Privacy Policy of the Company under the Corporate Name
“DRIVE SOCIÉTÉ ANONYME FOR VEHICLE RENTALS”
and the Distinctive Title “DRIVE S.A. Grental”
7th km Thessaloniki–Moudania Road, PC 57001, P.O. Box 60279, Tax ID (Α.Φ.Μ.) 099770081
[G.E.MI. No.: 058300604000]
[Last Update: …………………..]
1. Scope and Identity of the Data Controller
This Privacy Policy describes, in a clear and transparent manner, how the company under the corporate name “DRIVE SOCIÉTÉ ANONYME FOR VEHICLE RENTALS” and the distinctive title “DRIVE S.A. Grental” (hereinafter the “Company”, “DRIVE S.A.”, “we/us”) collects, uses, retains, discloses and protects personal data when you visit or use our services, contact us or transact with us, whether electronically, by telephone or in person. This Policy applies in particular to visitors of the website, users who create an account, customers/lessees, drivers, lawful representatives of corporate customers, recipients of updates (newsletter) and, in general, any natural person whose data comes to our knowledge in the context of providing vehicle rental services, leasing/operating lease, as well as related services (such as contact requests, customer service and expressions of interest).
The Data Controller for the personal data is DRIVE S.A., with registered seat and contact details as set out on our website and in our corporate particulars. For data protection matters and for the exercise of your rights, you may contact us in writing at the address of our registered seat or electronically via the dedicated contact point we have designated for GDPR matters. For general questions regarding services/reservations, you may use the Company’s official communication channels. Our objective is operational balance: on the one hand, to effectively safeguard the Company, our transactions and our systems, and on the other hand, to fully ensure the rights and reasonable privacy expectations of our customers and visitors.
This Policy is applied in accordance with the applicable European and Greek data protection framework, in particular the General Data Protection Regulation (Regulation (EU) 2016/679), Greek legislation and the special framework for electronic communications and related technologies (where applicable, e.g., cookies). Where processing is carried out by third-party providers on our behalf (e.g., hosting, technical support, statistical/security tools), such providers, as a rule, act as processors under our instructions and subject to appropriate contractual commitments on confidentiality and security.
For the purposes of this Policy, “personal data” means any information relating to an identified or identifiable natural person (such as contact details, reservation details, identification/driving licence details where required for the conclusion and performance of a rental), while “processing” means any operation performed on data (collection, recording, organisation, storage, use, transmission, erasure, etc.). The Company applies the fundamental GDPR principles (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability) and adopts appropriate technical and organisational measures, depending on the nature and risks of the processing.
This Policy covers processing activities linked to the operation of the website and its specific functionalities, such as, indicatively, account creation/use, online vehicle reservation, submission of expressions of interest for leasing/related services, driver transfer service (where provided), submission of requests via the contact form and subscription to newsletters. In addition, it covers processing carried out outside the website, such as communication for offers/quotations, conclusion and management of contracts, customer service, complaints handling and post-rental support, to the extent that such processing concerns natural persons.
Our website and services are not addressed to minors and are not intended for use by persons who lack legal capacity to enter into binding agreements. If we become aware that a minor’s data has been collected unlawfully, we take reasonable measures to delete such data and restrict any further processing.
Finally, the website may contain links to third-party websites and/or buttons leading to social media. This Policy does not cover the practices of third parties, and we recommend that you review the relevant privacy policies of such third-party providers prior to any use. For technologies such as cookies and similar identifiers, we provide more specific information and choice settings through the relevant preference management mechanism and the corresponding cookie notice, which operates supplementary to this Policy.
The Company may amend this Policy so as to reflect changes in legislation, our services and/or our procedures. The version in force is posted on our website with a “Last Update” reference and, where required, you will receive additional notice by an appropriate means.
