Data Privacy Policy pursuant to Art. 13 and 14 GDPR

In the following we would like to inform you about the types of data processed by SIXT CRS and about the purposes of such data processing. We would also like to inform you about important legal aspects of data protection, such as your rights.

Controller

The party responsible for processing your data (controller) is Sixt Chauffeur Reservation Systems GmbH & Co. KG, Hausvogteiplatz 2, 10117 Berlin (hereinafter also referred to as SIXT CRS).

Contact information

If you have any questions on data protection, please contact our data protection officer at dataprotection-chauffeur@sixt.com. You can also contact our data protection officer at the following address: Sixt Chauffeur Reservation Systems GmbH & Co. KG, Datenschutzbeauftragter, Hausvogteiplatz 2, 10117 Berlin.

Categories of personal data

The following categories of personal data can be processed by us in connection with our services:

  • Master data: These include, for example, a person’s first name, surname, address (private and/or business), date of birth.
  • Communication data: These include, for example, a person’s telephone number, email address (private and/or business) fax number if applicable, as well as the content of communications (e.g., emails, letters, faxes).
  • Contract data These include, for example, pick-up and drop-off dates and locations, payment information, and information on customer loyalty and partner programmes.
  • Voluntary data: These are data that you provide to us on a voluntary basis, without us having explicitly requested them, and include information such as your preferences with regard to the vehicle’s equipment and category.

The legal basis for data processing at SIXT CRS

Art. 6 (1) point (a) of the General Data Protection Regulation (GDPR): Pursuant to this provision, the processing of your personal data is lawful if and to the extent that you have given your consent to such processing.

Art. 6 (1) point b) GDPR: Pursuant to this provision, the processing of your personal data is lawful if such processing is necessary for the performance of a contract to which you are party, or in order to take steps at your request prior to entering into a contract (e.g., when making the vehicle reservation).

Art. 6 (1) point c) GDPR: Pursuant to this provision, the processing of your personal data is lawful if such processing is necessary for compliance with a legal obligation to which SIXT CRS is subject,

Art. 6 (1) point f) GDPR: Pursuant to this provision, the processing of your personal data is lawful if such processing is necessary for the purposes of the legitimate interests pursued by the controller, i.e., SIXT, or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, i.e., you yourself.

Art. 9 (2) point f) GDPR: Pursuant to this provision, certain special categories of personal data can be processed if such processing is necessary for the establishment, exercise or defence of legal claims. These special categories of personal data include the health data of the data subjects.

 

The purposes of data processing at SIXT CRS

1. Registration and Booking

Purposes of data processing

Personal data is collected for example when using the website, app, telephone or third-partys

Personal data is collected e.g. via the website, app, by telephone, or via intermediaries if you make them available to us, e.g. primarily for the purpose of arranging service contracts with third parties for the booking of vehicles, for the purpose of using the platform on the basis of a registration, for the purpose of identification through a login process or for the purpose of communicating with us, e.g. via forms that you send us, or by sending us e-mails. The personal data we collect includes, but is not limited to:

  • Master data
  • Communication data
  • Contract data
  • Geolocation data
  • User preference data

We process your master data, communication data, contract data, financial data and any data you have provided voluntarily, for purposes of implementing your reservations and facilitating the conclusion and performance of your contract.

In the Sixt CRS booking process, you have the option of depositing a credit card and thus paying for your trip by credit card. (The actual debiting takes place only after the end of the journey).

Sixt CRS has engaged a professional payment service provider (PSP), certified according to the PCI-DSS security standard, for payment processing with credit cards, which is required to protect your credit card data.

Sixt CRS itself does not store any credit card information about you; in order to enable you to reuse an already registered card for future booking processes, we only store a reference number that uniquely identifies your card.

Legal basis for the above processing

Art. 6 (1) point b) GDPR applies to the processing of data to the extent required to implement reservations, to conclude and perform contracts and for customer relations purposes.

