Stolen Vehicle Tracing - Privacy Statement
Stolen Motor Vehicle Investigation is a service provide by DIGITPOL BV to trace vehicles that are reported as STOLEN in the Schengen Information System (SIS) database. Digitpol BV is established in Apeldoorn, Boogschutterstraat 1 | 7324 AE Apeldoorn | Netherlands with the Chamber of Commerce number of 73676772.
This privacy statement applies to the services related to tracing stolen vehicles.
At Digitpol BV, we take our responsibilities under the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming) (“UAVG”) and the General Data Protection Regulation (“GDPR”) very serious.
As such, this policy sets out how Personal Data is managed and dealt with in order to ensure that the obligation to fulfil individuals’ reasonable expectations of privacy is applied and followed and that the responsibilities established under the UAVG and GDPR are complied with.
The mission of Digitpol BV is to tackle vehicle crime. In doing so, we aim to support investigations in the field of criminal and civil law and to represent the interests of parties who suffer or have suffered damage as a result of vehicle crime such as insurance companies or car owners. To that extend Digitpol has obtained a permit from the Netherlands Ministry of Security and Justice to conduct criminal and civil investigation. The permit number is POB1557.
When a Dutch registered vehicle is stolen, and its owner has reported the theft to the Police and the theft report has been filed an e-mail is sent to the owner by Stichting Verzekeringsbureau Voertuigcriminaliteit (“VbV”) of Postbus 21, 7300 AA, Apeldoorn on behalf of the insurer. VbV, who manages the stolen car registry in the Netherlands, requests the relevant owner to fill in a specific questionnaire in which certain details surrounding the theft of the vehicle are gathered and consent is collected by the VBV.
Prior submitting said questionnaire, the owner is asked whether he/she consents to fully cooperate with the VBV and an investigation and whether he/she gives consent that the car owner "user" fully agrees with a request from the investigation team to the car manufacture, to request and share the car owners data, specifically a GPS positions and for the sole purpose, to locate the stolen vehicle and only while the car is reported as stolen.
By agreeing to this consent, DIGITPOL will receive by API a request from the VBV to search for the vehicle. On the basis of consent and an active stolen signal on the VIN, DIGITPOL will request by API to the car manufacture the geolocation of the stolen vehicle. DIGITPOL’s SMVIU database is configured to terminate the API with the car manufacture when the stolen signal is removed.
DIGITPOL will only have access to a vehicle data from a manufacture when the owner has given consent and when the stolen signal is active.
As such Digitpol BV acquires, uses, stores, and otherwise processes Personal Data relating to service users, and contracting parties, (collectively “data subjects”) based on the performance of a contractual obligation in reference to Art. 6.1. b GDPR and the data subjects` consent in reference to Art. 6.1. a GDPR as either a data processor where we receive our instructions directly form the owner of the vehicle or as a sub-processor, where we receive our instructions through VbV, in accordance with Chapter 4 of the GDPR. For further details, please refer to our Processing Agreement with VbV and our Data Protection Addendum.
Our mission is to locate a stolen vehicle and to liaise with Law Enforcement to ensure the vehicle is seized by the Police or Law Enforcement. During the course of you using our services we are processing and only insofar as this is necessary for our services to locate the stolen vehicle and ensure it is seized, we may process both personal and non-Personal Data.
In general, Digitpol BV is largely unaware of what data is actually being stored or made available by a vehicle owner or service user and does not directly access such data except if authorized to do so. DIGITPOL has no access to vehicle ownership and cannot identify a vehicle to a personal identity. DIGITPOL has access to vehicle data which is not considered as personal data.
Typically, data processed by us concerns Vehicle related data including a vehicles VIN, License Plate, Make, Model, Color, Engine specifications or the vehicle`s location, if provided and available, in order to trace the stolen vehicle or to identify the originality of a stolen vehicle, which only in very limited circumstances, may relate to or reveals Personal Data.
