PRIVACY POLICY

Privacy policy according to the articles 13, 14 of the GDPR

  1. Personal data information collected from the data subject:

 Public Limited Company «SIGMA SA», legally represented, registered in Heraklion Crete, at: 1, 18 Agglon sq («company»)

  1. Personal data collection and storage, as well as nature and purpose of use

Basic data: Name, Surname, address (private or professional), date of birth

Contact information: Telephone number (private or professional), fax,  e-mail address  (private or professional)

Car Rental Agreement Data: Car Make and license tag number, vehicle category, pick up  and return date, pick up and return location, various extras and services, Rental agreement number, reservation number, driver's license data, driver's license photo

Payment data/financial data: e.g. credit card details

Non-mandatory data: Information provided without obligation such as wishes for vehicle equipment or car category

Special categories of data: In case of an accident, vehicle damage or similar incident, information concerning the actual facts of the incident or the damage will be processed. All the relative information can be provided by customers, passengers or injured. In such cases, data concerning health can be processed, such as information on injuries, blood alcohol content, driving under the influence of drugs, etc.

Third party personal data: In case of provided personal data of third parties that fall within the scope of the rental relationship (e.g. vehicle co-operators, co-passengers, passengers), will also be processed.

  1. Legal framework of personal data processing by the «company».

Article 6 paragraph 1 (a) of the GDPR. According to this provision, the data processing shall be lawful only if and to the extent that the customer has given consent to the processing of his or her personal data for the specific purpose.

Article 6 paragraph 1 (b) of the GDPR. According to this provision, the processing of personal data shall be lawful only if and to the extent that, is necessary for the performance of the contract to which the customer is party or in order to take steps at the request of the customer (e.g. if a car reservation is required) prior to entering into a contract.

Article 6 paragraph 1 (c) of the GDPR. According to this provision, personal data processing shall be lawful only if and to the extent that is necessary for compliance with a legal obligation to which the «company» is subject.

Article 6 paragraph 1 (f) of the GDPR. According to this provision, personal data processing shall be lawful only if and to the extent that is necessary for the purposes of the legitimate interests pursued by the controller, that is, the «company» or by a third party overriding the interests, rights and freedoms of yours.

Article 9 paragraph 2 (f) of the GDPR. According to this provision, processing of special categories of personal data is necessary for the establishment, exercise or defence of legal claims. The special categories of personal data also  include health data of the data subject.

  1. Scope of procession
  2. 1. Vehicle reservation and rental fee

Personal data, contact details, agreement data, financial data as well as any other optional information will be processed for the purpose of booking, as well as the conclusion and fulfilment of a rental agreement.

Personal data, contact data and agreement data will be used for customer service purposes in case you contact the «company» as a customer, for example, in the event of change or cancellation of reservations.

If you book your car through travel agencies, online travel agencies or other intermediaries, your personal data, contact details, rental details and possibly financial information will be sent to the «company»  by our partners.

The «company» uses your personal data and contract data for billing and sales processing with travel agencies and collaborators. In addition, your personal data may by transferred to affiliated companies, on condition that the required or needed vehicle or vehicle type is not available to the «company».

The «company» is legally required to compare your personal data and contact details for prevention purposes and for  offences investigation according to offenders' lists sent by the criminal investigation offices. This comparison serves to avoid risks and facilitate criminal prosecution.

The «company» uses your data for your own and our security, for example in order to prevent the payments avoidance of property crimes (especially fraud, theft, swindling). If you wish to rent a vehicle, the «company» will process your financial data in order to verify your credit rating according to information provided by credit institutions.

After completing the lease, your personal data, financial data and contract details will be stored until the statutory mandatory detention periods have expired.

Legal framework of the above mentioned processing:

Article 6 paragraph 1(b) of the GDPR for the processing of personal data for the purpose of concluding and executing rental agreements and clients' servicing.

Article 6 paragraph 1(f) of the GDPR for processing data for the purposes of charging to third parties and of pursuing legitimate interests and preventing risks and fraud.

Article 6 paragraph 1(c) of the of the GDPR for  processing data for compliance with a legal obligation to which the «company» is subject, such as prevention and investigation of crimes, control and storage of driving licences data and maintenance of data on tax obligations and legitimate commercial and other requirements.

