Privacy Policy Sixt Ride

In the following we would like to inform you about the types of personal data processed by Sixt Ride and about the purposes of such data processing. We would also like to inform you about important legal aspects of data protection, such as your rights.

Controller

Sixt Ride GmbH & Co. KG, Zugspitzstrasse 1, D-82049 Pullach (hereinafter also referred to as Sixt Ride) is the controller that will process your data.

If you have any questions regarding data protection, please address your query to the following e-mail address: dataprotection-chauffeur@sixt.com

You can also contact our data protection officer by writing to the above-stated address (reference: data protection officer).

Categories of personal data

The following categories of personal data may be processed by us in connection with our services:

  • Master data: These include, for example, a person’s first name, surname, address (private and/or business), date of birth.
  • Communication data: These include, for example, a person’s telephone number, email address (private and/or business) fax number if applicable, as well as the content of communications (e.g., emails, letters, faxes).
  • Contract data: These include, for example, Location and time of pick-up, destination, payment details, and information on loyalty and affiliate programs.
  • Voluntary data: This includes data that you provide to us on a voluntary basis that we do not expressly request from you, such as your preference for a vehicle category, for example.

 

The legal basis for data processing at Sixt Ride

Art. 6 (1) sentence 1 point a) of the General Data Protection Regulation (GDPR): Pursuant to this provision, the processing of your personal data is lawful if and to the extent that you have given your consent to such processing.

Art. 6 (1) sentence 1 point b) GDPR: Pursuant to this provision, the processing of your personal data is lawful if such processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract (e.g., when booking a vehicle).

Art. 6 (1) sentence 1 point c) GDPR: Pursuant to this provision, the processing of your personal data is lawful if such processing is necessary for compliance with a legal obligation to which SIXT is subject.

Art. 6 (1) sentence 1 point f) GDPR: Pursuant to this provision, the processing of your personal data is lawful if such processing is necessary for the purposes of the legitimate interests pursued by the controller, i.e., Sixt Ride, or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, i.e., you yourself.

 

The purposes of data processing at Sixt Ride

 

  1. Registration and booking

Purposes of data processing

Personal data are collected and processed via websites, the app, the telephone, or an intermediary, for example, if you provide such data, e.g., especially for the purpose of arranging service contracts with third parties for the booking of vehicles, for the purpose of using the platform with a registered account, for the purpose of identification by logging in or for the purpose of communicating with us, e.g., through the forms that you submit to us or by sending e-mails to us. The personal data that we collect include:

  • Master data
  • Communication data
  • Contract data
  • Geolocation data
  • Data about user preferences

We use these data for the purposes described above or for purposes that arise from the respective request, for example, to process specific booking requests or to process your preferences.

The Sixt Ride booking process provides you with the option of storing a credit card and paying for your ride by credit card. (The card will only be charged after the ride has been completed).

Sixt Ride uses a PCI-DSS certified payment service provider (PSP) for credit card payments. This service is required to protect your credit card information.

Sixt Ride itself does not store any of your credit card information. In order to allow you to reuse an already-registered card for future bookings, we simply store a reference number that uniquely identifies your credit card.

For your security and ours, we also use your information to prevent fraud and payment default. For this purpose, we work together with the service provider Kount Inc., 917 Lusk Street, Suite 300, Boise, ID 83706 USA. The service provider analyses your master and contract data to ensure its authenticity and to prevent fraud risks.

Legal basis for the above processing

Art. 6 (1) sentence 1 point b) GDPR applies to data processing for the fulfilment of the data processing contract that was concluded with you for the processing of service contracts with third parties (booking vehicles) as well as for the fulfilment of the platform usage contract that was concluded with you. Art. 6 (1) sentence 1 point f) GDPR applies to the processing of data to the extent required to settle accounts vis-à-vis third parties, to assert our own claims, and to mitigate risks.

Legitimate interest, to the extent that Art. 6 (1) sentence 1 point f) GDPR applies to the type of processing concerned

Our legitimate interest in processing your personal data for purposes of risk prevention is to avoid fraudulent bookings and payment defaults.