Further and taking into consideration that the definition of Personal Data as used in Art. 4 of the GDPR is somehow board and that in accordance with CJEU - C‑175/20 - SIA ‘SS’ (Opinion of AG Bobek) technical or vehicle data in certain circumstances qualifies as personal data, as well as the European Data Protection Board`s stance set out in Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications, certain data generated by connected vehicles may also warrant special attention given their sensitivity and/or potential impact on the rights and interests of data subjects. And as such, we recognize and keep in mind when processing technical data concerning vehicles may intrinsically become Personal Data and in particular that location data could be revealing the life habits of data subjects as well as a driver’s centres of interest and may possibly reveal sensitive information such as religion through the place of worship, or sexual orientation through the places visited. Accordingly, we and the relevant data controller`s involved in the process, are particularly vigilant not to collect Personal Data except if doing so is absolutely necessary for the purpose of processing.
Furthermore, the European Data Protection Board also asserted that in attempts to find a vehicle using location in the case of theft the processing of location data is limited to the strict needs of the investigation and to the case assessment. Given that the European Data Protection Board has strongly reaffirmed the already applicable principles of the GDPR`s limitations as to storage, purpose, and duration of processing and the need for consent, we and the relevant data controller`s involved in the process, are equally and particularly aware and cognizant of the requirements. As such we have this not only made abundantly clear in this document, but exhaustively trained and educated as those involved in the process on the aforementioned and auxiliary requirements.
As far as we process Personal Data within the meaning of Article 4 of the GDPR, we will process it to the extent permitted by law, for example, in the course of providing our services or to comply with our legal obligations. We may also use Personal Data for the following purposes: Managing and planning operational processes and Contractual Data Processing for Payment and Administrative Purposes and Service provision.
The Personal Data you provide is collected and processed for the purpose of fulfilling a contract, our legal obligations, protecting legitimate interests. The legal basis for the processing of your data is, in addition to Art. 6 Para. 1 lit. b), c), d) and e) GDPR, and Article 9 Para. 2 lit. c), h) GDPR for Special Category Data and Sensitive Personal Data, if any and if necessary.
Legal Basis for the processing of your data
When reporting a stolen car, a theft or loss, your personal data will be processed by your insurance company, the police and for Dutch vehicles, the Stichting VbV with your permission and consent to represent your interests. You also give permission to pass on your data to your insurance company, power of attorney or intermediary. Processing of your personal data takes place in a lawful, fair and transparent manner.
In such cases when DIGITPOL receives an order to search for your vehicle, you have given consent when you reported the theft to the reporting authority, therefore on the basis of a request from an insurance company, we search for your vehicle when an active stolen signal is registered. At all times, Digitpol has consent from the vehicles owner or the insurance company. At the time of reporting the theft, the vehicles owner gives consent by a questionnaire sent by the VBV. The insurance company becomes the rightful owner when the vehicle is paid out to the last keeper. DIGITPOL may also receive a Power of Attorney from a vehicle owner accompanied by the vehicle registration documents and an identity card, either way, the basis for all activities related to searching for stolen vehicles is based on consent and an active stolen signal on the vehicles VIN and License Plate.
Role of the Car Manufacture.
On the basis of consent and an active stolen signal on the VIN, DIGITPOL will request by API to the car manufacture the geolocation of the stolen vehicle. DIGITPOL’s SMVIU database is configured to terminate the API with the car manufacture when the stolen signal is removed. DIGITPOL will only have access to a vehicle data from a manufacture when the owner has given consent and when the stolen signal is active.
Technical or vehicle data can in accordance with CJEU - C‑175/20 - SIA ‘SS’ (Opinion of AG Bobek) fall under Personal Data in reference to Art. 4 of the GDPR, if that data with reasonable means allows to identify a specific individual. For such a qualification it is neither relevant whether data compromises technical data, nor whether data is vehicle generated or provided by the customer. DIGITPOL has no capability or access to identify the vehicles owner or any data related to the owner. DIGITPOL will receive only data related to a vehicle. We do treat data as personal data.
