Privacy Policy

Purpose

Car Sharing Services Limited (hereinafter referred to as the “Company”) is required to obtain, store and use certain information about individuals/natural persons, sometimes referred to as “data subjects”. The data we collect includes information about our employees, customers and other persons who provide a service to or have a business relationship with the Company. The purpose of this document is to describe how all such personal data is collected, handled and stored in order to comply with applicable data protection laws. This data protection policy will ensure that the Company:

  • Follows good practice and complies with applicable data protection laws;
  • Protects the rights of data subjects;
  • Correctly stores and processes individuals’ personal data; and
  • Safeguards the Company’s interests by minimizing risks of personal data breaches, and ensuring that any such breaches are properly managed.

Definitions & Interpretations

  1. ‘Personal Data’ is a reference to any information relating to an identified or identifiable natural person. This includes any identifiable material relating to their physical, physiological, mental, economic, cultural or social identity and includes but is not limited to physical files, identification numbers, location data and images or records of individuals.

  2. ‘Sensitive Data’ is a reference to any information consisting of religious beliefs, racial or ethnic origin, political opinions or trade union membership, data concerning health or data concerning a natural person's sex life or sexual orientation and genetic and biometric data.

  3. ‘Processing’ is used to refer to any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  4. ‘Controller’ refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

  5. ‘Processor’ refers to a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

  6. ‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

  7. ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

  8. ‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; and

  9. ‘Data subject access requests’ refer to the right which the data subject has in order to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data processed by that controller.

GDPR Overview

The General Data Protection Regulation (hereinafter referred to as the “GDPR”) is the latest regulation governing the processing of personal data in the EU. The GDPR came into effect on the 25th May 2018, and it applies to any organisation or body which manages or handles the processing of personal data. Due to the ever-growing risks posed by technology, the GDPR aims to cover areas that were not adequately tackled by the previous data protection legislation. The following are the general principles which have formed the principal focus of the changes brought about by the implementation of the GDPR:

  • Consent: consent is the basis for any agreement. Under the GDPR consent is described as “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. In addition, consent may be withdrawn by the data subject at any time;
  • Privacy by design: privacy should be the foundation for any system of data processing. Privacy should not be an afterthought but a cardinal consideration on which any data processing process is designed and implemented.
  • Increased territorial scope: the GDPR applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.
  • Penalties: if a company or organisation is found to be in breach of the GDPR it can face fines of up to 4% of the group’s annual global turnover or €20 million (whichever is greater).

The GDPR also heightens specific rights of data subjects, such as:

  • Breach notification: data subjects are to be notified when a breach in the processing or storage of their data could “result in a risk for the rights and freedoms of individuals”.
  • Right to access: data subjects now have the right to obtain information from the data controller as to whether data concerning them is being processed, and they also have the right to access that same data.
  • Right to be forgotten: data subjects now have the right to demand that data about them be erased. This includes data that is currently in the possession of the data controller, data which is yet to be processed and data which is in the possession of third parties.
  • Right to rectification: data subjects have the right to update and correct data held about them.
  • Right to data portability: this links with the right to data access, stating that the data concerning the data subject must be transferred to the data subject in a “commonly used and machine-readable format”, and that the data subject also has the right to transmit that data to another controller.

In order for personal data processing to be legitimate, there must be a lawful basis for such processing. The GDPR outlines six lawful grounds for processing:

  • Consent has been obtained to process personal data for a specific purpose;
  • Processing is necessary for the performance of a contract the data subject is party to, or to take steps prior to entering into a contract at the data subject’s request;
  • Controller is subject to a legal obligation which requires the processing of personal data;
  • Processing is necessary to protect the vital interests of the data subject;
  • Processing is necessary for the performance of a task carried out in the public interest/in the exercise of official authority vested in the controller; or
  • Processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject concerned is a child.

The Company must therefore ensure that at least one of the above grounds applies to any processing which is undertaken with respect to personal data.

