This Privacy Notice was last updated on 11.12.2019.
Car Sharing Services Malta Ltd (“we”, “our”, “us”, or “the Company”) recognises its obligations as a Data Controller in terms of applicable data protection and privacy law, mainly the General Data Protection Regulation EU 2016/679 as supplemented by the Data Protection Act (Chapter 586 Laws of Malta), together with other applicable laws as they may be amended from time to time.
It is important that you read this Privacy Notice together with any other privacy notice we may provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are processing your Personal Data. This Privacy Notice supplements the other notices and is not intended to override them.
The Services constitute a car sharing service subscription which enables subscribers to rent available vehicles for varying periods of time.
By using our Services, you acknowledge that you have read and understood this Privacy Notice.
‘Personal Data’ is a reference to any information relating to an identified or identifiable natural person. This includes any identifiable material relating to their physical, physiological, mental, economic, cultural or social identity and includes but is not limited to physical files, identification numbers, location data and images or records of individuals. It does not include data which has been rendered anonymous in such a manner that the data subject is no longer identifiable.
‘Sensitive Data’ is a reference to any information consisting of religious beliefs, racial or ethnic origin, political opinions or trade union membership, data concerning health or data concerning a natural person's sex life or sexual orientation and genetic and biometric data.
‘Processing’ is used to refer to any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
‘Controller’ refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
‘Processor’ refers to a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
GOTO Malta has appointed a Data Protection Officer (‘DPO’) who is responsible for matters relating to privacy and data protection. The DPO can be reached by sending an email to firstname.lastname@example.org.
3.1. We process Personal Data on the following categories of Data Subjects:
|Potential Employees||Individuals who apply for employment at the Company.|
|Employees||Individuals who are currently or previously in part or full-time employment with the Company.|
|Clients||Organisations, enterprises or individuals that engage the services of the Company.|
|Suppliers||Organisations, enterprises or individuals that supply the Company with services or goods.|
3.2. Personal Data we collect when using the Services:
Most of the Personal Data we process is provided to us directly by you to provide you with our Services and to respond to enquiries or to complaints. Such Personal Data may be requested from you when you create an account; leave a comment; enter a competition, promotion or survey; and give us feedback. Other information about you is collected from your use of the Services.
The provision of personal data is either voluntary, arises from statutory requirements or from contractual provisions. Where applicable, failure of the provision thereof will prevent the Company from complying with its legal or regulatory obligations; concluding contracts; and delivering the Services. For example, when renting a vehicle with us we will require information such as your name, address, payment information and driver's licence. Failure to provide this information will prohibit us from renting a vehicle to you. You will be made aware if this situation arises and what the consequences of not providing the personal information will be.
Depending on your relationship with us, we collect, use, store and transfer different categories of Personal Data about you as follows:
|Personal Data||Purpose and Legal Basis|
|Identity Data: first name; last name; username or similar identifier; date of birth; driver's licence and/or other government issued identification.||For the performance of our agreements with you, including managing your account; license validation; and billing. To comply with our legal requirements. In our legitimate business interest for security and anti-fraud purposes. With your specific consent to provide you with marketing messages.|
|Contact Data: Email address; Telephone/Mobile phone number; Postal address.||For the performance of our agreements with you, including managing your account; license validation; and billing. To comply with our legal requirements. In our legitimate business interest for security and anti-fraud purposes. With your specific consent to provide you with marketing messages.|
|Vehicle and Usage Data: fuel consumption and mileage; traffic offences such as speeding; where indicated by signage, vehicles are equipped with a global positioning system (GPS) and a front-facing dashcam which shall only record when it detects an actual or potential collision; incident reports including details of the parties involved, together with the nature of any personal injuries and/or vehicle damage; insurance information.||For the performance of our agreements with you. In our legitimate business interest to monitor the usage of our vehicle fleet and to recover the costs of any loss or damage caused to the vehicle. In your own legitimate interest for security purposes. To comply with legal obligations to which we are subject, for example, cooperating with the competent authorities. To establish, exercise or defend legal claims arising as a result of an incident.|
|Customer Feedback: information relating to queries, feedback, complaints; call recordings.||In our legitimate business interest to monitor the quality of Services and provide our customers with improved Services. Calls are recorded for quality control and training purposes.|
|Payment Data: data necessary for processing payments and fraud prevention; credit/debit card details (the security code is processed for transaction purposes only and is not retained by us); billing information.||For the performance of our agreements with you, including managing your account. In our legitimate business interest for security and anti-fraud purposes.|
3.3. Personal Data we collect when applying for a job:
We are the Data Controller for the information you provide during a recruitment process, unless otherwise stated.
We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes.