Responsible party to collect consent from a user.
The VBV is the responsible party to collect consent from a car owner, this is done at the time the questionnaire is filled in after the theft report is filled.
Purpose of the policy
This policy seeks to ensure that Digitpol BV is:
- clear about how Personal Data must be processed;
- complying with the UAVG and GDPR and with good practice;
- protecting the Personal Data entrusted to us and that it is processed in accordance with data subjects’ rights;
- protecting itself from risks of Personal Data breaches and breaches of data protection laws;
The policy covers Personal Data held by Digitpol BV in relation to data subjects. The policy applies equally to Personal Data held in print and digital form. Digitpol BV’s Data Protection Manager is responsible for ensuring that contractors and others working on behalf of Digitpol BV complying with this policy and should implement appropriate practices, processes, controls, and training accordingly.
Data Protection Manager
Digitpol BV’s Legal Department has been tasked to act as a Data Protection Manager (DPM). Our DPM can be reached at firstname.lastname@example.org or by using the postal address provided above or below.
Third Party Access
Collected data is in no way made available to third parties without a court order or a warrant.
Storage of Data & Cloud
In the event we utilize GPS trip data to locate a stolen vehicle, this data is only processed when a stolen sign is on the VIN. The data is stored on a dedicated high-quality data center that meets the highest security standards and are certified both ISO 9001 and ISO 27001 certified. There is 24/7 surveillance by video cameras and professional monitoring. Databases are hosted on encrypted HDD and backups are stored on an encrypted storage. Logs and access is fully complaint with ISO and industry standards with MFA, IP access as default. All data entered to and from our databases is logged for the purpose of auditing.
The server locations can only be accessed by someone who has been granted legal permission and by the management from DIGITPOL which includes a signed a confidentiality agreement.
How long is data retained?
DIGITPOL does not store vehicle data for longer than is necessary for the purpose of the processing. Any Telematic data retained for 15 days after a case is closed, after the 15 days we permanently destroy the data.
Data Protection Authority
DIGITPOL is registered with the Netherlands Data Protection Authority https://www.autoriteitpersoonsgegevens.nl/en
Permission to Investigate
DIGITPOL has permit from the Netherlands Ministry of Security and Justice to conduct criminal and civil investigation. The permit number is POB1557
Data Protection Principles
Digitpol BV is responsible for, and must be able to demonstrate compliance with the data protection principles set out in the UAVG and GDPR and all Personal Data must be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject,
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes subject to appropriate safeguards, and provided that there is no risk of breaching the privacy of the data subject,
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed,
- accurate and where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that is inaccurate, having regard to the purposes for which they are processed is erased or rectified without delay,
- kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the Personal Data is processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the UAVG and GDPR in order to safeguard the rights and freedoms of the data subject, and
- processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Data Subjects’ Rights
The UAVG and GDPR grant several rights to data subjects. These are standardized in both provisions and include the following:
- the right to be informed;
- the right of access;
- the right of rectification;
- the right to erasure (the “right to be forgotten”);
- the right to restrict processing;
- the right to data portability;
- the right to object;
- rights with respect to automated decision-making and profiling;
- the right to withdraw consent;
- to be notified of a data breach which is likely to result in high risk to their rights and freedoms; and
- to make a complaint.
Digitpol BV requires the verification of the identity of an individual requesting data under any of the rights listed along with the vehicle registration papers and a theft report. Requests made must be complied within one month of receipt and immediately forwarded to the DPM and are processed free of charge.
To assert these rights, please contact our DPM at any time using the details provided above. You also have the right to lodge a complaint with your local data protection supervisory authority or the Dutch Data Protection Authority (“DPA”). The DPA is located at Bezuidenhoutseweg 30, 2594 AV Den Haag and their website can be found at www.autoriteitpersoonsgegevens.nl. We would, however, appreciate the chance to deal with your concerns before you approach the DPA or any other supervisory authority.
