Data protection information for interested parties, customers and authorized drivers

Responsible entity

The responsible entity for interested parties, customers and authorized drivers is the cambio-company (your cambio contract partner) with which you would like to become or are a customer or an authorized driver.

Data protection officer of all cambio-companies (except Lüneburg)
Stefan Weisfeld
Rutenstr. 8
28203 Bremen
Email: info@weisfeld.it

Data protection officer cambio Lüneburg
Sebastian Ernst
Data Protection Officer of Campus Management GmbH
ernst@campuslueneburg.de

Categories of personal data

Categories of personal data that are processed
• Personal master data (e.g. surname, first name, date of birth, address)
• Communication data (e.g. telephone numbers, e-mail addresses)
• Records of telephone calls made to the booking center
• Bank data (account holder and IBAN)
• Driver's license data    
• Creditworthiness data (Schufa information or CRIF Bürgel GmbH information)
• Contract master data
• Billing data (e.g. invoices, credit notes)
• Contract history
• Booking data (e.g. useful life, kilometers driven)
• Location of vehicle pickup at start of trip
• Location of vehicle return at end of trip
• Information on deviating usage compared to the GTCs
• Data on accidents and administrative offence procedures
• Payment data (e.g. incoming payments)

In case of online validation:
• Photo of driver's license
• Photo of the identity document
• Your photo
• Chat transcript

Origin of the data

• We receive the personal master data, communication data, bank data and driver's license data from you.
• If you register via one of our partners (e.g. registration office, public transport, mobility platform, CarSharing provider in the booking network), we receive the necessary data from the corresponding partner.
• We receive the creditworthiness data on the basis of a query from SCHUFA (for private customers) or CRIF Bürgel GmbH (for corporate customers).
• The contract master data results from the plans you have selected, the agreed conditions and the possible options (roaming/cross-use/vehicle selection).
• Billing data, booking data, data about the place of vehicle pick-up and vehicle return arise in the course of your contractual relationship with us, your bookings and the use of the vehicles.
• When roaming, usage data is transmitted to us by the CarSharing provider in the booking network (your CarSharing provider) for billing purposes.
• During online validation, we receive the data from you.

Duration of data storage

As far as necessary, we process and store your personal data for the duration of the business relationship, which includes, for example, the initiation and execution of a contract.
In addition, we are subject to various storage and documentation obligations, which result, among other things, from the German Commercial Code (HGB), the German Fiscal Code (AO). The periods specified there for storage or documentation are two to ten years. Finally, the storage period is also assessed according to the statutory limitation periods, which can be up to thirty years, for example, according to §§ 195 ff. of the German Civil Code (BGB), whereby the regular limitation period is three years.

Data processing purposes

The personal data processed by us are necessary for the initial consultation, the preparation of the contract documents and a conclusion of the contract. We point out that a contractual relationship is only possible if the personal data is processed and, if necessary, forwarded to the respective authorities (e.g. to criminal prosecution authorities in the event of a hit-and-run) on the basis of legal requirements.

Purpose: To fulfill contractual obligations
The data is processed for the initiation and fulfillment of the contract, for the booking and use of the vehicles as well as for the contract-related support of the customers.
Basis for processing: the processing of personal data is necessary, pursuant to Article 6(1)(b) DS-GVO, for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject.

Purpose: To safeguard the legitimate interests of the controller.
The data are processed for the purpose of handling accidents and damage to vehicles.
Basis for processing: Processing is necessary pursuant to Article 6(1)(f) of the GDPR for the purposes of safeguarding the legitimate interests of the controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

Purpose: To comply with legal obligations
In the event of accidents or violations of the Highway Code, we as the owner of the vehicles must forward data to the competent authorities.
Basis for processing: Pursuant to Article 6(1)(c) DS-GVO, the processing of personal data is necessary for compliance with a legal obligation (Section 21 StVG Keeper Liability) to which the controller is subject.

Processing based on consent
We use your e-mail address to send you information about our service if you have consented to this in your customer area by selecting the appropriate option. Basis for processing: the processing of personal data is lawful under Article 6(1)(a) DS-GVO based on the consent of the data subject.

