Data Privacy

1. Privacy Policy

In the following we would like to inform you about the types of data processed by Zippy7 and about the purposes of such data processing. We would also like to inform you about important legal aspects of data protection, such as your rights.

Our contact details

Zippy7 Autorent GmbH

Reichstrasse 4, 2401 Fischamend, Österreich

Phone: +43 664 153 1881

E-mail: info@zippy7.com

Website: www.zippy7.com

Please note we reserve the right to change or modify this privacy policy at any time. Any changes will be posted onto the website and we would also inform you about the changes via email.

1. Definitions (Art. 4 GDPR)

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

‘data controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data

‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

2. Principles relating to processing of personal data (Art. 5 GDPR)

The data controller shall follow the principles that personal data shall be: 

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); 

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) GDPR, not be considered to be incompatible with the initial purposes (‘purpose limitation’); 

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); 

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); 

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR subject to implementation of the appropriate technical and organizational measures required by GDPR in order to safeguard the rights and freedoms of the data subject (‘storage limitation’); 

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’). 

The data controller shall be responsible for, and be able to demonstrate compliance with the principles above (‘accountability’).

3. Data controller

The party responsible for processing your data (data controller) is Zippy7 Autorent GmbH (hereinafter also referred to as Zippy7).

4. Categories of personal data

• Master data: These include, for example, a person’s first name, surname, address (private and/or business), date of birth. 
• Communication data: These include, for example, a person’s telephone number, email address (private and/or business) fax number if applicable, as well as the content of communications (e.g. emails, letters, faxes).
• Contract data: These include, for example, the rental information (vehicle category, pick-up and return dates, pick-up and return branch, booked extras/services), rental contract number, reservation number, driver’s license data, driver’s license photograph, license plates of the vehicle you rented, and information on customer loyalty and partner programmes. 
• Financial data such as credit card data. 
• Voluntary data: These are data that you provide to us on a voluntary basis, without us having explicitly requested them, and include information such as your preferences with regard to the vehicle’s equipment and category. 
• Special data categories: In the event of an accident, damage to the vehicle, or similar incidents, we process data relating to the respective course of events and the damage incurred. These data may be provided by customers, passengers or injured parties. The data processed in such circumstances can include health-related data such as data on injuries, blood alcohol levels, driving under the influence of narcotic substances, and the like. The health-related data are the special category of personal data.
• Third-party data: If, within the scope of your vehicle rental, you provided us with personal data of third parties (e.g. family members, second drivers, passengers), then we will also process these data. In this case, you should declare simultaneously with the acceptance of this privacy policy that you have authorisation to share the data of third parties with us. In the course of enforcing a claim created by third parties in connection with the share of their personal data, we exclude our liability.

5. The legal basis for data processing at Zippy7 

Art. 6 (1) sentence 1 point a) of the General Data Protection Regulation (GDPR): Pursuant to this provision, the processing of your personal data is lawful if and to the extent that you have given your consent to such processing. You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before your withdrawal.

Art. 6 (1) sentence 1 point b) GDPR: Pursuant to this provision, the processing of your personal data is lawful if such processing is necessary for the performance of a contract to which you are party, or in order to take steps at your request prior to entering into a contract (e.g. when making the vehicle reservation). 

Art. 6 (1) sentence 1 point c) GDPR: Pursuant to this provision, the processing of your personal data is lawful if such processing is necessary for compliance with a legal obligation to which Zippy7 is subject. 

Art. 6 (1) sentence 1 point f) GDPR: Pursuant to this provision, the processing of your personal data is lawful if such processing is necessary for the purposes of the legitimate interests pursued by the data controller, i.e., Zippy7, or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, i.e., you yourself. 

Art. 9 (2) point f) GDPR: Pursuant to this provision, certain special categories of personal data can be processed if such processing is necessary for the establishment, exercise or defense of legal claims. These special categories of personal data include the health data of the data subjects.

6. The purposes of data processing
7. Reserving and renting vehicles 

Purposes of data processing 

We process your master data, communication data, contract data, financial data and any data you have provided voluntarily for purposes of implementing your reservations and facilitating the conclusion and performance of your rental contract. We moreover use the master data, communication data and contract data for customer relations purposes, for example to handle any complaints or changes of reservation that you contact us about. If you book your vehicle via travel agencies, online travel agencies or other agents, then your master data, communication data, rental information and, if applicable, financial information, will be transferred to us by our partners. We also use your master data and contract data for purposes of settling accounts (e.g. commissions and sales processing) with, for example, travel agencies, other agencies, franchise partners and cooperation partners. We are furthermore legally obliged – for purposes of preventing and investigating criminal offenses – to compare your master and communication data with official perpetrator lists provided to us. Such comparisons also serve to ward off dangers and to facilitate prosecution by the state authorities. We furthermore use your data for your and our security, for example to avoid payment defaults and to prevent property offenses. Once both contracting parties have fulfilled their obligations under the rental contract, your master data, financial and contract data will be stored until the statutory retention period expires.