Article 6 paragraph 1 (f) of the GDPR for the purposes of the legitimate interests pursued by the «company» to use personal data to improve the services provided and the customer service in order to achieve the best possible efficiency and content. Regarding the processing of data for the purpose to prevent damage to the «company» and its vehicles, it is a legitimate interest to ensure the event of loss or damage to the vehicle through payments.

Categories of recipients of your personal data

For the above mentioned purposes, the «company» discloses your personal data to the following recipients: IT service providers, credit institutions, travel agency affiliates, and in specific cases to public and municipal authorities

4.2 Marketing and advertisement

The «company» may process your personal data, contact details and contract data in order to optimize its offers.

The «company» may process your email address in order to provide you with similar services or products. You may object to the specific use of your email address at any time without incurring any costs.

Legal framework of data processing

Article 6 paragraph 1(a) of the GDPR for commercial purposes with explicit prior consent.

Article 6 paragraph 1(f) of the GDPR for legitimate interest including marketing purposes. The «company's» legitimate interest in processing your personal data for purposes of direct marketing and advertising is to attract you with its offers and establish a solid customer relationship with you.

Categories of recipients of your personal data

For the above mentioned purposes, the «company» discloses your personal data to IT service providers, call centres and advertising partners.

4.3 Losses, accidents, violations

In the event of damage caused to the «company's» vehicles by you or any other person, or in the event that you or any other person is involved in any accident with one of the «company's» vehicles, processing of personal data, contact details,  any other data contained in the rental agreement and data concerning health conditions, will be held for the following purposes:

  • Accepting and processing complaints,
  • Customer service in case of damage,
  • Settlement of claims
  • Accident damage processing (processing based on your information and third party information such as police, witnesses, etc.).
  • Processing of the above mentioned data for the purpose of claims settlement e.g. with the insurance companies.

The «company» also is processing your personal data, contact details and rental agreement data for legal obligations fulfilment (such as transmission to the judicial authorities).

In case of suspicion by the competent authorities that one of the «company's» vehicles is involved in an illegal act, The «company» is processing additionally to the data collected and stored any other  information provided by the competent authorities.

Legal framework of data processing

Article 6 paragraph 1 (b) of the GDPR for data processing for purposes of complaint management and customer service in case of vehicle failure of damage.

Article 6 paragraph 1 (c) of the GDPR for data processing for purposes of damage management.

Article 6 paragraph 1 (f) for data processing for purposes of damage liquidation, of pursuit the «company's» claims against you and regarding administrative offences.

Article 9 paragraph 2 (f) of the GDPR for processing data concerning health for the establishment, exercise or defence of legal claims.

Legitimate interest, seeing that data processing is based on article 6 paragraph 1(f) of the GDPR

Legitimate interest of the «company», in personal data processing for exercising legal claims against you for damage liquidation, is to prevent any damage to the company and to provide the customers intact vehicles.  In addition, due to contractual relationships with third parties (such as insurance companies), the «company» is required to process your personal data for purposes of liquidation of property damage. Legitimate interest of the «company» is to comply properly with the terms of the contract.

Recipients / categories of recipients

For the above mentioned purposes, the «company» may disclose your personal data to the following recipients: public services, police authorities, evaluators, lawyers and insurance companies.

4.4 Processing of data due to legal obligations

The «company» may process your personal data, contact details, rental agreement data and financial information in order to comply its legal obligations.  This includes data processing during the informing procedure of authorities about, for example, tax issues

Legal framework of data processing

Art. 6, paragraph 1 (c) of the GDPR.

Recipients / categories of recipients

In addition to the above-mentioned purposes, we may be required to disclose your personal data to public authorities.

4.5 Optimizing the «company's» offers

The «company» may process your personal data, contact details and contract data in order to optimize its offers.

Including e.g. preparation and analysis of rental reports, planning for vehicle allocation improvement, conducting and analyzing customer satisfaction surveys. The «company» processes your personal data and rental agreement details for Web presence optimization.

To improve the quality of provided services and optimize the customer service, the «company» processes its data files using an algorithm in order to form a profile of the potential future use of its services.

In addition, the «company» uses addresses from external cooperators sources to ensure the accuracy of its data file in order to perform the contract concluded with you.