We do not collect more information than we need to fulfil our stated purposes and will not keep it longer than necessary. The provision of Personal Data is on a voluntary basis. However, if you do not provide us with your Personal Data it may affect your application.
|Personal Data||Purpose and Legal Basis|
|Identity Data: first name; last name; date of birth.||All of the information you provide during the process will only be used for the purpose of assessing your suitability for the role you have applied for; progressing your application with a view to offering you an employment contract with us; and to fulfil our legal or regulatory requirements where necessary. Processing is necessary in order to take steps at the request of the data subject prior to entering into a contractual agreement.|
|Contact Data: Email address; Telephone/Mobile phone number; Postal address.||All of the information you provide during the process will only be used for the purpose of assessing your suitability for the role you have applied for; progressing your application with a view to offering you an employment contract with us; and to fulfil our legal or regulatory requirements where necessary. Processing is necessary in order to take steps at the request of the data subject prior to entering into a contractual agreement.|
|Other information: Personal data included in a CV, application form, cover letter or interview notes, such as qualification, skills, experience and employment history; Information about your entitlement to work in Malta (where applicable); References; Driving license (where applicable); Any other information, voluntarily disclosed by you, for which the Company needs to make reasonable adjustments during the recruitment process; Conduct certificates issued not earlier than six (6) months prior to the date of submission of the application. Provided that the Company shall only verify and will not retain or make any copies of such certificates, unless required by law.||All of the information you provide during the process will only be used for the purpose of assessing your suitability for the role you have applied for; progressing your application with a view to offering you an employment contract with us; and to fulfil our legal or regulatory requirements where necessary. Processing is necessary in order to take steps at the request of the data subject prior to entering into a contractual agreement.|
4.1. The Company may share your Personal Data with other organisations which require such information to assist us in managing the Services, including:
a. Third parties to whom disclosure may be required as a result of our relationship with you;
b. Third parties to whom disclosure may be required as a result of legal obligations imposed on us, for example, law enforcement entities and government bodies (e.g. Jobs plus);
c. Our legal advisors as necessary to establish, exercise or defend the Company’s position against potential, threatened or actual litigation;
d. Any service providers that may have access to your Personal Data in rendering us with their support services, for example, outsourced IT, HR and bookkeeping support;
e. Insurance companies or their representatives;
f. Consultants or other advisers auditing any of our business processes or who have the need to access such information for the purpose of advising us; and
g. Any successor (or receiving) organisation in the event of a corporate sale, merger, reorganisation, dissolution or similar event involving us and/or our subsidiaries and related entities.
If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this Privacy Notice. In such cases you will be informed accordingly of your rights.
4.2. We will make sure that any third-party providers have undertaken to use any Personal Data legitimately and in accordance with our written instructions or agreements. This means that they cannot use or share your Personal Data unless we have instructed them to do so. They will also be bound to retain the Personal Data in a secure manner and for the period we instruct.
4.3. We will not share your Personal Data with any third parties for the purposes of direct marketing.
5.1. We may send you email newsletters and email marketing messages with special offers and promotions if you have specifically consented to receiving such material at account registration stage.
5.2. If you change your mind, you can unsubscribe at any time by using the “unsubscribe link” provided at the end of our newsletter or any other marketing message. Alternatively, you can contact us on email@example.com.
5.3. If you unsubscribe from receiving such material, we will update our database to ensure you do not receive any further marketing messages from us.
5.4. We may ask you to confirm or update your marketing preferences if you instruct us to provide further services in the future, or if there are any legislative changes.
5.5. Please note that revoking consent to receive marketing and promotional e-mails does not affect our non-marketing communications (transactional emails) including, for example, communications about the status and activities of your account, billing communications, responses to your requests, post-service feedback or survey requests, and other similar communications.
6.1. Our Services are not geared towards minors under the age of 18 and we do not knowingly collect personal information from minors. If you believe we have received personal information from minors under the age of 18, please contact us immediately on firstname.lastname@example.org.
6.2. If we learn that we have collected any personal information from minors, we will take all the necessary steps to securely delete such information and deactivate any accounts.
