The GDPR (General Data Protection Regulation)

The General Data Protection Regulation (GDPR) is a European data protection law designed to update and strengthen the 1995 EU Data Protection Directive and to standardize data protection practices across the European Union.

The GDPR came into effect on May 25, 2018, and applies to any company that stores or processes the personal data of EU citizens.

How This Affects You:

When you use our services, we store your personal data on our servers. This enables us to operate our website, provide you with necessary travel documentation, and ensure a smooth travel experience. As Car’s Travel Ltd, we are considered both a 'data controller' and a 'data processor.' You, as a customer or passenger, are a 'data subject,' and if you are booking on behalf of someone else, you may also act as a 'data controller.' In such cases, you may need to take your own steps to comply with GDPR requirements.

Your Responsibilities:

As a data controller, you must ensure compliance with the GDPR. We recommend consulting a legal professional to understand how GDPR legislation affects your organization. The Information Commissioner's Office (ICO) suggests the following 12 steps:

1. Awareness: Ensure that decision-makers and key personnel in your organization are aware of the GDPR and its impact.

2. Information You Hold: Document the personal data you hold, its source, and who you share it with. Conduct an information audit if necessary.

3. Communicating Privacy Information: Review your privacy notices and plan any necessary updates to comply with GDPR.

4. Individuals' Rights: Check that your procedures cover all individual rights, including how to delete personal data or provide data electronically in a commonly used format.

5. Subject Access Requests: Update procedures to handle requests within the new timescales and provide additional information as needed.

6. Lawful Basis for Processing Personal Data: Identify and document the lawful basis for processing personal data under GDPR, and update your privacy notice accordingly.

7. Consent: Review how you seek, record, and manage consent. Refresh existing consents to meet GDPR standards if necessary.

8. Children: Consider whether you need systems to verify the age of individuals and obtain parental or guardian consent for data processing activities.

9. Data Breaches: Ensure you have procedures to detect, report, and investigate data breaches.

10. Data Protection by Design and Impact Assessments: Familiarize yourself with the ICO's Privacy Impact Assessments and the latest guidance from the Article 29 Working Party, and plan their implementation.

11. Data Protection Officers: Designate someone responsible for data protection compliance and assess the role's position within your organization. Consider if you need to formally appoint a Data Protection Officer.

12. International: If your organization operates in multiple EU member states, determine your lead data protection supervisory authority with guidance from the Article 29 Working Party.

What We're Doing to Be GDPR Compliant:

Car’s Travel takes data security very seriously. We implement various measures to protect your data, including:

- Enforcing HTTPS connections to our web servers.

- Running regular security scans on our network.

- Performing scheduled scans on all PCs with robust antivirus software.

- Maintaining an inventory of all personal data we store and ensuring we only collect data necessary for our services.

- Keeping a 'Data Flow Map' that outlines where we store data, including third parties involved.

- Regularly reviewing our Data Protection Policies and providing appropriate training to employees.

- Training staff on our 'Data Breach Protocol' to ensure proper action in the unlikely event of a data breach.

We offer several documents to help you understand how we use your data:

- Terms and Conditions

- Privacy Policy

While the GDPR enhances consumer rights to access and delete their data, there are legal constraints that may limit our ability to fully comply with some requests. For example, our licensing authority requires us to retain full journey records for one year, and as a limited company, we must keep accounting records for six years from the end of the financial year they pertain to.

Car’s Travel Ltd is committed to being fully compliant with this regulation.