Data Protection Compliance Statement

This policy demonstrates our commitment to protecting the privacy and security of your personal information. It contains information regarding how we collect and use personal data or personal information about you in accordance with the General Data Protection Regulation ((EU) 2016/769) (“GDPR”) and all other data protection legislation currently in force in the UK (“Data Protection Legislation”).

Pursuant to Data Protection Legislation, when processing data we will;

• Process it fairly, lawfully and in a clear, transparent way
• Only use it in the way that we have told you about
• Ensure it is correct and up to date
• Keep your data for only as long as we need it
• Process it in a way that ensures it will not be lost or destroyed or used for anything that you are not aware of or have consented to (as appropriate)

Each company within the group is registered as a Data Controller with the ICO.

Company

AMT Vehicle Rental Ltd

ICO Registration number

ZA120651

Company

AMT Contract Hire & Leasing Ltd

ICO Registration number

ZA209348

Company

AMT Specialist Cars Ltd

ICO Registration number

ZB212276

We are a Data Controller. This means that we are responsible for determining the purpose and means of processing personal data relating to you.

“Personal data”, or “personal information”, means any information relating to an identified, or identifiable individual in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

There are “special categories” of sensitive personal data, meaning data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sex life or sexual orientation, genetic data, and biometric data which require a higher level of protection.

The Data protection Policy clarifies:

• What personal data we collect
• Why we process personal data
• With whom we share personal data
• The rights an individual has relating to their personal data and how to enact them
• Our data retention policy
• How personal data is secured
• Our complaints procedure
• Our data breach policy

Details of Personal Information we hold about you, how we process that information and with whom it is shared

We require all third parties to respect the security ofyour personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

The information we collect and process:

Name & Contact Information

Our basis for processing the information:

To enable us to provide our services as a vehicle rental company, to carry out any obligations in relation to any contract you enter into with us and to help us administer your account with us or any of our partners. To carry out market analysis and customer profiling, conduct market research, and create statistical and testing information.To contact you in any way (including mail, email, telephone, text or multimedia messages) about products and services offered by us or the AMT Group for marketing purposes, only if you have given explicit consent for us to do so. To initiate membership or access via email to selected third party services on the basis that they have been identified as a legitimate interest. To help detect and prevent against fraud or loss.

How we share this information:

With insurers and their agents for the purposes of insurance administration and claims. With other members of our Group to enable us to process your vehicle order. With law enforcement agencies, regulatory bodies, credit reference agencies, the DVLA and other third parties as permitted under Data Protection Legislation and any other relevant legislation. With Look After My Car (T/N of Premia Solutions Limited), our approved insurance provider. For more information on how they will use your data, or to opt out, you can read their privacy policy here. With the finance company who provide finance to you in relation to the vehicle (or any member of that finance company’s worldwide group of companies), so that they or their agent(s) can process your order.

The information we collect and process:

Payment Information

Our basis for processing the information:

To enable us to provide our services as a vehicle rental company, to carry out any obligations in relation to any contract you enter into with us and to help us administer your account with us or any of our partners, namely, to make transactions related to charges incurred through the use of our services.

How we share this information:

With other members of our Group only to enable us to process your vehicle order With the finance company who provide finance to you in relation to the vehicle (or any member of that finance company’s worldwide group of companies), so that they or their agent(s) can process your order

The information we collect and process:

Insurance History

Our basis for processing the information:

To help detect and prevent against fraud or loss To provide insurance cover as part of our services offered

How we share this information:

With insurers and their agents for the purposes of insurance administration and claims With other members of our Group to enable us to process your vehicle rental or purchase With law enforcement agencies, regulatory bodies, credit reference agencies, the DVLA and other third parties as permitted under Data Protection Legislation and any other relevant legislation

The information we collect and process:

Driving License Information

Our basis for processing the information:

To help detect and prevent against fraud or lossTo provide insurance cover as part of our services offeredTo ensure you are correctly licensed to drive a vehicle

