Privacy Policy
GasanZammit Motors Limited, C57642 (the “Company”, “We”, “Us”) cares about your privacy and the information you share with Us and wants you to understand how we are using and protecting the information we collect about you. The Company further reiterates its commitment to treat the personal information of Data Subjects with the utmost care and confidentiality. With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights.
Our processes comply with applicable privacy law and regulations, including the EU General Data Protection Regulation, Regulation (EU) 2016/679 (the “GDPR”), together with Chapter 586 of the Laws of Malta, Data Protection Act (collectively referred to as the Data Protection Laws) which regulate the processing of Personal Data, whether held electronically or in manual form, as well as granting Data Subjects’ rights in order to protect and be informed how and why their Personal Data is being used. The scope of the Data Protection Laws is to protect each individual’s right to privacy with respect to the processing of Personal Data.
Definitions:
“Data Subject” – a living person to whom the Personal Data relates.
“Personal Data” – means information or data relating to a living person who can be identified from that data. This includes information like names, addresses, date of birth, gender, nationality, contact details, employment details, details regarding education and qualifications, next of kin details, fingerprints, photographs, social security numbers, financial data, employee numbers, disciplinary warnings, performance appraisals or health records. It also includes any correspondence (such as email or via social media) related to a living individual.
“Data Processing”– means any operation or set of operations which is taken with regard to Personal Data, whether or not it occurs by automatic means and includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data.
“Data Controller”- means GasanZammit Motors Limited, C57642, Triq il-Merghat, Central Business District, Birkirkara, CBD 1020, Phone: +356 2778 8200, e-mail: compliance@gasan.com
“Gasan Group” – Include the following subsidiary and associated companies:
- GasanZammit Motors Limited (C 57642);
- GasanZammit International Limited (C 63475);
- Direct Vehicle Leasing Limited (C 98876)
- Mekanika Limited (C 3238);
- Mek Services Limited (C92892);
- Gasan Group Limited (C 29585);
- Gasan Finance Company p.l.c. (C 16435);
- Gasan Properties Limited (C 2);
- Gasan Enterprises Limited (C 467);
- TumasGasan Holdings Limited (C 28031);
- TumasGasan Operators Limited (C 70333);
- Ropes Limited (C 45241);
- The Quad Limited (C 45767); and
- Ta’ Monita Residence Condominium Limited (C 59216).
The contact data for queries relating to data protection
Please contact us for all of your data protection concerns on phone +356 2778 8200 or e-mail: info@gasanzammit.com.
What information we collect
We collect Personal Data in a transparent way and only with the cooperation and knowledge of interested parties. Once this information is available to Us, Company employees processing Personal Data comply with the following rules laid down by the Data Protection Laws and any other legislation in force at the time of processing. In this respect, data will only be shared with employees of the Company in a confidential manner in the course of executing their duties and will not be disclosed to third parties without the Data Subject’s consent or unless obliged to under a specific law, international convention/instrument or EU Regulation/Directive.
Legal basis for processing
We process your personal details, in particular your master data (e.g. name, company, address, date and place of birth, contact details and preferences, contact person/driver, bank details), your vehicles and appointments, your customer profile (e.g. family status, fleet size, any preferences for vehicle purchase and service), information on your personal ID and licence, contract details and contact history, initial registration, service history and the technical details of your vehicles, including diagnostic data, any work carried out and installed or delivered parts and the relevant vehicle identification number for the purpose of
- normal processing of the underlying contractual relationships, to which you are a contractual party (esp. vehicle, parts or accessory contracts and/or requests for information, leasing/financing contracts, workshop/guarantee application, new vehicle warranty, optional extended warranty, roadside assistance guarantee, care for your digital service record, good will payments, any service programme) and the performance of pre-contractual measures requested by you (e.g. test drive) including the duties of care required to do so, the assertion of any claims and defence in case of legal disputes and the prevention and investigation of offences on the basis of Art. 6 Para. 1, b) of the General Data Protection Regulation (GDPR),
- fulfilment of the product surveillance and monitoring requirement and the implementation of any recalls under the legal requirements of the Consumer Affairs Act (Chapter 378 of the Laws of Malta) on the basis of Art. 6 Para. 1 c) GDPR,
- product development and improvement, as well as implementing any free servicing on the basis of the legitimate interest of the manufacturer and importer under Art. 6 Para. 1 f) GDPR,
- direct marketing (e.g. customer information and support, invitation to product presentations, notification of technical innovations, tyre changes, VRT due dates, service information and promotions, connection offers at the expiry of the leasing/financing contract, new purchase options, sending of customer magazines, customer satisfaction survey) based on your consent () pursuant to Art. 6 Para. 1 a) GDPR and, if permitted without your consent, in particular by post on the basis of the legitimate interest of the importer and us as traders according to Art. 6 Para. 1 f) GDPR,
- enforcement of or defence against civil and/or criminal law claims arising from contractual or legal obligations on the basis of the legitimate interest of the respective claimant or respondent in accordance with Art. 6 Para. 1 f) and Para. 4 GDPR and
- insofar as the processing and use of your data is legally required, e.g. to comply with tax and commercial retention periods or to fulfil the identification and recording obligations under the Prevention of Money Laundering Act (Chapter 373 of the Laws of Malta) on the basis of Art. 6 Para. 1 c) GDPR.
