Data privacy information for Interested Parties, Customers and Authorised Drivers
According to the Data Protection Basic Regulation (GDPR) Article 13 (obligation to inform the person concerned about the collection of personal data), Article 14 (obligation to inform when personal data was not collected from the person concerned) and Article 21 (obligation to inform).
We appreciate your interest in our company and our services. The protection of your personal data is very important to us. We are subject to the provisions of the Data Protection Basic Regulation (GDPR) of the German National Data Protection Law new (BDSG (neu)) and of the telemedia law.
We have taken technical and organisational measures to ensure that we follow the data protection regulations. Here, we describe how we collect, use, process and share your data if you are an interested party, a customer or an authorised driver.
When cambio, we, us or our is used, the cambio company with whom you signed a contract is meant. That company is responsible for your data (controller).
Name and adress of the controller | Name and contact of the company data protection officer | Personal data by category | Sources of data | Duration of data storage | Purposes of data processing | Categories of recipients of personal data | Your rights | Right to object | Right of appeal through an oversight authority | Obligation to provide data | Automated decision-making in individual cases | Security | E-Mails
The controller for interested parties, customers and authorised drivers is the cambio company (your cambio contractual partner), with whom you are, or would like to become, a customer or authorised driver.
Name and contact data of the company Data Protection Officer for all cambio companies except cambio Lüneburg:
3G Business Datenschutz GmbH
Tel.: 0162 1007910
E-Mail: Martin Mielke
Name and contact data of the company Data Protection Officer cambio Lüneburg:
Datenschutzbeauftragter der Campus Management GmbH
- Basic personal data (e.g. family name, given name, date of birth, address)
- Communications data (e.g. telephone numbers, e-mail addresses)
- Recordings of telephone conversations with the booking centre
- Bank information (account holder and IBAN)
- Driving licence information
- Credit history (SCHUFA information or CRIF Bürgel GmbH information)
- Basic contract data
- Invoicing information (e.g. invoices, credit notes)
- Contract history
- Booking information (e.g. length of use, kilometres driven)
- Place where you pick up the car at the beginning of the trip
- Place where you return the car at the end of the trip
- Information on use that deviates from the terms and conditions
- Information on accidents and administrative offense proceedings
- Payment data (e.g. payments)
In the cases of online-validation:
- Picture of the driving license
- Picture of the identity document
- Your picture
- We receive your personal, communications, bank and driving licence data from you.
- If you registered via one of our partners (e.g. registration agency, public transport company, mobility platform, a car sharing provider in the booking alliance), we receive the necessary data from the relevant partner.
- We receive your credit history based on a request from the SCHUFA (for private customers) or the CRIF Bürgel GmbH (for corporate customers).
- The basic contract data stems from the tariff that you select, the agreed-upon conditions and the available options (roaming/cross-use/vehicle selection).
- Invoices and booking information arise through the course of your contractual relationship with us, your bookings and vehicle use.
- For roaming, user data is provided to us by the car sharing provider in the booking alliance (your car sharing provider) for the billing of services.
- In the cases of online-validation we receive the data from you.
The personal data processed by us is required for the initial consultation, the preparation of the contractual documents and for wrapping up a contract. Please note that a contractual relationship is possible only if personal data can be processed and, if necessary, forwarded to the appropriate authorities (e.g. to law enforcement authorities in the case of a hit and run).
Purpose: for the performance of a contract
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Basis for processing: The processing of personal data is necessary according to Article 6 Paragraph 1 Letter b) GDPR for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Purpose: for the protection of the legitimate interests of the controller
Data is processed for the settlement of accidents and damage to vehicles.
Basis for processing: The processing is required according to Article 6 Paragraph 1 Letter f) GDPR processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Purpose: for the fulfilment of legal obligations
In the case of accidents or violations of the Road Traffic Act, we, as holder of the vehicles, must transfer data to the relevant authorities.
