Toyota Motor Europe NV/SA (“TME”)
Toyota Danmark A/S (“TDK”)
This Policy indicates how we handle your personal data (“Personal Data”) when providing the service KINTO Share, to which you can subscribe through KINTO Share’s online booking system.
KINTOrespects your privacy. Whether you are in contact with KINTOas a potential, present or former customer, consumer or businessman or as part of the public etc., you are entitled to protection of your Personal Data. Your Personal Data may include your name, telephone number, email address, but also the identification number of your car, geographical location etc.
This Policy describes how and why we collect your Personal Data, for which purpose your Personal Data are collected, with whom they are shared, how we protect them, and your rights as a data subject in relation to your Personal Data.
This Policy applies to the processing of your Personal Data within the framework of KINTOand tools, applications, websites, portals, (online) campaigns, sales drives, sponsored social media platforms etc. offered or operated by or on behalf of Toyota Motor Europe NV/SA and/or Toyota Danmark A/S.
The Policy includes the general rules and explanations that apply. The information in this Policy may be supplemented by specific notices which you will receive in connection with specific services, tools, applications, websites, portals, (online) campaigns, sales drives, sponsored social media platforms etc. offered or operated by or on behalf of Toyota Motor Europe NV/SA and/or Toyota Danmark A/S. If so, you will receive such specific notices when your Personal Data are used within the framework of the above activities (including websites, portals, individual communication services, newsletters, reminders, enquiries, offers, campaigns etc.).
At the back of the Policy you will find definitions of key concepts, which are written with capital initial letters (e.g. Personal Data, Processing and Controller).
2. WHO IS CONTROLLER OF THE PROCESSING OF YOUR PERSONAL DATA?
Toyota Motor Europe NV/SA (“TME”)
Avenue du Bourget/Bourgetlaan 60
Toyota Danmark A/S (“TDK”)
2860 Søborg, Denmark
Read more in item 22(a) about how it is decided which party is controller of the specific processing of your Personal Data.
3. WHERE TO ADDRESS QUESTIONS AND ENQUIRIES – Point of Contact for Data Protection
We have created a Point of Contact for Data Protection to answer questions and enquiries concerning this Policy, and to issue any additional specific notices in relation to KINTOor your Personal Data (and their processing).
If you have questions concerning this Policy, if you want to complain about our processing of your Personal Data, or if you want to exercise your rights as described herein, you may contact the Point of Contact:
- firstname.lastname@example.org and
Toyota Danmark A/S
2860 Søborg, Denmark
4. MAIN PRINNCIPLES
We want to protect your Personal Data, and we process them in a reasonable, transparent and secure manner.
We observe the following principles in connection with the processing of Personal Data:
- Lawfulness: We always process your Personal Data lawfully, fairly and in a transparent manner in relation to you as a data subject.
- Data minimisation: We limit the processing of your Personal Data to what is necessary and relevant in relation to the purposes for which they are processed.
- Limitation of purpose: We collect your Personal Data only for specific, explicit and legitimate purposes, and we do not further process them in a manner that is incompatible with these purposes.
- Accuracy: We make sure that your Personal Data are accurate and – if necessary – updated.
- Integrity and confidentiality: We use technical and organisational measures to ensure appropriate data protection, taking account, among other things, the nature of the Personal Data concerned. Such measures protect against unauthorised disclosure and access, accidental or unlawful destruction, accidental loss or alteration and against other forms of unlawful processing.
- Access and rectification: We respect your rights in connection with the processing of your Personal Data.
- Storage limitation: We keep your Personal Data in accordance with applicable law and regulations and no longer than is necessary for the purposes for which the Personal Data are processed.
- Protection of international transfers: We ensure adequate protection of your Personal Data in connection with transfer outside the EEA.
- Protection in relation to third parties: We ensure that third parties are only allowed access to (and are only allowed to transfer) Personal Data in accordance with applicable data protection law and with adequate contractual protection.
- Lawful use of direct marketing and cookies: We only send advertising material to you or place cookies on your computer in accordance with data protection law and other relevant legislation.
5. PROCESSING OF YOUR PERSONAL DATA: LEGAL BASIS
Necessary for the performance of our agreement with you
We generally process your Personal Data if this is necessary for the performance of the agreement which you have entered into by subscribing to KINTO Share.
Our legitimate interests
Where this is relevant, we process your Personal Data if required to pursue our legitimate interests in connection with the provision of KINTO Share, provided that our interests do not carry more weight than your interests, rights or freedoms (e.g. your right to protection of your privacy).
