GDPR Compliance

1 Introduction

Monta understands the importance of treating the personal data of our customers, vendors, business partners, visitors to our website and other persons we interact with, in a confidential and private manner.

Transparency is a fundamental value at Monta, and Monta is committed to following the requirements and obligations in relation to data privacy in accordance with applicable law, including the EU General Data Protection Regulation ("GDPR"). Therefore, we have secure and adequate data processing procedures in place.

This document describes Monta's efforts to be GDPR compliant. It complements our Privacy Policy.

2 What is "Personal data" and "processing"

"Personal data" is any information relating to an identified or identifiable natural person ("data subject"; e.g., an employee of Monta, an end-user of Monta or a contact person employed at a business partner of Monta); an identifiable natural person is one who can be identified, directly or indirectly, even if only a few persons will be able to identify him/her and even if the probability of identification is low.

Personal data is for instance a name, a phone number, an IP address, a customer ID, a picture, and a fingerprint.

According to the General Data Protection Regulation ("GDPR"), every use or handling of personal data is considered "processing". "Processing" is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Storage of personal data is also considered a processing activity under the GDPR. The processing of personal data includes both automated processing and processing other than by automated means if the data forms part of a filing system or is intended to form part of a filing system.

Monta's processing includes the following types of personal data about data subjects:

  • Charge station ID;
  • User ID;
  • If applicable, energy company;
  • EV-driver address;
  • EV-driver charge card ID;
  • EV-driver data regarding transactional history;
  • EV-driver data regarding use (kWh);
  • EV-driver e-mail address;
  • EV-driver financial data (bank account, invoice);
  • EV-driver name;
  • If applicable, lease company;
  • Location of charge station;
  • Vehicle Identification Number (VIN);
  • Transaction ID.

3 Fundamental requirements for all processing activities

Prior to any processing of personal data, Monta must ensure compliance with certain fundamental legal requirements:

a. the basic principles of the GDPR on processing of personal data, and
b. the processing must have a specific legal basis listed in the GDPR.

Below is an overall description of the above-mentioned requirements.

3.1 The general data protection principles

When Monta is processing personal data, Monta must comply with applicable general data protection principles. Compliance with these principles does not in itself ensure the lawfulness of the processing of personal data. A legal basis for the processing is also required.

At any time, Monta must be able to demonstrate that it complies with the basic principles on processing of personal data. If Monta is not in compliance with the principles, the processing of personal data is not lawful and must cease. Please note that not even a consent from the data subject can make the processing lawful if Monta is not able to demonstrate compliance with the principles.

The general principles applicable in relation to processing of personal data are as follows:

3.1.1 Lawfulness, fairness, and transparency

The principles of lawfulness, fairness and transparency define good practice of data processing. Basically, this means that the personal data must be processed on the basis of consent or some other legal basis, and that it must be transparent to natural persons that personal data concerning them are collected, used and otherwise processed, which requires information and communication relating to the processing.

3.1.2 Purpose limitation

Monta may only collect personal data for specified, explicit and legitimate purposes and not process it further in a manner that is incompatible with the initial purposes. Based on this principle, Monta must - at the latest at the time when the personal data is collected - determine the specific purpose of the processing. The purpose must be legitimate and naturally related to the ordinary activities of Monta's business areas. In case of further processing, Monta is subject to further restrictions.

3.1.3 Data minimisation

Monta may only process adequate and relevant personal data. The quantity of the data must be limited to what is necessary in relation to the purposes for which they are processed (see purpose limitation above).

3.1.4 Accuracy

Monta must make sure that personal data are accurate and, where necessary, kept up to date. Inaccurate personal data must be erased or rectified without delay.

3.1.5 Storage limitation

Monta must delete personal data that are no longer necessary for the purposes for which the personal data are processed (see purpose limitation above). In other words, personal data must be deleted on an ongoing basis.

The establishment of routines of deletion is crucial in this respect. The determination of the deletion routines must be based on the purpose of which the personal data was initially collected (see purpose limitation above).

