KINTO SHARE USERS – SWEDEN EFFECTIVE DATE: 22 june 2020
This Privacy Notice (the “Privacy Notice”) explains how your personal data is collected and processed by Toyota Sweden AB (reg. no 556041-0010) (“Toyota”, “we” or “us”) when you register for and use our car sharing service KINTO SHARE. There are several solutions for flexible mobility services within Toyota and such services together form the brand KINTO. This Privacy Notice describes how we collect and process your personal data within KINTO SHARE and if you share your personal data for the purpose of using other Toyota/Lexus services, we kindly ask you to read the privacy notice for that respective service.
Who is responsible for the collection and use of your personal data?
Toyota is the responsible party for collecting and processing of your personal data (data controller). Our contact details are:
Postal address: Box 1103, SE-172 22 Sundbyberg, Sweden.
Visiting address: Madenvägen 7, SE-174 55 Sundbyberg, Sweden
Telephone number: +46(0)8-706 71 00
Websites: www.toyota.se and www.kinto-mobility.se.
Toyota Motor Europe NV/SA (”TME”) and Toyota Connected Europe Limited (”TCEU”) will also collect and process your personal data (as joint data controllers) in connection with the utilisation of the technical platform used for the provision of the services relating to KINTO SHARE as described below.
TME can be reached at: Avenue du Bourget/Bourgetlaan 60, 1140 Brussels, Belgium.
TCEU can be reached at: 10th Floor, 14-18 Handyside Street, London N1C 4DN, United Kingdom.
How we process your personal data
We process your personal data in connection with your application for membership, your registration for a KINTO SHARE-account, when you book and use a vehicle, and upon the termination of your membership and KINTO SHARE-account. We collect your personal data directly from you as well as from external sources. The personal data that we process are described in detail below in Section “Processing of your personal data” as well as in our compilation of processing activities that is accessed at our website www.kinto-mobility.se. The personal data that we process are, among other things, you email address, full name, telephone number, address and, if you do not have a Swedish driving licence and/or Swedish electronic signature (“BankID”), photos of you together with the front and back of your driving licence. When you use KINTO SHARE; we will also process data about your use of our services, which, among other things, include details on reservations (for example, vehicle preferences, date, time, distance and damage reports). These personal data are processed for various purposes, for example so that you can register a KINTO SHARE-account with us, make reservations and in order for you to report damages in relation to the vehicle that you have reserved. We process your personal data only where it is lawful for us to do so in relation to each purpose for which we process your personal data. That could for example be where the processing is necessary in order to perform the car sharing contract you enter into with us, or where the processing is necessary for compliance with a legal obligation to which the we are subject, such as for recordkeeping over car rentals.
What are my rights in relation to my personal data?
Toyota, TME and TCEU process your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) (“GDPR”). According to the GDPR, you have certain rights in relation to our processing of your personal data for the purpose of KINTO SHARE.
Information: You have the right to obtain concise, transparent, intelligible and easily accessible information about how we use your personal data and your rights related thereto. This is in part why we are providing you with the information in this Privacy Notice.
Access to personal data: You have the right to access your personal data, for example to confirm our use in accordance with law.
Rectification: You are entitled to have your personal data rectified if they are inaccurate or incomplete.
Erasure: You have a ‘right to be forgotten’. This means in short that you, subject to certain conditions, can request the deletion or removal of your personal data where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, where you have withdrawn your consent or where we have no compelling legitimate grounds for the processing which override your interests, rights and freedoms in relation to your personal data.
Restriction of processing: You have, subject to certain conditions, a right to block or prevent further use of your personal data. When processing is restricted, we can still store your personal data, but our use of your personal data will be restricted.
Data portability: Subject to certain conditions, and insofar it does not affect the rights and freedom of other data subjects, you have the right to digitally obtain personal data that relate to yourself and have such personal data transferred to another data controller. The right can for example be used when you have provided us with personal data for the purpose of performing a contract with you and facilitates for you to move, copy or transfer your personal data easily between our IT systems or to external data controllers, without affecting its usability.
Objections to processing: Where the processing is based on our legitimate interest, you have the right to object to such processing unless we have a compelling and legitimate reason to continue processing your personal data. You may at all times object to the processing of your personal data for direct marketing purposes.
Complaints: You have the right to lodge a complaint about the way we handle or process your personal data with the Swedish Data Protection Authority (“DPA”). Such complaint is lodged by way of completing a [form]that is available at the DPA’s website and that is sent by email to firstname.lastname@example.org or by mail to Datainspektionen, Box 8114, SE-104 20, Stockholm, Sweden.
Automated-decision making: As a main rule, you have the right not to be subject to a decision that is based solely on automated processing (including profiling) and that produces legal (or similarly significant) effects to you. Please see further information below in Section “Rejection of activation of KINTO SHARE account”.
How can I exercise my privacy rights?
Toyota is the responsible party for collecting and processing of your personal data (data controller) and we ask you to send all requests regarding exercising your privacy rights to Toyota. If needed, Toyota will then contact the appropriate responsible persons within KINTO SHARE or other companies within the Toyota group (including TME and TCEU) with whom we might share your personal data, in order to manage your requests, questions and complaints. You contact us through our data protection contact person: email@example.com. You may also contact us on the following address: Box 1103, 172 22 Sundbyberg, Sweden.
Your requests will be answered as soon as reasonably practicable and always in accordance with the applicable time periods set out in the GDPR. When you contact us, we may ask for further information necessary for us to verify your identity. The purpose of such request for additional information is to ensure that we do not provide you with information on other data subjects than yourself, which would be a violation of the GDPR. Please note that even though you have requested the erasure of your personal data, there may still be a need to retain certain personal data if required or authorised by law.
