In the following we would like to inform you about the types of data processed by SIXT and about the purposes of such data processing. We would also like to inform you about important legal aspects of data protection, such as your rights.

 

A: Data controller

 

The party responsible for processing your data (controller) is Eurorent sp. z o.o. ul. Arabska 9, 03-677 Warszawa (hereinafter also referred to as SIXT).


SIXT has appointed the Data Protection Officer (DPO). You may contact with the DPO in any case regarding data protection. Please address your query to the following email address: This email address is being protected from spambots. You need JavaScript enabled to view it., correspondence address: Arabska 9, 03-977 Warszawa, Poland.

 

B: Categories of personal data

 

The following categories of personal data may be processed by us in connection with our services:

  • Master data: These include, for example, a person’s first name, surname, address (private and/or business), date of birth.
  • Communication data: These include, for example, a person’s telephone number, email address (private and/or business) fax number if applicable, as well as the content of communications (e.g. emails, letters, faxes).
  • Contract data: These include, for example, the rental information (vehicle category, pick-up and return dates, pick-up and return branch, booked extras/services), rental contract number, reservation number, driver’s licence data, , license plates of the vehicle you rented, and information on customer loyalty and partner programmes.
  • Financial data such as credit card data
  • Voluntary data: These are data that you provide to us on a voluntary basis, without us having explicitly requested them, and include information such as your preferences with regard to the vehicle’s equipment and category
  • Special data categories: In the event of an accident, damage to the vehicle, or similar incidents, we process data relating to the respective course of events and the damage incurred. These data may be provided by customers, passengers or injured parties. The data processed in such circumstances can include health-related data such as data on injuries, blood alcohol levels, driving under the influence of narcotic substances, and the like.
  • Third-party data: If, within the scope of your vehicle rental, you provided us with personal data of third parties (e.g. family members, second drivers, passengers), then we will also process these data.
  • Location data: Location data are data that we may process when a vehicle is equipped with telematics (cf. → connected vehicles).

 

C: The legal basis for data processing at SIXT

 

Art. 6 (1) point a) of the General Data Protection Regulation (GDPR): Pursuant to this provision, the processing of your personal data is lawful if and to the extent that you have given your consent to such processing.


Art. 6 (1) point b) GDPR: Pursuant to this provision, the processing of your personal data is lawful if such processing is necessary for the performance of a contract to which you are party, or in order to take steps at your request prior to entering into a contract (e.g. when making the vehicle reservation).


Art. 6 (1) point c) GDPR: Pursuant to this provision, the processing of your personal data is lawful if such processing is necessary for compliance with a legal obligation to which SIXT is subject.


Art. 6 (1) point f) GDPR: Pursuant to this provision, the processing of your personal data is lawful if such processing is necessary for the purposes of the legitimate interests pursued by the controller, i.e., SIXT, or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, i.e., you yourself.


Art. 9 (2) point f) GDPR: Pursuant to this provision, certain special categories of personal data can be processed if such processing is necessary for the establishment, exercise or defence of legal claims. These special categories of personal data include the health data of the data subjects.

 

D: The purposes of data processing at SIXT

 

1. Reserving and renting vehicles

 

Purposes of data processing

We process your master data, communication data, contract data, financial data and any data you have provided voluntarily for purposes of implementing your reservations and facilitating the conclusion and performance of your rental contract.

We moreover use the master data, communication data and contract data for customer relations purposes, for example to handle any complaints or changes of reservation that you contact us about.


If you book your vehicle via travel agencies, online travel agencies or other agents, then your master data, communication data, rental information and, if applicable, financial information, will be transferred to us by our partners.


We also use your master data and contract data for purposes of settling accounts (e.g. commissions and sales processing) with, for example, travel agencies, other agencies, franchise partners and cooperation partners. In order to be able to fulfil your reservation request, we transfer your data to partner companies in the event that we do not have the requested vehicle or vehicle type available.


We furthermore use your data for your and our security, for example to avoid payment defaults and to prevent property offences (in particular fraud, theft, embezzlement).


