Data Privacy GDPR


Customer Information Relating to Data Protection (GDPR)

The protection of your personal data matters to BNP Paribas-Group, to which Arval Austria GmbH belongs. For the purposes of data protection (and the Privacy Policy of the Group), we have defined strict principles of data protection that are applicable to the entire Group. The Privacy Policy of the Group is available for download on the website of BNP Paribas.

This Customer Information contains detailed information about the protection of your personal data by Arval Austria GmbH (“we”).

As the data controller, we are responsible, in the context of our business operations, for the processing of your personal data. This document informs you about which of your personal data is processed by us, the reasons why we use and transmit such data, the period during which we retain such data, and the rights that you have and how you may exercise such rights.

If you are interested in a specific product or service, we may provide you with additional information.



We collect and use personal data, where this is necessary in the context of our business operations to provide to you a high-quality range of individual products and services.

The different types of personal information which we may collect include, inter alia:

  • Identity information (e.g. name, identity card or passport, driving license, nationality, place of birth and date of birth, sex, photo, IP address);
  • Contact details (e.g. postal address, email address, phone number);
  • Information on the family situation (e.g. family status, number of children);
  • Tax information (e.g. tax identification number, tax status);
  • Information on training and career (e.g. level of education, professional activity, name of the employer, earnings, etc.);
  • Bank, finance and transaction data (e.g. bank account, credit card number, money transfers, assets, investment profile disclosed, credit history, debt level and expenses);
  • Information on the leasing contract (e.g. customer number, contract number, license plate of the vehicle);
  • Information on insurance matters (e.g. claims history including claims payments and damage appraisals, information on personal injuries);
  • Data relating to your habits and preferences:
    • Data relating to your use of our products and services, in particular finance and transaction data;
  • Data relating to interactions between you and us (contacts to our branches [contact reports], visits on our websites, use of our apps and social media pages, personal meetings, chat contact, email traffic, surveys, phone calls);
  • Video surveillance data (including recordings of surveillance cameras) and geolocation data (display of locations for identifying the location of service suppliers for your support or for providing specific services such as car-sharing);
  • Data necessary to prevent a situation of over-indebtedness.

Depending on the product or services you selected, the following data may only be collected by us if you have given your explicit prior consent:

  • Biometric data, e.g. fingerprint, voice or facial patterns that can be used for identification and security purposes;
  • Data relating to criminal convictions and criminal or administrative offenses in connection with fines for traffic offenses as part of the “Traffic Ticket Management” service.

Personal data relating to racial or ethnic origin, political opinion, religious beliefs or philosophical views, trade union membership, as well as genetic data and details on the sexual orientation, will generally not be processed by us, unless we are obliged to do so by law.

The data used by us may be provided either directly by you or by the following sources for the purposes of updating or enhancing our own databases:

  • Publications/databases made available by authorities (e.g. the Federal Gazette);
  • Corporate customers and/or their branches/subsidiaries (e.g. including your employers) or our service providers;
  • Third parties such as credit agencies and pools for combating fraud or data brokers who are consulted in compliance with data protection regulations;
  • Websites / social media pages with information posted by you (e.g. your own website or social media page);
  • Databases made available to the public by third parties.



In certain cases, we will collect personal data of persons with whom we have, might have or had a direct relationship, and may use this data where appropriate. The persons include for instance:

  • Potential customers

Under certain circumstances, we may have collected information about you, although you do not maintain any direct relationship with us. This may be the case, if your employer has provided to us information about you or if we have obtained your contact details from one of your customers and you, for example, belong to one of the following groups of persons:

  • Family members;
  • Co-applicants, guarantors;
  • Authorized legal representatives;
  • Beneficiaries of payment transactions of our customers;
  • Beneficiaries of insurance policies or trustees;
  • Landlords;
  • Economic beneficiaries;
  • Debtors of customers (e.g. in an event of insolvency);
  • Shareholders;
  • Representatives of legal persons (e.g. of customers or service providers);
  • Employees of service providers or trading partners.



a. To fulfill the legal and regulatory obligations incumbent on us

We use your personal data to fulfill various legal and regulatory obligations, including:

  • Banking and financial regulations on the basis of which we:
    • take security measures to prevent misuse and fraud;
    • detect transactions that differ from usual patterns;
    • assess your credit risk and your repayment ability;
    • monitor and report risks to which we may be exposed;
    • record telephone calls, chats, emails, etc., where required;
  • Responding to official requests by a competent government agency or judicial authority;
  • Prevention of money laundering and terrorist financing;
  • Complying with sanction and embargo regulations;
  • Combatting tax evasion and fulfillment of fiscal monitoring and reporting obligations.


b. To perform a contract concluded with you or to take specific measures upon your request before concluding a contract

