Continental Cars Limited (“we”, “our”, “us”, “CCL”, or “the Company”) recognises its obligations as a Data Controller in terms of applicable data protection and privacy laws, mainly the General Data Protection Regulation (EU) 2016/679 as supplemented by the Data Protection Act (Chapter 586 Laws of Malta), together with other applicable laws as may be amended from time to time.
The Services constitute:
- Car sales services,
- After sales services,
- Test drives.
1. Data Protection Officer
The Company has appointed RSM Malta as the Data Protection Officer (‘DPO’) who is responsible for matters relating to privacy and data protection. The DPO can be reached by sending an email to email@example.com.
You can also obtain information on your data, and submit any suggestions you may have, by e-mail or letter to the following address:
Continental Cars Ltd.
Princess Margaret Street
Msida, MSD 1330
2. What is Personal Information?
Personal Information is any information relating to an identified or identifiable natural living person, otherwise known as a ‘data subject’. A data subject is an individual who can be identified, directly or indirectly, by information such as name, identification number, location data, online identifier, or other data relating to their physical, physiological, genetic, mental, economic, cultural, or social identity. Personal Information excludes any information which has been rendered anonymous in such a manner that the data subject is no longer identifiable, also known as anonymous data.
3. Types of Personal Information we collect
Depending on your relationship with us, we collect, use and store different categories of Personal Information about you as follows:
- Identity information (name, driver’s licence and/or other government issued identification);
- Contact information (postal address, email, telephone/mobile number);
- Customer Feedback (information relating to queries, feedback or complaints);
- Purchase details (order status, car model, products and service history);
- Payment data (data necessary for fraud prevention, billing information, credit/debit card details. Please note that the security code is processed for transaction purposes only and is not retained by us);
- Warranty and other documentation for our products;
- Insurance forms;
- Credit information from consumer reporting agencies;
- Call recordings;
- CCTV footage.
4. Why and how we collect your Personal Information
4.1. Direct Data Collection
We collect and use Personal Information for business purposes. Personal Information is collected directly from you when:
- You choose to or are required to submit Personal Information (such as your name, address, e-mail address and telephone number) to us via physical forms upon visiting us, and/or electronic forms on this website,
- You register for personalised services,
- You contact us with an enquiry.
Personal Information is also collected when you contact us via the contact details made available on our website; send us correspondence; and/or message us on our social media pages.
We may use your Personal Information to:
- Execute a contract;
- Administer requests submitted by you via our website or any applicable means, including test-drive requests;
- Administer and/or carry out any obligations we may have under any agreement with you;
- Facilitate, complete or confirm any transaction or purchase of goods or services you choose to enter with us, including warranty coverage;
- Contact you if there are any urgent safety or product recall notices.
You may register for personalised services. To be able to provide such services, we will ask for your consent to use your registration details to:
- Conduct promotional and market research, and
- Provide you with needs-oriented design of electronic services.
Additionally, based on your consent, we will use the information called up by you on your visit to the Volkswagen portals to construct your user profile and send you specially tailored promotional offers.
When we use your Personal Information for promotional and market research, we adopt a strict data minimisation and pseudonymisation approach, and we will not share any of the information from research with any third parties outside of Volkswagen Group and Volkswagen Partners for marketing purposes, or store any of your information outside of the European Union/European Economic Area.
4.2. Indirect Data Collection
We use third party entities such as credit rating agencies, and other publicly accessible sources, when we need to carry out credit ratings or when we are trying to collect or enforce payment for outstanding bills.
5. Applicable legal grounds
We process your Personal Information where the following legal grounds apply:
- You have provided us with your consent (in such cases, you will be provided with clear information as to what you are consenting to and how you can withdraw your consent. Refer to Section 6 for more information);
- Processing is necessary to perform a contract or to take steps at your request, before entering a contract (in such cases the consequences of not providing this information may include being unable to proceed with the requested service);
- Processing is necessary for our legitimate business interests, including the effective running of the website; managing compliance; monitoring trends; developing new products; improving performance; and for the establishment, exercise and defence of legal claims (we will always ensure that such interests do not override yours);
- Processing is necessary to comply with legal obligations which we are subject to;
- Processing is necessary for the vital interests of the data subject (e.g. in the event we communicate to you a product recall or product safety notice).