In general, it is essential that storage of personal data is kept to a minimum, and Monta's employees must erase personal data from their personal archive, including email inbox, personal folders, subfolders, desktop, etc. in a structured, well-defined, and regular manner. Further, physical documents must be shredded after it is no longer necessary to process the personal data included in said documents. Generally, when the personal data are stored in the intended IT-systems or archives, it is no longer necessary to also store the personal data privately in email inboxes, subfolders, desktop, etc. However, before erasing personal data, Monta's employees must make sure that the intended erasing complies with internal administrative procedures. In this connection, please note that national rules within the countries of EU/EEA may prescribe minimum retention periods of specific data; e.g. the Danish Bookkeeping Act which stipulates a retention period of 5 years in relation to a company's accounting records.

3.1.6 Integrity and confidentiality

Monta must ensure that personal data is processed with appropriate security to prevent i.a. accidental or unlawful destruction, loss, or alteration and against unauthorized disclosure and abuse.

For example, personal data which is considered confidential or sensitive must always be encrypted in transport, e.g. when it is sent by e-mail.

3.2 The categories of the personal data and the legal basis for the processing

Processing of personal data must be lawful. When deciding what is the legal basis for the processing, it is essential to firstly establish the category of the personal data.

3.2.1 Categories of personal data

Personal data can be divided into different categories depending on the character of the data:

"Ordinary" or "non-sensitive personal data" is for instance names, addresses, contact information, customer ID, credit information, car registration number and other information that is not "sensitive personal data" (non-exhaustive list).

"Sensitive personal data" is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning health, sex life or sexual orientation (exhaustive list).

Personal data can be considered as confidential, depending on the type of information in question. Confidential personal data is not specifically defined in the Data Protection Regulation, but usually includes information that is protected by secrecy provisions in national laws. For instance, information on "CPR numbers (social security numbers)" and "personal data relating to criminal convictions and offences" will as a rule be considered as confidential, as such information is subject to national provisions on secrecy and governed by the Danish Data Protection Act. Special data protection considerations must be taken into account prior to any processing activities e.g., this type of personal data must always be encrypted when it is sent by e-mail – see Monta’s IT policy.

3.2.2 The legal grounds

Ordinary personal data may be processed if for instance:

  • the data subject has given consent;
  • processing is necessary for the performance of a contract with the data subject; e.g. a sales agreement, or in order to take steps at the request of the data subject prior to the entering into a contract; e.g. an employment contract;
  • processing is necessary for compliance with a legal obligation to which Monta is subject as a controller; e.g. reporting obligations to national tax authorities; or
  • it is necessary for the purposes of the legitimate interests pursued by Monta, which are not overridden by the interests or fundamental rights and freedoms of the data subject.

3.2.3 Sensitive personal data - exceptions

Sensitive personal data may not be processed, unless a specific exception applies - for instance one of the following:

  • the data subject has given explicit consent;
  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of Monta or of the data subject in the field of employment; or
  • processing is necessary for the establishment, exercise or defence of legal claims, e.g. in connection with a specific dispute.

Please note that both a legal ground from section 3.2.2 and an exception from section 3.2.3 must be provided by Monta in order to process sensitive personal data.

4 Data subjects' rights

4.1 Information to be provided to the data subjects

When collecting personal data from the data subject or third parties, Monta must provide information about the processing to the data subject; e.g. the contact person employed at Monta's business partner or the employee of Monta.

As a general rule, the information must be provided to the data subject at the time when the personal data are obtained from the data subject, or within a reasonable period after obtaining the personal data from a third party, but at the latest within one month.

In order to comply with the information requirement, Monta must link to or by other means provide access to the relevant privacy policies.

Please refer to the specific privacy policies for respectively:

  • job applicants,
  • employees in Monta,
  • external business partners, customers, and website visitors (Monta’s external privacy policy)

Monta must take active steps in providing the information, so it is not sufficient to have the policies located on the webpage or the intranet.