Digitpol BV must implement appropriate technical and organizational measures in an effective manner to ensure compliance with data protection principles. Digitpol BV is further responsible for and must be able to demonstrate compliance with the data protection principles. Consequently, adequate resources and controls to ensure and document UAVG and GDPR compliance are put into place. Those are:
- the appointment of a DPM,
- security and privacy measures when processing and handling data are implemented,
- a Data Protection Impact Assessment (DPIA) is carried out,
- policies and procedures for processing and handling data are implemented,
- Digitpol BV contractors and others working on behalf of the Company are trained in accordance with the UAVG and GDPR,
- security and privacy measures and processing and handling policies and procedures are reviewed and updated, and
- Audits and reviews are carried out regularly.
Digitpol BV is responsible for establishing policies and procedures in order to comply with data protection law.
The DPM is responsible for:
- advising Digitpol BV and its contractors and others working on behalf of the Company of its obligations under UAVG and GDPR,
- monitoring that the UAVG and GDPR and other relevant data protection laws are followed and applied,
- monitoring training and audit activities related to UAVG and GDPR compliance,
- advice when requested and conduct data protection impact assessments,
- act as the contact point for the DPA and data subjects, and
- oversee Digitpol BV’s performance regarding risk deriving from processing operations, considering the nature, scope, context, and purpose.
Contractors and others working on behalf of the Company must ensure that:
- all Personal Data is kept securely,
- no Personal Data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorized third party,
- Personal Data is kept in accordance with Digitpol BV’s retention schedule,
- queries concerning data protection, complaints and access requests are forwarded to the DPM immediately,
- data protection breaches are swiftly made known to the DPM and that support in resolving breaches is prioritized,
- any uncertainty about data protection is addressed to the DPM and without delay, and
- they are aware of the Data Protection principles and have read this Policy.
Third-Party Data Processors
Where Digitpol BV is outsourcing or using external companies for the processing of Personal Data, the responsibility for the data remains with Digitpol BV.
A third-party data processor must:
- provide sufficient guarantees about its data protection and security measures,
- agree to a written contract covering what Personal Data is processed and for what purpose, and
- agree to a written data processing agreement.
We have a clear and specific objective to ensure that Personal Data is kept secure and up to date. In particular we have agreed to:
- comply with the legal requirements in the provision of services,
- process and use your data only to the extent strictly necessary to perform our obligations or as otherwise provided,
- only disclose your data to contractors and others working on behalf of Digitpol BV that have a need to access your data,
- ensure that all such contractors and others working on behalf of Digitpol BV are bound by a confidentiality agreement,
- take all reasonable steps to ensure the reliability of all its contractors and others working on behalf of Digitpol BV who have access to your data,
- ensure that appropriate controls are in place to prevent access to special categories of Data, where relevant, except in circumstances expressly authorised, and
- implement, maintain and at all times operate adequate and appropriate technical and organizational measures to:
- protect the security, confidentiality, integrity, and availability of your data, and
- protect against unauthorized or unlawful processing of your data and against
- accidental loss, destruction or the making vulnerable of, or damage to, your data,
- such measures shall, at a minimum, meet
- the requirements of the UAVG and GDPR, and
- the standards required by all applicable accepted industry practices.
Further, we have obtained both ISO 9001 and ISO 27001 certifications of the data center to ensure the highest security standards along with 24/7 by video camera surveillance and professional monitoring.
Data Subject Access Requests
Data subjects have the right to receive a copy of their Personal Data which is held by Digitpol BV. Likewise, an individual is entitled to receive further information about processing their Personal Data and in particular on:
- the purpose of processing;
- the categories of Personal Data being processed;
- the recipients of Personal Data;
- the retention periods;
- information about their rights;
- the relevant safeguards when Personal Data is transferred outside the EEA; and
- any third-party source of the Personal Data.
Do not share any Personal Data without proper authorization. Do not alter, conceal, block, or destroy Personal Data after such request has been made. Contact the DPM before making any changes or replying to a Data subject Access Requests.