Categories of recipients of your data

For the purposes described in the foregoing, we disclose your data to the following recipients: contractual partners for the booking of vehicles (limousine service providers).

Transfer to third countries

If you use our company to reserve vehicles that you want to rent in third countries, we send your personal data to your contracting partner in the third country concerned. The transfer of your data to a third country is based on an adequacy decision by the European Commission. If no adequacy decision by the European Commission exists for the respective third country, then the transfer to that third country will take place subject to appropriate safeguards as per Art. 46 (2) GDPR. We can also transfer your data to a third country subject to the conditions set forth in Art. 49 GDPR. You can request copies of the aforementioned safeguards from SIXT CRS by writing to the address specified above (see → Controller). Third countries are countries outside the European Economic Area. The European Economic Area comprises all countries of the European Union as well as the countries of the so-called European Free Trade Association, which are Norway, Iceland and Liechtenstein.

2. Marketing and direct advertising

Purposes of data processing

We process your master data, communication data and contract data for purposes of promoting customer loyalty, implementing bonus programmes and optimising customer offers. The customer loyalty programmes we promote include our own programme and the programmes of our cooperation partners.

We use your email address in order to recommend similar products and services offered by us. You may at any time object to your email address being used without incurring more than the cost of transmission as per the applicable basic fees.

Legal basis for processing

Art. 6 (1) point a) GDPR applies to data processing for purposes of implementing direct marketing measures that require explicit advance consent.

Art. 6 (1) point f) GDPR applies to data processing for purposes of implementing direct marketing measures that do not require explicit advance consent, and of implementing the marketing measures mentioned (→ Purposes of data processing).

Legitimate interest, to the extent that Art. 6 (1) point f) GDPR applies to the type of processing concerned

Our legitimate interests in using your personal data for purposes of implementing direct marketing measures and the marketing measures mentioned lie in the fact that we want to convince you of our services and promote a lasting customer relationship with you.

Categories of recipients of your data

For the purposes described in the foregoing, we disclose your data to IT service providers, call centres, advertising partners and providers of customer loyalty programmes.

Transfer to third countries

The transfer of data to third countries takes place within the scope of partner programmes. The transfer of your data to a third country is based on an adequacy decision by the European Commission. If no adequacy decision by the European Commission exists for the respective third country, then the transfer to that third country will take place subject to appropriate safe-guards as per Art. 46 (2) GDPR. We can also transfer your data to a third country subject to the conditions set forth in Art. 49 GDPR. You can request copies of the aforementioned safeguards from SIXT by writing to the address specified above (see → Controller). Third countries are countries outside the European Economic Area. The European Economic Area comprises all countries of the European Union as well as the countries of the so-called European Free Trade Association, which are Norway, Iceland and Liechtenstein.

3. GPS-Tracking

Purposes of data processing

To ensure high quality customer service, Sixt CRS can track the coordinates of the drivers on the mobile phone (GPS tracking). These location data are not stored and are used exclusively to enable the execution of a reserved trip or to inform customers about an upcoming trip. To make it easier for you as a customer to book from your current location as a pick-up location with Sixt CRS mobile applications (Android and iOS Apps), our apps locate your location (if you have agreed to transfer your GPS data in the app). Sixt CRS does not store transaction data at any time.

Legal basis for processing

Art. 6 (1) point a) GDPR applies to data processing for purposes of implementing direct marketing measures that require explicit advance consent.

4. Website

Purposes of data processing

Your personal data is recorded via SIXT CRS websites (e.g mydriver.de) if you actively provide such data to us, for instance as part of a registration procedure, by filling out forms, by sending emails, and, primarily, by making a vehicle reservation. We use these data for the purposes described above or for purposes that arise from the respective request, for example, to process specific reservation requests or preferences.

