This document outlines the privacy policies related to the use of QodeVault. QodeVault is a fleet management platform used by Qode Media for collecting and analysing vehicle and fleet data.
This document aims to increase transparency about the information that is being collected by QodeVault and how that data is processed.
This Policy sets out the following:
- What personal data QodeVault collects;
- Where it obtains the data from;
- What it does with that data;
- How it stores the data;
- How it deals with your data protection rights;
- And how it complies with the data protection rules.
All personal data is collected and processed in accordance with Irish and EU data protection laws.
The Provider/We/Us/QodeVault – Qode Media as QodeVault is the provider of the service
The Client/You/The User – The users of the QodeVault service. This includes any individual that uses the QodeVault service, has access to QodeVault data or visits the QodeVault website.
The data subject – This includes any individual that drives a vehicle that QodeVault is collecting data from.
Information QodeVault Collects
The following data points are collected from each vehicle tracked by QodeVault: position, speed, acceleration (x, y and z) and the identifier of the device in the vehicle.
This data is collected for the following reasons:
- Detection and prevention of loss or theft of the company vehicles
- Management of insurance claims
- Vehicle impact analysis (location, g-force and direction of impact)
- Identification of unauthorised vehicle movements
- Monitoring and improving employee productivity and performance
- Monitoring and improving customers' and employees' driving behaviour
- Management of vehicle inventory
We also collect data related to the vehicle rental, such as the customer’s reservation data or rental contract data. This is the data that customers provide when they make their reservation for a rental vehicle or when they provide information for the rental contract while at the branch or pick-up location. This includes the customer’s name, date of birth, address, email address, occupation, rental agreement identifier, reservation number and rental period.
We use data hosting service providers in Europe to host the information we collect, and use technical measures to secure The User’s data. For more information on where we store personal data, contact us at firstname.lastname@example.org.
QodeVault will adhere to the following obligations under GDPR law:
- We will only process personal data in accordance with the data controller’s written instructions (including when making an international transfer of personal data) unless required to do so by law.
- We will ensure that people processing the data are subject to a duty of confidence and will take appropriate measures to ensure the security of processing.
- We will only engage a sub-processor with the prior consent of the data controller and a written contract.
- We will assist The User in providing subject access and allow data subjects to exercise their rights under GDPR.
- We will assist The User in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.
- We will delete or return all personal data to The User as requested at the end of the contract.
- We will submit to audits and inspections, provide The User with whatever information it needs to ensure they are both meeting their Article 28 obligations, and tell The User if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
The User shall implement reasonable safeguards to prevent unauthorized access to, use of, or disclosure of the disclosing party’s Data.
Duration of Processing
All identifiable personal data is purged after 4 years unless it is still required under legislation. We own the information that is collected in its aggregate and anonymized form and we reserve the right to use such aggregate, anonymized information without restriction.
QodeVault compiles, stores and uses aggregated data and system usage information to monitor and improve the Products and for the creation of new products. This aggregated data is no longer associated with a device or an individual and as such is not Individual Vehicle Data. We will not attempt to disaggregate the data or re-associate it with a device or individual without The User’s consent or unless legally compelled to do so or unless required for safety or troubleshooting purposes.
We may share certain data with third parties in an anonymized form, provided that such data is indeed anonymized according to the highest standards of anonymization set by the relevant national and EU data protection authorities.
QodeVault follows strict security procedures in the storage and disclosure of personal data, and to protect it against accidental loss, destruction or damage. The data you provide to us is protected using SSL (Secure Socket Layer) technology. SSL is the industry standard method of encrypting personal information so that it can be securely transferred over the Internet.
The User is solely responsible for keeping all user identifications and passwords (“Login Credentials”) secure. If The User believes the security of their Login Credentials has been compromised, or The User suspects unauthorized use, The User will promptly notify QodeVault. QodeVault will be entitled to treat all communications, instructions and transactions as authorized by The User if their Login Credentials are used unless The User has notified QodeVault of compromise or unauthorized use of their Login Credentials. If QodeVault suspects, in its reasonable opinion, fraudulent or unauthorized activity on The User’s account, QodeVault reserves the right to terminate or suspend The User’s access to QodeVault’s website or any applicable services or both and will use reasonable efforts to contact The User.
