This policy sets out how Season Car Rental Limited (“Season Cars”) collects, stores, secures, retains and disposes of personal data in connection with our website, bookings, vehicle hire and marketing activity, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). It applies to all staff, contractors and third-party processors who handle personal data on our behalf.
2.1 Overall accountability for data protection sits with Season Cars’ senior management.
2.2 Day-to-day data protection queries, subject access requests and breach reporting are handled by our designated Data Protection Lead.
We handle personal data in line with the UK GDPR principles:
• Lawfulness, fairness and transparency — we only process data where we have a valid legal basis, and we tell people how we use their data (see Privacy Policy).
• Purpose limitation — we collect data for specified purposes and do not use it for unrelated purposes without a further legal basis.
• Data minimisation — we only collect data that is necessary (e.g. we ask for a DVLA Check Code, not a full copy of a driving record, unless referral to insurers requires more).
• Accuracy — we take reasonable steps to keep data accurate and up to date, and correct it on request.
• Storage limitation — we do not keep data longer than necessary; see the Retention Schedule at Section 6.
• Integrity and confidentiality (security) — we protect data using the measures described at Section 7.
• Accountability — we document our decisions, keep this policy and the Privacy Policy up to date, and can demonstrate compliance if asked by the ICO.
The lawful basis for each processing purpose is set out in our Privacy Policy, Section 5. This policy incorporates that table by reference.
As part of insurance eligibility checks, we process criminal offence data — motoring convictions and offence codes (Hire Terms, clause 11; Privacy Policy, Section 6). This is the only category of special/criminal offence data we currently process; we do not intentionally collect health data, racial or ethnic origin, religious beliefs, or other special category data, and staff should refer any such data received incidentally (e.g. a mobility-related request) to the Data Protection Lead rather than storing it as part of a standard booking record.
Our Appropriate Policy Document for criminal offence data, required under DPA 2018 Schedule 1 Part 4, covers:
• The condition relied on: the “insurance purposes” condition (Sch. 1, Part 3, para 20) — processing is necessary for an insurer, or for us acting on an insurer’s instructions, to assess risk for insurance purposes, and cannot practicably be done with the data subject’s explicit knowledge without prejudicing that assessment;
• Retention and erasure: motoring conviction data is kept only for as long as needed to assess and document eligibility for the specific hire, then securely deleted — see the Retention Schedule at Section 6;
• Safeguards: access to conviction data is restricted to staff directly involved in eligibility checks and our insurers/brokers; it is not used for any other purpose (e.g. marketing) and is not shared beyond those necessary for the insurance assessment.
| Data category | Retention period | Disposal method |
|---|---|---|
| Website enquiries / quotes (no booking made) | 12 months from last contact | Deleted / anonymised |
| Booking contracts, invoices, payment records | 6 years from end of hire | Deleted, subject to statutory accounting requirements |
| Driving licence, passport, proof of address copies | Duration of hire + 12 months | Securely deleted, unless needed for a live dispute/claim |
| Motoring conviction / criminal offence data | Duration of the eligibility assessment for that hire only | Securely deleted immediately once no longer needed for that purpose |
| Vehicle condition reports / collection & return photos | 12 months from end of hire, or until dispute resolved | Deleted |
| CCTV footage (if applicable) | 30 days | Automatically overwritten |
| Marketing consent / preference records | Until consent withdrawn, then indefinitely on suppression list | Retained on suppression list only |
| Accident / insurance claim records | As required by our insurer, typically up to 7 years | Deleted once insurer confirms no longer required |
We apply the following technical and organisational measures:
• Encryption of personal data in transit (TLS) and, where supported by our providers, at rest;
• Role-based access control, so staff can only see the personal data needed for their role;
• No storage of full card numbers on our own systems — card payments and deposits are handled by a PCI-DSS-compliant payment provider;
• Staff training on data protection and secure handling of ID documents (licences, passports, proof of address) at induction and periodically thereafter;
• Due diligence and a written data processing agreement with each processor before onboarding (see Section 8);
• Secure disposal of physical documents (e.g. cross-shredding) and secure deletion of electronic records at the end of their retention period.
We use the following third parties to process personal data on our behalf. Each is subject to a data processing agreement requiring them to protect personal data to at least the standard required by UK GDPR.
| Processor | Purpose | Location / safeguard |
|---|---|---|
| Mailchimp (Intuit Inc.) | Email marketing platform — sending newsletters and promotional emails | United States (safeguards: UK IDTA / UK–US Data Bridge) |
| Mandrill (Mailchimp Transactional) | Transactional email delivery — booking confirmations, deposit release notices | United States (safeguards: UK IDTA / UK–US Data Bridge) |
| Fast SMS | SMS delivery — marketing texts and operational messages (e.g. collection reminders) | United Kingdom |
| Payment services provider | Card payment and security deposit processing | To be confirmed / named |
| Website hosting / IT support provider | Hosting of www.seasoncars.com and supporting infrastructure | To be confirmed / named |
Where a processor is based outside the UK (currently Mailchimp and Mandrill, both US-based), we rely on a recognised safeguard — the UK’s International Data Transfer Addendum to the EU Standard Contractual Clauses, and/or the UK–US Data Bridge, provided the receiving party is certified under the relevant framework. We review this position periodically and if we appoint any new non-UK processor, we confirm an equivalent safeguard is in place before data is transferred.
10.1 Any suspected or actual personal data breach (e.g. lost device, unauthorised access, misdirected email containing ID documents) must be reported to the Data Protection Lead immediately, and in any event within 24 hours of discovery.
10.2 The Data Protection Lead will assess the risk to individuals and, where the breach is likely to result in a risk to people’s rights and freedoms, report it to the ICO within 72 hours of becoming aware of it, in line with UK GDPR Article 33.
10.3 Where a breach is likely to result in a high risk to affected individuals (e.g. exposure of driving licence or passport data), we will also notify those individuals directly and without undue delay, in line with Article 34.
10.4 We keep a written record of all breaches, whether or not they were reportable to the ICO, including what happened, the data involved, and the action taken.
11.1 Requests to access, correct, delete or port personal data, or to object to or restrict processing, should be sent to info@seasoncars.com and are logged and verified by the Data Protection Lead.
11.2 We respond within one calendar month of receiving a request and confirming the requester’s identity. This period may be extended by a further two months for complex or numerous requests, with the requester informed of the extension and reason within the first month.
11.3 We do not charge a fee for a request unless it is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse the request, explaining why.
We carry out a DPIA before starting any new processing activity that is likely to result in high risk to individuals — for example, introducing vehicle telematics/tracking, CCTV, a new automated insurance-decisioning tool, or a significant change to how we collect or share motoring conviction data. Our processing of criminal offence data for insurance eligibility (Section 5) has been assessed as requiring documented safeguards (the Appropriate Policy Document) rather than a full DPIA, but this should be revisited if the scale or nature of that processing changes materially.
All staff who handle personal data receive data protection training at induction and refreshed at least annually. This policy, and the linked Privacy Policy and Marketing Policy, are reviewed at least annually, and sooner if there is a material change to our processing activities, our processors, or the law.
Season Car Rental Limited, Arch 56, Ingate Place, Battersea, London SW8 3AG.
Email: info@seasoncars.com | Telephone: 0207 046 0048.