Security, SSL technology

SIXT CRS has implemented a variety of technical and organisational measures in order to protect your personal data, in particular against random or intentional manipulation, loss, destruction and access by unauthorised persons. These security measures will be continually adapted in accordance with technological developments. The transfer of personal data between your computer and our server invariably takes place by encrypted connection (Secure Socket Layer (SSL).

Online tracking

Some new browsers use “Do not track” functions. If this is the case, our website may not respond to “Do not track” requests or may be unable to retrieve the headers of such browsers. To find out more about what your settings are and about whether you want to deny certain providers access to your information, please click here for the US, here for Canada, and here for Europe (please note that opting out will not mean that you are no longer displayed any advertising at all. Rather, you will still receive generic advertising).

Cookies

Visits to our website may result in information being stored on your computer in the form of “Cookies”. Cookies are small text files that are copied from a web server onto your hard disk. Cookies contain information that can later be read by a web server within the domain in which the cookie was assigned to you. Cookies cannot execute any programmes or infect your computer with viruses. The cookies used by us neither contain personal data nor are they connected to any such data.

Most of the cookies used by us are so-called session cookies, which are required in order to maintain consistency during your visit, for example by ensuring that the preferences you entered when making your reservation request, as well as any other information entered, are remembered for the duration of your session. We also need session cookies in order to ensure that any offers (e.g., promotional offers) you click on are assigned to your request. Session cookies are automatically deleted after each session. We furthermore use cookies in order to determine, when you pay return visits to our website, whether you are interested in certain types of offers. This enables us to be more targeted about the offers we show you on our website. If you are already registered with us and have a customer account, it will be possible for us to compare the information recorded by the cookies used with the information known to us. This in turn enables us to tune our offers more finely to your needs and wishes. These cookies have a lifespan of one year, after which they are automatically deleted. We also need cookies for purposes of settling accounts with our advertising partners, because cookies are able to record the page or promotional campaign that led the customer to us. As with other data, we record this data exclusively in abstract form so as to ensure that it cannot be used to identify the data subject. A cookie of this type has a lifespan of 31 days.

You have the opportunity to accept or to reject cookies. Most web browsers accept cookies automatically. Generally, however, you will be able to adjust your browser settings so as to reject cookies. If you opt to reject cookies, you may find that you are unable to use some of the website’s functions. If you accept cookies, you can opt to delete such accepted cookies at a later point in time. You can delete cookies in Internet Explorer 8 by selecting “Tools” > “Delete Browsing History” and then clicking on the button “Delete Cookies”. If you delete the cookies, all settings controlled by these cookies, including advertising settings, will be deleted, possibly irrecoverably.

Use of Google Analytics (this text is provided by Google, Inc)

This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses so-called "cookies", which are text files placed on your computer to help the website analyse how you use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser. However, please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data collected about you by Google in the manner and for the purposes set out above.

For more detailed information in this regard, please go to tools.google.com/dlpage/gaoptout or to www.google.com/intl/de/analytics/privacyoverview.html (general information on Google Analytics and data protection). We would like to point out that the code “gat._anonymizeIp();” was added to Google Analytics on this website to ensure that only anonymised IP addresses are recorded (IP masking).

Deactivate data analysis with Google Analytics for this website directly by clicking on the following link:

Disable Google Analytics

HotJar Web Analytics Service

The SIXT CRS website uses the HotJar analytics services for purposes of improving customer friendliness and customer experiences. These services can record mouse clicks as well as scroll movements. They can also record information entered on this website via keyboard. Such information is not personalised and thus remains anonymous. HotJar does not record such information on pages that do not use the HotJar system. You can deactivate the HotJar service by contacting HotJar via the following link: https://www.hotjar.com/contact.