Legal framework of data processing

Art. 6 par. 1 (a) of the GDPR concerning measures to optimize the «company's» offers customers consent is required.

Art. 6 par. 1 (f) of the GDPR

Legitimate interest when legal framework is consisted by the article 6 par. 1 (f) of the GDPR

Legitimate interest of the «company», in using your personal data in order to improve the services provided and the customer service, is the requirement to provide you with the best possible service and the long-term increase of customer's satisfaction.

Categories of recipients of your personal data

For the above mentioned purposes, the «company» discloses your personal data to the following recipients: IT service providers, call centres and «company's» cooperators.

Data transfer to third countries

For working partners established in a third country, the «company» transfers your personal data to the respective third country. Data transfer to third country requires adequacy decision by the European Commission. If there is no adequacy decision by the European Commission for the third country concerned, the transfer to the third country is made on the basis of appropriate safeguards within the meaning of Article 46 (2) of the of the GDPR In addition, the «company»  may transfer your data to a third country under the terms of Article 49 of the of the GDPR. Copies of these safeguards can be obtained  from the above mentioned «company's» address (see → Processing Operator). All third countries are countries outside the European Economic Area. The European Economic Area includes all the countries of the European Union as well as the countries of the so-called European Free Trade Association. These are Norway, Iceland and Liechtenstein.

  1. 6 Events

The «company» is processing your personal data  and contact information in order to invite you to organized events.

Legal framework of the above processing

Article 6 par. 1 (f) of the GDPR for data processing in order to acquire customers and support business customers.

Legitimate interest, seeing that data processing is based on article 6 paragraph 1(f) of the GDPR

The «company's» legitimate interest in processing your data in the context of customer service and customer retention, is our obligation to provide the best possible service performance and to increase its customers' satisfaction.

Categories of recipients of your personal data

For the above mentioned purposes, the «company» discloses the contact details of its business customers to the following recipients: IT service providers, call centres and event organizers.

4.7 Website

Your personal data is collected through the www.motorclub.gr website if you provide it yourself, e.g. as part of a registration, filling out forms, sending emails or booking a rented car. The «company» uses this data for the purposes specified or resulting from the application, for example in the booking request, in order to process your application.

Security, SSL technology

SIGMA SA has taken technical and organizational measures to protect your personal data, in particular against unauthorized process and alteration, accidental loss, unlawful destruction or unauthorized access.. These security measures are constantly adapted to the technological developments. The transfer of personal data between your computer and the «company's» server is always encrypted (SSL method, Secure Socket Layer).

Online Tracking

Some new browsers use the features “Do Not Track”. If this is the case, the «company's» site may not respond to "Do Not Track" requests or be unable to read the headers of these browsers. To learn more about your browsers settings and whether information from some providers are rejected, click here for the USA, here for Canada and here for Europe (Note: If you enable DNT, you will continue to receive generic ads, just not targeted ads.).

Cookies

When you visit the «company's» website, information in the form of "cookie" may have been placed on your computer. The "cookies" are small pieces of text sent from a website and stored on the user's computer by the user's web browser. Cookies are designed to remember information and allow to a Web site to store information on a user's machine and later retrieve it.  Cookies can not be used to run programs or to deliver viruses to your computer.  The "cookies" used by the «company» do not contain personal information and can not be merged with them.

Most of the cookies used by the «company» are so-called "session cookies", which are essential to keep your visit consistent, for example, to ensure that your preferences or other information you entered during the booking request will be retained during your login. In addition, the «company» needs "session cookies" to ensure that a particular offer you have preferred will be associated with your request (for example, promotional offers). These "session cookies" are automatically deleted when the browser is closed. In addition, the «company» uses cookies to recognize you when you visit its site later, if you are particularly interested in certain offers, which allows us to display tailored promotions. Finally, the «company» needs its partner's cookies for advertisement charges, as they record through which side or campaign a customer has mediated. The «company» collects this information only in abstract form, that is, not personally identifiable. Such a cookie has a 31 day lifespan.

You have the option to accept or reject the cookies. The majority of Internet browsers automatically accept cookies. However, you can usually use browser settings to reject cookies. If cookies are declined, you may not be able to use certain features of the site. If cookies are accepted, you can later delete the accepted cookies from your browser. In Internet Explorer 8 you can e.g. Delete cookies by selecting Tools>Internet Options>General and then click on Delete browsing history. By clearing cookies, the settings controlled by these cookies, including the advertisement settings, will be deleted and may not be retrievable.