6. Your consent is important to us
Subject to your consent, we may use your Personal Information to:
- Conduct promotional and market research, when providing you personalised services;
- Provide you with needs-oriented design of electronic services, when providing you personalised services;
- Construct your user profile and send you specially tailored promotional offers, using personal information called up by you when you visit one of the Company’s portals.
If you have already consented to any of the above purposes and no longer want us to use the information related to you for any of the above purposes, you have the right to withdraw consent at any time. In such cases select the unsubscribe button in our email communications or contact the Data Protection Officer by email at firstname.lastname@example.org.
In any case, we may continue to process your Personal Information if it is required by law and to meet our contractual obligations with you, such as honouring your warranty. This requirement will continue for as long as the agreement subsists and for a specified retention period thereafter, if and as required by law.
7. Volkswagen ID
The digital services listed below can be found in the myVolkswagen customer area. myVolkswagen brings together relevant information and settings for your vehicle and digital services. In this instance, Article 6, paragraph 1, letter b GDPR is, in principle, the legal basis for the processing of personal data.
Logging into or registering with Volkswagen ID is required to use the abovementioned services.
9. Log files
If you have logged into myVolkswagen with your Volkswagen ID, in the event that an error occurs, we will log the following data:
* your Volkswagen ID in the form of your username
* your vehicle identification number (if the error occurred in a function with vehicle context and you have previously added a vehicle to your Volkswagen user account)
We record this log data on the basis of a legitimate interest (Article 6, paragraph 1, letter f GDPR) in quickly eliminating errors which occur on this site and providing you with the best possible assistance in the event of an error. This log data is stored in encrypted form and deleted again automatically after 30 days.
10. Virtual garage
The virtual garage allows you to save vehicles you have ordered or already own in your Volkswagen ID so you can view your vehicles and their equipment at a glance and we can offer you convenient access to additional vehicle-related services on the website without having to identify your vehicle again. You need to enter the commission number (for vehicles still in production) or vehicle identification number (VIN; for vehicles already owned) to identify your vehicle. You then have the option to voluntarily enter more data on your vehicle (registration number, nickname) to make it easier for you to identify in the subsequent vehicle overview. If this data is already available in the Volkswagen ID, this is transmitted to the garage. If you decide to enter this data, it is also stored in the Volkswagen ID.
Images of your vehicle in production status are also displayed in this vehicle overview. These images are assigned to you based on the vehicle identification number you entered. If you would like to delete or amend your data, you can do this in Volkswagen ID.
We may store some information (commonly known as "cookies") on your computer when you look at our site. Cookies are used to enable and improve the use and functionality of the website, such as navigation and access to secure areas of the Website.
The information collected from certain cookies facilitates your use of our web site and ensures that you do not need to re-enter your details every time you visit it.
12. Sharing of your Personal Information
We may disclose information to third parties in connection with the abovementioned purposes, in the following circumstances:
- Any third parties who we engage to provide services to us, such as outsourced IT service providers;
- Debt collection agencies for the purpose of recovery of any debt you owe us pursuant to the agreement we have entered into;
- Any advisors/auditors auditing any of our business processes or who need to access such information for the purpose of advising us;
- Any law enforcement body which may have any reasonable requirement to access your Personal Information for the purposes of the prevention, investigation or detection of crime; and
- Any successor (or receiving) entity in the event of merger, reorganisation or similar event.
However, we will always take steps with the aim of ensuring that your privacy rights continue to be protected.
We will make sure that any third-party recipients have undertaken to use any Personal Information legitimately and in accordance with our written instructions or agreements. This means that they cannot use or share your Personal Information unless we have instructed them to do so. They will also be bound to retain the Personal Information in a secure manner and for the period we instruct.
13. Applicable Safeguards
13.1. Protecting Your Personal Information
We have implemented measures and policies to safeguard your Personal Information from unauthorised access or improper use and will continue to update these measures as new technology becomes available.
13.2. Security in Transmission
No method of transmission over the Internet or method of electronic storage is 100% secure. We cannot warrant the security of any information you transmit to us, and you do so at your own risk. If you wish to send an e-mail from your private e-mail account to the Company, you must take your own security precautions in order to maintain the confidentiality and integrity of your e-mail’s content, by using standard commercially available encryption software, for example.
13.3. Personal Information Breach
We cannot guarantee that your Personal Information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or organisational safeguards.
We have put in place procedures to deal with any suspected personal data security breach and will notify the supervisory authority of a suspected breach where we are legally required to do so. In certain cases, we will also inform you, as the data subject, of the occurrence of the breach and the steps you need to take to safeguard your rights.
