PRIVACY POLICY JUMBO CAR COSTA RICA

Privacy policy SANJOCAR SA

Version dated 12/07/2019

PreambleThe General Data Protection Regulation (GDPR) entered into force on May 25th, 2018 and complements legislation on the protection of personal data.

For your information, a personal data corresponds to any information relating to an identified natural person or that can be identified, directly or indirectly, by reference to an identification number or to one or more elements specific to it (surname, first name, address, e-mail, telephone, contract number, CB number, ...).

Personal data processing refers to any operation on this type of data (collection, storage, transmission, deletion, etc.) whether on paper or computer. The controller is the person who determines the purposes of each processing and the means to achieve those purposes.

For SANJOCAR SA, the protection of your data is a priority. Therefore, for the sake of transparency, the purpose of this Privacy Policy is to explain to you why your personal data are collected and processed by SANJOCAR SA, in its capacity as controller, how they are processed, what rights you have over your data and how you can exercise them.

SANJOCAR SA reserves the right to modify this Privacy Policy at any time. Any changes will take effect immediately.

Therefore, we invite you to consult our Policy regularly, accessible from all pages of the Site, in order to keep you informed of the latest applicable online version. For changes that we consider to be the most significant, a notification will be made on the Site. We also invite you to check the date indicated on this Policy to know the date of the last update.

Synopsis

1. Why does SANJOCAR SA need to collect your data?

2. What data does SANJOCAR SA collect?

3. What is the legal basis for processing your data?

4. How long is your data kept?

5. What are your rights and how do you exercise them?

5.1. Your rights to your data

5.2. Exercising your rights

6. With whom does SANJOCAR SA share your data?

7. How does SANJOCAR SA secure the processing of your data?

8. Mandatory Fields

9. Cookies Policy

10. Privacy by Design/by Default

11. Accountability

Why does SANJOCAR SA need to collect your data?The data that SANJOCAR SA collects are necessary to enable it to meet the following purposes:

Respond to requests received via the contact form,Monitoring your navigation on the site,Manage business relationships,Manage payment requests website and agencies,Offer you commercial offers,Perform customer management operations related to contracts, order processing, deliveries, invoices, accounting, and in particular customer account management;Commercial prospecting and marketing (sending of advertising messages (SMS or email));Conducting customer studies including survey, trade statistics;Updating its prospecting files for the management of the opposition list to telephone canvassing;Management of requests for access, rectification and opposition rights;Managing people’s opinions about products, services or content.For Supplier Partner data,

Supplier file management: perform administrative operations related to contracts; orders; deliveries and invoices, accounting for the management of supplier accounts;Maintain supplier documentation.With regard to candidate data,

Management of applications.Generally speaking, SANJOCAR SA does not process any of your data for purposes incompatible with those for which it was collected, unless you have given your prior consent.

What data does SANJOCAR SA collect?SANJOCAR SA collects different types of personal data concerning you:

Personal data that you communicate directly to us:

When you fill out a contact form,When you complete a quote request,When you make a booking on the website,When you want to take out a contract,When you contact customer service to ask a question, make a complaint,Generally speaking, when you exchange with SANJOCAR SA in any other way.The disclosure of your personal data is voluntary. However, certain information, identified y an asterisk, is essential for SANJOCAR SA to process your request. Without this information, SANJOCAR SA will not be able to process your request.

Personal data communicated to us

In the context of commercial partnerships, data are transmitted to us by third-party organizations:

Tour operator (turnkey travel organizer)Broker (Comparative Websites)Assistant (insurance companies)Hotel Partners (Hotel, Lodging, etc.)Franchisors.Personal data that we automatically collect

We automatically collect certain information about you when you access the SANJOCAR SA website, including information about your browsing. SANJOCAR SA uses cookies and other tracking technologies to collect information about you when you interact with the SANJOCAR SA Website.

To learn more about cookies and how to disable them, please refer to the Cookie Policy.

What is the legal basis for processing your data?The SANJOCAR SA Company collects your personal data for the purposes described in point 1 of this Policy. In all cases, the Company SANJOCAR SA collects your data, only when their collection and processing are based on a legal basis.

