VCA Europe S.r.l. Privacy Notice and Information Charter

This page was last updated on 8th February 2024

VCA Europe S.r.l. is an appointed technical service offering Type Approval services to the automotive industry in Italy and other locations worldwide.

Working predominantly with the automotive industry, VCA Europe S.r.l. processes and holds only a very small amount of personal data on European citizens

This policy explains how VCA Europe S.r.l. will comply with data protection law. This includes Legislative Decree No.196 of 30th June 2003 (the Italian Data Protection Code – “IDPC”) as amended by Legislative Decree No. 101 of 10th August 2018, which was enacted in order to make the Italian data protection laws compliant with EU Regulation 2016/679 (The General Data Protection Regulation – GDPR).

What is personal data?

Personal data is any information relating to an identified or identifiable natural living person, otherwise known as a ‘data subject’. A data subject is someone who can be recognised, directly or indirectly, by information such as a name, an identification number, location data, an online identifier, or data relating to their physical, physiological, genetic, mental, economic, cultural, or social identity. These types of identifying information are known as ‘personal data’. Data protection law applies to the processing of personal data, including its collection, use and storage.

You can read more about this on the Italian Data Protection Authority’s website here:

Requesting your personal data

Where we ask for your personal information we will:

  • let you know why we need it
  • only ask for what we need, and not collect excessive or irrelevant information
  • ensure that it is kept safe and secure and only accessible by those who need it
  • let you know if we will share it with other organisations to give an improved service, how we will do that and whether you can say no
  • only keep it for as long as we need to
  • make sure it is accurate and kept up to date

To help us to keep your information reliable and up to date, we would ask that you:

  • Give us accurate information
  • Tell us as soon as possible of any changes, such as a new address

We are committed to providing the best and most efficient service to industry.  We may share personal information within our organisation or with other bodies where it is relevant to do so. We may also share information with Government where we are required to do so by law.

See the section “Do you share information with third parties?” for further information.

Privacy by design

Where we introduce new technologies, policies or processes, we will ensure that your privacy is considered from the outset, and where beneficial, will carry out a Data Protection Impact Assessment (DPIA).

We will always carry out a DPIA where we use new technologies or consider there is a high risk to your rights and freedoms. Where an assessment identifies risks that cannot be satisfactorily reduced or avoided, we will seek advice from the Italian Data Protection Authority (Garante per la protezione dei dati personali) to help us find the best solution.

What data will VCA Europe S.r.l. hold?

VCA Europe S.r.l. routinely collects small amounts of private and personal information in the course of its everyday activities. Unless VCA Europe S.r.l. has received a request in respect of one of the services it offers – for example, a Type Approval application, or has otherwise been sent a request for information, it does not collect or hold citizen information.

How is the information held?

Personal information that is held by VCA Europe S.r.l. will predominantly be in electronic format only, although there may be legacy paper records that are in the process of being phased out where appropriate.

By ‘electronic’, this means emails; documents (in various proprietary software formats i.e. word, excel, pdf etc.); or data held as a database entry.

We take information security seriously and will protect your personal data from unauthorised access, accidental loss, destruction and damage. We carry out regular reviews and audits to ensure that our methods of collecting, holding and processing personal data meet Government security standards and industry good practice. We will only transfer your personal data overseas where appropriate safeguards are in place to protect it.

The training and guidance we give to our staff

All of our staff have been trained in the importance of protecting personal and other sensitive information. Those who routinely access personal data as part of their jobs are expected to undertake more in depth training.

How long will VCA Europe S.r.l. keep my personal information?

That will largely depend on the reason for holding it in the first place, but in practice, our aim is to only hold personal data for as long as it is needed to process requests or service an agreement and as required to comply with audit processes. VCA Europe S.r.l. will have a file retention policy that sets out the length of time it keeps different types of information, although this may vary on a case by case basis (copies of retention periods are available on our website).

Do you share information with third parties?

VCA Europe S.r.l. will only share your personal information where there is a justified and necessary reason to do so. Examples include:

  • sharing your information with European Type Approval authorities in pursuit of an application for Type Approval; or
  • sharing with areas of the Italian Government or other Law enforcement agencies engaged in the protection or detection of crime, or to provide evidence in criminal or civil prosecution cases; or
  • sharing data with software developers employed directly by VCA Europe S.r.l. to carry out development and maintenance work on our web tools; or
  • sharing your data with those organisations that provide VCA Europe S.r.l. with advisory or support services when required.

