Learn more about Important service updates from Element
At Element Fleet Leasing Limited (“Element”, “we” or “us”) we understand the importance of privacy and are committed to protecting the personal information we collect, use and disclose in the course of managing our business activities under the General Data Protection Regulation (No. 2016/679) (“GDPR”), the Data Protection Acts 1988 to 2018 and other applicable national and EU privacy legislation (together “EU Data Protection Law”). This section answers the top questions in relation to why the EU Data Protection Law is applicable. For more information on how we process personal data under EU Data Protection Law, please click here.
Question 1: Element is based in the EU so why are the processor provisions set out in Article 28 GDPR not required in my agreement with Element?
Response: Element will be processing your personal data as a processor. Under the GDPR, it is the controller that is required to include processor provisions for compliance with Article 28 GDPR but this requirement will only apply where the controller is itself subject to the GDPR and thus obliged to comply with its requirements. In this case, your organisation acts as the controller and we understand that it is not subject to the GDPR (as it is located and operates outside the EU) so your agreement with Element does not require processor provisions for compliance with Article 28 GDPR because the agreement does not involve a controller that is required to comply with Article 28 GDPR.
Question 2: So are you saying that Element does not comply with the GDPR?
Response: No. Element does comply with the requirements of the GDPR that apply to it. In the context of personal data that Element processes under its agreement with you, Element acts as a processor and so it complies with the requirements of the GDPR that directly apply to a processor. These requirements include: (i) maintaining appropriate security measures to keep personal data safe and secure; (ii) maintaining records of how it processes personal data; and (iii) co-operating with data protection regulators. Element’s compliance with these requirements is supported by appropriate internal policies and procedures.
Question 3: We know that the GDPR has strict rules on international data transfers. What does that mean for data flows between us in North America and Element in the EU.
Response: The GDPR is viewed as the regulatory ‘gold standard’ when it comes to ensuring the safety and security of personal data. This means that personal data can flow freely from North America to Element in the EU without the need for additional safeguards because once the data is received by Element in the EU you have the comfort of knowing that we will be required to, and we will, use and protect that personal data in line with the requirements of the GDPR applicable to us.