8.1. In terms of applicable data protection and privacy laws we protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
8.2. As a data subject you have the following rights:
|Right of access||You have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and where that is the case, access to the Personal Data and the additional information as outlined in the regulations.|
|Right to rectification||You have the right to obtain from us without undue delay the rectification of inaccurate Personal Data concerning you.|
|Right to erasure||You have the right to obtain from us the erasure of your Personal Data in terms of law. This right is limited by, and subject to all our compliance, regulatory and legal obligations.|
|Right to restriction of processing||You have the right to obtain from us restriction of processing where one of the following applies: (1) the accuracy of Personal Data is contested by yourself for a period enabling us to verify the accuracy of your personal data; (2) the processing is unlawful and you oppose the erasure of your Personal Data and request the restriction of its use instead; (3) we no longer need the Personal Data, but it is required by yourself for the establishment, exercise or defence of legal claims; (4) you object to processing pursuant to your right to object pending the verification whether our legitimate grounds override yours.|
|Right to data portability||You shall have the right to receive your Personal Data which you have provided to us, in a structured, commonly used and machine-readable format.|
|Right to object||You have the right to object, on grounds relating to your particular situation to processing of your Personal Data. We shall no longer process your Personal Data unless we have a compelling legitimate ground for the processing. You have the right to object at any time to the processing of Personal Data concerning you for direct marketing purposes.|
|Right to lodge a complaint||Should you require any clarification or need to discuss matters relating to the processing of your Personal Data, please contact our Data Protection Officer at email@example.com, who will be happy to assist you. If you are not satisfied with the outcome, you also have a right to lodge a complaint with the Supervisory Authority. The Maltese Supervisory Authority, the Information and Data Protection Commissioner (‘IDPC’), may be contacted either online, via the submission of a report by conventional mail, or by email at firstname.lastname@example.org. You may also seek to enforce your rights through judicial remedy.|
8.3. Please note that your rights in relation to your Personal Data are not absolute. If you intend to exercise one or more of your rights, please send your request by email to email@example.com.
8.4. Generally, no fees are applicable when exercising your rights. However, we may charge an administrative fee if your request is clearly unfounded, repetitive or excessive.
8.5. We will provide you with a response without undue delay, and in any event, within one month which starts running as soon as your identity is verified. Occasionally, if your request is particularly complex or you have made a number of requests, we may extend our response time to three months. In any case, we will inform you accordingly.
8.6. The Company may need to request specific information from you to help verify your identity. This is a security measure to ensure that Personal Data is not disclosed to unauthorised third parties.
8.7. We may also contact you to ask you for further information in relation to your request to speed up our response.
9.1. To prevent unauthorised access, maintain data accuracy, and ensure the appropriate use of information, we have put in place appropriate technical and organisational measures, controls and internal policies to protect your Personal Data against loss, misuse and unauthorised access, alteration, disclosure or destruction. Moreover, all efforts are taken to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services processing Personal Data.
9.2. No method of transmission over the Internet, or method of electronic storage, is 100% secure. We cannot ensure or warrant the security of any information you transmit to us, and you do so at your own risk. We also cannot guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or organisational safeguards.
9.3. Upon registration you need to create a username and password. Any passwords you create should be kept confidential by you and should not be disclosed to or shared with anyone. Where you do disclose any of these details, you are solely responsible for all activities undertaken where they are used. Passwords must have at least 8 characters and must be case sensitive.
9.4. All our staff who process Personal Data are provided with regular training on information security practices. Moreover, we have put in place procedures to deal with any suspected personal data security breach and will notify the regulator of a suspected breach where we are legally required to do so. In certain cases we will also inform you, as the data subject, of the occurrence of the breach and the steps you need to take to safeguard your rights.
9.5. If you believe your personal data has been compromised, please contact the Data Protection Officer by email at firstname.lastname@example.org.
10.1. Should we transfer your Personal Data to third countries or international organisations, this will occur under a safeguard mechanism recognised by the European Commission (‘EC’) as providing adequate protection for your personal data. International transfers will occur under the EC’s model standard contractual clauses.
11.1. Our site has links to other organisations. It is important for you to note that upon linking to another site, you are no longer on our site and you become subject to the privacy notice of the new site.
12.1. We will take reasonable steps to ensure that the Personal Data processed is reliable for its intended use, is accurate and complete for carrying out the purposes described in this Privacy Notice. We will retain the Personal Data only for the period necessary to fulfil the purposes outlined in this Privacy Notice, unless a longer retention period is required or permitted by law.
12.2. Clients: In line with domestic law, we may retain information for as long as your account is active and for up to six years after you close your account or it becomes inactive. Financial information will be retained for a period of ten years. In certain circumstances, we may retain your information for longer periods of time in order to comply with our legal obligations, safeguard our legitimate interests, resolve disputes and enforce our agreements.
12.3. Job applicants: Application documents should be retained for only as long as is necessary for the candidate’s application to be assessed. Upon receipt of the application, the candidate should receive an information notice regarding the processing of their Personal Data in terms of the GDPR and asking whether they would like their application to be kept on file for an extended period following the end of the recruitment process. If they opt in, then the employer may keep the application on file for the agreed period, after which it should be deleted. If not, any application documents shall be generally deleted within six months following the end of the recruitment process.
12.4. In some cases it is not possible for us to specify in advance the periods for which your Personal Data will be retained. In such cases, we will determine the period of retention based on the following criteria:
13: Changes to this Privacy Notice
13.1. If there are any changes to this Privacy Notice, we will replace this page with an updated version. It is therefore in your own interest to check the “Privacy Notice” page any time you access our web site so as to be aware of any changes which we may effect from time to time. Where applicable, we will advise you of the choices you may have as a result of those changes.