Please be aware that in these cases, VCA Europe S.r.l. will make an independent assessment of the legality of sharing and identify and mitigate any risks associated with sharing. It will not however, always seek your approval to share this information beforehand.

Electronic data is stored using secure hosting arrangements both within VCA Europe S.r.l. and using solutions offered by third-party providers. Hosting organisations and contractors that hold data on our behalf (which may include some personal data), have a limited role in relation to processing the data held; will need to demonstrate compliance with  GDPR and other legislation; and where necessary, be party to a sharing agreement with VCA Europe S.r.l.

What rights do I have to access or amend my information?

You have the right to request from VCA Europe S.r.l. (the controller) copies of the personal data that we hold about you at any time by making what is known as a ‘subject access request’. You also have the right to ask for your personal data to be rectified or erased. You may also ask VCA Europe S.r.l. to restrict processing of your personal data and have the right to object to processing of that data as well as the right to data portability and in relation to automated decision making.

VCA Europe S.r.l. will usually respond to subject access requests within one month of receipt, but may take up to 2 months in the case of complex and/or numerous requests. We will let you know when you can expect to receive a response, or if we will be unable to provide you with one.

Please note that before we can act on your request, you will need to supply proof of your identity. Please be as specific as you can about the information you want and, if it isn’t obvious, explain why you expect us to hold your personal data.

Please visit the Italian Data Protection Authority (Garante per la protezione dei dati personali) website here: to read about your rights under the General Data Protection Regulations (GDPR). See below for details on how to make an application under GDPR.

Data breach notification

VCA Europe S.r.l. does everything it can to keep your personal data secure. But if, despite this, a breach occurs which creates a risk to your rights and freedoms (for example, financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), we will ensure that both you and the Italian Data Protection Authority is notified without undue delay. Where it is not possible to contact you directly, we will attempt to make you aware through other means, such as a public announcement. The information we will provide to you will include:

  • the contact details of how to contact VCA Europe S.r.l.;
  • the likely consequences of the breach;
  • details of the measures already taken or planned to address the breach including any steps taken to mitigate potential damaging effects.

Contacting VCA Europe S.r.l.

In most case, VCA Europe S.r.l. is the single controller under data protection law.

Details on how to contact VCA Europe S.r.l. in relation to Data Protection issues, please use our contact from here:


Please note that in the course of your communications with VCA Europe S.r.l., any advice or comments provided, whether that by email, letter, or verbally, should only be considered as opinions. Interpretation of the law is the sole prerogative of the courts.

Making an application under the General Data Protection Regulations

How do I find out what information you hold about me?

Please write to us at, or to the following postal address:

VCA Europe S.r.l.
POINT – Polo per l’Innovazione Tecnologica
Via Pasubio, 5
24044 Dalmine (BG)

In order to process your request, please provide us with your name and any other personal details you think we may hold. Also provide us with any information you have about your dealings with VCA Europe S.r.l. so that we can better target our searches.

Please note that before we can act on your request, you will need to supply proof of your identity.

How long will it take for VCA Europe S.r.l. to respond?

VCA Europe S.r.l. will usually respond to subject access requests within one month of receipt, but may take up to 2 months in the case of complex and/or numerous requests. We will let you know when you can expect to receive a response, or if we will be unable to provide you with one.

Is there a cost?

Not normally. We can however, charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

What if I am unsatisfied with the response from VCA Europe S.r.l.?

If you are unhappy with the content of your response, or the way in which VCA Europe S.r.l. handled your request and wish to make a complaint, there are a couple of ways you can do this.

If you believe that VCA Europe S.r.l. has not sent you all of the information you are entitled to, then please let us know. We will acknowledge your complaint within 5 working days and let you have a full response within 20 working days. If it is not possible to respond fully within this timescale, we will write and let you know why and say when you should receive a full response.

If you are still unsatisfied, you can contact the Italian Data Protection Authority: +39 06 69677 2917 or by email:

Otherwise, if you are unhappy with the way in which VCA Europe S.r.l. handled your request, then please email us at

Ref: SRL-002 Rev 01