We undertake to comply with the statutory provisions on data protection and endeavor to always take into account the principles of data avoidance and data minimization.
1. Name and address of the controller
a) The responsible person
The data controller is:
Spectrum Mobile Ltd.
STATTAUTO Munich CarSharing
Aidenbachstraße 36
81379 Munich
Phone: 089 202057-0
E-mail: data protection [at] stattauto-muenchen [dot] de
The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, e-mail addresses, etc.).
b) The data protection officer
The data protection officer of the controller is:
Maximilian Bründl
Aidenbachstraße 36
81379 Munich
E-mail: data protection [at] stattauto-muenchen [dot] de
2. Definitions of terms
We have designed our privacy policy according to the principles of clarity and transparency. However, if there is any ambiguity regarding the use of various terms, the relevant definitions can be found here.
3. Legal basis for the processing of personal data
a) Processing of personal data according to the GDPR
We process your personal data, such as your name and first name, e-mail address and IP address, only if there is a legal basis for this. The following provisions of the General Data Protection Regulation in particular come into consideration:
- Art. 6 par. 1 p. 1 lit. a GDPR: The data subject has given his/her consent to the processing of personal data concerning him/her for one or more specific purposes.
- Art. 6 par. 1 p. 1 lit. b GDPR: Processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the request of the data subject.
- Art. 6 par. 1 p. 1 lit. c GDPR: Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Art. 6 par. 1 p. 1 lit. d GDPR: Processing is necessary in order to protect the vital interests of the data subject or another natural person.
- Art. 6 par. 1 p. 1 lit. e GDPR: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Art. 6 par. 1 p. 1 lit. f GDPR: Processing is necessary for the purposes of the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
However, at the relevant points in this data protection declaration, we will always point out once again the legal basis on which your personal data is processed.
b) Processing of information according to § 25 par. 1 TTDSG
We also process information pursuant to § 25 par. 1 TTDSG by storing information on your terminal equipment or accessing information already stored on your terminal equipment. This can be personal information as well as non-personal data, e.g. cookies, browser fingerprints, MAC addresses and IMEI numbers. In this context, terminal equipment is any equipment connected directly or indirectly to the interface of a public telecommunications network for the purpose of transmitting, processing or receiving messages, § 2 (2) No. 6 TTDSG.
As a rule, we process this information on the basis of your consent, § 25 par. 1 TTDSG.
Where an exception under § 25 par. 2 No. 1 and No. 2 TTDSG applies, we do not require consent. Such an exception exists when we access or store the information solely for the purpose of transmitting a message over a public telecommunications network or when it is absolutely necessary for us to provide a telemedia service that you have specifically requested. You can revoke your consent at any time.
We inform you that the revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
4. Disclosure of personal data
The transfer of personal data is also processing within the meaning of the previous section 3. However, we would like to inform you again here separately about the subject of transfer to third parties. The protection of your personal data is very important to us. For this reason, we are particularly careful about sharing your information with third parties.
Therefore, data is only passed on to third parties if there is a legal basis for the processing. For example, we disclose personal data to persons or companies that act as processors for us pursuant to Art. 28 GDPR. A processor is anyone who processes personal data on our behalf – i.e. in particular in a relationship of instruction and control with us.
In accordance with the requirements of the GDPR, we conclude a contract with each of our processors to oblige them to comply with data protection regulations and thus provide your data with comprehensive protection.
5. Storage period and deletion
Your personal data will be deleted by us if it is no longer necessary for the purposes for which it was collected or otherwise processed and the processing is not necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims.
6. SSL encryption
Our app uses SSL encryption for security reasons and to protect the transmission of confidential content, such as requests you send to us as the app provider.
If SSL encryption is activated, the data you transmit to us cannot be read by third parties.
7. Collection and storage of personal data as well as their type and purpose of use
a) Download the app
When you download the mobile app, the required information is transferred to the App Store or Play Store, i.e. in particular username, email address and identifier of your store account, time of download, payment information and the individual device identification number. We have no influence on this data collection and are not responsible for it. We process the data only to the extent necessary to download the mobile app to your mobile device.
b) Use of the app
When using the mobile app, we collect the personal data described below to enable the convenient use of the functions. If you would like to use our mobile app, we collect the following data, which is technically necessary for us to offer you the functions of our mobile app and to ensure stability and security:
- IP address
- Date and time of the request
- Time zone difference from Greenwich Mean Time (GMT)
- Content of the request (concrete page)
- Access status/HTTP status code
- Data volume transferred in each case
- App from which the request comes (API Key (Log) or technical administrator (EBuS system))
- Browser (is only recorded anonymously and aggregated)
- Operating system and its interface (only recorded anonymously and aggregated)
- Language and version of the browser software (only collected anonymously and aggregated).
The legal basis for data processing is Art. 6 para. 1 p. 1 lit. f GDPR. Our legitimate interest follows from the data collection purposes listed above. In no case do we use the collected data for the purpose of drawing conclusions about your person.
c) App tracking and analysis
Our service provider cantamen GmbH, Am Hohen Ufer 3A, 30159 Hannover, Germany (hereinafter cantamen) uses the analytics service Matomo (InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand) to track certain clicks, views, as well as pages from which our app visitors were redirected. However, the collection of this tracking data is completely anonymized using IP anonymization, so that no personal data is collected and no conclusions can be drawn about individuals.
d) Collection of location data
The app can detect your location via GPS/Wi-Fi if you agreed to this sharing in your operating system settings when you installed the app. Here you can also decide between the one-time or permanent collection of location data by the app.
With the help of this position data, we can provide you with quick information, such as nearby car sharing stations and vehicles available there at the requested time period in your immediate vicinity.
