GDPR COMPLIANCE FOR SERVICE STATIONS

HEREIN REFERRED TO AS THE (ENTITY)

Privacy Policy for Service Station Operations

Effective: 1 May 2025

1. Introduction

We, the (“Entity”), are committed to protecting the privacy of our customers, suppliers, and partners in line with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable national privacy laws. This privacy policy explains how we handle personal data within the operation of our service stations and fuel delivery services.

2. Data Controller

The Entity is the Data Controller for all personal data processed during the provision of services at our fuel stations, stores, car service bays, and through our digital platforms.

3. What Personal Data We Collect

We may collect and process:

  • Identification Data: Name, vehicle registration, driver’s license (when required for service or compliance)

  • Contact Details: Phone number, email, billing address

  • Transaction Data: Receipts, loyalty program details, fuel card usage, payment methods

  • Service Interaction Data: Car servicing records, fuel delivery requests, complaints or queries

  • Surveillance Data: CCTV footage on-site for safety, theft prevention, and legal compliance

  • Website and App Data: IP address, contact forms, booking records, cookie consent logs

Sensitive data is only collected when necessary (e.g., for accident reports or lost property) and always under strict safeguards.

4. Lawful Basis for Processing

We rely on:

  • Consent (Art. 6(1)(a)) – loyalty programs, newsletter signups, promotional communications

  • Contractual Necessity (Art. 6(1)(b)) – purchases, fuel delivery, vehicle servicing

  • Legal Obligation (Art. 6(1)(c)) – tax records, safety logs, CCTV under crime prevention obligations

  • Legitimate Interest (Art. 6(1)(f)) – site security, customer service analytics, operations improvement

5. Purposes of Data Processing

We process personal data to:

  • Deliver fuel, car-related services, and in-store purchases

  • Respond to customer inquiries and service requests

  • Fulfill legal and insurance-related obligations

  • Monitor site security and prevent fraud or theft

  • Maintain service records and customer preferences

  • Communicate promotions (where consent is provided)

6. Data Sharing and Recipients

We may share your data with:

  • Fuel card providers, payment processors

  • Maintenance and technical service contractors

  • Security firms for CCTV and on-site safety

  • Accountants, tax auditors, legal advisors

  • Government and law enforcement (as legally required)

All third parties operate under GDPR-compliant agreements (Art. 28 GDPR).

7. Data Retention

  • Service and Transaction Records: 7 years (standard retention)

  • CCTV Footage: Up to 30 days, unless required for legal purposes

  • Customer Complaints/Queries: 2 years

  • Loyalty or Marketing Data: Until consent is withdrawn or after 2 years of inactivity

8. Data Subject Rights

Under GDPR, individuals may:

  • Request access to their data (Art. 15)

  • Request correction of inaccurate data (Art. 16)

  • Request erasure under defined conditions (Art. 17)

  • Request restriction of processing (Art. 18)

  • Object to certain uses (Art. 21)

  • Withdraw consent at any time (Art. 7(3))

9. International Transfers

We do not regularly transfer personal data outside the EEA. If such transfers are necessary (e.g., cloud services), appropriate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions apply.

10. Data Security

We apply strict safeguards, including:

  • Controlled access to service systems and fuel logs

  • Encrypted financial records and online contact forms

  • CCTV monitoring with restricted playback access

  • Employee training in data protection and confidentiality

11. Data Breach Notification

Any personal data breach is reported to the Supervisory Authority within 72 hours, and to affected individuals if required by law.

12. Automated Decision Making

We do not use automated profiling or decision-making that has a legal or significant impact on individuals.

13. Data Protection Impact Assessments (DPIA)

DPIAs are conducted for:

  • New customer-facing technologies (e.g., fuel apps or kiosks)

  • Large-scale CCTV expansions

  • Remote fuel ordering or delivery systems

14. Cookies and Website Tracking

Cookies are used strictly for essential functions and anonymous analytics. No advertising or third-party tracking cookies are activated without your explicit consent.

15. Complaints

If you believe your rights are infringed, you may lodge a complaint with your Supervisory Authority via CONTACT SUPERVISORY AUTHORITY below.

16. Use of Artificial Intelligence (AI) and Automated Tools

We may use Artificial Intelligence (AI) or automated technologies to support the delivery, analysis, or improvement of our services. Any deployment of AI is conducted in accordance with applicable laws, including the GDPR and forthcoming EU AI Act, and is subject to the following safeguards:

  • Transparency: Where AI tools are used to process personal data (e.g., chatbots, service optimization, fraud detection), individuals are clearly informed at the point of interaction.