Use of Google Maps

SIXT CRS mobile applications, as well as the reservation application and the branch finder application on the website, all use Google Maps API applications. These applications are all essential to the functionality and full availability of the booking service. By using the SixtMobil services, the reservation application or the branch finder application, you declare that you agree with such services and application being subject to the terms of service and the privacy policy of Google. To access Google’s terms of service, please click here. The access Google’s privacy policy, please click here. Google Maps is used to provide customers with the appropriate map section and to show them the nearest branches. The transfer of location data to Google invariably takes place in anonymised form; no further information is provided to Google.

Apple Maps

For users of our iOS app: This app uses Apple Maps applications. These applications are essential for the functionality and complete provision of the booking service. By using this app, you agree to the terms of use and privacy policy of Apple Maps. Apple Maps Terms of Use can be found at https://www.apple.com/legal/internet-services/maps/terms-de.html. Apple's Privacy Policy can be found at https://www.apple.com/legal/privacy/de-ww/.

Facebook

This website integrates so-called social plugins (e.g. "Like-Button") of the social network Facebook, which is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA ("Facebook"). If you interact with the plugins, e.g. by clicking the "like" button, you as a Facebook registered user can automatically leave a note in your facebook profile telling your network that you like the content you are visiting .

In this respect, our website enables ongoing data exchange with Facebook. Please note that a data exchange or the link already takes place when you access our website and does not depend on the activation of the social plugin / "Like-Button" or on a login to Facebook. If you don't want Facebook to be able to create a personalized motion profile of you, please log out of Facebook. Closing the Facebook page is not enough. Please see the purpose and scope of data collection and the further processing and use of the data by Facebook as well as your rights and setting options for the protection of your privacy at http://www.facebook.com/policy.php.

Disable Facebook tracking

Use of the Facebook Custom Audience service based on Facebook pixels

Our website uses the so-called Facebook pixel created by the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are resident in the EU, by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). This tool serves to present users of our website with advertising (“Facebook ads”) that matches their interests during their visits to Facebook. In this way we ensure that our Facebook ads correspond with the interests of the respective users and are therefore not perceived as a nuisance. We also use the Facebook pixel to track how many users click on our Facebook ads. This enables us to assess the effectiveness of those ads, which is useful for statistical and market research purposes. The Facebook pixel is activated by Facebook as soon as you open our website. It can store so-called cookies on your computer. If you log into Facebook after visiting our website, or visit Facebook while still logged in, then Facebook will assign this information to your personal Facebook account. The data recorded about you in no way allows us to draw inferences regarding your identity as a user. The collection and processing of the data by Facebook complies with the provisions of the Facebook Data Policy. For more information in this respect, please go to: https://www.facebook.com/about/privacy. You can, at any time, object to the recording of data by the Facebook pixel and the use of your data to present Facebook ads. To do so, please visit the page specially set up by Facebook for this purpose (when there, see the settings for use-based advertising), while you are still logged in to Facebook: https://www.facebook.com/settings. The settings are platform-independent, meaning that they will be assumed for all devices, whether desktop computers or mobile devices.

 

Google AdWords/Double Click:

Advertising shown by us is based on the interest in products our customers previously exhibited. We record information about our customers’ surfing patterns for purposes of providing them with interest-based online advertising. For this, cookies are stored on the respective user’s computer; these contain a multiple-digit identification number. If you do not agree with having your user behaviour analysed, you can adjust your browsers settings so as to prevent analysis cookies from being set. Please note, however, that this may prevent you from being able to use in full all the functions of this website.

The search engine program Google AdWords, provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Google), facilitates the systematic display on our website of advertising based on Google search terms. For this, Google sets a cookie in the user’s browser as soon as an advert appearing in the Google search or advertising network is clicked on.

For options on how to object to such tracking, please go to: https://www.google.com/ads/preferences.

Through its AdWords cookie-based conversion methods, Google can measure the number of people who, after clicking on an AdWords advert, went on to purchase or use the product/service offered. To the extent that Google Ads link to offers from this website, this website will receive statistics from Google about the number of purchases made after clicking on the respective Google AdWords advert.