Data Subjects

table-1

table-2

1. Data Processes

table-3

table-4

table-5

2. Data Protection Procedures

Data Breach and Notification

Under the GDPR, data controllers and data processors are now subject to a data breach notification regime. Whenever there has been a breach of personal data which is likely to result in a high risk to the rights and freedoms of a data subject, the data processor must report this to the data controller, the Information and Data Protection Commissioner (IDPC) as the designated supervisory authority, and the affected data subject himself/herself (depending on the nature of the breach). The purpose of an incident response is to ensure that:

  • Data breach events are detected, reported, categorized and properly monitored.
  • Incidents are assessed and responded to appropriately.
  • Action is taken to reduce the impact of disclosure.
  • Serious breaches are reported to the IDPC.
  • Lessons learnt are communicated to all those involved with processing personal data.
  • Mitigation improvements are put in place to prevent the recurrence of future incidents.

The GDPR defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” In relation to this definition, the Article 29 Working Party (WP29), which is an advisory body made up of a representative from the data protection authority of each EU Member State, also defines the following terms:

  • “Destruction” of personal data: when the data no longer exists, or no longer exists in the form that is of any use to the controller;
  • “Damage”: where the personal data has been altered, corrupted, or is no longer complete;
  • “Loss” of personal data: when the data may still exist, but the controller has lost control or access to it, or no longer has it in its possession; and
  • “Unauthorised”: disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data, or any other form of processing which violates the GDPR.

Below are a few examples of incidents which may arise:

table-6

Any suspected personal data breaches should be reported to the Data Protection Representative by completing the breach notification record in Appendix A. It should be noted that serious personal data breaches should be reported to the Information and Data Protection Commissioner immediately, and in any case within 72 hours of the discovery of the breach. Where the notification to the Information and Data Protection Commissioner is not made within 72 hours, it must be accompanied by reasons for the delay. However, if a breach is unlikely to result in a risk to the rights and freedoms of natural persons, then it does not require notification to the Data Commissioner. For example, if the personal data is already publicly available, then the disclosure of such data might not constitute a likely risk to the individual. In any case, it is important that steps are taken immediately to contain the breach, and that the breach is documented as it develops. Consideration must also be given to whether the individual(s) affected by the breach need to be notified. This will depend on the:

  • Impact on the individual(s): examples of high-risk breaches include instances where the personal data that has been compromised reveals racial or ethnic origin, political opinion, religion or philosophical beliefs, or trade union membership, or includes genetic data, data concerning health or data concerning sex life, or criminal convictions or related security measures.
  • Feasibility of contacting the individuals.

Any notification should be discussed and, where in doubt, legal advice or guidance from the Data Commissioner should be sought to decide on the way forward. It is important to keep in mind that the main objective when notifying individuals is to provide specific information about the steps they should take to protect themselves. When notifying individuals, the following information should be provided:

  • A description of the nature of the breach;
  • The name and contact details of the data protection representative or other contact point;
  • A description of the likely consequences of the breach; and
  • A description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

Individuals should be notified of a breach through dedicated messages such as email or SMS. It is recommended that the means chosen is one that maximises the chance of properly communicating the information to all affected individuals. This may mean that several methods of communication are used, as opposed to a single contact channel. Kindly note that in some circumstances, and on the advice of law-enforcement authorities, the Controller may delay communicating the breach to affected individuals until such time as it would not prejudice ongoing investigations.

When in doubt, reference should be made to the charts below, which provide some useful examples of different types of breaches involving risk or high risk to individuals:

Chart A

table-7

Chart B

table-8

Data Protection Representative (“DPR”)

The Company’s Data Protection Representative is:

Name: Liran Golan
Email address: Liran@goto.com.mt
Telephone no: +356 22268000

The DPR is responsible for monitoring internal compliance within the organisation, conducting privacy impact assessments, informing and advising the Company regarding data protection matters and obligations, and acting as a mediator between data subjects, the Company and the supervisory authorities.

Awareness & Training

The Company ensures that employees whose duties include or could include the processing of personal data are sufficiently aware of data protection principles. The Company conducts periodic training sessions on data protection.

Duties of the Human Resources Manager

  • Ensuring that all data about individuals is stored in secure archives;
  • Ensuring that all data about individuals is still relevant and required;
  • Ensuring that the information requested from individuals is legitimate and only used for the purpose it was collected for;
  • Developing an employee code of practice based on this policy, which highlights the responsibilities of staff for the protection of personal data they may process;
  • Keeping a record of all the personal data which is processed on individuals;
  • Establishing a retention period for each category of records held on individuals based on the guidelines in this policy;
  • Ensuring that any personal information which is not required is deleted and destroyed;
  • Dealing with requests from employees to supply them with the data processed about them;
  • Liaising with the IT Manager for the provision of a readable format of employee personal data following a data subject’s request;
  • Ensuring that HR policies are updated in line with this data protection policy;
  • Ensuring that there are signed employee consent forms where these are required;
  • Updating employee contracts with the necessary data protection clauses; and
  • Supporting and assisting the Compliance Manager during audits and during any breach investigations.