2. Categories of Data We Collect and Sources of Collection
The Company collects and processes personal data mainly (a) directly from you, when you complete forms on the website, request information/offer, subscribe to an updates service or contact us by any means, (b) automatically, when you visit and use the website, through technical data and, where you have opted in, through cookies and similar technologies, and (c) from third parties connected with the transaction or provision of the service, such as, indicatively, corporate customers/employers who provide driver details for a rental, infrastructure and technical support providers, as well as providers of statistical/website functionality services, to the extent this is necessary for the operation of the service and subject to appropriate contractual safeguards.
In the context of online browsing, communication and online website functionalities (such as contact forms and newsletter subscription), data such as full name, contact details (telephone, email), as well as any information you enter in the relevant request field, may be collected. When making a reservation and/or entering into a vehicle rental agreement, the Company may collect, on a case-by-case basis and depending on the service, identification and transaction data such as full name, contact address or registered office address, Tax Identification Number (Α.Φ.Μ.) (where required), ID card/passport number and date of issue, driving licence number and date of issue, date of birth, reservation details (place and time of pick-up/return, type of vehicle, details of the desired vehicle), as well as contact details. For certain online reservation functions, additional facilitating information may be requested (e.g., driver’s age or flight number, where available), to the extent it relates to the execution of the reservation and the proper provision of the service.
As regards payment, the process is, as a rule, completed by redirecting to a secure environment of the bank/payment service provider, so that the Company does not collect or store, beyond what is necessary, full card data, but rather receives the necessary confirmation/completion details of the transaction and/or the data required for the conclusion and performance of the rental. Furthermore, in certain cases (e.g., for communication purposes or transaction management) contact details of relatives/contact persons may be disclosed to us, provided you supply them.
When you visit the website, technical and usage data are collected (such as information on performance/traffic and basic actions within the website) and, if the relevant cookies are enabled, cookies may be used for functionality, advertising, analytics and third-party cookies, including tools and providers such as Google Tag Manager, Google Optimize and third-party services (e.g., google.com, youtube.com). It is noted that data collected through analytics tools (such as, indicatively, the URL visited by the user, actions within the site and time spent) may, as the case may be, be transferred to infrastructure of providers located outside the EU/EEA, an issue further specified in the relevant chapter on transfers and safeguards.
In addition, the Company may operate a video surveillance (CCTV) system at its premises, collecting image data exclusively for the protection of persons and property and in compliance with the principle of proportionality, limiting recording to absolutely necessary areas (store entrances/exits and cash desks) and with appropriate on-site information signage. Finally, in the context of its operations, the Company may process data of suppliers/partners exclusively for the performance of our contracts and transactions. For job applicants who submit a CV, processing takes place for the purposes of assessing the application, in accordance with data minimisation principles and with a recommendation not to provide unnecessary data, in particular sensitive data (e.g., health data), while specific information is or will be provided for this purpose.
3. Purposes of Processing and Legal Bases
The Company processes personal data solely for specific, clear and lawful purposes and only to the extent necessary for the provision of vehicle rental services, the operation of the website and compliance with the applicable regulatory framework. Processing is based, as applicable, on one or more of the legal bases under Article 6 GDPR, in particular: (a) performance of a contract or taking steps at your request prior to entering into a contract, (b) compliance by the Company with a legal obligation, (c) the legitimate interests of the Company and/or third parties, provided that your fundamental rights and freedoms do not override such interests, and (d) your consent, where required (in particular for optional cookies/analytics/marketing technologies and for promotional communications).
As a rule, the Company processes data that are necessary for your proper service and for the performance of the transaction: for the registration, management and handling of requests through the website, for the completion of a reservation, for the conclusion, performance and management of the vehicle rental agreement (including communication with you regarding pick-up/return, service options and support before, during and after the rental), as well as for the organisation and improvement of the provision of our services.
Furthermore, the Company may process data for purposes serving its legitimate interests, such as the security of information systems and infrastructure, operational continuity and protection of the website, prevention and investigation of malicious actions/fraud, protection of persons and property (including the use of CCTV in strictly necessary areas, where applicable), qualitative upgrading of services, handling and documentation of communications/complaints, as well as the establishment, exercise or defence of the Company’s legal claims (e.g., in the event of a dispute or legal proceedings).