How we share this information:

With insurers and their agents for the purposes of insurance administration and claimsWith other members of our Group to enable us to process your vehicle rental or purchaseWith law enforcement agencies, regulatory bodies, credit reference agencies, the DVLA and other third parties as permitted under the General Data Protection Regulation 2018 and any other relevant legislation including the General Data Protection Regulation

The information we collect and process:

Employment History

Our basis for processing the information:

To enable us to perform an affordability or credit check to consider eligibility for a product or service and to enable us to provide insurance cover. To help detect and prevent against fraud or loss

How we share this information:

With insurers and their agents for the purposes of insurance administration and claims With other members of our Group to enable us to process your vehicle order With law enforcement agencies, regulatory bodies, credit reference agencies, the DVLA and other third parties as permitted under Data Protection Legislation and any other relevant legislation With the finance company who provide finance to you in relation to the vehicle (or any member of that finance company’s worldwide group of companies), so that they or their agent(s) can process your order

The information we collect and process:

Proofs of Identity

Our basis for processing the information:

To enable us to provide our products and services, to carry out any obligations in relation to any contract you enter into with us and to help us administer your account with us or any of our partners. To help detect and prevent against fraud or loss

How we share this information:

With insurers and their agents for the purposes of insurance administration and claims With other members of our Group to enable us to process your vehicle order With law enforcement agencies, regulatory bodies, credit reference agencies, the DVLA and other third parties as permitted under Data Protection Legislation and any other relevant legislation With the finance company who provide finance to you in relation to the vehicle (or any member of that finance company’s worldwide group of companies), so that they or their agent(s) can process your order

The information we collect and process:

Location data

Our basis for processing the information:

To assist us with collecting or repossessing the vehicleTo help detect against fraud or lossTo monitor vehicle mileageTo monitor driving behaviourTo assist us with insurance or damage administration and claims

How we share this information:

With the client named on the Rental Agreement, if we suspect you have broken the terms of the rental agreement, to assist us with insurance or damage administration and claims or to assist us with collecting or repossessing the vehicle With insurers and their agents for the purposes of insurance administration and claimsWith law enforcement agencies, regulatory bodies and other third parties where we have a legal obligation to do so and as permitted under the General Data Protection Regulation 2018 and any other relevant legislation including the General Data Protection Regulation

The information we collect and process:

The products or services about which you have enquired

Our basis for processing the information:

To enable us to provide our products and services, to carry out any obligations in relation to any contract you enter into with us and to help us administer your account with us or any of our partners To carry out market analysis and customer profiling, conduct market research, and create statistical and testing information To contact you in any way (including mail, email, telephone, text or multimedia messages) about products and services offered by us or our partners, if you have specifically consented to such processing

How we share this information:

With third parties who assist us with market analysis, customer profiling and market research as permitted under Data Protection Legislation and any other relevant legislation

The information we collect and process:

Information about your business, role and vehicle fleet

Our basis for processing the information:

To enable us to provide our products and services, to carry out any obligations in relation to any contract you enter into with us and to help us administer your account with us or any of our partners To carry out market analysis and customer profiling, conduct market research, and create statistical and testing information To contact you in any way (including mail, email, telephone, text or multimedia messages) about products and services offered by us or our partners, if you have specifically consented to such processing

How we share this information:

With other members of our Group to enable us to process your vehicle order With credit reference agencies and other third parties (which includes third parties we use to assist us with our marketing activities) as permitted under Data Protection Legislation and any other relevant legislation

The information we collect and process:

Information obtained from third parties, such as credit reference agencies or the DVLA

Our basis for processing the information:

To enable us to provide our products and services, to carry out any obligations in relation to any contract you enter into with us and to help us administer your account with us or any of our partners. To help detect and prevent against fraud or loss

How we share this information:

With other members of our Group to enable us to process your vehicle order With law enforcement agencies, regulatory bodies, credit reference agencies, the DVLA and other third parties as permitted under Data Protection Legislation and any other relevant legislation With the BVRLA, which may share your personal information with its members to prevent crime and protect their assets, as permitted under Data Protection Legislation and any other relevant legislation

Your rights to your Personal Information

Description of your rights

Right to accessYou are entitled to:Confirmation that we are processing your personal data;a copy of your personal data; andother supplementary information

How we will respond to a request

We will comply with any valid request in accordance with our policy detailed below

Description of your rights

Right to rectificationIndividuals have a right to have inaccurate personal data rectified, or completed if it is incomplete.