We process Personal Data inter alia,
- where this is relevant to enable you to share certain Personal Data with others (e.g. your location, the location of the KINTO Share vehicle used by you, your destination, your expected time of arrival);
- to provide support/customer service for KINTO Share;
- to enable us, in the event of an emergency, to contact a contact person named by you who is to be contacted if you and/or the KINTO Share vehicle used by you is involved in a crash;
- if you have a KINTO Share vehicle equipped with an internet connection, to enable external contractors (e.g. providers of the mobile network providing the internet connection) to fulfil their legal obligation to identify you (by collecting your ID information);
- to carry out research and development to expand and improve KINTO Share, develop new mobility solutions and improve the performance of Toyota’s vehicles, products and services. In this connection, we can process your Personal Data in a form that is not traceable directly to you;
- to disclose your Personal Data when we are required to do so by the law enforcement authorities or courts of law; and
- to enable our KINTO network partners (e.g. national dealers, authorised dealers/repair shops, including other parts of the Toyota and Lexus organisation and its partners) to contact you.
Our legal obligations
We process your Personal Data if this is necessary for the fulfilment of our legal obligations, including compliance with decisions handed down by courts of law or public authorities. If, for example, we have charged you for your use of the internet connection, we may be obliged to keep the invoice (and your Personal Data on the invoice) for a period determined by law.
6. IF PERSONAL DATA ARE PROCESSED
We process Personal Data about you, being the person who has entered into a rental agreement regarding KINTO Share.
7. PURPOSE OF THE PROCESSING OF YOUR PERSONAL DATA
We collect your Personal Data only for specific, express and lawful purposes, and we do not carry out further processing in a way that is incompatible with these purposes.
We collect and use your Personal Data for the following purposes:
- To activate or deactivate your subscription to KINTO Share/your rental of the KINTO Share vehicle.
- To deliver KINTO Share to you.
- To handle your enquiries.
- To support our sales and marketing activities.
- To carry out research and development to expand and improve KINTO Share, to develop new mobility and/or services and solutions and to improve the performance of KINTO Share’s vehicles, products and services or develop new ones.
- To protect, maintain and support our networks, systems and programs.
- If it may reasonably be required in connection with a dispute in which we are or may be involved, either directly with you or with a third party.
We share your Personal Data with others for the following purposes:
- If you have a KINTO Share vehicle equipped with an internet connection, the provider of the mobile network providing the internet connection may have a legal obligation to gather certain ID information related to you. KINTO Share collects the ID information from you and delivers the information to the provider of the mobile network.
- To enable our networks (national distributors and authorised dealers/repair shops) to contact you within the framework of the delivery/implementation of certain services/segmentation.
- Where we are required by public authorities (e.g. the law enforcement authorities) and courts of law to disclose your Personal Data to them.
- If it may reasonably be required in connection with a dispute in which we are or may be involved, we may share your Personal Data with e.g. the party or the other parties involved in the dispute or with a court of law.
- If you have a user-based insurance agreement with an insurance company and, in accordance with such an agreement, we share with the insurance company any Personal Data necessary for them to establish the agreement (e.g. the geographical location data associated with your KINTO Share vehicle, your driving behaviour etc.).
- Information on damages, including information about the parties involved.
8. CAN I CANSEL THE USE OF MY TOYOTA’S GEOGRAPHICAL LOCATION?
You cannot cancel the use of your and/or your vehicle’s geographical location as it is part of KINTO Share.
9. ACCURATE AND UPDATES PERSONAL DATA
It is important for us that your Personal Data are accurate and up-to-date at all times. You are requested to inform us as soon as possible of any changes or errors in your Personal Data by contacting the Point of Contact for Data Protection (see clause 3 “Where to address questions and enquiries”). We do everything within reason to delete or correct erroneous or obsolete Personal Data.
10. ACCESS TO YOUR PERSONAL DATA
You are entitled to have access to your Personal Data processed by us and – if the Personal Data are erroneous or incomplete – to request that they be corrected or deleted. If you want further information on your rights or would like to exercise your rights, please contact the Point of Contact for Data Protection (see clause 3 “Where to address questions and enquiries”).
11. HOW LONG DO WE KEEP YOUR PERSONAL DATA
We keep your Personal Data in accordance with applicable data protection law. We keep your Personal Data only for as long as this is necessary for the fulfilment of the purposes of the processing, or for as long as we are required to do so by law. If you want further information on how long certain Personal Data are kept before being deleted from our systems and databases, please contact the Point of Contact for Data Protection (see clause 3 “Where to address questions and enquiries”).
We use the following criteria to determine the durations for which we keep your Personal Data:
- Duration of your subscription to and provision of KINTO Share.
- Our legal obligations to keep certain Personal Data about you.
