Responsible for processing personal data

Personal data will be processed by CRC, Car Rental Company, Ltd, headquartered at Av. Severiano Falcão 10, 2685-378 Prior Velho, taxpayer number 514157607, hereinafter referred to as “CRC”.

Legislation

The processing of personal data carried out by CRC, as well as the sending of commercial communications carried out by electronic means, are in compliance with the national and community legislation in force, Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and guidelines issued by European and national authorities, by model clauses approved by the European Commission or by supervisory authorities, as well as by any relevant jurisprudence, jointly referred to as “Data Protection Regime”, hereinafter “GDPR”.

Processing of personal data

The processing of personal data is carried out in accordance with the general principles set out in the “GDPR”, namely:

• In the context of the relationship established with the data subject, we ensure that personal data will be processed in a lawful, loyal and transparent manner («Principle of lawfulness, loyalty and transparency»);

• We collect personal data for specified, explicit and legitimate purposes and do not further process the same data in a way that is incompatible with those purposes (“Principle of purpose limitation”);

• We ensure that only personal data that is adequate, relevant and limited to what is strictly necessary for the purposes for which they are collected are processed («Principle of data minimization»);

• We adopt appropriate measures so that inaccurate personal data, taking into account the purposes for which they are processed, are erased or rectified without delay («Principle of accuracy»);

• We keep personal data in such a way as to allow their identification only for the period necessary for the purposes for which they are processed («Conservation principle»);

• We ensure that personal data are treated in a way that guarantees their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, adopting the appropriate technical or organizational measures («Principle of integrity and confidentiality”).

What personal data we do process

In the context of the activities carried out by CRC, the Data Subject is, without limiting, the customer and/or former customers, potential customers, partners, job candidates, employees and former employees, employees of partners, suppliers and service providers and its collaborators, applicants and claimants, visitors and individuals and all those individuals who maintain a relationship with CRC and to whom the Personal Data concern.

CRC does not voluntarily or directly solicit or collect personal data from minors. If CRC discovers that it has inadvertently collected personal data from a minor under the age of 18, it will immediately proceed to delete the records with the personal data of that Subject. We point out, however, that CRC may collect personal data relating to minors, when provided by parents or a legal guardian who expressly consents to such collection or when they are collected through CCTV systems.

In carrying out its activities, CRC processes the personal data of a significant number of categories of Data Subjects.

The personal data that CRC collects always depends on the nature of the interaction, but may include the following:

• Identification and contact data: Name, surname, postal address, telephone or mobile number, e-mail address, civil identity documents (citizen card, passport) or other similar information.

• Data related to the provision of services and supply of goods, or for contractual performance or for compliance with legal obligations, such as: billing data, billing history, current account values, payment data, data on the method of payment with credit or debit card details), taxpayer number, driving license details, special requests related to the vehicle to be rented.

• Data related to the way of acquiring services, goods or subscribing to services, your transaction, billing history and assistance in the context of the CRC services you use, or any other related information and information in the context of answering any questions , requests or complaints.

• Demographic data, place of birth, nationality, CV, gender, age, preferred language, general education and professional history, as well as data of general interest about the job.

• Preferences Data: Information about the Subject’s preferences and interests, insofar as this is related to the products and/or services and about the way in which he prefers to receive communications.

• Data from social networks: Information shared on social networks when interacting with the CRC, where transparency is guaranteed through the existence of adequate privacy policies.

• Depending on the relevant circumstances and applicable local laws and requirements, we may collect: photo, video image, age/date of birth, supplementary information that you choose to share with us;

• Images from CCTV systems if you visit our facilities.

We emphasize that you will not be obliged to share personal data with CRC. However, if you choose not to share your personal information, in some cases, CRC may not be able to provide the services or products you want, ensure certain specialized features or effectively respond to any questions you may have.

Why we treat your information

The development and carrying out of the various activities pursued by the CRC presuppose the existence of a relevant set of specific, explicit and legitimate purposes for the processing of personal data, such as:

With what purpose do we process your information

By reference to the «Principle of Lawfulness» enshrined in the GDPR, in the development and carrying out of its activities, CRC only processes personal data when there is a basis of lawfulness that legitimizes the treatment, namely:

• Consent

CRC will only process personal data if you consent to the respective Processing through a free, specific, informed and explicit expression of will, by which you accept, by means of a declaration (in writing or orally) or an unequivocal positive act (by filling in an option), that personal data are processed.