Changes to this Privacy Notice
This Privacy Notice will be updated from time to time. Our application and web portal will always display the current version, and by ticking the tick-box, we will be assured that you have taken part of the most recent version. If you have any questions regarding any changes to this Privacy Notice, please contact us as set out in Section “How can I exercise my privacy rights?” above.
What is KINTO SHARE?
KINTO SHARE is a car sharing service. It comprises:
car sharing service for the use of a Toyota or Lexus vehicle, or other vehicle brands;
the mobile app KINTO Share (SE) (the “App”) and the web portal (the “Web Portal”) that will be used to make and manage reservations and to grant access to the vehicle used; and
support centre via telephone, the Web Portal or the App.
Processing of your personal data
This section explains how, why and by whom your personal data is collected and used when you register with and use KINTO SHARE.
Step 1 – Application for membership in KINTO SHARE
The Registration Data is collected in order for us to approve your application for a membership with us. The processing is legitimate as it is necessary to conduct preparatory measures for the purpose of entering into the car sharing services agreement regarding KINTO SHARE. The data will be retained until the car sharing agreement is terminated and during such longer period of time that may be necessary in order to establish, exercise or defend any legal claims.
Step 2 - Creating and activating your KINTO SHARE account
Creating your KINTO SHARE account
Once your membership application has been approved, you must create a KINTO SHARE account to use KINTO SHARE. To do this, you will need to login to the App, using your Registration Data, and provide the following additional personal data:
If you have a Swedish driving licence:
your driving licence number;
the expiry date of your driving licence; and
your personal identification number;
If you do not have a Swedish driving licence and/or a Swedish BankID:
two photos , the first of which comprise a picture of your face aside the front of your driving licence and the second comprise a picture of your face aside the back of you driving licence;
driving licence number (depending on which country your driving licence is issued in);
the expiry date of your driving licence;
your personal identification number and/or date of birth (depending on in which country your driving licence is issued in); and
your home address.
registering of debit/credit card for payments of membership fee and variable booking fees.
The personal data above constitutes your “Account Information”. When you have provided your Account Information you will, through signing by BankID, initiate our assessment process to receive a KINTO SHARE account. Your Account Information is used in this step by Toyota with the purpose to create your KINTO SHARE account for us to assess the prerequisites of entering into a car sharing contract. The processing is legitimate since it is necessary in order for you to be able to enter into a car sharing contract with us. The data will be retained until the car sharing agreement is terminated and during such longer period of time that may be necessary in order to establish, exercise or defend any legal claims, or comply with legal obligations.
Activating your KINTO SHARE account
In order to approve your KINTO SHARE account, we will use part of the Account Information regarding your driving licence to verify its validity compared to the Swedish Transport Agency’s register of driving licences, to ensure that you have a valid driving licence. If you do not have a Swedish BankID or a Swedish driving licence, we will instead manually verify your driving licence information against the photos of you and your driving licence that you have provided us with. We will also from time to time during your membership check that you have a valid driving licence by searching in the Swedish Transport Agency’s register of driving licences. The processing of your driving licence data as mentioned above is made in order to perform the car sharing contract you enter into with us and in accordance with current legislation. The data will be retained until the car sharing agreement is terminated and during such longer period of time that may be necessary in order to establish, exercise or defend any legal claims, or comply with legal obligations such as replying to requests from authorities including the Swedish Transport Agency or the Swedish Police.
after the end of the rental period, you do not return the rented object;
you do not pay parking fines;
you do not pay the rent or other remuneration;
you mistreat the vehicle;
you are reported to the Swedish Police for unlawful use; or
you leave the vehicle to another driver unlawfully.
When we provide the basis for reporting in accordance with item (ii) we process name, personal identification number, driving licence number and the reason for making the report. We process your data under item (i) and (ii) in order to perform the car sharing contract with you, as well as for our legitimate interest of protecting and taking care of our vehicles. Our reporting is a prerequisite for BURF being able to uphold an information list and the list is necessary to cater our and other lessors’ legitimate interests of determine, make or defend any legal claims. BURF’s information list is authorised by the DPA. If we get a match against the information list, such data will be retained until the car sharing contract is terminated and during such longer time that may be necessary in order to determine, make or defend any legal claims. The reporting information basis to the information list is only retained during the time necessary for the data to have been received and registered by BURF, which generally is within three business days. More information on how personal data is processed on BURF’s information list is available at: BURF’s [website].
We will also conduct a credit assessment where we provide information to UC (a Swedish credit reference agency) in order for UC to assess your fulfilment of our creditworthiness requirements. The assessment of UC merely generates a “yes” or “no”. We process data on your creditworthiness in order to determine your payment ability. The processing is legitimate since we have a legitimate interest of payment obligations being fulfilled. The data will be retained until the car sharing agreement is terminated and during such longer period of time that may be necessary in order to establish, exercise or defend any legal claims or comply with legal obligations such as replying to requests from authorities.
Rejection of activation of KINTO SHARE account
If your account is not activated, this is based on an automated process, for example due to your driving licence identity not having been verified or due to your ability to pay (creditworthiness) not being assessed as acceptable. You may also be rejected if you are blocked in the BURF information list. According to GDPR you have, as a main rule, the right not to be subject to a decision that is based solely on automated processing (including profiling) and that produces legal (or similarly significant) effects to you. However, this is not the case if such decision-making is necessary when entering into or performing a contract betwe