In some rental branches we use a technology that verifies the authenticity of ID documents (especially driver’s licence) and records the data electronically instead of manually.


If you request to pay for your rental by invoice, then we process your master and financial data in order to assess your creditworthiness by obtaining the corresponding information from credit agencies.


Once both contracting parties have fulfilled their obligations under the rental contract, your master data, financial and contract data will be stored until the statutory retention period expires


Legal basis for the above processing


Art. 6 (1) point b) GDPR applies to the processing of data to the extent required to implement reservations, to conclude and perform contracts and for customer relations purposes


Art. 6 (1) point f) GDPR applies to the processing of data to the extent required to settle accounts vis-à-vis third parties, to assert our own claims, and to mitigate risks and prevent fraud.


Art. 6 (1) point c) GDPR applies to the processing of data to the extent required to detect, prevent and investigate criminal offences, to examine and store driver’s licence data, and to comply with preservation periods under commercial and tax law.


Legitimate interest, to the extent that Art. 6 (1) point f) GDPR applies to the type of processing concerned
To the extent that data processing is required to perform analyses with a view to preventing damage to our company and our vehicles, our legitimate interests lie in maintaining security for costs and preventing economic disadvantages such as those arising from nonpayment or the loss of our vehicles.


Categories of recipients
For the purposes described in the foregoing (especially for informing the local rental partner about a reservation or for processing of credit card payments with your credit card company), we disclose your data to the following recipients: IT service providers, call centres, collection companies, financial and archive services providers, credit agencies, SIXT group companies, cooperation and agency partners and franchise partners.
As part of our measures to prevent fraud, we also transmit – in situations where third parties have been, or are at risk of being, defrauded – personal data to such third parties having suffered, or at risk of, fraud.

 

2. Marketing and direct advertising

 

Purposes of data processing

We process your master data, communication data and contract data for purposes of promoting customer loyalty, implementing customer loyalty and bonus programmes (including our own and those of our cooperation partners), optimising customer offers, market or public opinion research as well as holding customer events.

You may object to any processing or use of your data for direct marketing purposes at any time. Please send any objections to: Eurorent sp. z o.o. ul. Arabska 9, 03-677 or via email to: This email address is being protected from spambots. You need JavaScript enabled to view it.

 

Legal basis for processing

Art. 6 (1) point a) GDPR applies to data processing for purposes of implementing direct marketing measures that require explicit prior consent.


Art. 6 (1) point f) GDPR applies to data processing for purposes of direct marketing, in forms that do not require explicit prior consent.


Legitimate interest, to the extent that Art. 6 (1) point f) GDPR applies to the type of processing concerned
Our legitimate interests in using your personal data for purposes of implementing direct marketing measures and the marketing measures mentioned lie in the fact that we want to convince you of our services and promote a lasting customer relationship with you.

 

Categories of recipients

For the purposes described in the foregoing, we disclose your data to IT service providers, call centres, advertising partners and providers of customer loyalty and bonus programmes.

 

3. Payment by third parties

 

If you rent a vehicle through your employer, we also process your data for the purposes described in this Data Privacy Policy. This also applies to third parties who are paying the invoice.

Legal basis for the above processing.

Art. 6 (1) point b) GDPR applies to the processing of data to the extent required to implement reservations, to conclude and perform rental and framework agreements and for customer relations purposes, otherwise Art. 6 (1) point f) GDPR.

 

Legitimate interest, to the extent that Art. 6 (1) point f) GDPR applies to the type of processing concerned

Insofar as the processing of data for the purpose of settling the account with your employer or third parties or for clarification of facts (in particular in the case of accidents or administrative offences) is concerned, our legitimate interest is in being able to assert invoice amounts and other claims or to determine the party against which the damage claim is asserted.