Execution of contractual relations with SANJOCAR SA

Your data is necessary for the performance of the contract to which you have subscribed or wish to subscribe. On this contractual legal basis, any refusal to disclose your personal data will prevent the conclusion and performance of the contract.

Compliance with a legal obligation to which SANJOCAR SA is subject

Some of your data are processed by SANJOCAR SA to meet its legal obligations:

Comply with its legal obligations, including the applicable accounting rules, in terms of the management of accounts receivable and accounts payable,Manage requests for access, rectification and opposition rights,Manage a list of objections to telephone canvassing,Check the age of the driver at when setting up a car rental contract.Your consent

Subject to your prior consent, SANJOCAR SA may process your data for:

Send you commercial offers on its products and services,Deposit cookies under the conditions described in the Cookie Policy.At any time, you may reconsider your choice and withdraw your consent, in accordance with the terms described in section 5.2 of this Policy, without, however, calling into question the legality of the processing based on consent and implemented prior to withdrawal.

The legitimate interests of SANJOCAR SA

The Company SANJOCAR SA may process your personal data for the purposes of pursuing its legitimate interest, in particular, for the management of commercial relations.

How long is your data kept?Your data are kept by the Company SANJOCAR SA for the time necessary to achieve the purposes referred to in point 1 hereof, plus the statutory limitation periods.

In terms of cookies .

SANJOCAR SA may keep the data for 13 months.

In terms of commercial management and business development.

SANJOCAR SA may keep the data for 3 years from the last contact with SANJOCAR SA and you. (Simplified Standard n°48)

In terms of invoicing .

The Company SANJOCAR SA may keep the data for 10 years (Art L123-22 paragraph 2 of C.COM. Simplified standard n°48)

When it comes to accounting.

The Company SANJOCAR SA may keep the data for 10 years (Art L123-22 paragraph 2 of C.COM. Simplified standard n°48)

For more information on the retention periods of your data, you can contact the DPO of SANJOCAR SA: dpo@gbh.fr.

What are your rights and how do you exercise them?

Your rights to your dataRight of access to your data

You may obtain confirmation from SANJOCAR SA that your data are or are not processed and, where they are, access to all data and information held by SANJOCAR SA .

Right to rectification of your data

You can obtain from the Company SANJOCAR SA, as soon as possible, the rectification of data concerning you which would be inaccurate or erroneous. You can also request that your data be completed, if necessary.

Right to erasure of your data

Unless there are legal exceptions, you may request that SANJOCAR SA delete your data as soon as possible, if in particular, you feel that the processing carried out by SANJOCAR SA on your data is no longer necessary in view of the purposes for which it was collected.

Right to data portability

You can retrieve part of your data in an open and machine-readable format or ask SANJOCAR SA to transmit it to another organization. Only the data that you have provided actively and consciously to SANJOCAR SA are concerned by this right (for example, the data that you have entered in an online form) or data generated during the use of a service or device in connection with the conclusion or management of your contract, which is processed automatically, on the basis of consent or the performance of a contract.

Right of opposition

If your data is processed for prospecting purposes, you may object to it at any time (See section 5.2 of this Policy). Similarly, you may object to the distribution of targeted advertising (Cookies).

Right to limit the processing of your data

You can ask SANJOCAR SA to keep your data without being able to use it, in one of the following cases:

You dispute the accuracy of the data used by SANJOCAR SA,You object to the processing of your data,In case of illicit use but you oppose their erasure,You need it for the recognition, exercise or defense of rights in court.Right to withdraw your consent to the processing of your data

Where the processing of your personal data is based on your consent (sending of our electronic commercial offers, for example), you may withdraw your consent at any time (see point 5.2 of this Policy).

Similarly, to withdraw your consent to cookies, you may do so according to the terms mentioned in the Cookie Policy.

Right to issue post-mortem directives

You have the possibility to define guidelines for the retention, erasure and communication of your data after your death. These guidelines define how you want your rights to your data to be exercised after your death. You can send us these instructions by sending us a letter, with the subject line "Post mortem instructions", to the following address: dpo@gbh.fr You can, at any time, modify or revoke your instructions.

