Data Privacy Policy

In the following we would like to inform you about the types of personal data processed by SIXT RIDE and about the purposes of such data processing. We would also like to inform you about important legal aspects of data protection, such as your rights.

Controller

With the exception in Section 1. Registration – Sixt Account, the party responsible for processing your data (controller) in regard to any content and customer’s bookings and arrangement of transportation services on the following websites: www.sixt.de/ridewww.sixt.com/ridewww.sixt.co.ukwww.sixt.fr/ridewww.sixt.es/ridewww.sixt.it/ride and www.sixt.nl/ride is Sixt Ride GmbH & Co. KG (SIXT RIDE), Zugspitzstraße 1, D-82049 Pullach.

If you have any questions regarding data protection, please address your query to the following e-mail address: dataprotection-chauffeur@sixt.com.

You can also contact our data protection officer by writing to the above-stated address (reference: data protection officer).

Categories of personal data

The following categories of personal data may be processed by us in connection with our services:

  • Master data: These include, for example, a person’s first name, surname, address (private and/or business), date of birth.
  • Communication data: These include, for example, a person’s telephone number, email address (private and/or business) fax number if applicable, as well as the content of communications (e.g., emails, letters, faxes).
  • Contract data: These include, for example, Location and time of pick-up, destination, payment details, and information on loyalty and affiliate programs.
  • Voluntary data: This includes data that you provide to us on a voluntary basis that we do not expressly request from you, such as your preference for a vehicle category, for example. 

The legal basis for data processing at SIXT RIDE

Art. 6 (1) sentence 1 point a) of the General Data Protection Regulation (GDPR): Pursuant to this provision, the processing of your personal data is lawful if and to the extent that you have given your consent to such processing.

Art. 6 (1) sentence 1 point b) GDPR: Pursuant to this provision, the processing of your personal data is lawful if such processing is necessary for the performance of a contract (e.g., transportation service agreement) to which you are a party, or in order to take steps at your request prior to entering into a contract (e.g., when booking a vehicle).

Art. 6 (1) sentence 1 point c) GDPR: Pursuant to this provision, the processing of your personal data is lawful if such processing is necessary for compliance with a legal obligation to which SIXT is subject.

Art. 6 (1) sentence 1 point f) GDPR: Pursuant to this provision, the processing of your personal data is lawful if such processing is necessary for the purposes of the legitimate interests pursued by the controller, i.e., SIXT RIDE, or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, i.e., you yourself. 

The purposes of data processing at SIXT RIDE

1. Registration – Sixt Account

Purposes of data processing

We process master data, communication data, contract data and financial data in a joint database with Sixt GmbH & Co. Autovermietung KG (SIXT), in particular for the purposes of registering and managing Sixt customer accounts, of providing customer relations services and of processing and handling invoices. The respective responsibilities have been determined in an arrangement concerning joint responsibility as joint controllers. In the scope of their joint responsibility under data protection laws, SIXT RIDE and SIXT have made an arrangement determining who is responsible for the compliance with the respective obligations under the GDPR. This refers, in particular, to the rights of data subjects and the fulfilment of the duties to provide information pursuant to Articles 13 and 14 GDPR. 

Legal basis for the above processing

Art. 6 (1) sentence 1 point a) GDPR applies to the processing of data based on your consent; Art. 6 (1) sentence 1 point f) GDPR applies to the processing that is based on the legitimate interest of SIXT RIDE. 

Legitimate interest, to the extent that Art. 6 (1) sentence 1 point f) GDPR applies to the type of processing concerned

Our legitimate interest in processing your personal data for the purpose of a single Sixt account is that we are thus able to provide our customers with all Sixt services under one single interface and to offer our customers the best possible services, thereby enhancing customer satisfaction. 

Categories of recipients of your data

SIXT RIDE transmits your personal data to SIXT as the joint controller within the meaning of Art. 26 GDPR.

2. Booking

Purposes of data processing

Personal data are collected and processed via websites, the app, the telephone, or an intermediary, for example, if you provide such data, e.g., especially for the purpose of arranging transportation service agreements with third parties transportation service providers for the booking of vehicles, for the purpose of using the platform with a registered account, for the purpose of identification by logging in or for the purpose of communicating with us, e.g., through the forms that you submit to us or by sending e-mails to us. The personal data that we collect include:

  • Master data
  • Communication data
  • Contract data
  • Geolocation data
  • Data about user preferences

We use these data for the purposes described above or for purposes that arise from the respective request, for example, to process specific booking requests or to process your preferences.