- Periods in which a claim may be made by or against us.
- The requirement for us to make investigations (e.g. security investigations).
- The requirement to use your Personal Data in connection with a current or potential dispute.
Upon termination or expiry of your subscription to KINTO Share we either delete your Personal Data after a period of five (5) years, or we keep your Personal Data after the end of the five-year period in a form that is not traceable directly to you.
KINTO may contact you through electronic media, by letter or phone concerning the mobility-related services selected and for the marketing purposes selected. The marketing purposes selected will be stated in the consent given by you.
In this connection, electronic media include: Emails, notifications, push messages, text and multimedia messages, widgets, apps, Facebook, Instagram, Twitter, LinkedIn, Snapchat, Pinterest, blogs, vlogs (videoblogs on e.g. YouTube) and online games, the internet and other digital channels.
KINTO may further process, and mutually disclose, your Personal Data in relation to the mobility-related KINTO services selected and for the marketing purposes selected.
Depending on the consent given by you to KINTO, mobility-related services and marketing purposes selected include the following: (1) reminders etc., (2) product offers and news, (3) marketing-related surveys, (4) invitations to events and competitions and invitations to arrangements and the opportunity to win prizes, and (5) updating of your consent with regard to new partners, products or forms of contact.
You may withdraw your consent at any time.
13. CATEGORIES OF PERSONAL DATA
The following categories of Personal Data are processed:
|Identity data (first name, family name, username or similar identification, title, copy of your driver licence, date of birth, gender, driver licence number, photo, place of employment (name and address of company), organisation or association through which you are given access to use KINTO Share (name and address).|
|Contact data (address, e-mail and telephone number, contact information in the event of emergencies (if you have provided this information in KINTO Share’ online booking system)).|
|Financial data (bank account information, credit or debit card information, e.g. history of your payments of KINTO Share, invoices, VAT number, if relevant).|
|Location data (collection and return of vehicles, information on geographical location in relation to the vehicle used and/or your smartphone (e.g. GPS position, planned destination, information on trips run (starting place and time, finishing place and time, distance, time, localisation en route (however not the exact route)).|
|Technical data (internet protocol (IP) address, your login data, browser type and version, time zone setting and position, browser plug-in types and versions, operating system and platform and other technology on the units you use to gain access to KINTO Share’s online booking system KINTO Share).|
|Information on driving behaviour (e.g. driving logs, travel logs, driving speed, acceleration speed and braking speed, damages, technical errors or accidents reported to us and – in the event of theft, vandalism and/or personal injury or injury to animals – include also matters reported to the police).|
|Information on social media (your ID on social media enabling you to share the location of your KINTO Share vehicle with others (e.g. regarding the services that allow you to share your KINTO Share vehicle’s location with others via social media as selected by you)).|
|Marketing and communication data (your preferences for receiving marketing material from KINTO Share).|
|Car-related information (ID information on the vehicle (e.g. the car’s registration plate, vehicle identification data, information on the remaining driving range of an electric car, current and historic information regarding the vehicle (e.g. accessories, tyres, economy, insurance, and warranty-related information if any), technical data on the vehicle (e.g. distance driven, fuel consumption, warnings).|
Please note: The above matrix includes examples of data which are not necessarily processed by all the controllers mentioned.
As a rule, we do not collect and process special categories of Personal Data on you or your civil registration number (CPR.no.). We receive a copy of your driver’s licence stating your civil registration number (CPR.no.), but we do not separately register or process your civil registration number (CPR.no.).
You will receive a separate notice if other categories of Personal Data are processed.a
14. PROTECTION OF YOUR PERSONAL DATA
We have introduced technical and organisational measures to protect your Personal Data from unlawful or unauthorised access and use and from accidental loss of and damage to their integrity. These measures are designed to consider our IT infrastructure, the possible consequences for the protection of your privacy and the costs involved, and to be in conformity with applicable standards and practices.
Your Personal Data will only be processed by a third party if the third party concerned accepts to comply with such technical and organisational security measures.
The establishment of data security means safeguarding the confidentiality, integrity and accessibility of your Personal Data.
- Confidentiality: We protect your Personal Data from unwanted disclosure to third parties.
- Integrity: We make sure that your Personal Data are not changed by unauthorised persons.
- Accessibility: We allow approved third parties access to your Personal Data as required.
Our data security procedures include access control, backup systems, monitoring, examination and maintenance, registration of security events and continuity.
