GDPR Compliance

Last Updated: January 15, 2025
Effective Date: January 15, 2025

This page explains how FleetCO complies with the General Data Protection Regulation (GDPR) and outlines your rights as an EU/EEA resident.

1. Introduction to GDPR

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas.

At FleetCO, we are committed to ensuring the protection of your personal data and complying with the GDPR. This page explains how we process personal data in accordance with GDPR principles and outlines your rights as a data subject.

This GDPR Compliance statement applies to all personal data processed by FleetCO concerning EU/EEA residents, regardless of where the processing takes place.

2. Data Controller Information

FleetCO is the data controller for personal data collected and processed through our fleet management platform and website.

As a data controller, we determine the purposes and means of processing personal data and are responsible for ensuring that all processing activities comply with GDPR requirements.

Contact details for FleetCO as the data controller:

FleetCO

Lusaka, Zambia

Email: privacy@fleetco.com

Phone: +260 971 196 736

3. Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and implementation to ensure compliance with GDPR requirements.

Our DPO serves as the point of contact for data subjects and supervisory authorities on all matters related to the processing of personal data.

Contact details for our Data Protection Officer:

Data Protection Officer

FleetCO

Email: dpo@fleetco.com

Phone: +260 971 196 736

4. Your Rights as a Data Subject

Under the GDPR, individuals have enhanced rights regarding their personal data. As an EU/EEA resident, you have the rights described below.

We are committed to facilitating the exercise of these rights and will respond to your requests within one month, as required by the GDPR. This period may be extended by up to two additional months if necessary, taking into account the complexity and number of requests.

Right to Access

You have the right to request a copy of the personal data we hold about you and information about how we process it.

How to exercise this right:

Submit a data access request via email to dpo@fleetco.com with the subject line 'GDPR Data Access Request'.

Right to Rectification

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

How to exercise this right:

Update your information directly in your account settings or contact dpo@fleetco.com with the corrections needed.

Right to Erasure

Also known as the 'right to be forgotten,' you have the right to request that we delete your personal data in certain circumstances.

How to exercise this right:

Submit a deletion request to dpo@fleetco.com with the subject line 'GDPR Deletion Request'.

Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances.

How to exercise this right:

Contact dpo@fleetco.com with details of the processing you wish to restrict and the reasons for your request.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

How to exercise this right:

Submit a data portability request to dpo@fleetco.com with the subject line 'GDPR Data Portability Request'.

Right to Object

You have the right to object to the processing of your personal data in certain circumstances, particularly for direct marketing purposes.

How to exercise this right:

Submit an objection request to dpo@fleetco.com with the subject line 'GDPR Processing Objection'.

Rights Related to Automated Decision Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.

How to exercise this right:

Contact dpo@fleetco.com if you believe you have been subject to automated decision making that has significantly affected you.

5. Lawful Basis for Processing

Under the GDPR, we must have a valid lawful basis for processing personal data. Depending on the specific processing activity, we rely on one or more of the following legal bases:

Consent: Where you have given clear consent for us to process your personal data for a specific purpose. For example, when you opt in to receive marketing communications.

Contract: Where processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract. This applies to most of our core service functionality.

Legal Obligation: Where processing is necessary for compliance with a legal obligation to which we are subject. For example, tax and accounting requirements.

Legitimate Interests: Where processing is necessary for our legitimate interests or the legitimate interests of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms. We conduct legitimate interest assessments for such processing.

Vital Interests: In rare cases, where processing is necessary to protect someone's life.

Public Task: Where processing is necessary for the performance of a task carried out in the public interest.

We will always be transparent about which lawful basis applies to each processing activity.

6. International Data Transfers

As a global company with operations outside the EU/EEA, we may transfer personal data to countries that do not provide the same level of data protection as the EU/EEA.

When transferring personal data outside the EU/EEA, we implement appropriate safeguards to ensure that your personal data remains protected according to GDPR standards. These safeguards include:

Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses in our agreements with third parties who process personal data outside the EU/EEA.

Adequacy Decisions: Where applicable, we transfer data to countries that have received an adequacy decision from the European Commission.

Binding Corporate Rules: For intra-group transfers, we may rely on Binding Corporate Rules approved by EU data protection authorities.

Explicit Consent: In specific cases, we may rely on your explicit consent for international transfers, after informing you of the potential risks.

If you have questions about our data transfer mechanisms, please contact our Data Protection Officer.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements.

Our retention periods are determined based on:

The amount, nature, and sensitivity of the personal data

The potential risk of harm from unauthorized use or disclosure

The purposes for which we process the data and whether we can achieve those purposes through other means

Legal, regulatory, and contractual requirements

For specific information about retention periods for different types of data, please refer to our Privacy Policy or contact our Data Protection Officer.

8. Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption of personal data during transmission and at rest

Regular testing and evaluation of the effectiveness of security measures

Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services

Process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures

Procedures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Staff training and awareness programs on data protection and security

Access controls and authentication mechanisms to ensure that only authorized personnel can access personal data

9. Data Breach Notification

In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, we will:

Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach

Notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms

Document all breaches, including the facts relating to the breach, its effects, and the remedial action taken

Our data breach response plan includes procedures for identification, reporting, containment, recovery, assessment, and notification of data breaches.

10. How to Exercise Your Rights

To exercise any of your rights under the GDPR, please contact our Data Protection Officer using the contact details provided below.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

We aim to respond to all legitimate requests within one month. Occasionally, it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

There is generally no fee for exercising your GDPR rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

11. Complaints and Supervisory Authority

If you have a complaint about how we handle your personal data, please contact our Data Protection Officer in the first instance. We will investigate your complaint and work to resolve any issues as quickly as possible.

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

The lead supervisory authority for FleetCO is [Relevant EU Supervisory Authority], but you may contact any supervisory authority within the EU/EEA.

12. Updates to This Policy

We may update this GDPR Compliance statement from time to time to reflect changes in our practices or legal requirements.

We will notify you of any significant changes by posting a prominent notice on our website or by sending you a direct notification.

We encourage you to periodically review this page for the latest information on our GDPR compliance practices.

13. Contact Information

If you have any questions or concerns about our GDPR compliance or how we process your personal data, please contact our Data Protection Officer:

Data Protection Officer

FleetCO

Email: dpo@fleetco.com

Phone: +260 971 196 736

Address: FleetCO, Lusaka, Zambia