The SIXT RIDE booking process provides you with the option of storing a credit card and paying for your ride by credit card. (The card will only be charged after the ride has been completed).

SIXT RIDE uses a PCI-DSS certified payment service provider (PSP) for credit card payments. This service is required to protect your credit card information.

SIXT RIDE itself does not store any of your credit card information. In order to allow you to reuse an already-registered card for future bookings, we simply store a reference number that uniquely identifies your credit card.

For your security and ours, we also use your information to prevent fraud and payment default. For this purpose, we work together with the service provider Kount Inc., 917 Lusk Street, Suite 300, Boise, ID 83706 USA. The service provider analyses your master and contract data to ensure its authenticity and to prevent fraud risks.

Legal basis for the above processing

Art. 6 (1) sentence 1 point b) GDPR applies to data processing for the fulfilment of transportation service agreements concluded between you and third party transportation service providers (booking vehicles), as well as for the fulfilment of the platform usage contract that was concluded with you. Art. 6 (1) sentence 1 point f) GDPR applies to the processing of data to the extent required to settle accounts vis-à-vis third parties, to assert our own claims, and to mitigate risks.

Legitimate interest, to the extent that Art. 6 (1) sentence 1 point f) GDPR applies to the type of processing concerned

Our legitimate interest in processing your personal data for purposes of risk prevention is to avoid fraudulent bookings and payment defaults.

Categories of recipients of your data

We will disclose your data to the following recipients for the purposes named above (in particular to inform the driver company about the booking or to process a payment): financial service providers, risk prevention service providers, SIXT Group companies, and cooperation partners.

3. Marketing and direct advertising

Purposes of data processing

We perform a range of different marketing measures for advertising purposes, to promote customer loyalty, to optimise customer offers, for market research and survey purposes and for bonus programmes. For this purpose, we process your master data, communication data and contract data and will inform you about our mobility services and suitable extras or additional services, such as mileage deals or recommended insurance coverage.

SIXT RIDE carries out the aforementioned marketing and direct marketing measures on its own behalf and on behalf of the Sixt Group companies listed in the attachment as well as on behalf of SIXT franchise and cooperation partners as well as other partners/cooperations.

Our marketing measures also include prize draws that are usually subject to separate terms and conditions for participation. If you participate in one of our prize draws, we process the data that you provide to us (usually be registering via the respective participation form on our website) in order to be able to participate in the prize draw as far as this is required to carry out and process the prize draw.

You may object to any processing or use of your data for direct marketing purposes at any time. Please send any objections to: Sixt Ride GmbH & Co. KG, , reference: Widerspruch (Appeals), Zugspitzstrasse 1, D-82049 Pullach or by e-mail: dataprotection-chauffeur@sixt.com.

Legal basis for processing

Art. 6 (1) sentence 1 point a) GDPR applies to data processing for purposes of implementing direct marketing measures that require explicit advance consent.

Art. 6 (1) sentence 1 point f) GDPR applies to data processing for purposes of implementing direct marketing measures that do not require explicit advance consent, and of implementing the marketing measures mentioned (→ Purposes of data processing).

Legitimate interest, to the extent that Art. 6 (1) sentence 1 point f) GDPR applies to the type of processing concerned

Our legitimate interests in using your personal data for purposes of implementing direct marketing measures and the marketing measures mentioned lie in the fact that we want to convince you of our services and promote a lasting customer relationship with you.

Categories of recipients of your data

For the purposes described in the foregoing, we disclose your data to IT service providers, call centres, advertising partners and providers of customer loyalty programmes.

4. GPS tracking

Purposes of data processing

In order to ensure that customers can conveniently book to be picked-up from their current location by using the SIXT RIDE mobile applications (Android and iOS apps), our apps are able to determine your location, provided that you have consented that your GPS data be transmitted in the app. These location data are not stored and are used only to determine the pick-up point. Further, we are able to determine the coordinates of drivers via their mobile phones, even while you are in the vehicle. This helps us to arrange additional bookings and to conduct booked rides and to provide customers with information about their upcoming ride (for instance what time the driver will arrive).

