Car Sharing Services Limited (hereinafter referred to as the “Company”) is required to obtain, store and use certain information about individuals/ natural persons, sometimes referred to as “data subjects”. The data we collect includes information about our employees, customers and other persons who provide a service to or have a business relationship with the Company. The purpose of this document is to describe how all such personal data is collected, handled and stored in order to conform with applicable data protection laws. This data protection policy will ensure that the Company:
Definitions & Interpretations
‘Personal Data’ is a reference to any information relating to an identified or identifiable natural person. This includes any identifiable material relating to their physical, physiological, mental, economic, cultural or social identity and includes, but is not limited to, physical files, identification numbers, location data and images or records of individuals.
‘Sensitive Data’ is a reference to any information consisting of religious beliefs, racial or ethnic origin, political opinions or trade union membership, data concerning health or data concerning a natural person's sex life or sexual orientation and genetic and biometric data.
‘Processing’ is used to refer to any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
‘Controller’ refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
‘Processor’ refers to a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; and
‘Data subject access requests’ refer to the right which the data subject has in order to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data processed by that controller.
The General Data Protection Regulation (hereinafter referred to as the “GDPR”) is the latest regulation governing the processing of personal data in the EU. The GDPR came into effect on the 25th May 2018, and it applies to any organisation or body which manages or handles the processing of personal data. Due to the ever-growing risks posed by technology, the GDPR aims to cover areas that were not adequately tackled by the previous data protection legislation. These are the general principles which have formed the principal focus of the changes brought about through the implementation of the GDPR:
The GDPR also heightens specific rights of data subjects, such as:
In order for personal data processing to be legitimate, there must be a lawful basis for such processing. The GDPR outlines six lawful grounds for processing:
The Company must therefore ensure that at least one of the above grounds applies to any processing which is undertaken with respect to personal data.
1. Data Processes
2. Data Protection Procedures
Data Breach and Notification
Under the GDPR, data controllers and data processors are now subject to this data breach and notification regime. Whenever there has been a breach of personal data which is likely to result in a high risk to the rights and freedoms of a data subject, the data processor must report this to the data controller, the Information and Data Protection Commissioner (IDPC) as the designated supervisory authority, and the affected data subject himself/herself (depending on the nature of the breach). The purpose of an incident response is to ensure that:
The GDPR defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” In relation to this definition, the Article 29 Working Party (WP29), which is an advisory body made up of a representative from the data protection authority of each EU Member State, also defines the following terms:
Below are a few examples of incidents which may arise:
Any suspected personal data breach should be reported to the Data Protection Representative by completing the breach notification record in Appendix A. It should be noted that serious personal data breaches must be reported immediately to the Information and Data Protection Commissioner, and in any case within 72 hours from the discovery of the breach. Where the notification to the Information and Data Protection Commissioner is not made within 72 hours, it must be accompanied by reasons for such delay. However, if a breach is unlikely to result in a risk to the rights and freedoms of natural persons, then it does not require notification to the Data Commissioner. For example, if the personal data is already publicly available, then the disclosure of such data might not constitute a likely risk to the individual. In any case, it is important that steps are immediately taken to contain the breach, and that the breach is documented as it develops. Consideration must also be given to whether the individual(s) affected by the breach need to be notified. This will depend on the:
Any notification should be discussed and, where in doubt, legal advice or guidance from the Data Commissioner should be sought to decide on the way forward. It is important to keep in mind that the main objective when notifying individuals is to provide specific information about the steps they should take to protect themselves. When notifying individuals, the following information should be provided:
When in doubt, one should make reference to the below charts which provide some useful examples of different types of breaches involving risk or high risk to individuals:
Data Protection Representative (“DPR”)
The Company’s Data Protection Representative is:
Name: Liran Golan
Email address: Liran@goto.com.mt
Telephone no: +356 22268000
The DPR is responsible for monitoring internal compliance within the organisation, conducting privacy impact assessments, and informing and advising the Company regarding data protection matters and obligations, while acting as a mediator between data subjects, the Company and the supervisory authorities.