Duties of the General Compliance Manager

  • Keeping the Directors, Company senior management and the Company persons responsible for data protection updated on any new legislation;
  • Providing a data protection strategy and direction to the responsible persons of data protection;
  • Assisting senior management in solving issues related to data protection;
  • Reviewing and updating the Company’s data protection policies and procedures;
  • Investigating data protection compliance failures;
  • Highlighting any shortfalls and reporting them to the controlling persons;
  • Conducting data protection audits to assess adherence with this policy;
  • Discussing improvements, training and any other specific measures required by each company with their company executives; and
  • Following up on the identified shortfalls and gaps found during audits.

Duties of the IT Manager

  • Ensuring that all systems, services, software and equipment meet acceptable security standards;
  • Ensuring that all systems having access to personal data are all accounted for and registered;
  • Ensuring that all systems used to transmit sensitive or controlled personal data are equipped with proper encryption;
  • Providing authorised access to files and folders according to the employees’ responsibility and as indicated by department head;
  • Ensuring that all the personal data is safely backed up and can only be retrieved by authorised persons;
  • Performing regular checks to verify that hardware and software security controls are functioning properly;
  • Evaluating any third-party services which the Company engages or will be engaging to store personal information to ensure that they implement all the acceptable security standards in line with this policy;
  • Ensuring that penetration testing is conducted on all the company systems where personal data is processed;
  • Providing all the technical assistance needed so that all senior management are compliant with these policies;
  • Ensuring that any IT projects have all the data protection measures mentioned in this policy to protect the privacy of personal data;
  • Ensuring that IT systems can be audited and have the necessary logs and audit trails to do so; and
  • Supporting and assisting the Compliance Manager during audits and during any breach investigations.

Duties of the DPR

  • Liaising with the senior management on decisions pertaining to Data Protection;
  • Informing and advising all executives on how to comply with the GDPR and other data protection laws;
  • Monitoring compliance in line with the Company Data Protection Policies and guidelines;
  • Managing any Company activities pertaining to data protection;
  • Conducting data protection impact assessments where required, and the related record-keeping;
  • Keeping a register of all the processing operations, highlighting the risks and controls associated with them;
  • Drawing the attention of senior management to any failure to comply with the applicable data protection rules;
  • Keeping the Company’s Compliance Manager updated on any changes in the type or the processing of personal information; and
  • Supporting and assisting the Compliance Manager during audits and during any breach investigations.

Data Retention

Introduction and Scope

In the course of conducting its business, the Company holds personal data relating to various data subjects. It is therefore imperative that records are properly retained to enable the Company to meet its business needs and legal requirements, and to evidence events or agreements in case of allegations, disputes or legal proceedings. The untimely destruction/deletion of records could affect:

  • the conduct of the Company’s business;
  • the ability of the Company to defend or instigate legal actions;
  • the Company’s ability to comply with statutory obligations; and
  • the Company’s reputation.

Conversely, the permanent retention of records is undesirable, and disposal is necessary to free up storage space, reduce administrative burden and ensure that the Company does not unlawfully retain records for longer than necessary.

Scope and Applicability

This data retention section covers all personal data in the Company’s possession or control, in any medium. Therefore, this data retention section is not restricted to documents in physical form but also includes files in an electronic format. Insofar as references to employees are concerned, this policy applies equally and indiscriminately to full-time and part-time employees on a substantive or fixed-term contract, and also to associated persons who work for the Company such as agency staff, contractors, suppliers, others employed under a contract of service and other third parties that may from time to time be engaged to process personal data on behalf of the Company.

