General principles of personal data processing in a car rental company Justrent OÜ

1. General Provisions

1.1. The procedure for processing personal data (referred to as the “Procedure”) establishes the car rental company Justrent OÜ principles for processing personal data, the rights of the data subject and the obligations of the personal data processing agency and security measures for protecting personal data.

1.2. When processing personal data Justrent OÜ should be guided by the Personal Data Protection Act and the instructions of the Data Protection Inspection.

1.3. The purpose of the Personal Data Protection Act and this Procedure is to protect fundamental rights when processing personal data, in particular the right of privacy.

2. Definitions

2.1. Personal data include any data relating to an identified person, regardless of the form or type of this information.

2.2. Privacy Information - Justrent OÜ is a car rental company. During performance of their duties, Justrent OÜ collects personal data, including confidential and private information not available to the public - people have the right to privacy. When storing and using information containing personal data Justrent OÜ is guided by the Personal Data Protection Act, the Public Information Act, this Procedure and the Instruction on Documentation Management.

2.3. The processing of personal data is any activity with the personal data, including the collection, storage, organization, preservation, modification and disclosure of personal data, access to personal data, execution and retrieval of personal data, use, transfer, cross-use, connection, encryption, removal or destruction of personal data; or several of the above operations, regardless of the methods and means of performing the operations.

2.4. The data subject is the person whose personal data are processed.

2.5. The third party is an individual or legal entity, a branch of a foreign company or a state or local government body that does not control personal data, a data subject, an individual who processes personal data under the guidance of a processor.

2.6. The responsible processor is a person or entity, a branch of a foreign company, or a state or local government body that processes or guides the personal data processing.

3. Purpose of processing personal data

3.1. Justrent OÜ processes personal data only for lawful purposes and only to the extent necessary for carrying out car rental activities.

3.2. When processing personal data Justrent OÜ should be guided by the following principles:

3.2.1. The principle of legality - personal data are collected only by fair means and validly;

3.2.2. The principle of purpose - personal data may only be collected for specific and legitimate purposes and be processed in a manner consistent with the processing objectives;

3.2.3. The principle of minimalism - personal data can be collected to the extent necessary to achieve the goals;

3.2.4. The principle of use restriction - personal data can be used for other purposes only with the consent of the data subject or with the consent of the competent authority;

3.2.5. The principle of data quality - personal data must be modern, complete and necessary to achieve the purpose of data processing;

3.2.6. The principle of security - security measures must be taken for the personal data protection from unintentional or unauthorized processing, disclosure or destruction;

3.2.7. The principle of individual participation - the data subject should be informed about the data that he collects, should have access to his own data and have the right to correct inaccurate or misleading information.

4. Persons whose data is processed

4.1. Justrent OÜ handles personal data of a car lessee.

4.2. As an employer, Justrent OÜ processes personal data of people working under contracts concluded in accordance with the Employment Contracts Act and the Obligations Law Act.

5. Sources of personal data and the basis of processing

5.1. Sources of personal data are:

5.1.1. Documents sent, transmitted and/or completed by the data subject or his authorized representative (for example, ID, passport, contact details, driver's license and other documents) and his testimony;

5.2. The processing of personal data is based on;

5.2.1. Person’s own initiative (for example, a statement, application, memorandum, request for information or another request from a person);

5.2.2. Initiative of a person or an enterprise (for example, an application, statements, request for information) having permission from the data subject to transfer data or who has the legal right for this.

6. Persons / institutions having the permission to the transfer and process of personal data

6.1. Personal data are reported to people and institutions to which the data subject is authorized to provide data or who have a legal right to do so.

6.2. The transfer of the personal data (to whom, when and what data) is recorded in the Justrent OÜ correspondence register. Personal information is not collected by Justrent OÜ and is not transmitted.

6.3. The processing of personal data is allowed without the consent of the data subject, if personal data are processed:

6.3.1. according to the law;

6.3.2. to protect the life, health or freedom of the data subject or other person, if the data subject cannot obtain consent;

6.3.3. for the execution of the contract with the data subject or for the execution of the contract, except for the processing of confidential personal data.