Other processing purposes
The personal data will not be processed for other purposes.

Categories of recipients of the personal data

Data processing and booking service by cambio Mobilitätsservice GmbH & Co KG and cambio CarSharing Service GmbH.
We have the data necessary to provide the service processed and stored by cambio Mobilitätsservice GmbH & Co KG (data processing and website) and cambio CarSharing Service GmbH (booking service) on your behalf. It is therefore necessary to forward data to these companies. Data protection is taken into account through contractual agreements in accordance with Art. 28 DS-GVO.

Data transfer for cross-use - cambio Germany, Stadtteilauto Münster and cambio Belgium
If you book and use a car with another German cambio company, with cambio Belgium or Stadtteilauto Münster, we transfer within the software of cambio Mobilitätsservice GmbH & Co. KG we transfer the name of our company, your customer number and your first and last name to the company where you booked and use the car. Your data will then be stored there in the booking, the trip data and in the invoice to us. In the event of violations of road traffic regulations, accidents, damage or fines, your data will be transferred to the claims management of the company with whose vehicle you drove.

Data transfer when roaming to other CarSharing providers
If you as our customer wish, you can use vehicles from other CarSharing providers (roaming). To do this, you must select the CarSharing provider when booking and agree to the transfer of personal data to this provider during the selection process. We will then transmit the name of our company, your name, address, date of birth, telephone number, e-mail address and customer card data to the software service provider of the CarSharing provider you have selected. The latter makes the data available to the CarSharing provider within its software.  After completion of your trip, we receive the usage data for your trip in order to bill you for it.
The transmission and processing of this data is automated by us through the software provided by cambio Mobilitätsservice GmbH & Co KG.

Data transmission during roaming - customer of another CarSharing provider books cambio vehicle
If you want to use our vehicles as a customer of another CarSharing provider, you must select our CarSharing company when booking and agree to the transfer of personal data. The software service provider of your CarSharing provider will then transmit the name of his company, your name, address, date of birth, telephone number, e-mail address and customer card data to us.  After completion of your trip, we provide your CarSharing provider with the usage data for billing the trip.
The transmission and processing of this data is automated by us through the software provided by cambio Mobilitätsservice GmbH & Co KG.

Data transmission if you are authorized to drive for the main contract of a customer
If you use our vehicles as an authorized driver for a customer's main contract, invoicing is done to the main customer. For this purpose, we transmit your name and booking data (date and times of your booking, the kilometers driven, any cancelled times and your driving note) to the customer with the invoice.

Data transmission for online validation
The chat for online validation takes place with the help of the software of the company Userlike UG, Probsteigasse 44-46, 50670 Cologne. Userlike stores the data exclusively on secure servers in Germany until it is deleted. The data protection information of Userlike can be viewed at www.userlike.com/de/data-privacy.

Newsletter dispatch
The dispatch of our cambio newsletter is partially realized via an external newsletter provider.  The service provider works on our behalf and is therefore exclusively bound by instructions.  We transmit the following data to the service provider: e-mail address, first name, last name. The data is stored exclusively on secure servers in Germany until it is deleted.

Other forwardings
In the event of an accident, your personal data (name, address, contact details) will be forwarded to our own and opposing lawyers and/or insurance companies. For financial accounting purposes, we forward data to tax consultants. In order to obtain a dunning notice or, if applicable, a garnishment order, data is forwarded to the competent courts and bailiffs.

Data transmission to SCHUFA
cambio transmits personal data collected in the context of the contractual relationship regarding the application, the execution and the termination of the business relationship as well as data regarding non-contractual behavior or fraudulent behavior to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden. The legal basis for these transfers is Article 6(1)(b) and Article 6(1)(f) of the General Data Protection Regulation (DS-GVO). Transfers on the basis of Article 6(1)(f) DS-GVO may only take place insofar as this is necessary to protect the legitimate interests of cambio or third parties and does not override the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. The exchange of data with SCHUFA also serves to fulfill legal obligations to conduct creditworthiness checks of customers (§ 505a and 506 of the German Civil Code).
SCHUFA processes the data received and also uses it for the purpose of profiling (scoring) in order to provide its contractual partners in the European Economic Area and in Switzerland and, where applicable, other third countries (insofar as there is an adequacy decision on these by the European Commission) with information on, among other things, the assessment of the creditworthiness of natural persons. More detailed information on SCHUFA's activities can be found in the SCHUFA information sheet pursuant to Art. 14 DS-GVO or viewed online at www.schufa.de/datenschutz-dsgvo/.