Objectives

The Company is bound by various obligations in relation to the personal data in its custody or control. Under the General Data Protection Regulation (“GDPR”), personal data should be kept for no longer than is necessary for the purposes for which the personal data are processed. In order to ensure that personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. A recommended retention period is provided for each category of record in Annex B attached to this Policy. The retention period applies to all records within that category. The recommended minimum retention period derives either from legal obligations in place regulating the retention of a particular record or, where no legal obligation exists, from the Company’s business needs, provided that the data subject’s rights are not overridden. When the retention period stipulated herein has elapsed, the personal data covered by that retention period should be deleted/destroyed in accordance with this Policy.

Data Storage

This section gives an overview on how to safely store personal data. Employees shall be prohibited from removing data from the workplace without written permission from the management. This applies to physical as well as electronic data.

Physical Data

  • Data stored on paper (including data that is normally stored electronically but has been printed out) should be kept in a safe place where only those who are authorised to access it can see it.
  • When not being used, paper/files should be kept in a locked drawer or filing cabinet.
  • Employees should ensure paper and printouts are not left in places where unauthorised people can see them, for instance in a printer tray or on a desk.
  • When no longer needed, printouts containing personal data should be shredded and disposed of securely.

Electronic Data

  • Electronically stored data should be protected from unauthorised access, accidental deletion and malicious hacking attempts.
  • Strong passwords should be used. These should be changed regularly, kept secret and never shared between employees or over email.
  • Data stored on removable media, such as CDs and pen drives, should be locked away when not in use.
  • Data should only be stored on designated drives and servers and only be uploaded to an approved cloud computing service.
  • Servers containing personal data should be placed in a secure location, away from general office space.
  • Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
  • Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
  • All servers and computers containing data should be protected by approved security software and a firewall.
  • Employees are to ensure that when they leave their computers unattended, screens are always locked.
  • Personal data should not be shared informally. As a general rule, files containing personal data should only be printed or sent over email if absolutely necessary.
  • Files containing personal data should not be transferred outside the European Union without explicit written consent from management.
  • Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data. Emailing data files to personal devices shall also be prohibited unless explicitly allowed by management.

Data Accuracy

The law requires that the Company takes reasonable steps to ensure that the personal data it holds is accurate and up to date. All employees who work with personal data are responsible for ensuring the accuracy of the data they work with. To keep data as up to date as possible:

  • Personal data should be held in as few places as possible; and
  • Personal data should be reviewed and updated at regular intervals.

Deletion

Deletion is defined as physical or technical destruction sufficient to render the information contained in the data file irretrievable and inaccessible. No destruction of a record should take place without assurance that:

  • the record is no longer required by any part of the business;
  • no work is outstanding in relation to that record;
  • no litigation or investigation is current or pending which affects the record;
  • there are no current or pending issues, such as subject access requests, which affect the record.

Physical Data

Paper documents shall be shredded and disposed of appropriately and securely. Destruction should be carried out in a way that preserves the confidentiality of the record. All copies should be destroyed at the same time and in the same manner.

Electronic Data

The Company shall maintain and enforce a detailed list of approved destruction methods appropriate for each type of information stored electronically. This shall be overseen by the IT Department within the Company.

Exceptions

Exceptions may be granted on request in certain instances, such as in the case of suspicion of fraud or misconduct.

Implementation, Enforcement and Breaches

The Data Protection Representative shall be responsible for implementing this Policy and ensuring that it is read, understood and adhered to by all employees. The Data Protection Representative shall also be responsible for regularly reviewing and, if necessary, updating the Policy. Breaching this Policy could have serious legal and reputational repercussions for the Company. Consequently, employees found to be in breach of this Policy could potentially face disciplinary action. All employees are expected to promptly report any breaches of the Policy of which they are aware. Reports shall be made to the Data Protection Representative in writing.

Further Information

This Policy should be read in conjunction with any and all other data protection policies the Company may establish from time to time. If you have any queries regarding this Policy, please contact the Data Protection Representative at Liran@goto.com.mt or by telephone on +356 22268000.

Appendix A: Data Protection Breach Record

Kindly note that A29WP states that where precise information is not available (e.g. the exact number of data subjects affected) this should not be a barrier to timely breach notification. The GDPR allows for approximations to be made of the number of individuals affected and the number of personal data records concerned. The focus should be directed towards addressing the adverse effects of the breach rather than providing precise figures.

A29WP also recommends that when the Controller first notifies the IDPC, the controller should also inform the IDPC if it does not yet have all the required information and will provide more details later on.

table-9

Annex B

table-10

table-11

table-12