Global Data Protection Policy
PREAMBLE
Personal data is playing an increasingly important role in our economies, societies and everyday lives. New and innovative technologies are generating significant volumes of personal data, and modern communications networks and processing systems are enabling organisations to collect, analyse, use, share and store data on a global scale.
It is against this context that data protection legislation has been developed and implemented in various regions across the world.
Cartrack recognises the Data Subjects’ rights to privacy and is committed to protecting and controlling the use of the personal data that it collects, in accordance with the regulatory requirements of the jurisdictions in which it operates.
Executive management is continuously assessing the need to develop and implement or amend further policies, procedures and terms and conditions, including those with regard to data protection; consent policies and forms; data access; security breaches and employee privacy requirements.
PURPOSE
This policy governs the collection, use and disclosure of personal data provided to Cartrack. It directs how we gather, store and handle personal data of Data Subjects, customers and other stakeholders, in accordance with relevant data protection legislation.
APPLICATION
This policy applies to all legal entities within the Cartrack Group, including all employees, as well as third parties who provide services to the Group and covers personal data collected and managed by the Cartrack Group.
WHAT IS PERSONAL DATA
“Personal data” means any information or pieces of information relating to an individual, that could identify that individual, either directly (e.g. by name) or indirectly (e.g. through pseudonymised data). Personal data therefore includes things like email/home addresses, usernames, profile pictures, user generated content, financial information, and geolocation.
PRINCIPLES FOR THE COLLECTION AND PROCESSING OF PERSONAL DATA
- Collection/processing
Cartrack will only collect personal data when it is necessary to comply with legal obligations that apply, or when such processing operation is necessary for the performance of a contract or pre- contractual procedures.
Cartrack may also process information if it has a legitimate interest, provided that in each case our interest is in accordance with applicable law and the rights of the Data Subject.
When none of the other lawful processing conditions support the data processing operation, Cartrack will only process personal information if it has obtained the consent of the Data Subject to process said personal data for specific, explicit and legitimate purposes. - Purpose
Cartrack will only disclose or use personal data for the fulfilment of the specific purposes for which it was obtained, or for other lawful processing. - Accuracy
Cartrack will take all reasonable steps to ensure that personal data that it processes is accurate, complete and up to date. - Openness
Cartrack is committed to openness regarding its policies and practices of handling of personal data. - Security
Cartrack will ensure that appropriate security safeguards are in place to protect personal data from loss, unauthorised access, destruction, use, modification or disclosure. - Transfers
Cartrack may transfer personal data outside the European Union to be processed by some of its service providers, companies associated with and/or belonging to the Cartrack Group. In this case, Cartrack ensures that this transfer takes place in accordance with the legislation in force and that an adequate level of protection of personal data is guaranteed based on standard data protection clauses adopted, in accordance with Article 46 of the European Union General Data Protection Regulation (“GDPR”).
Under no circumstances does Cartrack transfer personal data, outside the conditions described above, or sell personal data to third parties. - Retention
Cartrack will retain personal data for as long as is necessary for the purposes for which it was collected. In some cases, data retention may occur for longer periods, especially when applicable law so requires. - Access
The Data Subject may request a copy of their personal data from Cartrack and, where required, instruct Cartrack to effect changes to correct the data or to permanently delete their personal data, in accordance with local regulations.
RIGHTS OF THE DATA SUBJECT
Withdrawing consent or choosing to delete some types of personal data may prevent Cartrack from supplying certain services to a Data Subject, or responding to queries as a prospective employee or supplier. In order to better protect and safeguard personal data, Cartrack takes steps to verify the identity of a Data Subject before granting access or making changes to personal data.
Rights | Explanation |
Information | The Data Subject has the right to be provided with clear, transparent and easily understandable information about how we use personal data, and what the Data Subject’s rights are |
Access | The Data Subject has a right to access, and to receive a copy of, any personal data we hold about the individual (subject to certain restrictions). A reasonable fee may be charged for providing such access but only where permitted by law |
Rectification | The Data Subject has the right to have personal data rectified if it is incorrect or outdated and/or completed if it is incomplete |
To be forgotten | The Data Subject has the right to have personal data erased or deleted; subject to legal or legitimate grounds for retaining the personal data |
Direct marketing | The Data Subject may unsubscribe or opt out of direct marketing communication at any time |
Withdrawal of consent | The Data Subject may withdraw consent to our processing of personal data when such processing is based on consent. Where consent is withdrawn, the lawfulness of processing prior to withdrawal is not affected |
Objection to processing | The Data Subject may object to the processing of personal data when such processing is based on the legitimate interests pursued by the data controller, such as the: – Improvement of our products and services – Enhancement of our communication with the Data Subject – Proper administration of our website – Risk management – Protection of legal rights |
Lodge a complaint | The Data Subject has the right to contact the relevant data protection authority to lodge a complaint against our data protection and privacy practices |
Data portability | The Data Subject has the right to move, copy or transfer personal data from our database to another. This only applies to personal data that the Data Subject has provided, where processing is based on a contract or explicit consent, and the processing is carried out by automated means |
Restriction | In circumstances limited by the GDPR, the Data Subject may restrict the processing of personal data, so that it can be stored, but not used or processed further, such as: – Inaccurate data contested by the Data Subject must be restricted until verified and corrected – Processing is unlawful but the Data Subject objects to the erasure thereof – Cartrack no longer requires the Data Subject’s data but the Data Subject requires it to be stored for the establishment, exercise or defence of legal claims – The Data Subject objects to processing based on Cartrack’s legitimate interests, until verification of overriding rights |
DATA PROTECTION OFFICER
Data Subjects that have any queries or concerns regarding Cartrack’s data protection policies or procedures may contact the Data Protection Officers at:
South Africa, Kenya, Tanzania, Namibia, Nigeria, Singapore, Mozambique: dataprotection@cartrack.com
Poland, Portugal and Spain: dpo@cartrack.com
USA: dataprotection@cartrack.com
Hong-Kong, Indonesia, Philippines, Malaysia, Thailand, UAE: dataprotection@cartrack.com
Data Subjects also have the right to submit a complaint to the local Supervisory Authorities.
RESPONSIBILITIES
This policy framework falls within the scope and responsibility of the Risk Committee which reports to Cartrack’s Board of Directors.
Compliance is verified by Internal Audit which reports independently to the Board of Directors