With regard to you as driver or also as our individual customer, we use your personal data to conclude and perform our contracts, in particular for the purpose of:

  • evaluating whether and under which conditions we can offer to you a product or service;
  • informing you about our products and services;
  • planning and managing: (I) delivery, return, maintenance and repair of the vehicle (including recalls of vehicles by manufacturers), (II) further services (e.g. fuel cards and toll tickets, if applicable), and (III) selling the vehicle (as “used” car);
  • settling disputes (e.g. upon debt collection) and supporting you, and responding to your requests and complaints (including handling of insurance claims);
  • ensuring or facilitating your mobility by enabling you e.g. to use our mobile applications to easily access some of our services directly via your smartphone;
  • settlement, invoicing and recoveries.


c. To safeguard our justified interests

We use your personal data to develop and market our products and services with a focus on optimizing our risk management and safeguarding our statutory rights. This includes, inter alia, the following activities:

  • Request of information from credit agencies regarding your credit rating and the associated credit default risk as well as transmitting data to credit agencies relating to your contractual obligations and repayment status in the event of a credit default;
  • Creation of transaction records;
  • Performing fraud prevention;
  • Roll out of prevention measures, e.g. creation of alerts in connection with risks originating from the traffic or road area;
  • IT management including infrastructure management (e.g. shared platforms) as well as measures to ensure business continuity and IT security;
  • Creation of individual statistical models based on the analysis of transactions, e.g. to better determine your driver profile;
  • Development of aggregate statistics, tests and models for research and development, to optimize the risk management of our corporate group or to improve existing products and services and to create new products and services;
  • Training of our staff using telephone recordings in our call centers;
  • Personalization of our own offering and the offering of other entities of BNP Paribas through:
    • qualitative improvement of our leasing-, finance and insurance products and fleet services (including customer satisfaction surveys);
    • promotion of products matching your situation and your profile.
      This may be achieved by:
      • segmentation of our existing customers and prospective customers;
      • analysis of your habits and preferences on the various channels (visits to our branches, emails or messages, visits on our website, etc.);
      • transfer of your data to another entity of BNP Paribas, if you are or – in particular – if you wish to become a customer of this entity.

With regard to the employees of our corporate customers, we process data for the purpose of:

  • informing them about our products and services;
  • planning and managing: (I) delivery, return, maintenance and repair of the vehicle (including recalls of vehicles by manufacturers), (II) further services (e.g. fuel cards and toll tickets, if applicable), and (III) selling the vehicle (as “used” car);
  • settling disputes (e.g. upon debt collection) and supporting them, and responding to their requests and complaints (including handling of insurance claims);
  • ensuring or facilitating their mobility by enabling them e.g. to use our mobile applications to easily access some of our services directly via their smartphone, or by using a pool of vehicles for car-sharing to increase the vehicle utilization rate;
  • providing to the manager of the vehicle fleet information on the fleet status and trends (e.g. reports on maintenance, fuel consumption, use of toll tickets where applicable);
  • settlement, invoicing and recoveries.

Your data may be aggregated in anonymized statistics which may be offered to professional customers for the development of their business. In this case, your personal data will never be disclosed, and the recipients of these anonymized statistics cannot determine your identity.


d. To respect your decision, when we have requested your consent to a specific data processing measure

In some cases, we require your consent to the processing of your data, e.g.:

  • where the purposes mentioned above lead to an automated decision-making that entails legal consequences or significantly affects you. At that point, you will be informed separately about the logic, significance and envisioned consequences of such a processing;
  • where we are required to take further data processing measures for purposes other than mentioned above, we will inform you accordingly and request your consent if necessary;
  • to personalize the offering of other BNP Paribas entities through promotional products or services that match your situation and your profile, which we achieve by:
    • segmentation of our prospective customers and existing customers;
    • analysis of your habits and preferences on the various channels (visits in our branches, to intermediaries or credit agencies, emails or messages, visits on our website, etc.);
    • comparison of the products or services that are already provided to you with other data of yours that we are processing;
  • to train our staff using recordings of incoming calls at our call centers.



For the purposes mentioned above, your personal data are exclusively transmitted to the following units:

  • Entities of the BNP Paribas-Group (so that you can for example use our entire range of products and services);
  • Service providers who act on behalf of us;
  • Independent agents, intermediaries or brokers as well as banking and business partners with whom we have regular relations;
  • Financial or judicial authorities, government agencies or public institutions (upon request and as far as permitted by law);
  • Members of specific regulated professions such as lawyers, notaries public or auditors;
  • Credit agencies.



In the event of international data transfers to countries outside the European Economic Area (EEA), where a non-EEA country provides an adequate level of data protection according to the European Commission, the transfer of your personal data can be made on this basis.