Categories of recipients of your data

We will disclose your data to the following recipients for the purposes named above (in particular to inform the driver company about the booking or to process a payment): financial service providers, risk prevention service providers, SIXT Group companies, and cooperation partners.

  1. Marketing and direct advertising

Purposes of data processing

We process your master data, communication data and contract data for purposes of promoting customer loyalty, implementing loyalty and bonus programmes (including our own programmes and those of our cooperation partners) and optimising customer offers.

You may object to any processing or use of your data for direct marketing purposes at any time. Please send any objections to: Sixt Ride GmbH & Co. KG, , reference: Widerspruch (Appeals), Zugspitzstrasse 1, D-82049 Pullach or by e-mail: dataprotection-chauffeur@sixt.com .

Legal basis for processing

Art. 6 (1) sentence 1 point a) GDPR applies to data processing for purposes of implementing direct marketing measures that require explicit advance consent.

Art. 6 (1) sentence 1 point f) GDPR applies to data processing for purposes of implementing direct marketing measures that do not require explicit advance consent, and of implementing the marketing measures mentioned (→ Purposes of data processing).

Legitimate interest, to the extent that Art. 6 (1) sentence 1 point f) GDPR applies to the type of processing concerned

Our legitimate interests in using your personal data for purposes of implementing direct marketing measures and the marketing measures mentioned lie in the fact that we want to convince you of our services and promote a lasting customer relationship with you.

Categories of recipients of your data

For the purposes described in the foregoing, we disclose your data to IT service providers, call centres, advertising partners and providers of customer loyalty programmes.

  1. GPS tracking

Purposes of data processing

In order to ensure that customers can conveniently book to be picked-up from their current location by using the Sixt Ride mobile applications (Android and iOS apps), our apps are able to determine your location, provided that you have consented that your GPS data be transmitted in the app. These location data are not stored and are used only to determine the pick-up point. Further, we are able to determine the coordinates of drivers via their mobile phones, even while you are in the vehicle. This helps us to arrange additional bookings and to conduct booked rides and to provide customers with information about their upcoming ride (for instance what time the driver will arrive).

Legal basis for the above processing

Art. 6 (1) sentence 1 point a) GDPR applies to the processing of data based on your consent; Art. 6 (1) sentence 1 point b) or f)GDPR applies to the collecting of driver location data.

Legitimate interest, to the extent that Art. 6 (1) sentence 1 point f) GDPR applies to the type of processing concerned

Our legitimate interest in collecting the location data of drivers lies in offering location-related services and features.

  1. Business customers/payment by third parties

If you book a ride through your employer, we also process your data for the purposes described in this Data Privacy Policy. This also applies mutatis mutandi if a third party is to pay the invoice.

Categories of recipients of your data

We transmit personal data collected during the rental (in particular invoice data, including possibly also in the form of monthly statements) to your employer or the third party who is to pay your invoice.

Legal basis for the above processing

Art. 6 (1) sentence 1 point b) GDPR provides for data processing for the purposes of booking and customer relations, otherwise Art. 6 (1) sentence 1 point f) GDPR.

Legitimate interest, to the extent that Art. 6 (1) sentence 1 point f) GDPR applies to the type of processing concerned

Insofar as the processing of data for the purpose of settling the account with your employer or third parties is concerned, our legitimate interest is in being able to assert invoice amounts and other claims or to determine the party against which the damage claim is asserted. 

 

  1. Cookies and App Analytics

Purposes of data processing

Our websites use “cookies”, and our App uses corresponding analytics tools. Cookies are small text files that are copied from a web server onto your hard disk. Cookies contain information that can later be read by a web server within the domain in which the cookie was assigned to you. Cookies cannot execute any programmes or infect your computer with viruses. The cookies used by us contain no personal data and are not linked to any such data. Analytics tools store data about the use of the app either in the app itself, or they transmit (anonymised) usage evaluations to the operator of the app.

Further information on cookies and deactivating them can be found in the cookie policy of the respective website (accessible via the link in the respective cookie banner or via the “Data Privacy Policy” menu item). You can deactivate app analytics in the app (Info à Data Privacy Policy).