16. DISCLOSURE OF PERSONAL DATA
Depending on the purposes of the collection, the collected Personal Data may be disclosed to the following group of recipients:
- Within our organisation and brand:
- Approved personnel
- Associated companies and subsidiaries, including but not limited to Toyota Financial Services Danmark A/S/Lexus Financial Services Danmark A/S and/or Toyota Insurance Management SE/Lexus Insurance Management (independent brand).
- Members of our network of Authorised Dealers and Repair Shops, including but not limited to authorised Toyota or Lexus dealers and repair shops. Other parts of the Toyota and Lexus organisation and partners include Codan A/S.
- External partners
- Advertising agencies: To help us carry out and analyse the effect of campaigns and sales drives.
- Partners: For example trusted companies, which use your Personal Data to provide the service KINTO Share, including support and service, and/or to send advertising material to you (if you have given your consent to receive such material). We always ask such partners to comply with applicable law and this Policy, and we request that they process your Personal Data in confidence. Finance-related information may be passed to external partners, including insurance companies, utility companies, suppliers, car importers, repair shops and drop-off locations etc. If you default on your obligations to us, we may report you to credit rating agencies or warning registers in accordance with applicable rules.
- KINTO’s service providers: Companies providing services for or on behalf of KINTO (as an example, KINTO may share your Personal Data with external IT providers, roadside assistance providers and companies providing customer service and support on behalf of KINTO).
- c) Other third parties:
- When it is necessary to comply with regulations or to protect KINTO.
- To comply with regulations, meet requests from the authorities, comply with court orders, legal procedures, information and reporting obligations etc.
- To control and ensure compliance with our policies and agreements.
- To protect our own and/or our customers’ rights, assets and security.
- In connection with company transactions: as part of a transfer or a sale of all or parts of Toyota’s/Lexus’s activities or in connection with a merger, amalgamation, change of control, restructuring or liquidation of all or parts of Toyota’s/Lexus’s activities
- To the company in which you are employed/organisation or association through which you are given access to use KINTO Share: As part of your access to a service through KINTO Share, we will send information on you to the company in which you have stated to be employed in connection with your subscription to the KINTO Share service or to the organisation/association through which you have stated to have gained access to use KINTO Share. Such information will include the duration of the rental period, the distance driven, your name, project number, cost centre and price.
Please note that the third parties mentioned in b) and c) – in particular service providers offering products, services or application through KINTO Share or through their own channels – may collect Personal Data from you independently. In such cases the third parties concerned are controllers for the handling of your Personal Data, and you will be subject to their terms and conditions.
If your Personal Data are disclosed to associated companies and subsidiaries or members of our network of Authorised Dealers and Garages, your Personal Data will be processed in accordance with Toyota’s/Lexus’s general personal data policy, which is accessible on https://www.toyota.dk/privatlivspolitik.json and https://d3rvezpmgp265q.cloudfront.net/lexusone/lexdkdav11/20200225_Toyota-Lexus%20Privatlivspolitik_FINAL_tcm-3193-1887323.pdf.
17. CONCRETE CONTACT WITH the other parts of the Toyota and Lexus organisation and partners, including OUR AUTHORISED DEALERS AND GARAGES
If you buy a product or service from a member of the other parts of the Toyota and Lexus organisation and its partners, including for example a car from one of our authorised dealers or garages, or if you provide personal information to them, a separate legal relationship will exist between you and the party concerned. They will then (possibly together with us) be controllers in relation to your Personal Data. Any questions or enquiries concerning the other parts of the Toyota and Lexus organisation and its partners’ collection and use of your Personal Data should be made to them directly.
18. TRANSFER OF PERSONAL DATA OUTSIDE THE EEA
KINTO operates a global business. Therefore, your Personal Data may be kept and processed by us or our service providers in several countries, including countries outside your country of residence, or the country in which your KINTO service was bought. Your Personal Data may, for example, be transferred to the United Kingdom, Japan and/or the USA.
If your Personal Data are transferred to countries outside the European Economic Area (“EEA”), we make sure that the required guarantees are provided, including:
– That the transfer is within the scope of a decision on required guarantees made by the EU Commission in accordance with GDPR, Article 45.
– That standard contract regulations for data protection, as approved by the EU Commission or a data protection authority in accordance with GDPR, Article 46.2, point c or d, are met.
– That in the event of transfer of your Personal Data to the USA, the transfer will be regulated by the EU-US Privacy Shield in accordance with GDPR, Article 45.
For further information on how the transfer of Personal Data outside the EEA is regulated, we refer to the following link: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.
For further information on how we have provided the necessary guarantees, you may contact us through the Point of Contact for Data Protection (see Clause 3 “Where to address questions and enquiries”).
19. PROFILING AND AUTOMATED DECISION-MAKING
We do not use automated decision-making in the sense stated in the GDPR.