Recipients, Including Transfers to a Third Country and Appropriate Guarantees
This includes passing on, if necessary, to:
- any Gasan Group internal bodies and organisational units that require your data for the fulfilment of our contractual and legal obligations or in the context of the processing and implementation of our legitimate interest,
- any franchises represented by GasanZammit Motors Limited, hereafter referred to as ‘our Principals’, as representatives of the manufacturer and road side assistance warrantor (where this is applicable in your specific case),
- our Principals as the manufacturer based on the standard contractual clauses introduced by the decision of the European Commission 2021/914 of 4 June 2021 available in the Official Journal of the European Union No. L 199 dated 07.06.2021, pp. 31 et seq. and at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en ,
- the relevant leasing or financing provider, where you would like to conclude a leasing or financing contract,
- the respective insurer, if you wish to take out an insurance or an optional extended warranty,
- external service companies (e.g. external data centres, support/maintenance of IT/IT applications, credit bureaus, archiving, document processing, call centre services, letter shops, credit institutions, courier services, logistics and social media or communication service providers) as well as
- accountants, lawyers, authorities and courts.
Data Processing by our Principals
Our Principals, in the sense of the data protection regulation, are themselves responsible for the processing of the above-mentioned data categories forwarded on by Us.
Legal Basis
Where applicable, our Principals handle your personal details transmitted by us, in particular master data (such as name, , address, date of birth, contact information, contact preferences, contact person/driver), your vehicles and dates, your customer profile (such as your marital status, , any preferences on vehicle purchase and service), contract data, initial registration, service history, as well as the technical data for your vehicles, including diagnostic data, any work carried out and fitted or supplied parts and the vehicle identification number for the purposes of the
- normal processing of the underlying contractual relationships, to which you are a contractual party (esp. vehicle, parts or accessory contracts, new vehicle warranty, optional extended warranty, roadside assistance guarantee, care for your digital service record, goodwill payments, any service programmes) and the performance of pre-contractual measures requested by you (e.g. test drive, brochures) including the duties of care required to do so, the assertion of any claims and defence in case of legal disputes and the prevention and investigation of offences on the basis of Art. 6 Para. 1 b) GDPR,
- fulfilment of the product surveillance and monitoring requirement and the implementation of any recalls under the legal requirements of the Consumer Affairs Act (Chapter 378 of the Laws of Malta) on the basis of Art. 6 Para. 1 c) GDPR,
- product development and improvement, as well as implementing any free servicing on the basis of the legitimate interest of our Principals under Art. 6 Para. 1 f) GDPR,
- ensuring the brand-specific support by the authorised Principals’ network on the basis of the legitimate interest of our Principals under Art. 6 Para. 1 f) GDPR,
- Direct marketing (e.g. customer information and support, invitation to product presentations, notification of technical innovations, service information and promotions, connection offers at the expiry of the leasing/financing contract, new purchase options, sending of customer magazines, customer satisfaction survey) based on your consent () pursuant to Art. 6 Para. 1 a) GDPR and, if permitted without your consent, in particular by post on the basis of the legitimate interest of our Principals according to Art. 6 Para. 1 f) GDPR,
- enforcement of or defence against civil law claims arising from contractual or legal obligations on the basis of the legitimate interest of the respective claimant or respondent in accordance with Art. 6 Para. 1 f) and Para. 4 GDPR and
- insofar as the processing and use of your data is legally required, e.g. to comply with tax and commercial retention periods on the basis of Art. 6 Para. 1 c) GDPR.