This function is available even before you log in to a registered customer account. Insofar as you use the location function before the actual login, we process this location data on our own responsibility on the basis of the consent granted by you in accordance with Art. 6 par. 1 p. 1 lit. a GDPR.
You can deactivate and reactivate the release for the collection of location data in the operating system at any time thereafter. The processing of your personal data remains lawful until the moment we receive your revocation.
e) Login and customer account
To use the booking functions in our app, you need an existing customer account. With this customer account you can log in to our app. To log in, we process your login name (customer number, e-mail address), your freely selectable password and our provider ID.
The collected data is processed here by our service provider cantamen. There is a corresponding order processing contract between us and cantamen pursuant to Art. 28 par. 3 GDPR.
f) Vehicle booking
Insofar as you book a vehicle via our app, we process your car sharing account data, which is necessary for the reservation and invoicing. This is your customer number, start and end of the booking time, the selected vehicle and station, the booking method, and the time and date the booking was made.
In addition, in the event of a booking, we process your trip data, such as start and end time, start and destination, duration of use, number of kilometers driven and the respective vehicle type. These data are the subject of the invoice.
The collected data is processed here by our service provider cantamen. There is a corresponding order processing contract between us and cantamen pursuant to Art. 28 par. 3 GDPR.
g) Cross use
We also offer you the possibility to reserve and book vehicles from other car sharing organizations via our app. In this case, we process your trip data, such as start and end time, start and destination, type and duration of use, route driven as well as vehicle type, the specifically selected vehicle and its vehicle ID and license plate number. This data is provided to us by the respective car sharing organization for billing purposes. In case of cross-use with a Cambio organization, you will be redirected to Cambio’s booking platform from our app.
The collected data is processed here by our service provider cantamen. There is a corresponding order processing contract between us and cantamen pursuant to Art. 28 par. 3 GDPR.
h) Damage report in the app
We also offer you the option of reporting damage or soiling to the booked carsharing vehicle as well as lost property via our app. You must attach at least two photos of the damage or contamination to this notification. You can take this photo directly from the app or upload a corresponding photo to the app, as long as you allow the app camera access or file access.
The collected data is processed here by our service provider cantamen. There is a corresponding order processing contract between us and cantamen pursuant to Art. 28 par. 3 GDPR.
8. Rights of the data subject
You have the following rights:
a) Information
In accordance with Art. 15 GDPR, you have the right to request information about your personal data processed by us. This right to information includes information about
- the processing purposes
- the categories of personal data
- the recipients or categories of recipients to whom your data have been or will be disclosed
- the planned storage period or at least the criteria for determining the storage period
- the existence of a right to rectification, erasure, restriction of processing or objection
- the existence of a right of appeal to a supervisory authority
- the origin of your personal data, if this data was not collected by us
- the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details
b) Correction
In accordance with Art. 16 GDPR, you have the right to request the prompt correction of any inaccurate or incomplete personal data stored by us.
c) Deletion
In accordance with Art. 17 GDPR, you have the right to request the immediate deletion of your personal data from us, insofar as the further processing is not necessary for one of the following reasons:
- the personal data are still necessary for the purposes for which they were collected or otherwise processed
- for the exercise of the right to freedom of expression and information
- for compliance with a legal obligation which requires processing under the law of the European Union or the Member States to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR
- for archiving purposes in the public interest, scientific or historical research purposes, or for statistical purposes in accordance with Art. 89 par. 1 GDPR, insofar as the right referred to in Section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing
- for the assertion, exercise or defense of legal claims
d) Restriction of processing
In accordance with Art. 18 GDPR, you may request the restriction of the processing of your personal data for one of the following reasons:
- You dispute the accuracy of your personal data.
- The processing is unlawful and you object to the erasure of the personal data.
- We no longer need the personal data for the purposes of processing, but you need it to assert, exercise or defend legal claims.
- You object to the processing pursuant to Art. 21 para. 1 GDPR.
e) Notification
If you request the correction or deletion of your personal data or a restriction of processing pursuant to Art. 16, Art. 17 para. 1 and Art. 18 GDPR, we will communicate this to all recipients to whom your personal data has been disclosed, unless this proves impossible or involves a disproportionate effort. You may request that we notify you of these recipients.
f) Transmission
You have the right to receive your personal data that you have provided to us in a structured, common and machine-readable format.
You also have the right to request the transfer of this data to a third party, provided that the processing was carried out with the help of automated procedures and is based on consent pursuant to Art. 6 para. 1 p. 1 lit. a or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 p. 1 lit. b GDPR.
g) Revocation
Pursuant to Art. 7 para. 3 GDPR, you have the right to revoke your consent at any time. The revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. In the future, we may no longer continue the data processing that was based on your revoked consent.
h) Complaint
In accordance with Art. 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR.
i) Objection
If your personal data is collected on the basis of legitimate interests pursuant to Art. 6 para. 1 p. 1 lit. f GDPR, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR, provided that there are grounds for doing so that arise from your particular situation or the objection is directed against direct marketing. In the latter case, you have a general right to object, which will be implemented by us without specifying the particular situation. If you wish to exercise your right of revocation or objection, simply send an e-mail to info [at] cantamen [dot] de.
j) Automated decision in individual cases including profiling
You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
- is necessary for the conclusion or performance of a contract between you and us
- is permitted on the basis of legal provisions of the European Union or the Member States to which we are subject and these legal provisions contain appropriate measures to protect your rights and freedoms as well as your legitimate interests
- is done with your express consent
However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g GDPR applies and appropriate measures have been taken to protect the rights and freedoms and your legitimate interests.
With regard to the cases mentioned in i) and iii), we take reasonable measures to safeguard the rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person from our side, to express your point of view and to contest the decision.
9. Modification of the privacy policy
If we change the privacy policy, this will be indicated in the app.
Status: 27.09.2023