20. YOUR CHOICE AND RIGHTS
To allow you to make informed choices with regard to how you want us to use your Personal Data, we would like to ensure the greatest possible transparency.
- Your Personal Data:You may contact us at any time through the Point of Contact for Data Protection (see clause 3 “Where to address questions and enquiries”) to ascertain which Personal Data we have about you and where we obtained them. In some cases, you are entitled to receive the Personal Data we have collected about you, in a commonly used, structured and machine-readable format and disclose your Personal Data to a third party of your own choice.
- Right to correction of errorsIf you notice that your Personal Data are erroneous or incomplete, you may request that we correct them.
- Right to limitation of processingYou have the right to request that the processing of your Personal Data be limited while the correctness of your Personal Data are being checked.
- Right to objectionYou also have the right to object to your Personal Data being used for direct marketing purposes (or, if you prefer, you may inform us how often you want to hear from us) or being disclosed to third parties for the same purpose.You may withdraw your consent to Processing of Personal Data at any time by contacting the mentioned Contact Point for Data Protection (see clause 3 “Where to address questions and enquiries”) or by contacting the Toyota dealer or repair shop where you provided your consent.
In addition, you may ask us to delete your Personal Data (except in certain cases, e.g. for documentation of a transaction or to comply with legal requirements).
Please also note that you can complain about the Controller to the relevant data protection authority (“the Authority”).
The relevant Authority in relation to TME (as Controller) is the Belgian data protection authority.
The relevant Authority in relation to TDK (as Controller) is the Danish Data Protection Agency.
The Danish Data Protection Agency
1300 Copenhagen K
Phone+45 3319 3200
21. LEGAL INFORMATION
The stipulations in this Policy supplement, but do not supersede, any other requirements under applicable data protection law. In the event of variance between this Policy and absolute requirements of applicable data protection law, the latter will have precedence.
KINTO may change this Policy at any time. Go to kinto-mobility.dk/kinto-share at any time and read the applicable version of this Policy. You will be notified of any changes of a material nature.
In this Policy the following terms are to be interpreted as follows:
- Controller should be understood as the natural or legal person who, alone or together with others, decides for which purposes and with which means the processing of Personal Data may be undertaken.Whoever is the right Controller of a specific processing activity will depend on the specific processing of your Personal Data. The Controller may be either Toyota Motor Europe NV/SA (Avenue du Bourget 60, 1140 Brussels, Belgium) and/or Toyota Danmark A/S, Dynamovej 10, 2860 Søborg, Denmark (possibly joint Controllers). Either party may thus process your Personal Data for its own purposes, and this will make the party concerned Controller of the processing operation. You may address the Point of Contact for Data Protection (see clause 3 “Where to address questions and enquiries”) for additional information on this, or through a separate notice, e.g. when using specific services (including communication services), or as part of electronic newsletters, reminders, surveys, offers, invitations to campaigns etc.Either party may thus process your Personal Data for its own purposes, and this will make the party concerned Controller of the processing operation. You may address the Point of Contact for Data Protection (see clause 3 “Where to address questions and enquiries”) for additional information on this, or through a separate notice, e.g. when using specific services (including communication services), or as part of electronic newsletters, reminders, surveys, offers, invitations to campaigns etc.
- Processor should be understood as a natural or legal person who processes Personal Data on behalf of the Controller.
- Point of Contact for Data Protection should be understood as the point of contact (i.e. a person appointed by Toyota in the relevant jurisdiction), through which you may address any questions or enquiries concerning this Policy and/or (the processing of) your Personal Data to the Controller, and which will deal with such questions and enquiries.
- EEA means the European Economic Area (the member statess of the European Union and Iceland, Norway and Liechtenstein).
- Personal Data means any form of information that is attributable to a specific person, even if the person is only identifiable, if the information is combined with other information.
- ‘processing’ means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;.
- Other parts of the Toyota and Lexus organisation and its partners, currently
authorised Toyota dealers and Toyota repair shops in Denmark and the Faroe Islands, https://www.toyota.dk/dealers and authorised Lexus dealers and Lexus repair shops in Denmark and the Faroe Islands, https://www.lexus.dk/dealers (together “Other parts of the Toyota and Lexus organisation and its partners”). The other parts of the Toyota and Lexus organisation and partners include Codan A/S.
Got a question? No matter how big or small, our customer service team are ready to answer your queries. Give us a call, or drop us a note.
Keep up with the latest news and mobility trends on our Facebook, LinkedIn and Instagram.
Stay up to date
Get all the latest from KINTO, straight to your inbox. We promise we’ll only update you on relevant news and stories.
© KINTO Danmark