The options for disabling this tracking function are as follows: You can adjust your browser so as to block the setting of cookies by the domain googleadservices.com or by third parties in general. You can also delete the Google conversion cookie in your browser’s cookie settings.

This website uses Google Remarketing on the basis of Doubleclick, another Google Inc service, to display interest-based advertising. The process of reviewing the pages shown and of allocating adverts is based on a pseudonymous identification number in the Doubleclick cookie. The cookie-generated information about the pages shown is then transferred to and stored on Google servers for evaluation purposes. To read the Google Privacy Policy, please go to https://www.google.de/policies/privacy.

For options on how to object to such tracking, please go to: https://www.google.com/ads/preferences

Further objection options:

You can also object to interest-based advertising by Google and by other advertising networks on the following website:

https://www.youronlinechoices.com/de/praferenzmanagement

Optimizely

This website uses Optimizely, a web analytics service offered by Optimizely Inc. (631 Howard Street, Suite 100, San Francisco, CA 94105, United States) that serves to simplify and conduct A/B testing for purposes of optimising and further developing this website. The information generated by the cookie about your use of the website will generally be transmitted to and stored on an Optimizely server.

The options for disabling this tracking function are as follows: You can deactivate Opitimizely tracking at any time by following the corresponding instructions at https://www.optimizely.com/opt_out.

ADITION

Our website uses the ADITION service provided by ADITION technologies AG, Oststraße 55, 40211 Düsseldorf, Germany. ADITION sets cookies to control and optimise the ways in which advertising measures implemented by ADITION customers are displayed. It can, for example, maximise the display frequency of advertising for users. When setting cookies, ADITION does not store any personal data such as names, email addresses, or any other personal information. All information gathered is anonymised and comprises technical data such as, for example, the advertising frequency and advertising date of advertising measures, as well as the browsers used and operating systems installed. All data gathered is stored on servers located within the Republic of Germany. For information on ADITION’s Data Privacy Statement, please go to www.adition.com/en/privacy/. You can object to such data processing by using an opt-out cookie. For more information in this respect, please go tohttps://www.adition.com/datenschutz/?optout=trueAdTraxx.

Refined Ads

To evaluate and optimise our website and to generate advertising that is more relevant to you, we use the tracking system Refined Ads created by Refined Labs GmbH (Residenzstr. 7, 80333 Munich, Germany). This system uses cookies to record user data and compile anonymous user profiles based on it. It does not attribute these data to personal user data.

You can object to such data processing by using an opt-out cookie. For more information in this respect, please go to https://www.refinedlabs.com/datenschutz-refined-ads.

Google Tag Manager

The platform uses the Google Tag Manager. This service allows website tags to be managed through an interface. The Google Tag Manager only implements tags. This means that no cookies are used and no personal data is collected. The Google Tag Manager triggers other tags, which in turn collect data if necessary. However, the Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, it remains valid for all tracking tags if they are implemented with the Google Tag Manager.

Legal basis for the above processing

Art. 6 (1) point f) GDPR applies where personal data is processed.

Legitimate interest, to the extent that Art. 6 (1) point f) GDPR applies to the type of processing concerned

Our legitimate interests in processing your personal data via our website lie in our desire to optimise our internet offering and, as such, offer our customers best possible services and sustainably increase customer satisfaction.

Categories of recipients of your data

Your data is only transmitted to third parties if this is necessary for performance of the contract, for example, in order to inform a local rental partner about your reservation or to process a credit card payment through your credit card company. In such cases, we transmit your data to IT service providers, call centres, collection companies, financial services providers, agency partners, franchise partners and other cooperation partners.

We moreover transmit data to Google, Inc and Facebook Ireland Ltd. in the aforementioned scope (see → Purposes of data processing).

As part of our measures to prevent fraud, we also transmit – in situations where third parties have been, or are at risk of being, defrauded – personal data to such third parties having suffered, or at risk of, fraud.