Legal basis for the above processing

Art. 6 (1) sentence 1 point f) GDPR applies where personal data is processed.

Legitimate interest, to the extent that Art. 6 (1) sentence 1 point f) GDPR applies to the type of processing concerned

Our legitimate interests in processing your personal data via our websites and app lie in our desire to optimise our Internet offering and, as such, offer our customers best possible services and increase customer satisfaction.

Transfer to third countries

If you book rides with us in third countries, we will transfer your personal data to the contract partner in the third country. The transfer of your data to a third country is based on an adequacy decision by the European Commission. If no adequacy decision by the European Commission exists for the respective third country, then the transfer to that third country will take place subject to appropriate safeguards as per Art. 46 (2) GDPR. You can request copies of the aforementioned safeguards from Sixt Ride by writing to the address specified above (cf. → Controller). Third countries are countries outside the European Economic Area. The European Economic Area comprises all countries of the European Union as well as the countries of the so-called European Free Trade Association, which are Norway, Iceland and Liechtenstein. 

Storage duration/criteria for storage duration

Sixt Ride stores your personal data until they are no longer necessary for the purposes for which they were collected or otherwise processed (cf. → Purposes of data processing at Sixt Ride). Where Sixt Ride is under legal obligation to store personal data, it will store personal data for the preservation period stipulated by law. The preservation period for commercial documents, which include bookkeeping documents and accounting records (including invoices), is 10 years. During this period, your data may be subject to restricted use within day-to-day operations if its processing serves no further purposes. The data that are recorded by the mobile phones of drivers (cf. → GPS tracking) are erased after a period of three months.

Your rights

Rights pursuant to Art. 15 – 18 and 20 GDPR

You have the right to, at reasonable intervals, obtain information about your personal data under storage (Art. 15 GDPR). The information you are entitled to includes information about whether or not Sixt Ride has stored personal data concerning you, about the categories of personal data concerned, and about the purposes of the processing. Upon request, Sixt Ride will provide you with a copy of the personal data that are processed.

You also have the right to obtain from Sixt Ride the rectification of inaccurate personal data concerning you (Art. 16 GDPR).

You furthermore have the right to obtain from Sixt Ride the erasure of personal data concerning you (Art. 17 GDPR). We are under obligation to erase personal data in certain circumstances, including if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, if you withdraw the consent on which the processing is based, or if the personal data have been processed unlawfully.

Under certain circumstances, you have the right to have the processing of your personal data restricted (Art. 18 GDPR). These include circumstances in which you contest the accuracy of your personal data and we then have to verify such accuracy. In such cases, we must refrain from further processing your personal data, with the exception of storage, until the matter has been clarified.

Should you opt to change to a competitor of Sixt Ride, you have the right either to receive, in a machine-readable format, the data that you provided to us based on your consent or on a contractual agreement with us, or to have us transmit, also in a machine-readable format, such data to a third party of your choice (Right to data portability, Art. 20 GDPR).

No contractual or legal obligations to provide data/consequences of failure to provide data

You are not contractually or legally obliged to provide us with your personal data. Please note, however, that you cannot enter into a contract for our services if we are not permitted to collect and process the data as required for the purposes specified in the foregoing (see → The purposes of data processing at Sixt Ride)

Right to object pursuant to Art. 21 GDPR

If the processing of your data by Sixt Ride is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Art. 6 (1) sentence 1 point (e) GDPR) or if it is necessary in the legitimate interests of Sixt Ride, then you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data. Sixt Ride will then end the processing, unless we can present compelling legitimate grounds for such processing that supersede the grounds for ending the processing.

You may object, at any time and without restriction, to the processing of your personal data for purposes of direct advertising.

Right to withdraw consent at any time

If data processing at Sixt Ride is based on your consent, then you have the right to, at any time, withdraw the consent you granted. The withdrawal of consent shall not affect the lawfulness of processing between the time consent was granted and the time it was revoked.

Right to lodge a complaint

You have the right to lodge complaints with the supervisory authority responsible for Sixt Ride. Please send such complaints to the following address:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Promenade 27

D-91522 Ansbach

 

Last amended in: February 2019