Reporting a Personal Data breach
The UAVG and GDPR requires that Digitpol BV reports any Personal Data breach to the DPA if there is a risk or high risk to the rights and freedoms of the data subject. If you know or suspect a Personal Data breach inform the DPM immediately and follow the instructions set out in the Data Breach Procedure.
Limitations on the transfer of Personal Data
The transfer of Personal Data to a country outside the Netherlands/EEA, will only take place if one or more of the following applies:
- the DPA confirmed that the particular country ensures an adequate level of protection for the data subjects’ rights and freedoms,
- the particular country provides appropriate safeguards such as binding corporate rules, standard contractual clauses approved by the DPA, an approved code of conduct or a certification mechanism,
- the data subject has explicitly agreed to the transfer,
- the transfer is necessary for the performance of a contract between the data subject and Digitpol BV, and
- the transfer is necessary for one of the other reasons set out in the UAVG and GDPR including:
- the public interest,
- establish, exercise, or defend legal claims,
- to protect the vital interests of the data subjects, and
- if the data subject is physically or legally unable to give their consent.
The UAVG and GDPR requires Digitpol BV to keep full and accurate records of all data processing activities. Keep and maintain accurate corporate records reflecting Personal Data processing, including Consent Form. Records should include, at a minimum, the name and contact details of the DPM, clear descriptions of the Personal Data types, data subject types, processing activities, processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data’s retention period and a description of the security measures in place.
Similar, records of Personal Data breaches must also be kept and cover the following:
- the facts surrounding the breach,
- its effects, and
- the remedial action taken.
Secure Deletion and Archiving of Personal Data
Personal Data must be deleted and stored using one of the following secure methods:
- Documents in electronic format must be deleted with a secure deletion utility and standard deletion utilities should not be used,
- Personal Data on hard drives, removable drives, storage devices or any similar item must be securely erased before any disposal or reassignment of the equipment,
- Personal Data that is Archived on hard drives, removable drives, storage devices or any similar item must be organized in an orderly and organized manner and encrypted using at least AES-256,
- Paper copies must be destroyed using cross-cut shredders, and
- The DPM must approve and record the destruction or deletion of Personal Data.
Sensitive and Special Category data
Digitpol BV is through the performance of its services not routinely collecting or processing Sensitive and Special Category data. If the processing of Sensitive and Special Category data during the course of the provision of services becomes necessary, we first need to obtain consents. In this context, consent means any freely given indication of the data subject's wishes for the specific case in an informed and unambiguous manner, in the form of a declaration or any other unambiguous affirmative act by which the data subject indicates that he or she consents to the processing of Personal Data relating to him or her.
Training and Audit
Digitpol BV is required to ensure that all contractors and others working on behalf of Digitpol BV are adequately trained and compliance with the UAVG and GDPR is possible. We also regularly test our policies, systems, and processes to assess and ensure compliance.
Data privacy by design and default
Digitpol BV has to ensure that by default only Personal Data which is necessary for each specific purpose is processed. The obligation applies:
- to the volume of Personal Data collected,
- the extent of the processing, and
- the period of storage and the accessibility of the Personal Data.
In particular, Personal Data should not be available to an indefinite number of persons, and you must ensure that you adhere to those measures.
Data Protection Impact Assessments (DPIAs)
Digitpol BV must also conduct DPIAs in respect of high-risk processing before that processing is undertaken. Digitpol BV’s DPM will conduct a DPIA when:
- new or changing technologies such as programs, systems or processes are introduced,
- automated processing including profiling takes place,
- sensitive and special category data is processed on a large scale, and
- systematic monitoring of a publicly accessible area on a large scale takes place.
A DPIA must include:
- a description of the processing, its purposes and the Data Controller’s legitimate interests if appropriate,
- an assessment of the necessity and proportionality of the processing in relation to its purpose,
- an assessment of the risk to individuals, and
- the risk-mitigation measures in place and demonstration of compliance.
Access to all information will be controlled and will be driven by business requirements. Access will be granted, or arrangements made for users according to their role and the classification of information, only to a level that will allow them to carry out their duties.