In certain cases, processing is necessary for the Company’s compliance with legal obligations, such as, indicatively, tax/accounting obligations, obligations arising from consumer protection legislation, and/or obligations to comply with requests/acts of competent authorities or court decisions, as well as for keeping mandatory records or forms provided for by the applicable framework.
Finally, where and to the extent required, the Company processes data on the basis of your consent, in particular for sending newsletters, promotional actions, offers and/or marketing communications and for participation in contests, as well as for enabling optional cookies/analytics/marketing technologies and similar trackers that are not technically necessary for the operation of the website. Any creation of preferences/statistics or the targeted display of content/advertisements through third-party tools (where applicable) is carried out only within the scope of the corresponding optional settings you select, and your consent may be withdrawn at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
4. Recipients of Data and Disclosures to Third Parties
The Company treats personal data as confidential and, as a rule, does not disclose or transfer them to third parties, except to the extent necessary for the provision of services and the fulfillment of our contractual obligations towards you, or where disclosure is required by the applicable regulatory/legislative framework. In any event, we apply the principle of data minimisation: we disclose only strictly necessary data, with appropriate organisational and technical safeguards, so that processing remains lawful, fair and proportionate.
Access to your data within the Company is granted only to authorised persons and departments (e.g., customer service/reservations/accounting/IT), to the extent access is necessary for the relevant purpose of processing (e.g., performance of a reservation/contract, support, invoicing, handling of requests). The Company takes reasonable measures so that access is strictly limited to those who need to know, accompanied by appropriate training and confidentiality rules.
For the technical operation of the website/applications and the provision of supporting services, we may disclose data to selected service providers who, as a rule, act as processors on our behalf (e.g., infrastructure hosting and technical support). Indicatively, the website/application infrastructure is hosted on a cloud platform in the Netherlands, using encrypted communication protocols. Similarly, for organising your updates regarding services/offers and managing newsletter dispatches, we may transfer necessary data (such as email and basic contact details) to cooperating delivery service providers. In all such cases, providers are selected on the basis of security and compliance criteria and are contractually bound as to confidentiality, security and the use of data solely in accordance with our instructions.
Furthermore, the Company may, as the case may be, disclose data: (a) to competent public authorities, courts or supervisory bodies, where required by law or in compliance with a lawful request/court order, and (b) to legal/technical advisers, to the extent necessary for the establishment, exercise or defence of legal claims or for managing security incidents and corporate risk, subject to the corresponding confidentiality and professional secrecy obligations.
Finally, in relation to the operation of the website, where the relevant optional settings are enabled, disclosures may occur through cookies/similar technologies to third-party providers (e.g., analytics/marketing tools, such as Google and YouTube), where online identifiers and interaction data (such as IP address and usage/browsing data) may be transferred. Such disclosures are made in accordance with your choices and the applicable legal basis (in particular, consent for optional cookies) and are further specified in the relevant cookie notice/preferences settings, while any transfers outside the EU/EEA and the safeguards applied are described in the respective chapter of this Policy.
5. Transfers Outside the EU/EEA and International Transfer Safeguards
As a rule, the Company seeks for personal data to be processed and hosted within the European Union/European Economic Area (EU/EEA). Indicatively, the infrastructure of our website and applications is hosted on a DigitalOcean cloud platform located in the Netherlands, using encrypted communication protocols (TLS/SSL/https).
Nevertheless, for certain supporting functions of the website and digital services (such as statistical analysis of traffic/performance and third-party cookies technologies), data may be transferred to providers outside the EU/EEA and/or accessed from third countries. In particular, within the existing operating framework, tools such as Google Analytics have been described, through which usage data (e.g., URL visited by the user, actions and time spent) are, as a rule, transferred to a Google server in the United States and stored there, as well as the use of third-party cookies/tools (e.g., google.com, youtube.com, Google Tag Manager, Google Optimize).