If you believe your Personal Information has been compromised, please contact the Data Protection Officer on email@example.com.
While we strive to ensure the accuracy of information about you, it shall be your responsibility to ensure that the information you provide is correct and to notify us should such information change. In line with GDPR, if you would like to review or change the details you have supplied us with, please contact the DPO on firstname.lastname@example.org.
14. Privacy by Design and by Default
Where we introduce new technologies, policies or processes, we will ensure that your privacy is considered from the outset i.e. at the ‘design stage’, and where applicable we will carry out a Data Protection Impact Assessment (DPIA).
We will always carry out a DPIA where we use new technologies or consider there is a high risk to your rights and freedoms. Where an assessment identifies risks that cannot be satisfactorily reduced or avoided, we will seek advice from the supervisory authority (Office of the Information and Data Protection Commissioner).
15. Retention of your Personal Information
In some cases, it is not possible for us to specify in advance the periods for which your Personal Information will be retained. In such cases, we will determine the period of retention based on the following criteria:
- What the purpose(s) was for which your information was collected in the first place;
- Whether there are any statutory obligations, obliging us to continue to process your information;
- Whether we have a legal basis in place to continue to process your information, including but not limited to consent;
- What the value attached to your information is;
- Whether there are any industry practices stipulating how long information should be retained;
- The risk, cost and liability attached to such retention; and
- Any other relevant circumstances.
16. Your Rights
In terms of applicable data protection and privacy laws we protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of Personal Information.
As a data subject you have the following rights:
- Right of access: You have the right to obtain from us confirmation whether Personal Information concerning you is being processed, and where that is the case, access to the Personal Information and the additional information as outlined in the regulations.
- Right to rectification: You have the right to obtain from us without undue delay the rectification of inaccurate Personal Information concerning you.
- Right to erasure: You have the right to obtain from us the erasure of your Personal Information in terms of law. This right is limited by, and subject to all our compliance, regulatory and legal obligations.
- Right to restriction of processing: You have the right to obtain from us restriction of processing where one of the following applies:
(1) the accuracy of Personal Information is contested by yourself for a period enabling us to verify the accuracy of your personal data;
(2) the processing is unlawful, and you oppose the erasure of your Personal Information and request the restriction of its use instead;
(3) we no longer need the Personal Information, but it is required by yourself for the establishment, exercise or defence of legal claims;
(4) you object to processing pursuant to your right to object pending the verification whether our legitimate grounds override yours.
- Right to data portability: You shall have the right to receive your Personal Information which you have provided to us, in a structured, commonly used and machine-readable format.
- Right to object: You have the right to object, on grounds relating to your particular situation to processing of your Personal Information. We shall no longer process your Personal Information unless we have a compelling legitimate ground for the processing. You have the right to object at any time to the processing of Personal Information concerning you for direct marketing purposes.
- Right to lodge a complaint: Should you require any clarification or need to discuss matters relating to the processing of your Personal Information, you may contact the Data Protection Officer by e-mail at email@example.com.
In the case you are not satisfied with the outcome, as a data subject, you also have a right to lodge a complaint with the Information and Data Protection Commissioner, either online, via the submission of a report by conventional mail, or by email at firstname.lastname@example.org. Also, you may seek to enforce your rights through judicial remedy.
Please note that your rights in relation to your Personal Information are not absolute. If you intend to exercise one or more of your rights, please send your request by email to email@example.com.
Generally, no fees are applicable when exercising your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive.
We will provide you with a response without undue delay, and in any event, within one month, which starts running as soon as your identity is verified. Occasionally, if your request is particularly complex or you have made a number of requests, we may extend our response time up to three months. In any case, we will inform you accordingly.
The Company may need to request specific information from you to help verify your identity. This is a security measure to ensure that Personal Information is not disclosed to unauthorised third parties.
We may also contact you to ask you for further information or clarification in relation to your request to speed up our response.
17. Links to Third-Party Websites
We are not responsible for the privacy policies and practices of websites which you access using links from our website, or websites which directed you to our website. Any concerns or questions arising from such websites should be handled directly with the respective owners or operators.
18. Contacting Us
If at any time you would like to contact us, you can do so by any of the following means:
Continental Cars Ltd.
Princess Margaret Street
Msida, MSD 1330
Tel: +356 2347 6000
Opening Hours: Monday to Friday: 07:15 – 16:00