INFORMATION NOTICE ON THE

PROTECTION OF PERSONAL DATA

At CFL Mobility, the customer is our primary concern.

And naturally, the protection of your personal data is a priority for us, and for each CFL Group entity

that may have reason to process your personal data.

This notice provides you with the information you need. It explains how we gather, use, share, store

and protect your personal information. It also informs you about your rights and how to enforce them.

1. Who is in charge of the processing?

CFL Mobility, established and having its registered office at L-1616 Luxembourg, 9 Place de la Gare and

registered with the Luxembourg Trade and Companies Register under number B213407, is the

controller of the personal data about you that we process.

In this capacity we are responsible for the way in which we gather, use, share, store and protect your

personal information.

2. Which categories of personal data are processed and for what purposes?

CFL Mobility offers a car sharing service.

For this mission, we collect and process a number of items of personal data about you.

Depending on the purpose for which we do so, the categories of personal data are:

- identification data (surname, first name, address, telephone number, etc.),

- data on personal characteristics (date of birth, sex, nationality, identity document, driving

license and/or other administrative identification documents, etc.),

- electronic identification data (IP address, cookies, e-mail address, etc.),

- financial data (credit card or bank account numbers) related to your purchase of services,

- data on the composition of your household for subscribing certain types of services,

- data on your profession, employment,

- photos from your justificatory documents,

- geolocation data (date, time, distance travelled, GPS points) managed by the on-board

computer of the rented vehicle,

- fuel card data (where was the fuel filled up, when, price, etc.).

In certain cases, we also handle particular categories of personal data defined as sensitive data,

namely:

- data on offences or convictions,

- health data.

In all cases, the CFL undertake to ensure that the data are collected for the specific purposes and that

the processing is adequate, relevant and limited to what is necessary for the purpose for which they

are processed.

The intended purposes are:

- the management of our contractual relations and related services (fuel, insurance, etc.),

- the creation and management of customer accounts,

- commercial customer management,

- customer needs analysis,

- personalising your access to the system,

- managing the geolocation data integrated in the on-board computer of the rented vehicle,

- complaints management,

- incident management (breakdown assistance, accidents, ...) and the management of loss

claims involving the rented vehicle,

- the prevention and treatment of offences,

- the management of pre-litigation or litigation disputes, the management of collection

requests, the management of reminders and debt recovery,

- the development of statistics,

- prospecting and marketing,

- the management and the sending of our newsletter if you agree to our sending it.

Further information on geolocation data processing can be found in Appendix 1.

3. How do we collect, process and use your data?

We collect and use the personal data that you provide to us when you create a customer account via

our website or, in the case of a contract between CFL Mobility and another legal person ("B2B"), under

the terms and conditions set out in the contract signed between the parties, as well as each time you

use our services.

Personal information can also be collected using cookies, web beacons and other similar technologies

when you visit our website or mobile application.

For each purpose described above, the collection and processing of your data are:

• performed in conformity with the applicable regulations governing the protection of personal

data. These include the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the

Council of 27 April 2016 on the protection of natural persons with regard to the processing of

personal data and the free movement of such data, and repealing Directive 95/46/EC (General

Data Protection Regulation)), the related Guidelines and the national legislation implementing the

GDPR where appropriate,

• and legally founded

o either on the fact that the processing of your personal data is necessary for the performance

of the car sharing contract to which you are party or the carrying out of pre-contractual

measures undertaken at your request,

o or on the basis of your consent,

o or on the fact that the processing is necessary to fulfil a legal obligation to which we are

subject as controller,

o or on an interest recognized as legitimate.

4. Who has access to your data?

We see to it that your personal data is processed in a way that respects the purposes stated above.

To provide you with best quality services, these data are shared with certain departments CFL Group

company departments, in Luxembourg, in strict compliance with the missions entrusted to them. The

main departments here are:

• the CFL Legal and Insurance Department,

• the CFL Internal Audit Department,

• the CFL IT Department,

• the CFL Finance Department,

• the CFL Passengers Department.

5. Where are your data processed, to where are they transferred?

Your data is processed by CFL Mobility, which takes all appropriate technical and organizational

measures to protect the security of your personal data and, first and foremost, their confidentiality,

integrity and availability.