In any international transfer, the Company ensures that the transfer is carried out only where the conditions of Chapter V GDPR are met and appropriate safeguards are implemented, guided by data minimisation and proportionality. Such safeguards may include, as applicable: (a) an adequacy decision of the European Commission for the relevant third country and/or transfer framework (such as the EU–US Data Privacy Framework, where the recipient participates/is certified), (b) the Commission’s Standard Contractual Clauses (SCCs) (Implementing Decision (EU) 2021/914) with the relevant recipients/providers, and (c) where required, supplementary technical and organisational measures (such as encryption, access restrictions, logical segregation, minimisation/pseudonymisation) in accordance with the relevant recommendations of the EDPB for ensuring a level of protection essentially equivalent to that within the EU.
Before using or changing a provider that entails a transfer outside the EU/EEA, the Company seeks to assess the nature of the data, the purposes, the destination country, the recipient’s role and the available protection measures, so that the appropriate transfer tool is selected and the risk to the rights and freedoms of data subjects is limited. For each transfer, we take measures to ensure that the data transferred are the minimum necessary and that the conditions for lawful and fair processing are met.
Finally, where transfers are linked to optional technologies (in particular analytics/marketing cookies and third-party cookies), these are carried out in accordance with your choices through the relevant preference settings and the legal basis applicable from time to time, while you may withdraw/modify your choices at any time. For further information on the safeguards applied to any international transfers, you may contact the Company at the data protection contact point referred to in this Policy so that, where feasible, further clarifications and/or a summary of the relevant measures may be provided.
6. Retention (Storage) Period of Personal Data
The Company retains personal data only for as long as necessary to achieve the purposes for which they were collected, on the basis of the storage limitation principle, applying, as applicable, erasure, anonymisation or restriction of processing. The precise retention period is determined per data category and purpose, taking into account the nature of the service (e.g., reservation, rental agreement, customer service), the Company’s legal obligations (in particular tax/accounting), the need to document the transaction and compliance (e.g., proof of consent where required), as well as the need to establish, exercise or defend legal claims or defend against third-party claims.
Where processing is based on the performance of a contract or on taking steps at your request prior to entering into a contract, data necessary for the conclusion and management of the rental (indicatively, reservation details, identification/driving data where required, service communications, invoicing/payment data to the extent retained by the Company) are retained for the duration of the contractual relationship and thereafter for a reasonable period, depending on statutory limitation periods and specific record-keeping obligations. For example, accounting/tax documents and supporting transaction records are retained for the period prescribed by law, while data that are critical for managing disputes, damages, accidents or breaches of rental terms may be retained for as long as required to ensure the lawful exercise or defence of the Company’s rights. In the event of initiation or progress of judicial or out-of-court dispute, the retention period may be extended until the final conclusion of the case, but only for data relating to the specific case and to the strictly necessary extent.
Where processing is based on your consent, data are retained for as long as the consent remains in effect and until it is withdrawn, without affecting the lawfulness of processing carried out prior to withdrawal. Indicatively, for sending newsletters or promotional communications, we retain the necessary contact details until you choose to unsubscribe/object, while after unsubscribing we may retain only minimal data in a “suppression list” solely to document compliance and prevent re-sending. In cases where data were provided on a consent basis at the pre-contractual stage (e.g., account/profile creation or a request where no contract is ultimately concluded), the Company may retain the data for a limited and predefined period after withdrawal/discontinuation so that smooth operation, security and transaction documentation are served, and thereafter proceeds to erasure or anonymisation, unless otherwise required by a legal obligation or by the need to support legal claims.
For data collected through the website and technical infrastructure (logs, security data, technical usage data), retention is generally short and oriented towards security, detection of malicious actions and operational optimisation, with periodic erasure/anonymisation. For data that may be collected through optional cookies/analytics/marketing, the duration is determined by the settings of the respective tools and your choices, with the possibility to withdraw/modify at any time through the preference management mechanism. Where a video surveillance (CCTV) system operates, the material is retained for a short period serving the security purpose and is thereafter erased, unless an incident has been recorded, in which case only the strictly necessary excerpt is isolated and retained for investigating the incident and the lawful support of rights. In any event, the Company periodically reviews the necessity of retaining data so that they are not kept beyond what is necessary and a practical balance is achieved between the lawful protection of the Company and the rights and reasonable privacy expectations of data subjects.