Categories of recipients of your data

We transmit personal data collected during the rental (in particular in the form of invoices and rental agreements, possibly also in the form of monthly statements, as well as possible traffic tickets and accident reports) to your employer or the third party who is to pay your invoice


4. Contractors and their Agents. representatives and employees indicated for contact


Purposes of data processing

If we conclude a cooperation agreement with you, your Employer or contractor, we will process your data in order to correctly implement the concluded contract, as well as to protect claims arising in connection with its performance.

 

Legal basis for the above processing

art. 6 point b) and f) GDPR concerns the verification of provided data in public registers, contacting in matters related to the performance of the Agreement.

art. 6 point. f) GDPR to defend against claims or pursue claims based on the legitimate interest pursued by the data controller.

 

Legitimate interest, to the extent that Art. 6 (1) point f) GDPR applies to the type of processing concerned

Our legitimate interest in using your personal data, is to pursue any claims that we may have against you, consisting in our efforts to prevent damage to our company.

 

Categories of recipients

For the purposes described in the foregoing (especially for informing the local rental partner about a reservation or for processing of credit card payments with your credit card company), we disclose your data to the following recipients: IT service providers, call centres, collection companies, financial and archive services providers, credit agencies, SIXT group companies, cooperation and agency partners and franchise partners.

 

5. Damage, accidents, administrative offences

 

Purposes of data processing

If you discover damage to our vehicles, if you or another person cause/causes such damage, or if you or another person are/is involved in an accident with one of our vehicles, then we will process you master data, communication data, contract data, financial data and, if applicable, data concerning health for the following purposes:

  • receiving and processing complaints
  • providing customer services in cases of damage
  • settling claims
  • processing damages resulting from accidents (processing based on information provided by you and third parties such as the police, subsequent renters, witnesses, etc.)

This includes the processing of the aforementioned data categories for purposes of settling claims, for example vis-à-vis insurance companies.


When dealing with damages and accidents, we also process your master data, communication data and contract data for providing damage assistance services.


We also process your master data, communication data and contract data for purposes of fulfilling legal obligations (e.g. providing information to investigating authorities).


Should the competent authorities suspect you of having committed an administrative or criminal offence with one of our vehicles, then we will process not only the master data pertaining to you that we have stored, but also the data conveyed to us by the competent authorities.


We also process your master data, communication data, financial data, contract data and, if applicable, data concerning health, for purposes of upholding and asserting any claims that we may have against you, for example claims resulting from non-payment or damage caused to our vehicles.

 

Legal basis for processing

Art. 6 (1) point b) GDPR applies to data processing for purposes of complaints management, providing customer services in cases of damage, and processing damages resulting from accidents.


Art. 6 (1) point c) GDPR applies to data processing for purposes of processing damages resulting from accidents.


Art. 6 (1) point f) GDPR applies to data processing for purposes of settling claims, asserting any claims that we may have against you, and handling claims relating to administrative offences.


Art. 9 (2) point f) GDPR applies to the processing of data concerning health for purposes of establishing, exercising or defending legal claims.


Legitimate interest, to the extent that Art. 6 (1) point f) GDPR applies to the type of processing concerned

Our legitimate interests in using your personal data for purposes of settling claims and asserting any claims that we may have against you lies in our desire to ward off damage to our company and to ensure that we can provide our customers with undamaged vehicles. We are moreover obliged, pursuant to our contractual relations with third parties (e.g. insurance companies), to process your data for purposes of settling claims. Our legitimate interests in this respect lie in ensuring our contractual fidelity.


Categories of recipients

For the purposes described in the foregoing, we disclose your data to the following recipients: collecting companies, experts, assistance services providers, lawyers,insurance companies, IT and archive service providers, SIXT group members, agency partners, franchise partners and business partners.

 

6. Connected vehicles

 

Purposes of data processing

SIXT vehicles may have so-called “connected vehicle” functionalities which enable us to process location data as well as vehicle status information such as vehicle locking, vehicle speed, status of sensors and activation of safety systems (e.g. airbags). These data are processed exclusively to prevent property offences if the vehicle is not returned within the agreed rental period or is used outside the contractually agreed region (as well as near the border or in port areas) and to determine, verify and investigate car damages and accidents.

