Between WLC EXPERT SERVICES SRL and the client, hereinafter individually referred to as the "Provider" or the "Beneficiary," within this agreement, both parties act as data controllers. The terms used in this agreement are defined by Regulation (EU) 2016/679 of the European Parliament.

Object of the Agreement

The object of this agreement is to establish the manner and methods by which each Party will process the personal data of the other Party.

Each Party will carry out the processing of these data in accordance with the applicable legal provisions in force at the time of processing.

Purposes and Legal Grounds for Processing

The Parties may process the personal data of employees and/or other beneficiaries or designated representatives of the Parties in accordance with applicable legal provisions and:

• For the purpose of fulfilling the obligations assumed by the Parties through the Contract;
• For the purpose of sending communications/notices/notifications to the employees and/or other designated beneficiaries and/or representatives of the Parties concerning the object of the contract and the payment deadline for invoices.

Other purposes for which the Parties’ personal data may be used in specific situations are the following:

• For communication with public authorities, auditors, or institutions with competence to carry out inspections and controls on the Parties’ activities and assets, as applicable.
• For the collection of debts/recovery of outstanding debts, if applicable.
• For resolving disputes and litigation, enforcing court rulings, arbitration decisions, court orders, etc., if applicable.

Legal Basis for Processing

The legal basis for processing is in accordance with:

• Article 6(1)(b) of the GDPR – "processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract";
• Article 6(1)(c) of the GDPR – "processing is necessary for compliance with a legal obligation to which the controller is subject";
• Article 6(1)(f) of the GDPR – "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party."

Categories of Data Subject to Processing

The data to be processed by the Parties for the specified purposes are as follows:

• Name, surname, signature, position, phone number, and email address.

In specific situations for the mentioned purposes, other data may also be requested, such as:

• Data from the identity card/provisional identity card/identity bulletin/passport/diplomatic passport/temporary residence permit in Romania/birth certificate or others.

Additionally, the Provider may process:

• Location data provided by the GPS system;
• Rental information: delivery location (rental), return location, rental duration;
• Information about additional drivers, if applicable;
• Information contained in documents or any other material containing personal data that you provide for the execution of this Contract;
• Data concerning health status (for example, in the event of an accident)

Validity

This Agreement takes effect from the date it is signed by the Parties and will remain in force for the entire period during which the Parties process personal data under the terms of the Contract.

Data Processing and Parties’ Compliance Obligations

The Parties undertake to comply with the applicable provisions regarding the protection of personal data, including the provisions of the GDPR, the implementing legislation, and the decisions periodically issued by the Romanian Supervisory Authority (ANSPDCP) when processing personal data in the execution of the order.

The personal data of the Parties’ employees and/or other designated beneficiaries and/or their representatives involved in the provision of the service will be collected by the Parties in the context of providing the services according to the order/contract.

The Parties will disclose only the personal data they are authorized to disclose or have the right to disclose under applicable legal provisions and the contracts/orders to which they are parties, ensuring that there is an adequate legal basis for data processing and that data subjects are properly informed about the disclosure of their personal data, according to the order/contract.

The Parties agree not to disclose under any circumstances other personal data concerning the employees of the Parties and/or other designated beneficiaries and/or their representatives, except those necessary for the provision of services in accordance with the order/contract.

Each Party will implement appropriate technical and organizational measures to protect the personal data of the Beneficiaries against unauthorized or unlawful processing and against accidental loss, destruction, or damage, providing an appropriate level of security.

The Parties will ensure that access to the personal data of the Beneficiaries is limited to personnel involved in providing the Services and/or persons expressly authorized by each of them.

The Parties will aim to reduce the volume of processed data only to the data strictly necessary for each specific processing purpose.

The Parties are responsible, in accordance with the applicable personal data protection regulations, for properly informing the data subjects about their own personal data processing operations, including the processing of personal data based on the order.

Security of Personal Data

The Parties are obliged to establish and maintain appropriate technical and organizational security measures at all times to protect personal data against accidental or unlawful destruction or accidental loss, damage, alteration, disclosure, or unauthorized access, especially when processing involves the transmission of data over a network, as well as against any other unlawful forms of processing.

The Parties must undertake appropriate technical and organizational measures to protect the security of any networks or electronic communication services used for the transfer or transmission of personal data (including measures designed to ensure the confidentiality of communications and prevent unauthorized access to any computer or system, thereby guaranteeing the security of communications).

Applicable Law

This Agreement is governed by Romanian law.

The Parties agree to make every effort to amicably resolve any differences arising in connection with this Agreement. If the Parties fail to resolve such differences amicably, they will be submitted for resolution to the competent courts of law.

Liability

Each Party will act as an independent data controller for its own data processing related to the Contract, and neither Party will accept any liability for a breach by the other Party of the applicable personal data protection legislation.

The Beneficiary is obliged to inform the employees and/or designated beneficiaries as users of the vehicles subject to the rental contract about the processing of their personal data by the Provider. For more details, please consult our Privacy Policy available on our website [...].

[ALTERNATIVE OPTION – The WLC EXPERT SERVICES Privacy Policy can be found in Annex No. 1 – Information Notice on the Processing of Personal Data, attached to this Agreement.]

Final Provisions

This Agreement represents the Parties' understanding regarding the processing of personal data in connection with the performance of the Contract and supersedes any other provisions, agreements, and prior understandings, regardless of their form, concluded by the Parties regarding their roles and obligations concerning the processing of personal data for the performance of the Contract.

This Agreement may be supplemented or amended only in writing, by mutual agreement of the Parties.