You are kindly requested to refer to the details provided in Annex 1 to this notice for more detail regarding the processing of your processing data by the applicable Principals as well as to channel any of your information-related queries by them.
Operational Data in the Vehicle
Control units process data for the operation of the vehicle.
These include, for example:
- Vehicle status information (e.g. speed, deceleration, lateral acceleration, wheel speed, seatbelt indicator),
- Ambient conditions (e.g. temperature, rain sensor, distance sensor).
Typically, this data is volatile and is not stored beyond the operating time and processed only in the vehicle itself. Control devices often have data storage. This is installed to temporarily or permanently be able to document information on the vehicle condition, component stress and technical events and faults.
The following are generally stored depending on the technical equipment:
- operating states of system components (e.g. fill levels, tyre pressure, battery status),
- faults and defects in important system components (e.g. lights, brakes),
- reactions of the systems in special situations (e.g. triggering of air-bags, activating the stability control systems),
- information about vehicle-damaging events,
- for electric vehicles, the charge of the high-voltage battery, estimated range,
- the above may vary according to brand and model.
In special cases (e.g. if the vehicle has recognised a fault) it may be necessary to store the data, which is actually only volatile.
If the servicing (e.g. repairs, maintenance) is questioned, the stored operational data can, where required, be read out and used together with the vehicle identification number. The read-out from the vehicle can be performed by staff of the service network (e.g. workshops, manufacturers) or third parties (e.g. breakdown services). The same applies to warranty cases and quality assurance measures.
The read-out usually takes place via the statutory connection for OBD (“on-board diagnostics”) in the vehicle. The operational data read out documents the technical states of the vehicle or individual components, helps to diagnose faults, comply with warranty obligations and improve quality. This data, in particular information on the component stress, technical events and other faults, is sent together with the vehicle identification number to the manufacturer. In addition, the manufacturer is liable for product liability. The manufacturer also uses the operational data for matters such as recalls. This data can also be used to examine claims by the customer under warranty and guarantee.
Error memory in the vehicle can be reset during repair or service work or at your request via a service operation.
Comfort and Infotainment Features
You can store comfort settings and individualisations in the vehicle and reset them at any time.
Depending on the respective equipment these include, e.g.
- seat and steering wheel positions settings,
- chassis and air conditioning settings,
- individualisations, such as interior lighting.
You can upload data yourself within the selected equipment to the infotainment features of the vehicle.
Depending on the respective equipment these include, e.g.
- multimedia files, such as music, films or photos for playback in the integrated multimedia system,
- address book data to use in conjunction with a built-in hands-free kit or an integrated navigation system
- entered navigation destinations,
- data on the use of internet services.
This data for the comfort and infotainment features can be stored locally in the vehicle or can be stored on a device, which you have connected to the vehicle (e.g. smart-phone, USB stick or MP3 player). If you have provided this data yourself, you can delete it at any time.
This data is sent from the vehicle only at your request, in particular when using on-line services according to settings selected by you.
Smart-Phone Integration, e.g. Android Auto or Apple Car Play
If your vehicle is so equipped, you can connect your smart-phone or other mobile end device with the vehicle, so that you can control this using the controls built into the vehicle. This image and sound from the smart-phone may be played back over the multimedia system. At the same time, certain information is transmitted to your smart-phone. This may include, depending on the type of integration, position data, day/night mode and more general vehicle information. Please find information about this in the operating instructions of the respective vehicle/infotainment system.
The integration allows the use of selected smart-phone apps, such as, e.g., navigation or music playback. There is no further interaction between the smart-phone and the vehicle, in particular any active access of vehicle data. The type of further processing of the data is determined by the provider of the app used. Whether and which settings you can use for this depends on the app in question and the operating system of your smart-phone.
On-Line Services
If your vehicle has a wireless network connection, this enables the exchange of data between your vehicle and other systems. The wireless network connection is enabled by a transmitting and receiving unit or via a mobile device supplied by you (e.g. a smart-phone). On-line functions can be used via this wireless network connection. These include on-line services and applications that are provided by the manufacturer or other providers.
Third-Party Services
Where you take the opportunity to use on-line services from other (third-party) providers, these services are subject to the data protection policy and conditions of use of the relevant provider. We have no regular influence on the content exchanged.