• Pre-contractual due diligences or performance/execution of a contract

CRC may process personal data if they are necessary, without limiting, for the performance of a contract for the provision of services and/or supply of products to which it is a party as an Employee, Customer and/or Supplier, or to carry out pre-orders -contractual on request.

• Compliance with a legal obligation

CRC may process personal data to ensure and guarantee compliance with legal obligations to which it is subject under the legislation of a Member State and/or the European Union.

• Legitimate Interests

CRC, other Responsible Persons or Third Parties may process personal data, provided that the same Treatment does not prevail over the interests or fundamental rights and freedoms of the Data Subject.

How long do we keep personal data

During the processing period of personal data, CRC guarantees that they are treated in accordance with this Privacy Policy. As soon as the data is no longer necessary for the fulfillment of the purpose, CRC will proceed to its safe elimination.

CRC retains personal data only for the period of time necessary to carry out the specific purposes for which they were collected. However, CRC may be required to retain some personal data for a longer period, taking into account factors such as:

• Legal obligations, under the laws in force, to retain Personal Data for a certain period;

• Limitation periods, under the laws in force;

• (eventual) Disputes; and,

• Guidance issued by competent data protection authorities.

Sharing of personal data with third parties

Personal data may be shared with entities responsible for providing services to CRC.

The companies in charge of providing services are bound by a written contract to the CRC, only being allowed to process personal data for the specifically established purposes and are not authorized to process personal data, directly or indirectly, for any other purpose, for their own benefit or for the benefit of others.

Personal data may be shared internally with other CRC companies that will comply with the applicable data protection rules depending on the purposes assigned to the processing carried out.

Upon request and with due consent, personal data may be shared with other entities.

In compliance with legal and/or contractual obligations, personal data may also be transmitted to judicial, administrative, supervisory or regulatory authorities and also to entities that licitly carry out data compilation actions, actions to prevent and combat fraud, accident, administrative offense or road crime insurance, market or statistical studies.

EEA cross-border transfer

Within the scope of the internationalization of the provision of integrated services to Clients, or to our international partners, or to providers of external communications services or to providers of external services in the area of ​​information systems management, CRC may transfer personal data to outside the European Economic Area (EEA), such as Portuguese-speaking countries, whose data protection legislation may not ensure protection equivalent to that conferred within the EEA.

However, CRC only transfers personal data outside the EEA:

• when the transfer is made to a location or by a method or under circumstances that the European Commission considers to ensure adequate protection of Personal Data;

• when you have implemented standard data protection clauses adopted by the European Commission or a competent data protection authority; or,

• when none of the above options apply, but the law still authorizes such a transfer, for example, if it is necessary for the declaration, exercise or defense of a right in a legal proceeding.

In this sense, CRC follows criteria in the selection of service providers, in order to comply with its obligations to protect personal data, committing itself to signing the Data Processing Agreement with them, which includes, among others, the following obligations to apply appropriate techniques and organizational measures to the protection of personal data.

What are the Data Subject’s rights

As Data Subject of personal data processed by CRC, you have the right of access, rectification, limitation, portability, erasure and the right to oppose the processing of personal data, under certain circumstances, which may be exercised under the terms of this section of the Privacy Policy.

• Right to provide information

You have the right to obtain clear, transparent and easily understandable information about how CRC uses personal data and what your rights are. That's why CRC makes all this information available to you in this Privacy Policy.

• Right of access

You have the right to obtain information about what Personal Data CRC processes (if it is processing it) and certain information (similar to that provided in this Privacy Policy) about how such data is processed. This right allows you to know and confirm that we use your data in accordance with data protection laws.

CRC may refuse to provide the requested information whenever, to do so, CRC has to disclose Personal Data of another person or the information negatively impacts the rights of another person.

• Right of rectification

If your data is incorrect or incomplete (for example, if your name or address is wrong), you can ask CRC to take reasonable steps to correct it.