4.2 Exercise of data subjects' rights request

The data subjects have a number of rights which Monta is required to handle in a timely manner and in accordance with the data protection rules.

Subject to certain exceptions and limitations, the data subjects have the right to:

  • Request access to their personal data. This right enables the data subjects to receive a copy of the personal data Monta processes about them.
  • Request correction of their personal data. This enables the data subjects to have incomplete or inaccurate personal data that Monta processes about them corrected.
  • Request erasure of their personal data. This right enables the data subjects to request to have their personal data erased prior to the expiry of Monta's usual retention period. This is sometimes referred to as the “right to be forgotten”.
  • Request the restriction of processing of their personal data. This right enables the data subjects, for instance, to ask Monta to suspend the processing of their personal data for a period enabling Monta to verify the accuracy of the personal data if the accuracy of the personal data being processed is contested by them, or if the processing is unlawful and the data subjects oppose to the erasure of the personal data and request restriction of their use instead.
  • Request data portability. This right enables the data subjects to request that Monta transfer the personal data which Monta has received from them, in a structured, commonly used and machine-readable format, and they will then have the right to transmit those personal data to another data controller without hindrance from Monta.
  • Object to processing of their personal data. This enables the data subjects to object to the processing of their personal data which is based, for instance, on Monta's legitimate interests, including profiling based on this legal basis.
  • Request not to be subject to automated individual decision-making, including profiling. This enables the data subjects to request that they are not subject to a decision by Monta based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. (Monta does not as a rule make decisions of this nature based solely on automated processing and without any human assessment whatsoever. Monta would notify the data subjects specifically and beforehand if we did.)

5 Security of personal data processing activities

5.1 Risk assessment

Monta implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk including, i.a., as appropriate:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. Monta has prepared written risk assessments with regards to the processing activities.

Changed or new personal data processing activities need to be risk assessed via our data protection risk assessment tool.

5.2 Data Protection Impact Assessment

If Monta processes personal data that is likely to result in a high risk for the persons whose personal data is being processed, a Data Protection Impact Assessment (“DPIA”) shall be carried out.

A DPIA implies that Monta will, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with data protection requirements.

Adherence to approved codes of conduct or approved certification mechanisms, where applicable, may be used as an element by which to demonstrate compliance with the appropriate technical and organisational measures according to this clause.

6 Data Protection by Design and Data Protection by Default

New products, services, technical solutions, etc. must be designed so they meet the principles of data protection by design and data protection by default settings.

Data protection by design means that when designing new products or services, key considerations to data protection must be shown:

  • Monta will take the following factors into account when acquiring or developing new products, services, technical solutions, etc.: the state of the art, the cost of implementation and the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing of personal data.
  • Monta implements, both at the time of the determination of the means for processing and at the time of the processing itself, appropriate technical and organisational measures, including, i.a., as appropriate pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet data protection requirements and protect the rights and freedoms of data subjects.

Data protection by default requires that relevant data minimisation techniques are implemented:

  • Monta implements appropriate technical and organisational measures ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed.
  • This minimisation requirement applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
  • Such measures shall ensure that by default, personal data are not made accessible without careful consideration.

7 Personal data breaches

"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Personal data breaches can broadly be categorised as described below; a single incident may fall into all of the categories at the same time or into any combination of them:

  • Confidentiality breach - an unauthorised or accidental disclosure of, or access to, personal data;
  • Availability breach - an unauthorised or accidental loss of access to, or destruction of, personal data; and/or
  • Integrity breach - an unauthorised or accidental alteration of personal data.

In case of a personal data breach, Monta is required to without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, notify the personal data breach to the relevant data protection supervisory authority, such as the Danish Data Protection Agency, and in some cases also the data subjects affected by the breach.

Even though Monta does its utmost to prevent unauthorised use or other misuse of personal data, mistakes or cyber security attacks may occur. To ensure the handling of personal data breaches in a timely manner and in accordance with the data protection rules, Monta has prepared guidelines which must be observed in case of a data breach.