7. Data Subject Rights and How to Exercise Them
As a data subject, you may exercise, as applicable, the rights provided for under the General Data Protection Regulation (Regulation (EU) 2016/679), in particular: the right to be informed, the right of access, the right to rectification, the right to erasure (“right to be forgotten”), the right to restriction of processing, the right to data portability (where applicable), as well as the right to object, especially where processing is based on legitimate interests. In addition, where processing is based on your consent (e.g., optional cookies/analytics/marketing and/or promotional communications), you have the right to withdraw such consent at any time, without affecting the lawfulness of processing prior to withdrawal. With respect to promotional communications, you may at any time request termination and/or object (opt-out), in which case we will retain only the minimum necessary data to document your choice and prevent re-sending.
To exercise your rights, you may contact the Company’s data protection contact point by email at gdpr@drive-hellas.gr and/or by submitting your request in writing to the Company’s details as set out in this Policy. For your protection and in order to prevent unauthorised access/disclosure, we may request reasonable identification details and/or additional information in order to locate your request and the data it concerns, especially where there is doubt as to the requester’s identity or where the request is submitted by an authorised third party.
The exercise of your rights is, as a rule, free of charge. However, where a request is manifestly unfounded or excessive (in particular due to its repetitive character), the Company may, as the case may be, either charge a reasonable fee reflecting the administrative costs or refuse to act, providing you with relevant justification, in accordance with Article 12(5) GDPR. Furthermore, the Company will respond to your requests without undue delay and, as a rule, within one (1) month of receipt. This period may be extended by up to two (2) additional months, where necessary due to the complexity or number of requests, in which case we will inform you in a timely manner of the extension and the reasons for it. In any event, where it is not possible to satisfy your request, we will inform you of the reasons and, where applicable, of the available means for the protection of your rights.
8. Security of Processing and Protection Measures
The Company applies appropriate technical and organisational security measures at all stages of collection, use, storage and transmission of personal data, based on risk assessment and in accordance with Article 32 GDPR, so as to protect data against loss, alteration, unauthorised access or disclosure and, more generally, unlawful processing. For this purpose, access to data is strictly limited to authorised persons acting under the supervision of the Company or of the processors and who process data only on instructions and for the relevant lawful purpose, with the implementation of access controls, internal confidentiality rules and appropriate information/training.
On a technical level, for the protection of electronic communications, secure protocols such as “https” are used, as well as encrypted connection mechanisms (SSL) between web server and browser, while for communication with hosting infrastructure TLS protocols are applied and the website/application infrastructure is hosted on a cloud platform in the Netherlands. In parallel, the Company carries out infrastructure checks with a view to detecting weaknesses, possible intrusions and vulnerabilities, and maintains procedures for regular testing, assessment and evaluation of the effectiveness of the measures, as well as capabilities to restore availability and access in a timely manner in the event of a physical or technical incident. The Company continuously seeks to improve security measures and, in the event of a personal data breach, activates incident management procedures and takes the prescribed measures to limit impacts, including any notifications required by law. It is clarified that, despite the application of appropriate safeguards, no system can guarantee absolute security; therefore, the Company monitors and updates its measures in line with technological developments and risks.
9. Obligation to Provide Data and Consequences of Non-Disclosure
The provision of certain personal data is necessary either for taking pre-contractual steps and for the conclusion/performance of the vehicle rental agreement or for the Company’s compliance with its legal obligations. Indicatively, in order to complete a reservation/rental and ensure safe vehicle delivery, identification and driving data may be required (such as copy/details of ID, driving licence number and date of issue, date of birth), contact details, as well as reservation details (place and time of pick-up/return, type of vehicle, details of the desired vehicle) and, where applicable, payment/invoicing data. If such necessary data are not provided or are incomplete/inaccurate, the Company may be unable to satisfy your request, complete a reservation or conclude/perform the rental agreement, and/or provide specific services that are inextricably linked to such data. The provision of other data that are not necessary for the contract (e.g., optional selections on the website or promotional communications) is, as a rule, optional and non-disclosure does not affect the ability to conclude/perform the rental, but only the receipt of the respective optional functionalities/updates.