Basis for processing: The processing of personal data is required according to Article 6 Paragraph 1 Letter c) GDPR for the fulfilment of a legal obligation (§ 21 StVG owner liability) which the responsible party is subject to.
We use your e-mail address to send you information about our services if you have agreed to this through the selection of the relevant option in your customer area.
Basis for processing: The processing of personal data is lawful according to Article 6 Paragraph 1 Letter a) GDPR based on consent of the person concerned.
Personal data is not used for any other purposes.
Data processing and booking service through the cambio Mobilitätsservice GmbH & Co KG and the cambio CarSharing Service GmbH
The data required for the performance of services is processed and stored on your behalf by the cambio Mobilitätsservice GmbH & Co KG (Data Processing and Website) and the cambio CarSharing Service GmbH (Booking Service). It is thus necessary to transfer data to these companies. Data protection is taken into account through contractual agreements according to Article 28 GDPR.
Data transmission for cross-use cambio Germany, Stadtteilauto Münster and cambio Belgium
When you book and use a car through another German cambio company, through cambio Belgium or through Stadtteilauto Münster, we transfer the name of our company, your customer number and your name to the company through which you book and use the car via the software of cambio Mobilitätsservice GmbH & Co.KG. There, your data is saved in the booking, the journey data and in the bill to us. In the case of violation of the Road Traffic Act, accidents, damages or fines, your data will be transferred to the damage manager of the company whose vehicle you were driving.
Data transmission for roaming to other car sharing providers
If you, as our customer so choose, you may use vehicles from other car sharing providers (roaming). You must select the car sharing provider when booking and, in making this selection, you must agree to the transfer of your personal data to that provider. We then transfer the name of our company, your name, your address, your date of birth, your telephone number, your e-mail address and your customer card information to the software service provider of the car sharing provider of your choice. It makes the data available to the car sharing provider within its software. After the completion of your journey, we receive the use data from your journey in order to invoice you for it.
The transfer and processing of this data takes place automatically through the software made available by the cambio Mobilitätsservice GmbH & Co KG.
Data transmission for roaming customer of another car sharing provider books a cambio vehicle
If you, as a customer of another car sharing provider, would like to use one of our cars, you must select our car sharing company when booking and thereby consent to the transfer of your personal data. The software service provider of your car sharing provider then transfers the name of its company, your name, your address, your date of birth, your telephone number, your e-mail address and your customer card information to us. At the conclusion of your journey, we make the use data available to your car sharing provider for billing purposes.
The transfer and processing of this data takes place automatically through the software service provided by cambio Mobilitätsservice GmbH & Co KG.
Data transfer if you are an authorised driver on the main contract of a customer
If you use our vehicles as an authorised driver to the main contract of a customer, the invoice goes to the main customer. To this end, we transfer your name and your booking data (date and time of your booking, kilometres driven, cancellation time and driving notes if applicable) to the customer with the invoice.
Data transfer in the case of online-validation
The online-validation chat is based on the software of Userlike UG, Probsteigasse 44-46, 50670 Köln. The software stores the data securely till deletion on servers within Germany. Further information and the applicable data protection provisions of Userlike are retrievable under https://www.userlike.com/de/data-privacy.
Other transfers of data
In the case of an accident, your personal data (name, address, contact information) will be forwarded to our and opposing lawyers and/or insurance companies. For purposes of financial accounting the data will be forwarded to tax consultants. In cases of dunning procedures or attachment procedures the data will be forwarded if necessary to the appropriate authorities.
Data transfer to the SCHUFA
cambio transfers data collected within the framework of the contractual relationship about the application, the carrying out and the termination of the business relationship and data on behaviour contrary to the contract or fraudulent behaviour to the SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden.
The legal basis for this transfer is Article 6 Paragraph 1 Letter b and Article 6 Paragraph 1 Letter f of the Data Protection Basic Regulation (GDPR). Transfers on the basis of Article 6 Paragraph 1 Letter f GDPR may only occur insofar as this is necessary for the protection of the legitimate interests of cambio or third parties and is not outweighed by the interests or basic rights and basic freedoms of the person whose data must be protected. The exchange of data with the SCHUFA also serves the fulfilment of legal obligations to carry out credit checks of customers (§ 505a and 506 of the German Civil Code).