• Right to erase data

This right is also known as the “right to be forgotten” and, simply put, it allows you to request the erasure or deletion of your data, as long as there are no valid grounds for CRC to continue using them or their use is illicit. This is not a generic right to erasure, as exceptions are allowed (for example, whenever this data is necessary for the defense of a right in a legal proceeding).

• Right to limitation of treatment

You have the right to “block” or prevent future use of your data while CRC evaluates a request for rectification or as an alternative to erasure. Whenever the processing is limited, CRC continues to be able to store your data, but will not be able to use them later. The CRC maintains a list of Data Subjects who have requested “blocking” the future use of their data, to ensure that this limitation is respected.

• Right to data portability

You have the right to obtain and reuse certain personal data for your own purposes across various organisations. This right only applies to personal data that you have provided to CRC and that CRC processes with your consent and those that are processed by automated means.

• Right to opposition

You have the right to object to certain types of processing, for reasons related to your particular situation, at any time during which such processing takes place, for the purposes of the legitimate interest of CRC or third parties. CRC may continue to process this Data if it can prove “preponderant legitimate reasons for the Processing that overlap your interests, rights and freedoms” or if this Data is necessary for the establishment, exercise or defense of a right in a judicial process.

• Right to revoke a consent

When the legal basis is consent, you have the right to revoke it at any time.

• Right to file a complaint

You have the right to file a complaint with the competent supervisory authority, the National Data Protection Commission – CNPD, if you consider that the processing carried out on personal data violates your rights and/or applicable data protection laws. You can do it through the website www.cnpd.pt

Security and confidentiality

Personal data will be processed by CRC, within the context of the purposes identified in this Policy, in accordance with other policies, procedures and internal rules of CRC and using appropriate techniques and organizational measures to promote the respective availability, confidentiality and integrity, namely in regarding unauthorized or unlawful processing of personal data and their accidental loss, destruction or damage.

Without limiting, CRC uses logical and physical security requirements and measures to guarantee the protection of personal data by preventing unauthorized access, ensures that information is stored on secure computers in a closed and certified information center and that data is encrypted whenever possible, has implemented auditing and control procedures to ensure compliance with security and privacy policies, and periodically reviews our security policies and procedures to ensure that CRC systems are safe and secure.

However, given that the transmission of information over the Internet is not completely secure, the CRC cannot guarantee the security of data when transmitted over an open network.

CRC recognizes that the information you provide may be confidential. CRC does not sell, rent, distribute, or commercially or otherwise make personal data available to any third party, except in cases where it needs to share information with Service Providers for the purposes set out in this Privacy Policy. CRC preserves the confidentiality and integrity of data and protects it in accordance with this Privacy Policy and applicable laws.

Use of cookies

CRC automatically collects information whenever someone visits the Websites. The CRC obtains information from the user's computer and assigns it a "cookie".

Cookies are small text files stored on your computer or mobile device when you access certain websites or other online services, containing information regarding your navigation. The cookies we use do not store sensitive personal information, such as your address, password, or bank details. Apart from the cookies necessary for the provision of the service, cookies will only be collected after expressing your acceptance.

All browsers allow the respective user to accept, refuse or delete cookies, namely by selecting the appropriate settings in the respective browser. The user can thus configure his browser to inform whenever a cookie is received or even deactivate its acceptance.

If you wish, you can change the cookie values here.

Please note that by not allowing certain types of cookies, your experience on the website or other online services may be affected.

In case of doubt or to exercise rights

If you have any questions or would like more information about how we handle personal data or about our information security practices, please do not hesitate to contact us at our address or at rgpd@crcrental.pt

You may at any time, in writing, exercise the rights enshrined in the GDPR and other applicable legislation through the contacts mentioned above.

For the exercise of rights, if necessary, you must attach a copy of the citizen's card or another document that proves the identity of the Data Subject. The right you intend to exercise must be indicated. The exercise of rights is free of charge, except in the case of a manifestly unfounded, excessive or repeated request.

Changes to this Privacy Policy

CRC may periodically update this Privacy Policy, as well as any other specific data protection and privacy statement. When making changes to this Privacy Policy, a new update date will be added.

Last update date: 12/04/2023