Data transmission to CRIFBÜRGEL
cambio transmits personal data collected within the scope of the contractual relationship to CRIF Bürgel GmbH, Radlkoferstraße 2, 81373 Munich, Germany, for the purpose of applying for, implementing and terminating this business relationship, as well as data on non-contractual behavior or fraudulent behavior.
The legal basis for these transfers is Article 6(1)(b) and Article 6(1)(f) of the General Data Protection Regulation (DS-GVO). Transfers on the basis of Article 6(1)(f) DS-GVO may only take place insofar as this is necessary to safeguard the legitimate interests of cambio or third parties and does not override the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. The exchange of data with CRIF Bürgel GmbH also serves the purpose of fulfilling legal obligations to carry out creditworthiness checks on customers (Sections 505a and 506 of the German Civil Code).
CRIF Bürgel GmbH processes the data received and also uses it for the purpose of profiling (scoring) in order to provide its contractual partners in the European Economic Area and in Switzerland and, where applicable, other third countries (insofar as an adequacy decision by the European Commission exists for these) with information on, among other things, the assessment of the creditworthiness of natural persons. More detailed information on the activities of CRIF Bürgel GmbH can be found in the CRIF Bürgel information sheet or viewed online at www.crifbuergel.de/datenschutz.

Your rights

You have the right to information according to Art. 15 DS-GVO, the right to correction according to Art. 16 DS-GVO, the right to deletion according to Art. 17 DS-GVO, the right to restriction of processing according to Art. 18 DS-GVO and the right to data portability from Art. 20 DS-GVO. In addition, there is a right of appeal to a data protection supervisory authority (Art. 77 DS-GVO).

Right of objection

In principle, there is a right to object to the processing of personal data by the controller in accordance with Article 21 EU GDPR.
However, we would like to point out that it will then no longer be possible to use the cambio website.
Should you wish to assert these rights, please contact:

Data protection officer of all cambio companies (except cambio Lüneburg)
Stefan Weisfeld
Rutenstr. 8
28203 Bremen
Germany
Email: info@weisfeld.it

Data Protection Officer cambio Lüneburg
Sebastian Ernst
Data Protection Officer of Campus Management GmbH
ernst@campuslueneburg.de

Right of complaint to a supervisory authority

In the event of fundamental concerns/complaints regarding the processing of your data, you can contact the competent data protection supervisory authority. An overview of the data protection supervisory authorities can be found on the website of the Federal Commissioner for Data Protection and Freedom of Information (bfdi) at www.bfdi.bund.de or www.bfdi.bund.de/DE/Service/Anschriften/anschriften_table.

Obligation to provide data and consequences of failure to provide data

Within the scope of our business relationship, you are only required to provide the personal data that is necessary for the establishment and execution of a business relationship or that we are legally obligated to collect. Without this data, we will usually have to refuse to conclude the contract or execute the order, or will no longer be able to perform an existing contract and may have to terminate it.

Automated decision making in individual cases

We do not use automated processing including profiling to reach a decision on the establishment and performance of the business relationship (Article 22 DS-GVO).

Security

We use technical and organizational security measures to protect the managed data. If you have registered as an interested party or customer, a secure connection (SSL-encrypted) is established.  The transmitted data is prevented from external access by unauthorized persons by a series of firewalls.

Emails

Please note that content that you send us by email is transmitted unencrypted. This means that the security of sensitive data and content against unauthorized access and falsification cannot be guaranteed. Short messages that you send to us via the "Contact the Customer Office" form, on the other hand, are secure because they are transmitted in encrypted form.