Exercising your rightsTo exercise one of your rights, please send your request to: dpo@gbh.fr or SANJOCAR SA Oficinas Clare Facio Leal, 300m este de Plaza Mayor contiguo a la Clínica Prisma Dental, Rohrmoser, Pavas, San José - specifying “SANJOCAR SA - For the attention of the DPO.

Any request must specify, in subject matter, the reason for the request (exercise of the right of access, opposition, etc.) and the company concerned by the request. The application must also be accompanied by a double-sided copy of a valid piece of identification bearing the applicant’s signature and the address to which the reply must be sent.

The Company SANJOCAR SA will send you its reply within a maximum of one month, from the date of receipt of your request. However, this period may be extended to two months due to the complexity and number of requests.

If you feel, after having contacted the Company SANJOCAR SA, that your IT rights and Freedoms are not respected, you can address a complaint to the CNIL.

Prospecting and targeted advertising

Once you have agreed to receive commercial offers from SANJOCAR SA, you may, at any time, respond to STOP.

In general, for any question relating to this data protection policy or for any request relating to the management of your personal data by SANJOCAR SA, you can send your request by email or mail, as indicated above.

With whom does SANJOCAR SA share your data?The SANJOCAR SA Company may also transmit your data to the following entities where this is necessary to meet one of the purposes referred to in point 1 of this Agreement:

Regarding the collection of payment information your data can be transmitted:

• Paybox (Payment on the website)

How does SANJOCAR SA secure the processing of your data?SANJOCAR SA implements all technical, physical and organizational measures to ensure the security and confidentiality of your data during the collection, processing and transfer of your data.

SANJOCAR SA Company’s infrastructures are protected against malware (viruses, spyware, etc.); the security of your terminal is your responsibility.

In the event that we may use service providers to process part of your data, we undertake to verify that they provide sufficient guarantees to ensure the protection of personal data entrusted to them and to have them sign confidentiality clauses in accordance with Article 28 of the GDPR.

In the event of a breach of personal data, that is to say in the event of a security incident, whether malicious or not and occurring intentionally or unintentionally, resulting in a compromise of integrity, the confidentiality or availability of your personal data, we undertake to comply with the following obligations:

FOR YOU, DATA BREACH CREATES

NO RISK

A RISK

A HIGH RISK

Internal documentation in the “Violation Register”

X

X

X

We inform you as soon as possible

-

-

X

The “Violation Register” contains the following:

The nature of the violation;The categories and approximate number of people involved;The categories and approximate number of files involved;The likely consequences of the violation;The measures taken to remedy the violation and, if necessary, to limit the negative consequences of the violation;If applicable, the justification for the lack of notification to the CNIL or information to the persons concerned.However, and in accordance with the regulations in force, we are not required to inform you of a violation in the following cases:

Your personal data is protected by measures that make it incomprehensible to anyone who is not authorised to access it;Steps have been taken to ensure that the risk is no longer likely to materialize;This communication requires disproportionate efforts on our part, including not having any contact information to inform you.

9. Mandatory FieldsThe fields indicated by an asterisk in our forms are mandatory. The consequences in case of failure to respond are only the lack of consideration of your request. The obligation to provide the requested data is contractual, as it is necessary for the performance of the contract to which you are a party or for pre-contractual measures carried out at your request, in particular in the event of a request for information or quotation concerning our products and services.

Cookies PolicySee Cookies Policy

Privacy by Design/by DefaultWe undertake to integrate the protection of personal data from the conception of a project, a service or any other tool related to the handling of personal data, in particular the minimization of personal data, limitation of the purposes of data collection, respect for the integrity and confidentiality of data, limitation of retention periods.

AccountabilityIn order to respect the principle of Accountability, our company:

• Adopts internal procedures to ensure compliance with the Regulation (IT Charter, Personal Data Protection Charter);

• Keeps a record of any processing carried out under its responsibility or that of the subcontractor (maintenance of the processing register, confidentiality agreements for employees and service providers, company security policy, procedures for managing access requests, rectification, opposition...);

• Conducts Impact Assessments (IAA) for treatments that pose specific risks with respect to rights and freedoms.

The aim is to provide rich documentation to demonstrate compliance with data protection rules at all times.