6.4. Transfer or access to the personal data for processing by a third party is permitted without the consent of the data subject:

6.4.1. If the third party to whom the data is transferred processes the personal data in order to fulfil the tasks stipulated by the law, international agreement or direct act of the European Union Council or the European Commission;

6.4.2. On a case-by-case basis to protect the life, health or freedom of the data subject or another person, if the data subject consent cannot be obtained;

6.4.3. The third party requests information obtained or created to perform public functions provided for by the law or legislation issued on its basis, and the requested information does not contain confidential personal data and is not subject to any restrictions on access for any other reason.

7. Subject rights and data access

7.1. In accordance with § 19 of the Personal Data Protection Act, everyone has the right to know which personal data is collected about him / her in the organization, and for what purpose and on what basis or what other legislation are his or her data processed and to which people or organizations were his or her personal data transferred.

7.2. The data subject has the ability to obtain information about the collected and processed data. Information can be obtained by submitting a written request to a Justrent OÜ representative for the issuance of documents containing personal data of the data subject.

7.3. To the extent possible, personal data should be provided in accordance with the data subject request.

7.4. When issuing personal data, Justrent OÜ must be sure that it is the individual who is entitled to receive the relevant data. Therefore, the data applicant must prove his identity or the right to request data if necessary.

7.5. According to clause 19 (3) of the Personal Data Protection Act, the personal data processor is required to justify the refusal to issue data or provide information. The processor must notify the subject of the decision to refuse to provide data or information within five business days after the date of receipt of the application. Depending on the data requested, a specific law may provide an exception to the information and the procedure for disclosing personal data.

7.6. The processor has the right to refuse to provide information to the data subject if this can:

7.6.1. violate the rights and freedom of another person;

7.6.2. to prevent an offense or offender;

7.6.3. makes it difficult to determine the truth in criminal proceedings.

7.7. The data subject has the right to require the processor of his / her personal data to correct invalid personal data. If the data are updated or corrected, also keeps incorrect personal data about the time of their use or about their change.

7.8. If processing of personal data is not permitted by the law, the data subject has the right to request:

7.8.1. Completion of personal data processing;

7.8.2. Termination of disclosure or access to personal data;

7.8.3. Removal or closing of collected personal data.

8. Developer and his responsibilities

8.1. The person responsible for protecting personal data at Justrent OÜ is appointed by the directive of the member of the Board.

8.2. The employee of Justrent OÜ who processes personal data, must:

8.2.1. Process personal data in order, on the conditions and in accordance with the instructions permitted by this Procedure;

8.2.2. Maintain the confidentiality of any personal data that became known to him in the course of his or her duties, even after the fulfilment of duties related to the processing or dismissal;

8.2.3. Participate in the protection of personal data training offered by the employer if necessary;

8.2.4. Be familiar and follow the processing of personal data as per the Personal Data Protection Act.

8.3. An employee of Justrent OÜ is obliged to maintain the confidentiality of any personal data that became known to him during the performance of his or her duties and which are not intended for general use.

8.4. The employee Justrent OÜ is liable under the Personal Data Protection Act for violating the processing personal data procedure.

8.5. Justrent OÜ undertakes to:

8.5.1. Immediately delete or close personal data that are not needed to achieve the goals, unless otherwise provided by the law;

8.5.2. To make sure that personal data are correct for the achievement of goals, after all;

8.5.3. Close incomplete and inaccurate personal data and immediately take the necessary measures to supplement and correct them;

8.5.4. Store inaccurate data marked with the time of their use, with the correct data;

8.5.5. Close personal data whose accuracy has been challenged until the accuracy of the data are verified or the correct data are established;

8.5.6. In case of correction of personal data, immediately inform third parties from whom personal data were received or to whom this personal data were transferred, where it is technically possible and does not incur disproportionately high costs.

9. Security measures to protect personal data

9.1. Security measures for the protection of personal data are aimed at ensuring:

9.1.1. Data integrity, that is, to protect data from accidental or intentional unauthorized changes;

9.1.2. Data availability, that is, to protect data from accidental destruction and intentional destruction, as well as to prevent access by the data subject;

9.1.3. Data confidentiality, that is, to protect data from unauthorized processing.

9.2. Personal data are processed by Justrent OÜ on paper and electronically.

9.3. The collected data should be stored in accordance with applicable law.

9.4. Upon expiration of the retention period, the data must be deleted and the documents destroyed.

© 2019 JustRent OÜ. All Rights Reserved