A formal user registration and de-registration procedure will be maintained for access to all information systems and services. This will include mandatory authentication methods based on the sensitivity of the information being accessed and will include consideration of multiple factors as appropriate.
Specific controls will be implemented for users with elevated privileges and leavers, to reduce the risk of negligent or deliberate system misuse. Segregation of duties will be implemented, where practical.
All workstation and server-based assets used, whether connected to the Digitpol BV network or as stand-alone units, must use Digitpol BV approved antivirus/anti-malware protection software and configuration provided by the Digitpol BV. The following procedures shall be followed:
- Virus protection software must not be disabled or bypassed,
- Settings for the virus protection software must not be altered in a manner that will reduce the software effectiveness,
- Automatic update frequency cannot be altered to reduce the frequency of updates,
- All servers attached to the Digitpol BV network must utilize Digitpol BV approved/standard virus protection software and setup to detect and clean viruses,
- All electronic mail gateways, devices, and servers must use Digitpol BV approved e-mail virus/malware/spam protection software and must adhere to Digitpol BV rules for the set-up and use of this software,
- Any threat that is not automatically cleaned, quarantined, and subsequently deleted by malware protection software constitutes a security incident and must be reported, and
- Antivirus/anti-malware signature updates shall occur on a frequency defined by Digitpol BV but shall occur minimally once each calendar month.
In terms of the formal exchange process the diagram below sets out the actual process.
Digitpol Legal Dept.
Boogschutterstraat 1, 7324AE,
By Email: email@example.com
This statement was last updated on Wednesday, 04 January 2022
Automated Decision-Making (ADM)
When a decision is made which is based solely on automated processing (including profiling) which produces legal effects or significantly affects an individual. the UAVG and GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not automated processing.
Any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyze or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Profiling is an example of automated processing.
An agreement which must be freely given, specific, informed and be an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the processing of Personal Data relating to them.
The person or organization that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in accordance with the UAVG and GDPR. Digitpol BV is the Data Controller of all Personal Data relating to its own purpose.
Processor or Data Processor
Processor or Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority. Digitpol BV is a Data Processor where we receive our instructions directly form the owner of the vehicle.
A Sub-Processor is a third-party data processor engaged by a Data Processor who has or will have access to or process personal data from a Data Controller. In order to use a sub-processor, the processor needs to have the controller’s written permission. Digitpol BV is a sub-processor, where we receive our instructions through VbV.
Vehicle Data includes a vehicles VIN, License Plate, Make, Model, Color, Engine specifications or the vehicle`s location, if provided and available, in order to trace the stolen vehicle or to identify the originality of a stolen vehicle. In very limited circumstances, this may relate to or reveals Personal Data.
A living identified or identifiable individual about whom we hold Personal Data.
Data Protection impact assessment (DPIA)
An assessment tool used to identify and reduce risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the processing of Personal Data.
“Personal data” The Stolen Car Unit of Digitpol processes vehicle data only, we do not have access to vehicle ownership data.
“Client” Shall mean Insurance company otherwise referred to as “Data Controller” as applicable at the time of data collection from the Car owner.
“Digitpol’s Client” In the case of Digitpol’s client, it is the VBV whom represent the car insurance sector in a contractual agreement with each insurance company.
“User” Shall mean the Client of Insurance Company otherwise known as Car Owner’s who contracted the Insurance Company.
“Stichting VBV” The Vehicle Crime Insurance Bureau (VbV). The mission of the VbV Foundation is to prevent and limit damage caused by vehicle crime. In doing so, it aims, among other things, to enrich and provide information from public and private parties, to support services to support investigations in the field of criminal and civil law and to represent the interests of parties who suffer or have suffered damage as a result of vehicle crime. Stichting VBV is tasked by all Dutch insurance companies to represent them. Stichting VBV is referred to as VBV.
“Vehicle OEM” Car manufacturers or manufacturers of car module or parts that may contain data.