activities, your personal data will be processed for the purposes of our legitimate interests and may be shared with other entities within the BMW AG group:

• As part of our general business operations, we also process your personal data for internal reporting purposes and analyses. These analyses and reports are aimed at gaining the necessary insights into our company and our products in order to continuously adjust and optimise them. Where possible, this personal data is anonymised/encrypted. This personal data is in no way targeted at specific individuals or groups of individuals and is not used in any way to take actions against specific individuals or groups of individuals.
• Your personal data may also be processed for the purposes of IT security, application development and use, and the optimisation of our IT systems.

Only persons for whom it is necessary to exercise their functions or to fulfil the purposes described above will have access to your personal data.

Alphabet may use service providers such as Connective, as well as IT service providers, external consultants and archiving services. A processing agreement is concluded with these service providers and provides for sufficient guarantees in terms of technical and organisational measures in accordance with the GDPR. Under no circumstances will these service providers be able to use this personal data for purposes other than those specified in the processing agreement entered into with us.

Only personal data that is strictly necessary for the execution of the processing agreement(s) entered into with service providers will be shared with these service providers.

In principle, Alphabet does not transfer your personal data to countries outside the European Economic Area. However, some service providers may process your personal data in countries outside the European Economic Area, such as the United Kingdom, the United States of America and India. To ensure the protection of your personal data, Alphabet has concluded an agreement with these service providers based on the EU Standard Contractual Clauses (available via this link).

If you would like to obtain more information about these EU Standard Contractual Clauses or to obtain a copy of it, please contact us via contact.privacy@alphabet.be.

Alphabet observes the principle of storage limitation when processing your personal data, which means that we generally retain your personal data only for as long as is necessary to fulfil the purposes for which it was originally obtained and for any other related purposes (e.g. if necessary in the course of defending a claim).

If personal data is processed for different purposes, we will keep your personal data until the last purpose has been fulfilled (e.g. if you withdraw your consent to receive direct marketing, we will no longer use the personal data for this purpose. However, it will still be processed in the context of your further use of the eSignature Application).

Personal data relating to your contract(s) with Alphabet will be kept for 10 years after the complete closure of the file.

We use a range of security measures, including encryption and authentication tools, to help protect and maintain the security, integrity and availability of your personal data.

We make every effort, together with our service providers, subcontractors and business partners, to maintain physical, electronic and procedural safeguards to protect your personal data in accordance with applicable data protection requirements. We use security measures such as:

- Strict rules of access to your personal data on a need-to-know basis and only for the purposes specified;

- Transfer of collected personal data in encrypted form;

- Firewalls in IT systems to prevent unauthorised access, e.g. by hackers, and permanent monitoring of access to IT systems to detect and stop the misuse of personal data;

- Management of infringements and incidents (safety management information system);

- Organisational measures for staff processing personal data;

- Asset management;

- Cryptography policy;

- Operational risk management;

- Communication safety management;

- Data Protection Impact Assessment ("DPIA").

You must take reasonable precautions to prevent your account(s) from being accessed by unauthorised persons. This includes the data to log into the eSignature Application (e.g. username, authentication code, password, etc.). Reasonable measures include, inter alia :

- Lock the device when not in use;

- Keep the device free from viruses, malware or spyware;

- Log out when you are finished;

- Personalise passwords and change them regularly;

- Avoid using unsafe or unencrypted WIFI networks.

If you know or suspect that someone else knows your user name or password, you must notify Alphabet immediately via contact.privacy@alphabet.be.

Right of access (art. 15 GDPR)

You can request information about the personal data we process about you at any time. This information includes the categories of personal data concerned, the purposes for which we process them, the source of the personal data if we have not received it directly from you and, if applicable, the recipients to whom we transfer your personal data. You can obtain a free copy of your personal data that we process. If you require additional copies, we reserve the right to charge a fee for those additional copies.

Right to rectification (art. 16 GDPR)

You can request that we supplement or correct your personal data if it is incorrect. We will take appropriate measures, based on the latest information available to us, to ensure, as far as possible, the accuracy, completeness and relevance of the personal data we process.

Right to erasure (Art. 17 GDPR)

You can request that we delete your personal data if the legal conditions to do so are fulfilled. In accordance with Art. 17 GDPR, this could be the case if:

- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;

- You withdraw your consent on which the processing is based and there is no other legal basis for the processing;

- You object to the processing, and there are no overriding mandatory legitimate grounds for the processing, or if you object to the processing for 'direct marketing' purposes;

- The personal data has been unlawfully processed.

In certain cases, we can refuse your request for deletion on the basis of Art. 17 GDPR, e.g. if the processing is necessary for:

- Fulfilling a legal processing obligation;

- Exercising the right to freedom of speech and information;

- Establishing, exercising or substantiating a legal claim.

Right to restriction of processing (Art. 18 GDPR)

You can request that we limit the processing of your personal data if:

- For a period that allows us to verify the accuracy of the personal data, you dispute the accuracy of the personal data;

- The processing is unlawful and you oppose to the erasure of the personal data and instead request the restriction of its use;

- We no longer need your personal data for the fulfilment of the above purposes, but you still need the personal data for the establishment, exercise or substantiation of a legal claim;

- You have objected to the processing, pending an answer to the question whether our legitimate interests outweigh yours.

Right to data portability (art. 20 GDPR)

If technically feasible, and at your request, we will transfer the personal data you have provided us with to another data controller specified by you. You can exercise this right insofar as the data processing is based on your consent or is necessary for the execution of a contract.

Right to object (art. 21 GDPR)

You may object at any time, for reasons relating to your specific situation, to the processing of your personal data if this data processing concerns the fulfilment of a task carried out in the public interest or in the exercise of an official authority, or if it is based on our legitimate interests or those of third parties. You have the right to object at any time to the processing of your personal data for 'direct marketing' purposes. If the legal conditions are fulfilled, we will stop processing your personal data unless we can provide compelling legitimate grounds for the processing which outweigh your interests or if we need your personal data for the establishment, exercise or substantiation of a legal claim.

Withdrawal of your consent (Art. 7 GDPR)

If the data processing is based on your consent, you may withdraw it at any time. The withdrawal of your consent does not affect the lawfulness of the processing based on your consent before its withdrawal.

If you have any questions regarding the use of your personal data, if you are not satisfied with the way in which we process and care for your personal data or you wish to exercise one of your rights as a data subject, please contact us via contact.privacy@alphabet.be.

If you are not satisfied with the processing of your personal data or our response to the exercise of your rights, you have the right to lodge a complaint with the supervisory authority, i.e. the Data Protection Authority (rue de la Presse 35, 1000 Brussels; https://www.dataprotectionauthority.be/citizen; contact@apd-gba.be; +32 (0)2 274 48 00).

The most recent version of this privacy policy will be provided by Alphabet to the user via the eSignature Application and will always prevail. Older versions of this Privacy Policy can always be obtained by contacting us via contact.privacy@alphabet.be.