 

Legal basis for processing

Art. 6 (1) point f) GDPR.


Legitimate interest, to the extent that Art. 6 (1) point f) GDPR applies to the type of processing concerned

Our legitimate interest in using your personal data to prevent property offences and to determine, verify and investigate car damages and accidents is to protect our vehicle fleet and our contractual and non-contractual rights.


Categories of recipients

For specific countries and car categories we partner with providers of geolocalisation services to prevent property offences.


7. Improving our processes and offerings


Purposes of data processing

We process your master data, communication data and contract data, as well as any data provided voluntarily, for purposes of optimising our processes and offerings.


This involves, for example, compiling and evaluating rental reports, implementing capacity planning to improve vehicle allocation procedures, setting up a data warehouse, analysing and rectifying sources of error, and conducting customer satisfaction surveys.


To improve the quality of our offering and our customer services, we process your master data and contract data on the basis of an algorithm with a view to, for instance, creating profiles and probability values in relation to future rentals and to take-up rates for our offers.


Przetwarzamy również dane podstawowe, dane kontaktowe i dane dotyczące umów w związku z naszą współpracą z partnerami We also process your master data, communication data and contract data in connection with our collaboration with franchise partners, cooperation partners and agency partners, and for purposes of optimising the related processes and offers.


We also process address data originating from external service providers to update our address database and to ensure that the master data we use for contract handling is correct.


Legal basis for the above processing

Art. 6 (1) point a) of the General Data Protection Regulation (GDPR) applies where consent is required to implement measures intended to optimise our processes and offers.

Art. 6 (1) point f) GDPR.


Legitimate interest, to the extent that Art. 6 (1) point f) GDPR applies to the type of processing concerned

Our legitimate interests in using your personal data to improve our services and customer services lie in the fact that we want to offer you the best possible services and to sustainably improve customer satisfaction.

 

Categories of recipients

For the purposes described in the foregoing, we disclose your data to the following recipients: IT service providers, call centres, cooperation partners, agency partners and franchise partners.

 

8. Events and donations

 

Purposes of data processing

We may also process your master data and communication data to invite you to events as part of our customer service and customer loyalty activities. We may moreover use your master data and communication data for charitable purposes (e.g. to appeal for donations).


Legal basis for the above processing

Art. 6 (1) point f) GDPR applies to data processing for purposes of acquiring customers, strengthening customer relations and managing busine ss customers.

Art. 6 (1)point c) GDPR applies to data processing to the extent required to comply with commercial and tax retention periods.

 

Legitimate interest, to the extent that Art. 6 (1) point f) GDPR applies to the type of processing concerned
Our legitimate interests in using your personal data for customer service, customer loyalty and charitable purposes lie in our desire to, on the one hand, offer the best possible services and sustainably raise customer satisfaction, and, on the other, fulfil the social responsibilities that we, as a large company, are bound to.

 

Categories of recipients
For the purposes described in the foregoing, we disclose data relating to contacts at our business customers to the following recipients: IT and archive service providers, call centres, event organisers.

 

9. Cookies


Purposes of data processing
Our websites use “cookies”. Cookies are small text files that are copied from a web server onto your hard disk. Cookies contain information that can later be read by a web server within the domain in which the cookie was assigned to you. Cookies cannot execute any programmes or infect your computer with viruses. The cookies used by us neither contain personal data nor are they connected to any such data.


Further information on cookies and on deactivating them can be found in the cookie policy of the respective website (accessible via the link in the respective cookie banner and under the menu item “privacy policy”).

 

Legal basis for the above processing

The legal basis for this data processing is found in Art. 6 (1) point f) GDPR, as far as personal data is processed.


Legitimate interest, to the extent that Art. 6 (1) point f) GDPR applies to the type of processing concerned
Our legitimate interests in processing data via our websites lie in our desire to optimise our internet offering and, as such, offer our customers best possible services and increase customer satisfaction.