Please inform yourself about the nature, scope and purpose of the collection and use of personal data in the context of third-party services at the respective service provider.
Duration of Retention
We store your personal data only as long as is necessary for the above purposes, i.e.
- for the purpose of contract execution and enforcement or defence against civil law claims arising from the contractual or legal obligations existing with you until the end of the year following the beginning of the limitation period of the respective reciprocal claims,
- for the purpose of direct mail until you object to the use of your data for the purpose of advertising and
- as long as and to the extent that the storage is required by law or necessary to the performance of the product observation obligation, maintaining product safety and product improvement, to observe any commercial conflict, to maintain your digital proof of service or to observe any advertising refusal..
Data Processing in the Vehicle
Electronic control devices are installed in your vehicle. Control devices process data, which, for example, they receive from vehicle sensors, generate it themselves or exchange it with each other. Some control devices are required for the safe functioning of your vehicle, while others support you when driving (vehicle assistance systems) and others enable comfort or infotainment functions.
The information on data processing in the vehicle is given below:
Personal Reference
Each vehicle is labelled with a unique vehicle identification number. The vehicle identification number is traceable to the current and former holder of the vehicle. There are also other ways to trace the data collected from the vehicle to its holder or driver, e.g. via the number plate.
The data generated or processed by the controllers can therefore be personal or related to a person under certain conditions. Depending on the vehicle data, conclusions about your driving habits, your location or your travel route or on the manner of use may be possible.
Data Processing through Our website
We collect information through this website (www.gasanzammit.com) through forms that you fill in. We use this information to respond to your enquiries and to provide you with information that may interest you. This data is limited to the kind of information that can be found on a typical business card such as; name, job title, employer/company name, address, email address, and phone number. Within this context, the Personal Data collected must be:
- correct and, if necessary, up to date;
- processed lawfully, fairly and in a transparent manner;
- processed in accordance with good practice;
- collected for specific, explicitly stated and legitimate purposes;
- adequate and relevant in relation to the purpose of the processing;
- processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing, accidental destruction, loss or damage by both internal and external parties.
This site also collects and stores certain information automatically using cookies and similar technologies, including IP addresses, the region or general location of a computer or device accessing the internet, browser type, operating system, page view history, and other usage information. See our Cookie Policy for further details.
Statutory Requirements for Disclosure of Data
Where statutory provisions apply, data controllers including Us and Our Principals are fundamentally required to release stored data upon request by state authorities to the extent requested in individual cases (e.g. in the investigation of an offence).
Under the applicable law, state bodies are also authorised to read the data from vehicles themselves in individual cases. In this way information can be read out from the air-bag control unit in the event of an accident, which may assist in investigating this event.
Visitors to our premises
Our premises are safeguarded by several safety measures, including CCTV operations and access controls.
We have signs on our site indicating the places in which CCTV is in operation. The footages and images collected are safely secured and may only be accessed by limited individuals upon a sufficient cause. CCTV data is normally automatically overwritten following 7 days provided that such data may be retained whenever it is required for investigation purposes.
Your Rights
You have the right at any time to appeal against the processing of your data for direct marketing purposes; this applies also to profiling, insofar as it relates to direct advertising. To do so, you can use the unsubscribe feature in our electronic communications, call us on: +356 2778 8200 or email us at compliance@gasan.com. With reference to personal data processed by our Principals, you are requested to refer to the contact details provided in Annex 1 about their channels for consent revocation. If you refuse the processing of your data for the purposes of direct marketing, your data will no longer be used for this purpose.
You also have the right, for reasons resulting from your personal situation, at any time to lodge an objection to the processing of your data, which takes place on the basis of legitimate interests (Art. 6 Para. 1 Sentence 2 2 f) GDPR); this applies also to profiling, insofar as it relates to legitimate interests. We will no longer process the personal data, unless mandatory reasons worthy of protection for the processing can be verified, which outweigh your interests, rights and freedoms, or the processing is for the purpose of making a claim, exercising a claim or defence against legal claims.
Under the relevant statutory requirements you also have the right of access (Art. 15 GDPR), right to rectification (Art. 16 GDPR), right to erasure (Art. 17 GDPR), right to restriction of processing (Article 18 GDPR) and right to data portability (Article 20 GDPR).