The SCHUFA processes the data received and also uses it for purposes of profile development (scoring) in order to give it to their contractual partners in the European Economic Area, Switzerland and other third countries (insofar as such an arrangement of the European Commission exists) to, among other things, assess the creditworthiness of natural persons. Further information on the activities of the SCHUFA can be found in the SCHUFA information sheet Article 14 GDPR or online at www.schufa.de/datenschutz.
Data transfer to CRIFBÜRGEL
Within the framework of the contractual relationship, cambio transfers personal data for application, carrying out and termination of the business relationship and data on behaviour contrary to the contract or fraudulent behaviour to the CRIF Bürgel GmbH, Radlkoferstraße 2, 81373 Munich.
The legal basis for these transfers is Article 6 Paragraph 1 Letter b and Article 6 Paragraph 1 Letter f of the Data Protection Basic Regulation (GDPR). Transfer based on Article 6 Paragraph 1 Letter f GDPR may only take place insofar as this is required to protect the legitimate interests of cambio or third parties and does not outweigh the interests or basic rights and freedoms of the affected person, whose personal data is to be protected. The exchange of data with the CRIF Bürgel GmbH also serves the fulfilment of legal obligations with regard to carrying out credit checks of customers (§ 505a and 506 of the German Civil Code).
The CRIF Bürgel GmbH processes the data received and also uses it for purposes of profile development (scoring) in order to give their contractual partners in the European Economic Area, Switzerland and other third countries (insofar as such an arrangement of the European Commission exists) information on, among other things, the assessment of the creditworthiness of natural persons. Further information on the activities of the CRIF Bürgel GmbH can be found in the CRIF-Bürgel information sheet or online at www.crifbuergel.de/de/datenschutz.
You have the right to information in accordance with Article 15 GDPR, the right to be informed according to Article 16 GDPR, the right to deletion according to Article 17 GDPR, the right to restriction of processing according to Article 18 GDPR and the right to data portability from Article 20 GDPR. In addition, there is a right to appeal through a data protection oversight authority (Article 77 GDPR).
There is a basic right to object to the processing of personal data by cambio according to Article 21 EU GDPR.
However in such a case the use of cambio vehicles is no longer possible.
If you would like to take advantage of this right, please contact:
Data Protection Officer for all cambio companies except cambio Lüneburg:
E-Mail: Stefan Weisfeld
Data Protection Officer cambio Lüneburg:
Data Protection Officer of Campus Management GmbH
For fundamental concerns/complaints with regard to the processing of your data, you may contact the responsible data protection oversight authorities.
You can find an overview of the data protection oversight authorities on the Internet site of the German Data Protection and Freedom of Information Officer (bfdi) www.bfdi.bund.de or https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
Within the framework of our business relationship, you must provide only the personal data which is required for registration and for carrying out a business relationship or which we are legally obliged to collect. Without this data, we must refuse to enter into a contractual agreement or to fulfil a contract or we must terminate an existing contract.
We do not make use of any automated processing, including profiling, for causation of a decision on the establishment and conduct of a business relationship (Article 22 GDPR).
We employ technical and organisational security measures to protect the data we administer. If you are registered as an interested party or a customer, a secure connection (SSL-encrypted) will be opened. The transferred data is protected from external access by unauthorised persons through a series of firewalls.
Please note that the content that you send us per e-mail is not encrypted. Thus, by this medium, the security of sensitive data and content cannot be guaranteed from unauthorised access and from forgery. Messages that you send to us via the contact the customer centre form, on the other hand, are secure as they are encrypted.
Disclaimer: The data privacy statement is in German. This translation of the original German document is exclusively informational and not legally valid.
Status as of April 2020