8 Use of data processors

Monta's data processors are all included in Monta's Risk Register. Monta has a risk register where all licensed software is tracked, including who is the account responsible and the number of licenses granted.

Monta uses an external provider called "Openli" to perform due diligence on our data processors and ensure Monta has sufficient documentation for each provider, e.g. DPA/SCC/BCR/ISO certifications.

8.1 Use of data processors

An external data processor is a company, which processes personal data on behalf of Monta and in accordance with Monta’s documented instructions, including for Monta's purposes and by means set out by Monta, e.g. in relation to providers of HR systems, third party IT providers, etc.

When Monta outsources the processing of personal data to data processors, Monta ensures that said company as a minimum implements the same degree of security measures for the protection of personal data as Monta. If this cannot be guaranteed, Monta will choose another data processor.

The processing by a data processor is governed by a data processing agreement.

8.2 Data processing agreements

Prior to transfer of personal data to the data processor, Monta assesses whether the data processor provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subjects.

After the assessment is carried out and it is determined that the data processor meets such requirements, Monta enters into a written data processing agreement with the data processor.

The data processing agreement ensures that Monta controls the processing of personal data, which takes place outside Monta for which Monta is the data controller and thereby responsible.

9 Third country transfers

Special rules apply if personal data are being transferred to countries outside EU/EEA, so-called third countries. Transfers to third countries may occur in several situations, e.g., by using an IT hosting provider located in a third country.

The Court of Justice of the European Union has ruled that the protection granted to personal data in the EU/EEA must travel with the data wherever it goes. Basically, this means that transferring personal data to third countries cannot be a means to undermine or water down the protection it is afforded in the EU/EEA.

This means for Monta that certain matters must be attended to if personal data is intended to be transferred to a third country:

  • Prior to a transfer to a third country, an appropriate legal transfer ground must be established in accordance with Chapter V of the GDPR such as the standard contractual clauses of the EU Commission;
  • Prior to a transfer to a third country, Monta must make a transfer risk assessment, including an analysis of the third country's legislation and practices in order to determine if anything impinges on the effectiveness of the chosen transfer tool;
  • If the transfer risk assessment mentioned above reveals a risk and therefore a possibility of impingement of the effectiveness of the transfer tool, Monta must before a transfer to a third country - typically in collaboration with the data processor/the data importer - ensure the implementation of supplementary measures in order to fill the gaps in the protection and bring it up to a level of protection required by or essentially equivalent to EU law. The effectiveness of said supplementary measures must be assessed in the context of the specific transfer, in light of the third country law and practices and the transfer tool relied on. In principle, supplementary measures may have a contractual (e.g. transparency obligations and obligations to take action), technical (e.g. encryption or multi-party processing) and organisational (e.g. internal policies for governance of transfers and data minimisation measures) nature, and combining such diverse measures may enhance the level of protection and therefore contribute to reach the EU standard of protection; and
  • Monta shall at any time be able to demonstrate the above-mentioned to the relevant data protection supervisory authority; in Denmark, the Danish Data Protection Agency.

In order to meet these requirements concerning third country transfers, Monta has prepared a transfer risk assessment template on contemplated third country transfer to ensure that all mandatory steps and considerations are taken before a transfer to a third country.

Please note that there are exceptions to the requirements above. The requirements only apply if the transfer tool relied on is a safeguard pursuant to Article 46 of the GDPR.

10 Records of processing activities

Monta is required to maintain records of processing activities under Monta's responsibility. The content of the records is:

  • name and contact details;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country, including the identification of that third country and, if relevant, the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data; and
  • where possible, a general description of the applied technical and organisational security measures.

The records of processing activities are internal documents but must be disclosed to the data protection supervisory authority upon request.

Contact us

If you have any questions about the data we hold on you or you would like to exercise one of your data protection rights, please do not hesitate to contact us.

Last updated: 26 May 2023