Using Google Analytics (this text is provided by Google, Inc.)

This site uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses so-called "cookies", text files that are stored on your computer and enable the analysis of how you use the website. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf.  Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser. However please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

For more information, visit  www.google.com/intl/de/analytics/privacyoverview.html (general information about Google Analytics and privacy). Please note that, on this website, Google Analytics has been expanded by the code "gat._anonymizeIp " to ensure the anonymized collection of IP addresses (so-called IP-Masking). Please visit tools.google.com/dlpage/gaoptout for instructions on disabling Google Analytics Services.

Use of Google Maps

The reservation application and the station tracking application on the site use  API of Google Maps. These applications are necessary for the sustainability and full provision of the reservation service. Using the reservation application and the station tracking application, you agree to  terms of use and privacy policy of Google. Google's terms of use can be found here. Google's privacy policy is found here. The use of Google Maps serves to show the customer the appropriate map of the area as well as the nearest stations of the «company». The transmission of all location data to Google is anonymous. Further information will not be transferred to Google.

Social Media Plug-ins

The «company» adds in its website Social Plugins of Facebook, Twitter and Instagram in order to make the website  more popular. Responsibility for this function, which is  compatible with personal data protection, must be ensured by the respective providers. The plugins integration is by the so-called  "two-click" solution for the best possible protection of the website visitors.

  1. a) Facebook

 Facebook plugins in the «company's» website  are for personalized use.  Therefore you can use the "LIKE" and "SHARE" button. This is an offer from Facebook.

If you visit a page of the «company's» website containing such a plugin, your Browser creates a direct connection to the Facebook servers. The content of the plugins is transferred from Facebook directly to your browser which then embeds it into the «company's» website.

Through this embedding, Facebook receives information about your browser  having accessed the respective page of  the «company's» website, regardless whether you have a Facebook account or you are logged in. This information (including the IP address) is transmitted from your browser directly to a Facebook server in the USA and stored there.

If you sign in with Facebook, Facebook can link the visit to the «company's» website directly with your Facebook account. If you interact with the respective plugins, e.g. by clicking "LIKE" or "SHARE" the corresponding information is transmitted from your browser directly to Facebook server and stored there. The information will also be published on Facebook and will be displayed to your friends on Facebook.

Facebook can use this information for advertising purposes, market research, and personalized pages on Facebook. For this purpose, Facebook creates user profiles about interests, relationships, etc., to evaluate, for example, the use of the «company's» website in relation to the Facebook ads, to inform other Facebook users about your activities on the website and provide other services related to the use of Facebook.

If you do not want Facebook to associate the data collected by the «company's» website with your account on Facebook, you must log out of Facebook before visiting the website.

For the purpose and scope of data collection and the further processing and use of data by Facebook, as well as the related rights and privacy settings, please refer to the privacy policy (https://www.facebook.com / about / privacy /) of Facebook.

  1. b) Twitter

In the «company's» website are embedded plugins of the social network of short messages Twitter Inc. (Twitter). Twitter- plugins (tweet button) can be recognized by the Twitter logo in the «company's» website. An overview of the tweet plugins can be found here (https://about.twitter.com/resources/buttons).

If you visit a page of the «company's» website containing such a plugin, your Browser creates a direct connection to the Twitter server. Twitter receives the information you've visited on the «company's» website with your IP address. If you click the "tweet" button on Twitter while you are logged in to your Twitter account, you can associate the contents of the «company's» webpages to your Twitter profile. This allows Twitter to link your visit to the «company's» webpages with your user account. Please note that, as providers of the «company's» website we have no knowledge of the content of the collected and transmitted data and its use from Twitter.

If you do not want Twitter to associate your visit to the «company's» website with your account, you must log out of Twitter before visiting the website.

For more information please refer to the privacy policy of Twitter (https://twitter.com/privacy).

  1. c) Instagram

The «company's» website uses plugins of the social network Instagram, operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA (“Instagram”).

The plugins are usually marked with an Instagram logo, for example in the form of an Instagram camera.