As a data controller, The User is liable for its compliance with the GDPR Data Protection law which imposes the following duties upon data controllers:
- The data controller may only process data where such processing is in accordance with the criteria of legitimate data processing.
- Ensure that personal data collected is kept accurate and up-to-date.
- Ensure that the personal data is only processed for a specified and legitimate purpose
- Ensure that the personal data is only processed in a way that is compatible with the original purpose for which it was collected.
- Provide an individual with access to the information held about them (Subject Access Request).
- Ensure that the personal data collected is adequate, relevant and not excessive.
- Ensure that personal data is kept secure
There are 9 such criteria for legitimate data processing, namely:
- Performance of a contract;
- Compliance with a legal duty;
- To avoid an injury being caused to the data subject, serious damage to his property or to protect another of his vital interests;
- The administration of justice;
- Statutory functions;
- Government or ministerial functions;
- Any other function of a public nature performed in the public interest by a person;
- In the controller’s legitimate interests, so long as there is no unwarranted interference in the rights of data subjects.
The User also has the obligation to ensure that the data is only accessed for one of the 9 legitimate processing reasons specified above. The User must limit the exposure of personal data to what is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed.
We have provided a mechanism for setting up role-based access controls. The User has the responsibility of setting these roles so that they limit the exposure of personal data among their users to only what is required to successfully accomplish a given task. The level of visibility can be constrained per user based on vehicle identifiers (vid and registration), driver ids, client ids or movement types.
A “cookie” is a text file that is sent from a web server to your browser and stored on your computer’s hard drive or mobile device. Thereafter, when you visit that website, a message is sent back to the web server by the browser accessing the website, and this information about your activities is stored in the cookie.
The information collected in cookies (e.g., the web pages you visit on the website and navigation patterns, the date and time of your visit, the number of links you click within the site, the functions you use on the site, the databases you view and the searches you request on the site, the data you save on, or download from, the site, the websites you visited immediately before and after visiting the site, and when you open our e-mails or click on any of their links) is used and analyzed to improve our service to you and to personalize your web-browsing experience by providing QodeVault with a better understanding of your interests and requirements regarding our websites and applications.
Cookies alone do not personally identify you; they are designed to recognize your web browser. However, if you have provided us with personal information, such as through completion of a web form, cookies may be linked to your personal information, such as your e-mail address or password.
Session cookies exist only during one session. They disappear from your computer when you close your browser software or turn off your computer.
Persistent cookies remain on your computer after you close your browser or turn off your computer.
You have the ability to accept or decline cookies by modifying the settings in your browser.
For more information about how to manage cookies in your web browser, see www.aboutcookies.org.
Data Protection Rights
Under certain circumstances, by law The User and Data Subject have the right to:
- Request information about whether QodeVault hold personal information about you, and, if so, what that information is and why QodeVault are holding/using it
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information QodeVault hold about you and to check that QodeVault are lawfully processing it.
- Request correction of the personal information that QodeVault hold about you. This enables you to have any incomplete or inaccurate information QodeVault hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where QodeVault are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where QodeVault is processing your personal information for direct marketing purposes.
- Object to automated decision-making, including profiling; that is, not to be the subject of any automated decision-making by us using your personal information or profiling of you.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request transfer of your personal information in an electronic and structured form to you or to another party (commonly known as a right to “data portability”). This enables you to take your data from us in an electronically useable format and to be able to transfer your data to another party in an electronically useable format.
- Withdraw consent. In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once QodeVault has received notification that you have withdrawn your consent, QodeVault will no longer process your information for the purpose or purposes you originally agreed to, unless QodeVault have another legitimate basis for doing so in law.
If you want to exercise any of these rights, then please email us at dataprotection@QodeVault.com.
The user/data subject will not have to pay a fee to access their personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if the request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
QodeVault may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.