  • Human Oversight: All AI-supported functions are subject to human review and final decision-making. No fully automated decisions with legal or similarly significant effects are taken without human intervention.

  • Fairness and Accuracy: AI systems used by the Entity are regularly monitored to ensure outputs are non-discriminatory, accurate, and aligned with intended purposes.

  • Data Minimization: Personal data used in AI models is limited to what is strictly necessary, and anonymization or pseudonymization is applied wherever feasible.

  • Third-Party AI Providers: If AI services are sourced from external vendors, they are required to comply with our data protection standards and are bound by GDPR-compliant agreements (Art. 28).

  • Rights of Individuals: Data subjects retain all applicable GDPR rights, including the right to object to automated processing (Art. 21) and to receive meaningful information about the logic and implications of any AI-supported decisions (Art. 22).

This clause will be updated as legal frameworks governing AI continue to evolve.

17. Updates

This policy is reviewed annually and updated to reflect changes in law or service station operations.

We, the ENTITY, take your privacy seriously and treat your personal information with the same care and respect we would expect for our own. This policy has been developed to comply with relevant data protection laws in our jurisdiction and, where applicable, with those of international clients and partners. If you have any concerns or believe there are areas where our data handling may fall short, please contact us using the details at the end of this policy. We are committed to transparency and prompt resolution of any issues.

A specialized compliance team has created this policy:

1. Data Protection Officer (DPO) – Regulatory Oversight

  • Ensures all policies comply with GDPR core principles (lawfulness, fairness, purpose limitation, data minimization)

  • Coordinates legal review of processing bases, data subject rights, and international data flows

  • Oversees DPIAs and data breach response strategies

2. Consulting Practice Compliance Lead – Sector-Specific Applicability

  • Aligns privacy standards across business verticals (e.g., finance, logistics, retail)

  • Ensures compliance with relevant industry-specific frameworks and confidentiality obligations

  • Validates data practices in business transformation, audits, and advisory sessions

3. Cybersecurity Expert – Data Security & Technical Controls

  • Reviews encryption standards, access controls, and network protection across all client data storage platforms

  • Conducts security assessments of document management systems and cloud services used in consulting delivery

  • Oversees breach mitigation protocols

4. Contract & Legal Counsel – Service Agreements & Data Use

  • Validates legal bases in B2B engagements, NDAs, and subcontractor arrangements

  • Advises on client contract terms related to data confidentiality, liability, and third-party access

  • Confirms legal validity of consent and legitimate interest where applied

5. Financial Data Analyst – Billing & Regulatory Compliance

  • Ensures secure processing of client billing records, purchase orders, and financial audits

  • Validates use of accounting software in accordance with GDPR and local tax laws

  • Reviews cross-border invoicing and data sharing with financial institutions

6. HR & People Data Compliance Advisor – Internal Governance

  • Manages internal employee data policies, recruitment data, and training records

  • Validates lawful handling of consultant performance data and internal access logs

  • Monitors use of productivity tools and personal identifiers

7. Business Intelligence & Analytics Advisor – Data Minimization & Ethics

  • Validates anonymization of client project data for analytics and reporting

  • Ensures dashboard tools and feedback systems align with consent and proportionality principles

  • Oversees compliance in data visualization tools and automated reporting

8. Cross-Border Transfer Specialist – International Data Governance

  • Ensures use of SCCs, BCRs, and adequacy mechanisms in multinational consulting projects

  • Verifies transfer logs, third-country recipient agreements, and GDPR Articles 44–50 compliance

  • Supports data transfer impact assessments (TIA) when required

9. Digital Transformation Lead – Tech-Driven Advisory Services

  • Reviews AI, automation, and decision-support tools for data ethics and compliance

  • Ensures privacy notices cover emerging tech use (e.g., CRM AI plugins, HR analytics)

  • Aligns service model updates with EU AI Act and GDPR where applicable

10. Marketing & CRM Advisor – Outreach and Consent

  • Ensures lawful processing of prospect data under consent or legitimate interest

  • Reviews marketing automation, campaign analytics, and subscription mechanisms

  • Validates GDPR-compliant unsubscribe features and tracking tools

DATA SUBJECT RIGHTS

COMMUNICATION OPTIONS