Legal basis for the above processing

Art. 6 (1) sentence 1 point a) GDPR applies to the processing of data based on your consent; Art. 6 (1) sentence 1 point b) or f)GDPR applies to the collecting of driver location data.

Legitimate interest, to the extent that Art. 6 (1) sentence 1 point f) GDPR applies to the type of processing concerned

Our legitimate interest in collecting the location data of drivers lies in offering location-related services and features.

5. Business customers/payment by third parties

If you book a ride through your employer, we also process your data for the purposes described in this Data Privacy Policy. This also applies mutatis mutandi if a third party is to pay the invoice.

Categories of recipients of your data

We transmit personal data collected during the booking flow (in particular invoice data, including possibly also in the form of monthly statements) to your employer or the third party who is to pay your invoice.

Legal basis for the above processing

Art. 6 (1) sentence 1 point b) GDPR provides for data processing for the purposes of booking and customer relations, otherwise Art. 6 (1) sentence 1 point f) GDPR.

Legitimate interest, to the extent that Art. 6 (1) sentence 1 point f) GDPR applies to the type of processing concerned

Insofar as the processing of data for the purpose of settling the account with your employer or third parties is concerned, our legitimate interest is in being able to assert invoice amounts and other claims or to determine the party against which the damage claim is asserted.

6. Damage, accidents

Purposes of data processing

In the event of an automobile accident arising out of transportation services arranged for you by SIXT RIDE, we may process your master data, communication data, contract data and, if applicable, data concerning health for the following purposes:

  • Receiving and processing complaints;
  • Providing customer services in cases of damage;
  • Facilitating communication between you and insurance companies;
  • Processing damages resulting from accidents (processing based on information provided by you and third parties such as the police, witnesses, etc.)

We also process your master data, communication data and contract data for purposes of fulfilling legal obligations (e.g. providing information to investigating authorities).

Should the competent authorities suspect of an administrative or criminal offence involving an automobile accident in connection with transportation services arranged for you by SIXT RIDE, then we will process not only the master data pertaining to you that we have stored, but also the data conveyed to us by the competent authorities.

Legal basis for processing

Art. 6 (1) sentence 1 point b) GDPR applies to data processing for purposes of complaints management, providing customer services in cases of damage, and processing damages resulting from accidents.

Art. 6 (1) sentence 1 point c) GDPR applies to data processing for purposes of investigations carried out by competent legal authorities in connection with processing damages and handling claims resulting from accidents.

Art. 9 (2) point f) GDPR applies to the processing of data concerning health for purposes of establishing, exercising or defending the customers legal claims.

Recipients/categories of recipients of your data

For the purposes described in the foregoing, we disclose your data to the following recipients: public authorities (investigating authorities; regulatory authorities; police authorities), experts, assistance services providers, independent transportation service providers, lawyers and insurance companies.

7. Cookies and App Analytics

Purposes of data processing

Our websites use “cookies”, and our App uses corresponding analytics tools. Cookies are small text files that are copied from a web server onto your hard disk. Cookies contain information that can later be read by a web server within the domain in which the cookie was assigned to you. Cookies cannot execute any programmes or infect your computer with viruses. The cookies used by us contain no personal data and are not linked to any such data. Analytics tools store data about the use of the app either in the app itself, or they transmit (anonymised) usage evaluations to the operator of the app.

Further information on cookies and deactivating them can be found in the cookie policy of the respective website (accessible via the link in the respective cookie banner or via the “Data Privacy Policy” menu item). You can deactivate app analytics in the app (Info à Data Privacy Policy).

Legal basis for the above processing

Art. 6 (1) sentence 1 point f) GDPR applies where personal data is processed.

Legitimate interest, to the extent that Art. 6 (1) sentence 1 point f) GDPR applies to the type of processing concerned

Our legitimate interests in processing your personal data via our websites and app lie in our desire to optimise our Internet offering and, as such, offer our customers best possible services and increase customer satisfaction.

Transfer to third countries

If you book rides with us in third countries, we will transfer your personal data to your contract partner (e.g. third party platform / transportation service provider) in the third country on the basis of an adequate decision according to Art. 45 of GDPR or on the basis of the requirements of Art. 49 (1) (b) or (c) GDPR, insofar as the transfer is necessary to conduct pre-contractual or contractual provisions requested by you.