Awareness & Training
The Company ensures that employees whose duties include or could include the processing of personal data are sufficiently aware of data protection principles. The Company conducts periodic training sessions on data protection.
Duties of the Human Resources Manager
Duties of the General Compliance Manager
Duties of the IT Manager
Duties of the DPR
Introduction and Scope
In the course of conducting the business, the Company holds personal data relating to various data subjects. It is therefore imperative that records are properly retained to enable the Company to meet its business needs and legal requirements, and to evidence events or agreements in case of allegations, disputes or legal proceedings. The untimely destruction/ deletion of records could affect:
Scope and Applicability
This data retention section covers all personal data in the Company’s possession or control, in any medium. Therefore, this data retention section is not restricted to documents in physical form but also includes files in an electronic format. Insofar as employees are concerned, this policy applies equally and indiscriminately to full-time and part-time employees on a substantive or fixed-term contract, and also to associated persons who work for the Company such as agency staff, contractors, suppliers, others employed under a contract of service, and other third parties that may from time to time be engaged to process personal data on behalf of the Company.
The Company is bound by various obligations in relation to the personal data in its custody or control. Under the General Data Protection Regulation (“GDPR”), personal data should be kept for no longer than is necessary for the purposes for which the personal data are processed. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. A recommended retention period is provided for each category of record in Annex B attached to this Policy. The retention period applies to all records within that category. The recommended minimum retention period derives from either legal obligations in place regulating the retention of a particular record, or, where no legal obligation exists, the retention period is based on the Company’s business needs, provided that the data subject’s rights are not overridden. When the retention period stipulated herein has elapsed, the personal data covered by that retention period should be deleted/ destroyed in accordance with this Policy.
This section gives an overview on how to safely store personal data. Employees shall be prohibited from removing data from the workplace without written permission from the management. This applies to physical as well as electronic data.
Data Accuracy
The law requires that the Company takes reasonable steps to ensure that the personal data it holds is accurate and up to date. All employees who work with personal data are responsible for ensuring the accuracy of the data they work with. To keep data as up to date as possible:
Deletion is defined as physical or technical destruction sufficient to render the information contained in the data file irretrievable and inaccessible. No destruction of a record should take place without assurance that:
Physical Data
Paper documents shall be shredded and disposed of appropriately and securely. Destruction should be carried out in a way that preserves the confidentiality of the record. All copies should be destroyed at the same time and in the same manner.
Electronic Data
The Company shall maintain and enforce a detailed list of approved destruction methods appropriate for each type of information stored electronically. This shall be overseen by the IT Department within the Company.
Exceptions
Exceptions may be granted on request in certain instances, such as in the case of suspicion of fraud and misconduct.
Implementation, Enforcement and Breaches
The Data Protection Representative shall be responsible for implementing this Policy and ensuring that it is read, understood and adhered to by all employees. The Data Protection Representative shall also be responsible for regularly reviewing and, if necessary, updating the Policy. Breaching this Policy could have serious legal and reputational repercussions for the Company. Consequently, employees found to be in breach of this Policy could potentially face disciplinary action. All employees are expected to promptly report any breaches of the Policy of which they are aware. Reports shall be made to the Data Protection Representative in writing.
Further Information
This Policy should be read in conjunction with any and all other data protection policies the Company may establish from time to time. If you have any queries regarding this Policy, please contact the Data Protection Representative at Liran@goto.com.mt or by telephone on +356 22268000.
Appendix A Data Protection Breach Record
Kindly note that A29WP states that where precise information is not available (e.g. the exact number of data subjects affected), this should not be a barrier to timely breach notification. The GDPR allows for approximations to be made in the number of individuals affected and the number of personal data records concerned. The focus should be directed towards addressing the adverse effects of the breach rather than providing precise figures.
A29WP also recommends that when the Controller first notifies the IDPC, the controller should also inform the IDPC if it does not yet have all the required information and will provide more details later on.