How we will respond to a request

Where we receive such a request we will take any reasonable steps to ensure that the data is accurate and complete. Where data records a disputed opinion, our records will make clear that it is an opinion and, if a challenge is received, such challenge will also be recorded.

Description of your rights

Right to erasureIndividuals have a right to have their personal data erased. This right only applies if:the personal data is no longer necessary for the purpose which we originally collected or processed it for;we are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;we are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;we are processing the personal data for direct marketing purposes and the individual objects to that processing;we have processed the personal data unlawfully;we have to do it to comply with a legal obligation; orwe have processed the personal data to offer information society services to a child

How we will respond to a request

Where we receive such a request we will normally comply as long at least one of the listed circumstances applies.

Description of your rights

Right to restrict processingIndividuals have the right to request the restriction or suppression of processing of their personal data, in the following circumstances:the individual contests the accuracy of their personal data and you are verifying the accuracy of the datathe data has been unlawfully processed and the individual opposes erasure and requests restriction instead;you no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim; orthe individual has objected to you processing their data under Article 21(1) of the General Data Protection Regulation, and you are considering whether your legitimate grounds override those of the individual.

How we will respond to a request

As a matter of course, we will restrict processing of any personal data where its accuracy or the legitimate grounds for processing is being considered. We will consider any request and comply if we believe it to be a valid request in accordance with our policy detailed below

Description of your rights

Right to data portabilityThe right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. This right applies only to information an individual has provided to us (or we have observed by the individual’s use of our products and services) and where our lawful basis for processing the data is consent or for the performance of a contract and we are carrying out the processing via automated means. This excludes paper files.

How we will respond to a request

When we receive a valid request, we will provide the requested information in a structured, commonly-used and machine-readable format.

Description of your rights

Right to objectIndividuals have the right to object to the processing of their personal data in certain circumstances.

How we will respond to a request

Where the data is processed for the purpose of direct marketing this is an absolute right, and on the receipt of a valid request we will cease such processing. In other cases, we will evaluate the request to decide whether we have compelling legitimate grounds which override the interests of the individual, considering the reasons why they have objected to the processing of their data. In particular, if the individual objects on the grounds that the processing is causing them substantial damage or distress (e.g. the processing is causing them financial loss), the grounds for their objection will have more weight. In making a decision on this, we will balance the individual’s interests, rights and freedoms with our own legitimate grounds. If we are satisfied that we do not need to stop processing the personal data in question we will explain our decision to the individual and inform them of their right to make a complaint to the ICO or another supervisory authority and their ability to seek to enforce their rights through a judicial remedy.

Description of your rights

Rights relating to automated decision making including profilingAMT Contract Hire & Leasing Ltd does not currently use automated decision making in its processing of personal data. This policy will be updated if we begin to do so.

How we will respond to a request

Making a request regarding your personal data

An individual may make such a request verbally or in writing and we will comply with any valid request within 28 days of receipt unless exceptional circumstances require an extension to that time limit. We will inform the individual of any extension, and the reason for such, within 28 days of the original request.

Where we are not certain about the identity of the person making the request, we may ask for more information. Any information requested for identity verification will be processed only for that purpose.

There will normally be no charge for this, except where we consider the request manifestly unfounded or excessive. If we will charge a fee we will notify the individual making the request and we will only comply with the request once we have received the fee.