10. Automated Decision-Making and Profiling
The Company does not take decisions concerning you that produce legal effects or similarly significantly affect you, solely on the basis of automated processing within the meaning of Article 22 GDPR. However, in the context of operating our services and our communications with our customer base, preference/transaction behaviour data (e.g., history of requests/reservations or service selections) may be retained and used for purposes of organising service, improving services and, where you have chosen to receive promotional communications, for better targeting/adaptation of content (e.g., general mapping of interest per service category). Any such practices are not intended to result in decisions that legally bind you or affect you materially, while, where the relevant processing is linked to marketing and/or tracking technologies (cookies/analytics/marketing), it is carried out in accordance with the applicable legal basis (in particular consent for optional cookies/marketing) and with the possibility to object/withdraw choices at any time.
11. Cookies and Similar Technologies
The Website may use cookies and similar technologies (e.g., identifiers/trackers) for its proper technical operation, for remembering choices and, if you select it, for statistical analysis (analytics) and promotion/advertising purposes. Cookies are small text files stored in the browser and facilitate functions such as navigation, saving settings and evaluating Website performance. The Company uses, at a minimum, technically necessary cookies that are essential for providing the service and ensuring the secure operation of the Website, as well as preference/functionality cookies where required in order to “remember” your basic choices. For any other category of cookies that is not technically necessary (such as performance/analytics cookies or marketing cookies and third-party cookies), activation takes place only in accordance with your choices through the preference management mechanism (cookie banner/settings). You may modify or withdraw your choices at any time and may also manage cookies through your browser settings (subject to the proviso that disabling technically necessary cookies may affect functionality). Third-party tools and providers may be used for analytics/functionality/marketing purposes (indicatively Google Tag Manager, Google Optimize, as well as third-party cookies such as google.com and youtube.com); in such case, corresponding disclosures of online identifiers and usage data may occur, in accordance with your choices and as provided in the relevant chapters on recipients and international transfers.
12. Right to Lodge a Complaint with the Hellenic DPA (HDPA)
If you consider that the processing of your data infringes the applicable data protection framework, you may first contact the Company through the competent data protection contact point at gdpr@drive-hellas.gr so that the issue may be examined and resolved. In any event, you retain the right to lodge a complaint with the Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα – “HDPA”), in accordance with its prescribed procedures.
13. Specific Notices per Processing Stream
For reasons of completeness, transparency and proportionality, the Company applies more specific notices where processing has particular characteristics or increased intensity. In particular, for video surveillance (CCTV) at the premises, the Company operates a system in minimal and strictly necessary areas (entrance/exit and cash desks), with special signage, and processes image data exclusively for the protection of its legitimate interest in safeguarding persons and property, retaining data for a short period and isolating excerpts only where an incident requires investigation/lawful use. Furthermore, for job applicants submitting CVs, a specific notice is provided, with strict application of the data minimisation principle and a recommendation not to submit unnecessary data, in particular special category data (e.g., health), unless required by a specific legal provision or strictly necessary for a specific purpose. Finally, in cases of corporate customers/agreements where drivers or other persons are declared by third parties (e.g., employers/partners), the Company processes the strictly necessary data for the performance of the rental and expects, as applicable, that the third party disclosing the data has the lawful basis and has informed the data subjects in accordance with the applicable framework, while the Company remains available to provide the relevant information upon request.
14. Effectiveness, “Last Update” and Amendments to the Policy
This Policy becomes effective as of the date indicated as “Last Update” at the beginning of the text and supersedes any previous version relating to the same subject matter. The Company may amend this Policy from time to time, in particular when services/procedures change, technologies used (e.g., third-party tools) change, the corporate structure changes or the applicable regulatory framework changes. In the event of material changes that significantly affect data subjects, the Company will take appropriate measures to inform them (e.g., an announcement on the Website and/or notice by email where feasible and appropriate), and users/customers are advised to review the website periodically in order to remain informed of the version in force.