In all other cases, the transfer of your data to a third country is based on an adequacy decision by the European Commission. If no adequacy decision by the European Commission exists for the respective third country, then the transfer to that third country will take place subject to appropriate safeguards as per Art. 46 (2) GDPR. In particular, as per Art. 46 (2) (c) GDPR, SIXT RIDE will sign the European Commission’s standard data protection clauses with data controllers and processors based in third countries where no adequacy decision exists. You can request copies of the aforementioned safeguards from SIXT RIDE by writing to the address specified above (cf. → Controller). Third countries are countries outside the European Economic Area. The European Economic Area comprises all countries of the European Union as well as the countries of the so-called European Free Trade Association, which are Norway, Iceland and Liechtenstein.

Storage duration/criteria for storage duration

SIXT RIDE stores your personal data until they are no longer necessary for the purposes for which they were collected or otherwise processed (cf. → Purposes of data processing at SIXT RIDE). Where SIXT RIDE is under legal obligation to store personal data, it will store personal data for the preservation period stipulated by law. The preservation period for commercial documents, which include bookkeeping documents and accounting records (including invoices), is 10 years. During this period, your data may be subject to restricted use within day-to-day operations if its processing serves no further purposes. The data that are recorded by the mobile phones of drivers (cf. → GPS tracking) are erased after a period of three months.

Your rights

Rights in the event of joint controllers

Where two or more controllers are jointly responsible for data processing (cf. item 1. Sixt Account), the parties shall fulfil their obligations under data protection laws on the basis of the respective arrangement between the joint controllers. The parties shall inform each other without undue delay of any legal claims asserted by data subjects. They shall provide each other with all the information required to respond to information requests.

Data subjects may assert their rights vis-à-vis either SIXT RIDE or SIXT RENT.

Rights pursuant to Art. 15 – 18 and 20 GDPR

You have the right to, at reasonable intervals, obtain information about your personal data under storage (Art. 15 GDPR). The information you are entitled to includes information about whether or not SIXT RIDE has stored personal data concerning you, about the categories of personal data concerned, and about the purposes of the processing. Upon request, SIXT RIDE will provide you with a copy of the personal data that are processed.

You also have the right to obtain from SIXT RIDE the rectification of inaccurate personal data concerning you (Art. 16 GDPR).

You furthermore have the right to obtain from SIXT RIDE the erasure of personal data concerning you (Art. 17 GDPR). We are under obligation to erase personal data in certain circumstances, including if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, if you withdraw the consent on which the processing is based, or if the personal data have been processed unlawfully.

Under certain circumstances, you have the right to have the processing of your personal data restricted (Art. 18 GDPR). These include circumstances in which you contest the accuracy of your personal data and we then have to verify such accuracy. In such cases, we must refrain from further processing your personal data, with the exception of storage, until the matter has been clarified.

Should you opt to change to a competitor of SIXT RIDE, you have the right either to receive, in a machine-readable format, the data that you provided to us based on your consent or on a contractual agreement with us, or to have us transmit, also in a machine-readable format, such data to a third party of your choice (Right to data portability, Art. 20 GDPR).

No contractual or legal obligations to provide data/consequences of failure to provide data

You are not contractually or legally obliged to provide us with your personal data. Please note, however, that you cannot enter into a contract for our services if we are not permitted to collect and process the data as required for the purposes specified in the foregoing (see → The purposes of data processing at SIXT RIDE)

Right to object pursuant to Art. 21 GDPR

If the processing of your data by SIXT RIDE is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Art. 6 (1) sentence 1 point (e) GDPR) or if it is necessary in the legitimate interests of SIXT RIDE, then you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data. SIXT RIDE will then end the processing, unless we can present compelling legitimate grounds for such processing that supersede the grounds for ending the processing.

You may object, at any time and without restriction, to the processing of your personal data for purposes of direct advertising.

Right to withdraw consent at any time

If data processing at SIXT RIDE is based on your consent, then you have the right to, at any time, withdraw the consent you granted. The withdrawal of consent shall not affect the lawfulness of processing between the time consent was granted and the time it was revoked.

Right to lodge a complaint

You have the right to lodge complaints with the supervisory authority responsible for SIXT RIDE. Please send such complaints to the following address:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Promenade 27

D-91522 Ansbach

Last amended in: August 2020