In the case of data transmissions to non-EEA countries, where the level of data protection is not acknowledged by the European Commission, we may consider an exemption (if the data transfer is required to perform the contract with you, for example to make an international payment), or implement one of the following measures to ensure the protection of your personal data:

  • Use of standard contractual clauses approved by the European Commission;
  • Drafting of binding corporate rules.

If you need a printout of these provisions or information on their availability, you may contact us in writing (as described in Section 9).



We will retain your personal data at least for the period required by applicable law. Any longer retention is possible, where this is required by operational needs such as a proper account management, the management of our customer relations, the compliance with statutory provisions or official orders. For example, most of the customer data is retained for the duration of the contractual relationship and a period of seven years after the end of the contract.



According to the applicable statutory regulations, you have the following rights, i.e. to:

  • Information: You may request information on the processing of your personal data and a copy of the data processed.
  • Correction: If you believe that your personal data are inaccurate or incomplete, you may request a correction of this data.
  • Deletion: You may request that your personal data is deleted, where this is permitted by applicable law.
  • Restriction of Data Processing: You may request that the processing of your personal data is restricted.
  • Revocation of the Consent to Data Processing: If you have consented to the processing of your personal data, you may revoke such consent at any time.
  • Data Portability: If legally possible, you may reclaim the personal data provided to us or have such data transferred to a third party, where this is technically feasible.
  • Automated Decisions: Where a decision to conclude or perform a contract was only taken in an automated process and this decision has a legal effect on you or significantly affects you, you may request us to perform a repeated manual review, after you have presented your position and requested the manual review. In the event of such a decision, we will inform you in addition separately on the reason as well as the scope and intended effects of such data processing.


You may object to the processing of your personal data in the public interest or on the basis of a consideration of interests with reference to our specific situation; this also applies to a profiling based thereon. In this case, any further processing by us will be carried out only upon proof of overriding legitimate interests.


In addition, you have the unrestricted right to refuse any processing of your personal data for purposes of direct advertising and also for an associated profiling.

To assert your rights, please contact us via email to, via Online-Form or letter Arval Austria GmbH, Businesspark MARXIMUM, Objekt 4/OG3/B in 1110 Wien. Please attach a (scanned) copy of your identity card. According to the applicable statutory provisions, you have the right, in addition to the above rights, to lodge a complaint with the relevant regulatory authority.



Against the background of a constant technology change, we may have to update this information on a regular basis.

The respective current version is available online. We will inform you on fundamental changes on our website or via the other customary communication channels.



You will be informed if your vehicle is an Arval connected vehicle via a sticker in the vehicle / driver delivery kit, QR-code, etc. When your vehicle is an Arval connected vehicle, data is collected by Arval via remote data transmission from the telematics equipment installed in the vehicle (the "Device").

The present section describes the data which is effectively collected and processed, as well as the business purposes of the processing performed by Arval.

a. Device technology

The device has the following sensors:

  • technology that provides cumulative mileage at the end of each trip;
  • accelerometer / gyroscope which provides accelerations and rotations;
  • monitoring of battery voltage;
  • altimeter providing variations of altitude.

b. Data, Purpose and Retention

The Device makes it possible for Arval to receive certain personal data that will only be used for limited purposes and in Arval's legitimate interest.

The data, purposes and retention periods are given below:

Data: Odometer mileage

Purposes:

  • Pro-active proposal of adjustment of the individual lease contract (duration and/or mileage);
  • Pro-active maintenance of the vehicle (alert about the next service and/or maintenance of the vehicle);
  • Detection of alteration of odometer mileage display;
  • Fraud detection regarding the use of fuel cards.

Retention Period: Contract duration + 1 year

Data: The following pseudonymized* data:

  • Timestamps, mileage, type of road (urban, road, motorway), type of environment (day, night, twilight);
  • Duration of the turned on engine when the vehicle stops;
  • Driving events per trip (harsh braking, cornering, brutal lane change, speed, energy waste in braking, hard acceleration, idling) and related calculated scores;
  • Fuel consumption estimation per trip.

Purposes: Production of pseudonymized R&D (Research and Development) reports in relation to:

  • Consulting: Energy transition, benchmark, correlation between conditions of vehicle usage and TCO components / fuel consumption;
  • Insurance: usage understanding, segmented offering;
  • Maintenance: uptime management, operational processes enhancements;
  • Marketing: usage understanding, segmented offering opportunities.

Retention Period: 2 years

Data: Geolocation collected in real time (provided Arval has received a prior duly filed complaint for the theft)

Purposes: Stolen vehicle recovery

Retention Period: GPS data collected until the theft claim is closed, then these data will be deleted 60 days after collection

* ‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.


If you have any questions related to the use of our personal data as described above, please contact us under