In some cases, we may refuse to comply with a request. If we refuse to comply we will inform the individual as soon as is practicable and within one month. We will inform the individual about the reasons we will not comply with the request, their right to make a complaint to the ICO or another supervisory authority and their ability to seek to enforce this right through a judicial remedy.

If you wish to exercise any of your rights relating to your personal data please contact:

James McGawley
Data Protection Officer
AMT Group
174 Armley Road
Leeds
LS12 2QH

Telephone: 0844 826 2300
Email: james.mcgawley@amtvehiclerental.co.uk

International transfers

We do not transfer your personal data outside the European Economic Area (EEA).

Information Security

We have extensive security arrangements in place to protect personal data we hold on our systems. If you require full details on our security policy, please contact your account manager or the Data Protection Officer, the contact details for which are:

James McGawley
Data Protection Officer
AMT Group
174 Armley Road
Leeds
LS12 2QH

Telephone: 0844 826 2300
Email: james.mcgawley@amtvehiclerental.co.uk

Data Retention Policy

We store Personal Data for differing periods depending on the type of Personal Data and in particular as follows:

• Customer contact data for 7 years from the date on which you cease to be a customer of ours;
• supplier contact data for 7 years from the end of our commercial relationship; or
• until the customer or supplier asks us to return or destroy it and we no longer have a legitimate interest in retaining the data

Personal Data supplied by a customer on behalf of its client(s) in relation to the provision of services is stored until:

• the services have been provided or in accordance with any contract for the supply of services; or
• the customer or the data subject asks us to destroy it.

In each case the above applies unless a legal obligation or other legitimate interest requires us to store the data for a longer period.

We carry out regular audits of any Personal Data we hold to ensure as far as possible that we do not hold any Personal Data that is no longer required.

Making a complaint

If you have a complaint regarding any aspect of our collection or processing of personal data or our data protection policy, please contact:

James McGawley
AMT Group
AMT House
174 Armley road
Leeds
LS12 2QH

On receipt of a complaint regarding Data Protection, within 1 working day we will acknowledge the complaint and provide a response. Where a complaint requires an extension to that time limit we will inform the complainant and provide a formal response with the conclusions to any investigation with utmost urgency.

All complaints received are logged for reference, detailing the original complaint, the details of any investigation and the resolution.

Where we are not able to reach a satisfactory resolution, individuals are advised of their right to report their concern to the Information Commissioners Office or to seek judicial remedy.

Data Breach Policy

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.When we become aware of a personal data breach, we will establish the likelihood and severity of the resulting risk to individuals’ rights and freedoms. Where necessary, we will promptly inform those affected. We will tell them:

• The name and contact details of our data protection officer or other contact point where more information can be obtained
• A description of the likely consequences of the personal data breach; and
• A description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects

When we become aware of any personal data breach we will document and justify any decisions made regarding it.

In the event of a material data breach, we will, where required and where feasible:

• Notify the Information Commissioner’s Office of the breach within 72 hours. Where we are unable to provide a full explanation of the breach within 72 hours we will still provide notification of the breach and an explanation of the delay, with the results of the corresponding explanation being provided as soon as they are available;
• Notify the Financial Conduct Authority of the breach within 72 hours. Where we are unable to provide a full explanation of the breach within 72 hours we will still provide notification of the breach and an explanation of the delay, with the results of the corresponding explanation being provided as soon as they are available;
• Follow the National Cyber Security Centre guidelines for reporting a breach, if the breach involves malicious cyber activity.

We will document any breach, whether or not the ICO, FCA or any affected individuals are notified, as follows:

• A description of the nature of the personal data breach;
• The categories and approximate number of individuals concerned;
• The categories and approximate number of personal data records concerned;
• A description of the likely consequences of the personal data breach;
• A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

Personal data breaches should be reported to:

James Mcgawley
Data Protection Officer
AMT Group
174 Armley road
Leeds
LS12 2QH

Telephone: 0844 826 2300
Email: James.Mcgawley@amtvehiclerental.co.uk