Strictly within the context of the purposes mentioned above and whenever necessary, we share your

personal data with our business partners (software suppliers, payment service providers, external call

centre, etc.), as well as to our auditors, our legal advisers, the Luxembourg administration and other

competent national or foreign authorities, in order to provide our services.

Where data is transferred, we contractually require our providers to guarantee the security and

confidentiality of your personal data by means of appropriate technical and organizational measures

in accordance with the regulations. We also watch to ensure that these guarantees are complied with.

6. How long do we keep your data?

We keep your personal data for as long as they are needed for the purpose for which they are

processed and as long as necessary for us to fulfil our obligations resulting from limitation periods

and/or any other legal provisions.

7. What are your rights with respect to your personal data?

Under the conditions provided by the regulations, you have the right to:

• access the personal data that we hold on you,

• have rectified any data that is inaccurate or incomplete,

• have your data deleted in certain cases, for example, whenever your data are no longer necessary

for the intended purpose and we no longer have any contractual or legal obligation to store them,

• request that limits be placed on the processing of your personal data, for example, limiting the

processing of data of which you dispute the accuracy for the time we need to verify your request,

• request the portability of your personal data to allow them to be transmitted to you a structured,

commonly used and readable format or be transferred to another controller,

• withdraw your consent at any time (unless the processing is based on a legal basis other than your

consent) to the processing of your personal data, but without compromising the legality of the

consent-based processing prior to such withdrawal,

• oppose the processing of your data solely for the pursuit of our legitimate interests or prohibit us

from processing them, including for direct marketing,

• file a complaint with the competent personal data protection authority, either or your country

and/or the Grand Duchy of Luxembourg (Commission Nationale pour la Protection des Données –

CNPD, located at 1, avenue du Rock'n'Roll , L-4361 Esch-sur-Alzette - www.cnpd.public.lu).

8. Contacting us and exercising your rights?

You may address your questions regarding the processing of your personal data and/or exercise your

above-mentioned rights by contacting the CFL Mobility Data Protection Officer (DPO):

• on our website www.flex.lu by clicking on the link gdpr.cfl.lu ,

• by post to:

CFL Mobility

To the attention of the Data Protection Officer - (Déléguée à la Protection des Données - DPO)

Gare de Wasserbillig

L-6630 Wasserbillig.

Any complaint relating to the processing of your personal data may be addressed to the above-

mentioned postal address or to the supervisory authority of the Grand Duchy of Luxembourg, i.e. the

National Commission for Data Protection (Commission Nationale Pour la Protection des Données –

CNPD, 1, avenue du Rock'n'Roll, L-4361 Esch-sur-Alzette - www.cnpd.public.lu).

9. How do we update this information notice?

In order to comply with the regulations in force, CFL Mobility undertakes to update this information

notice whenever necessary.

The latest version is posted on our website www.flex.lu.

Appendix 1

Use of a vehicle equipped with a tracking system

Software for managing vehicles, reservations and customers, as well as related data, is used for CFL

Mobility's FLEX vehicle sharing. All vehicles are equipped with an on-board computer in order to

manage the booking and unlocking of the vehicle, as well as for detecting its position.

The location system is intended solely to ensure the operational functioning of the reservation system,

such as for example to check whether a vehicle has been returned to the intended location.

The state of the vehicle and, in the case of certain events, its position are transmitted to the software

via the on-board computer. These data are processed on the server of our Swiss-based software and

hardware suppliers, and stored in accordance with European Union rules on the protection of personal

data. This also applies to customer data.

Upon request, personal data may be transmitted to the authorities under the relevant laws, for

example in case of a misdemeanour.

On the other hand, in the event of an accident or breakdown, if the vehicle is reported as missing, or

in the event of a malfunction, CFL Mobility can identify the vehicle's most recent position. CFL Mobility

will not expressly use any of these data in any form for the purposes of locating or tracing customers.

Similarly, the acquisition of data relating to the routes taken is not of a continuous nature.

In addition, some vehicles are equipped with the new European emergency call system, which, in the

event of an accident, automatically sends data to a rescue centre. In this case too, the vehicle's position

is located according to European Union rules. CFL Mobility has no influence on these data, and does

not have access to them.