E: Transfer to third countries


If you use our services to reserve vehicles that are to be rented in a third country, we transmit your personal data and the data of any additional drivers to our business partners in such third country. This also applies if you use partner programmes from third countries. In cases of damage and/or accidents suffered in a third country, we may send your personal data and data of any additional drivers to the competent authorities and to insurance companies in such third country.


The transfer of your data to a third country is based on an adequacy decision by the European Commission. If no adequacy decision by the European Commission exists for the respective third country, then the transfer to that third country will take place subject to appropriate safeguards as per Art. 46 (2) GDPR. You can request copies of the aforementioned safeguards from SIXT by writing to the address specified above Third countries are countries outside the European Economic Area. The European Economic Area comprises all countries of the European Union as well as the countries of the so-called European Free Trade Association, which are Norway, Iceland and Liechtenstein.


We would like to inform you that in connection with the use of IT services providers located in Third countries, your personal data may be transferred to a third country. The legal basis for such transfer is the standard contractual clauses.


F: Storage duration/criteria for storage duration


SIXT stores your personal data until they are no longer necessary in relation to the purposes for which they were collected or otherwise processed. If you have not rented with SIXT for six years, your customer account will be deleted for inactivity. We carry out this deletion routine once a year. Where SIXT is under legal obligation to store personal data, it will store personal data for the preservation period stipulated by law and no longer than for the limitation period according to the provisions of polish law. During this period, your data may be subject to restricted use within day-to-day operations if its processing serves no further purposes.


G: Your rights

 

1. Rights pursuant to Art. 15 - 18, 20 GDPR


You have the right to, at reasonable intervals, obtain information about your personal data under storage (Art. 15 GDPR). The information you are entitled to includes information about whether or not SIXT has stored personal data concerning you, about the categories of personal data concerned, and about the purposes of the processing. Upon request, SIXT will provide you with a copy of the personal data that are processed.
You also have the right to obtain from SIXT the rectification of inaccurate personal data concerning you (Art. 16 GDPR).
You furthermore have the right to obtain from SIXT the erasure of personal data concerning you (Art. 17 GDPR). We are under obligation to erase personal data in certain circumstances, including if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, if you withdraw the consent on which the processing is based, and if the personal data have been unlawfully processed.
Under certain circumstances, you have the right to have the processing of your personal data restricted (Art. 18 GDPR). These include circumstances in which you contest the accuracy of your personal data and we then have to verify such accuracy. In such cases, we must refrain from further processing your personal data, with the exception of storage, until the matter has been clarified.
Should you opt to change to a different vehicle rental company, you have the right either to receive, in a machine-readable format, the data that you provided to us based on your consent or on a contractual agreement with us, or to have us transmit, also in a machine readable format, such data to a third party of your choice (Right to data portability, Art. 20 GDPR).

 

2. No contractual or legal obligation to provide data/consequences of failure to provide data


You are not contractually or legally obliged to provide us with your personal data. Please note, however, that you cannot enter into a vehicle rental contract with us or avail of other services provided by us if we are not permitted to collect and process the data as required for the purposes specified in the foregoing.

 

3. Right to object pursuant to Art. 21 GDPR


If the processing of your data by SIXT is performed on the legal basis of legitimate interests of SIXT, then you have the right to object at any time, on grounds relating to your particular situation, to the processing of your data. SIXT will then end the processing, unless we can present compelling legitimate grounds for such processing that supersede the grounds for ending the processing.
You may object, at any time and without restriction, to the processing of your personal data for purposes of direct advertising.

 

4. Right to withdraw consent at any time


If data processing at SIXT is based on your consent, then you have the right to, at any time, withdraw the consent you granted. The withdrawal of consent shall not affect the lawfulness of processing between the time consent was granted and the time it was revoked.

 

5. Right to lodge a complaint


You have the right to lodge complaints with the supervisory authorities according to Art. 77 GDPR
Prezes Urzędu Ochrony Danych Osobowych
ul. Stawki 2
00-193 Warszawa

 

Last update: September 2020 r.