By visiting a page of the «company's» website that contains a social plugin, your browser establishes a direct connection to the servers of Instagram.  Instagram directly transfers the plugin content to your browser which embeds the latter into the «company's» website. Through this embedding, Instagram receives information about your browser  having accessed the respective page of  the «company's» website, regardless whether have an Instagram account or you are logged in.

This information (including the IP address) is transmitted from your browser directly to a Instagram server in the USA and stored there. If you sign in with Instagram, Instagram can link the visit to the «company's» website directly with your Instagram account. If you interact with the plugins, e.g. by clicking "Instagram" the corresponding information is transmitted from your browser directly to Instagram server and stored there.

The information will be posted to your Instagram account and will appear there in your contacts.

If you do not want the collected data by the «company's» website to be associated with your Instagram account, you must log out of Instagram before visiting the website.

For more information please refer to the Instagram privacy policy (https://help.instagram.com/155833707900388)

Legal framework of the above processing

Article 6 par. 1 (f) of the GDPR, when personal data is processed.

Legitimate interest, seeing that data processing is based on article 6 paragraph 1(f) of the GDPR

The «company's» legitimate interest in processing your data through its website, is to optimize the «company's» promotions providing the best possible service performance and increasing its customers' satisfaction.

Categories of recipients of your personal data

The disclosure of your personal data to third parties is occurred only if necessary for the performance of the contract, e.g. to notify the rental agent about the reservation or to process a credit card payment by bank. In such cases, the «company» discloses  by transmission your personal data to IT service providers, call centres, financial service providers and partners, as well as the «company's» cooperators.

Moreover, the data as above described (see → Scope of Procession) will be transferred to Google, Inc. and Facebook Ireland Ltd.

As part of fraud prevention measures, in case of detection or threat of fraud, the  «company» also transmits personal data to actual or potentially injured parties.

Transfer To Third Countries

If business customers reserve by the «company» vehicles to be leased to a third country, the «company» will disclose and transfer the driver's personal data to  the «company» partner in the third country. Data transfer to third country requires adequacy decision by the European Commission. If there is no adequacy decision by the European Commission for the third country concerned, the transfer to the third country is made on the basis of appropriate safeguards within the meaning of Article 46 paragraph (2) of the of the GDPR. Copies of these safeguards can be obtained  from the above mentioned «company's» address (see → Processing Operator).

  1. Storage period

 SIGMA SA stores your personal data  until the processing goal is achieved (see → Scope of Procession). Since SIGMA SA is required by law to store personal data, they are stored for the entire duration of the legal obligation. If necessary, your data will not be accessed during this period unless arises another processing purpose.

  1. Rights of the data subject

You have the right:

  • according to the article 15 of the GDPR, to require information related to the personal data processes by the «company». In particular, you have the right to ask the «company» to provide you with information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been disclosed or the period for which the personal data will be stored, the right to rectification, to erasure, or to restriction of processing or the right to object to processing.
  • according to the article 16 of the GDPR, to demand without undue delay the rectification of inaccurate personal data stored by the «company».
  • according to the art. 17 of the GDPR to obtain from the «company» to erase personal data without undue delay, unless the processing is necessary or exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims
  • according to the art. 18 of the GDPR to obtain from the «company» restriction of processing where accuracy of the personal data is contested, the processing is unlawful or no longer necessary but required for the establishment, exercise or defence of legal claims, or you have objected to processing pursuant to Article 21 par. 1 of the GDPR
  • according to the article 20 of the GDPR to receive your personal data which have been provided to the «company», in a structured, commonly used and machine-readable format or to request their transmission to another controller.
  • according to the article 7 par. 3 of the GDPR, to withdraw your consent to processing your personal data. As a result, data processing will not be allowed on the basis of this consent in the future
  • according to the article 77 of the GDPR to lodge a complaint with a supervisory authority. You can contact the national supervisory authority.
  1. Right to object

If processing of your personal data is necessary for the purposes of legitimate interests pursuant to Article 6 par. 1 (f) of the GDPR, you have the right to object to processing of personal data pursuant to Article 21 of the GDPR, on grounds relating to your particular situation or in case you object to direct marketing purposes.   In the latter case, you have a general right of objection, which is applied by the «company» without any obligation to determine a particular situation.

If you wish to exercise your right to withdraw or to object please send an e-mail to dataprotection@motorclub.gr

Get in Touch