Transfer to third countries

If business customers use our services to reserve vehicles that are to be rented in a third country, we transmit the personal data of the driver to our contractual and business partners in such third country. The transfer of your data to a third country is based on an adequacy decision by the European Commission. If no adequacy decision by the European Commission exists for the respective third country, then the transfer to that third country will take place subject to appropriate safeguards as per Art. 46 (2) GDPR. You can request copies of the aforementioned safeguards from SIXT by writing to the address specified above (see → Controller). Third countries are countries outside the European Economic Area. The European Economic Area comprises all countries of the European Union as well as the countries of the so-called European Free Trade Association, which are Norway, Iceland and Liechtenstein. 

 

Storage duration/criteria for storage duration

SIXT CRS stores your personal data until they are no longer necessary in relation to the purposes for which they were collected or otherwise processed (see → Purposes of data processing at SIXT CRS). Where SIXT CRS is under legal obligation to store personal data, it will store personal data for the preservation period stipulated by law. The preservation period for commercial documents, which include bookkeeping documents and accounting records (including invoices), is 10 years (Section 257 (4) of the German Commercial Code). During this period, your data may be subject to restricted use within day-to-day operations if its processing serves no further purposes.

 

Rights of data subjects

Rights pursuant to Art. 15 – 18 and 20 GDPR

You have the right to, at reasonable intervals, obtain information about your personal data under storage (Art. 15 GDPR). The information you are entitled to includes information about whether or not personal data concerning you are stored, about the categories of personal data concerned, and about the purposes of the processing. Upon request, SIXT CRS will provide you with a copy of the personal data that are processed.

You also have the right to obtain from SIXT CRS the rectification of inaccurate personal data concerning you (Art. 16 GDPR).  

You furthermore have the right to obtain from SIXT CRS the erasure of personal data concerning you (Art. 17 GDPR). We are under obligation to erase personal data in certain circumstances, including if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, if you withdraw the consent on which the processing is based, and if the personal data have been unlawfully processed.

Under certain circumstances, you have the right to have the processing of your personal data restricted (Art. 18 DSGVO). These include circumstances in which you contest the accuracy of your personal data and we then have to verify such accuracy. In such cases, we must refrain from further processing your personal data, with the exception of storage, until the matter has been clarified.

Should you opt to change to a competitor of SIXT CRS, you have the right either to receive, in a machine-readable format, the data that you provided to us based on your consent or on a contractual agreement with us, or to have us transmit, also in a machine-readable format, such data to a third party of your choice (Right to data portability, Art. 20 GDPR).

No contractual or legal obligations to provide data/consequences of failure to provide data

You are not contractually or legally obliged to provide us with your personal data. Please note, however, that you cannot enter into a vehicle rental contract with us or avail of other services provided by us if we are not permitted to collect and process the data as required for the purposes specified in the foregoing (see → The purposes of data processing at SIXT CRS).

Right to object pursuant to Art. 21 GDPR

If the processing of your data by SIXT is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Art. 6 (1) point e) GDPR) or if it is necessary in the legitimate interests of SIXT CRS, then you have the right to object at any time, on grounds relating to your particular situation, to the processing of your data. SIXT CRS will then end the processing, unless we can present compelling legitimate grounds for such processing that supersede the grounds for ending the processing.

You may object, at any time and without restriction, to the processing of your personal data for purposes of direct advertising.

Right to withdraw consent at any time

If data processing at SIXT CRS is based on your consent, then you have the right to, at any time, withdraw the consent you granted. The withdrawal of consent shall not affect the lawfulness of processing between the time consent was granted and the time it was revoked.

Right to lodge a complaint with the supervisory authority

You have the right to lodge complaints with the supervisory authority responsible for SIXT CRS. Please send such complaints to the following address:

Berliner Beauftragte für Datenschutz und Informationsfreiheit

Friedrichstraße 219

10969 Berlin

 

Last amended in: May 2018