Upon entering into the rental contract, you are being informed, you understand and expressly agree that the car may be equipped with a tracking device in order to determine the location of the car in the case of theft and/or other damage to the car. Installation of the tracking device is prevention of criminal offense. 

Legal basis for the above processing 

If you would like to reserve and rent a vehicle, Art. 6 (1) sentence 1 point a) GDPR applies to the processing your data to start the reservation and renting of the vehicle.

Art. 6 (1) sentence 1 point b) GDPR applies to the processing of data to the extent required to implement reservations, to conclude and perform contracts and for customer relations purposes. 

Art. 6 (1) sentence 1 point c) GDPR applies to the processing of data to the extent required to detect, prevent and investigate criminal offenses, to examine and store driver’s license data, and to comply with preservation periods under commercial and tax law. 

Art. 6 (1) sentence 1 point f) GDPR applies to the processing of data to the extent required to settle accounts vis-à-vis third parties, to assert our own claims, and to mitigate risks and prevent fraud. 

As part of our measures to prevent fraud, we also transmit – in situations where third parties have been, or are at risk of being, defrauded – personal data to such third parties having suffered, or at risk of, fraud.

To conclude and perform your rental contract, we have a recourse to the following data processors:

1. VIP-DATA d.o.o.

registered seat: Ulica grada Vukovara 269D, 10000 Zagreb, Croatia 

website: www.renteon.com

e-mail: info@renteon.com

2. ViaBTC Technology LTD.

registered seat: Room 1907 ,19/F, LEE GARDEN ONE, 33 HYSAN AVENUE, CAUSEWAY BAY, Hong Kong

website: www.viawallet.com

e-mail: support@viawallet.com

3. Registrierkasse Pocketbill

registered seat: Karajangasse 7 Top 1 1200 Wien

website: www.pocketbill.at

e-mail: office@pocketbill.at

2. Marketing and direct advertising 

Purposes of data processing 

We process your master data, communication data and contract data for purposes of promoting customer loyalty, implementing customer loyalty and bonus programmes (including our own and those of our cooperation partners), optimizing customer offers, market or public opinion research as well as holding customer events (see also → Events and donations). You may object to any processing or use of your data for direct marketing purposes at any time. Please send any objections to:Zippy7 Autorent GmbH. via email to: info@zippy7.com 

Legal basis for processing 

Art. 6 (1) point a) GDPR applies to data processing for purposes of implementing direct marketing measures that require explicit prior consent. 

Art. 6 (1) point f) GDPR applies to data processing for purposes of implementing direct marketing measures that do not require explicit Page 4 V2.1 prior consent, and of implementing the marketing measures mentioned (→ Purposes of data processing). Legitimate interest, to the extent that Art. 6 (1) point f) GDPR applies to the type of processing concerned 

Our legitimate interests in using your personal data for purposes of implementing direct marketing measures and the marketing measures mentioned lie in the fact that we want to convince you of our services and promote a lasting customer relationship with you. Categories of recipients 

For the purposes described in the foregoing, we disclose your data to IT service providers, call centers, advertising partners and providers of customer loyalty and bonus programmes. 

3. Business customers/payment by third parties 

If you rent a vehicle through your employer, we also process your data for the purposes described in this Data Privacy Policy. This also applies mutatis mutandi if a third party is to pay the invoice. In this case, you should declare simultaneously with the acceptance of this privacy policy that you have authorisation to share the data of third parties with us. In the course of enforcing a claim created by third parties in connection with the share of their personal data, we exclude our liability.

Categories of recipients of your data

We transmit personal data collected during the rental (in particular in the form of invoices and rental agreements, possibly also in the form of monthly statements, as well as possible traffic tickets and accident reports) to your employer or the third party wh2o is to pay your invoice. 

Legal basis for the above processing Art. 6 (1) sentence 1 point b) GDPR applies to the processing of data to the extent required to implement reservations, to conclude and perform rental and framework agreements and for customer relations purposes, otherwise Art. 6 (1) point f) GDPR. 

Legitimate interest, to the extent that Art. 6 (1) point f) GDPR applies to the type of processing concerned 

Insofar as the processing of data for the purpose of settling the account with your employer or third parties or for clarification of facts (in particular in the case of accidents or administrative offenses) is concerned, our legitimate interest is in being able to assert invoice amounts and other claims or to determine the party against which the damage claim is asserted. 

4. Damage, accidents, administrative offenses 

Purposes of data processing 

If you discover damage to our vehicles, if you or another person cause/causes such damage, or if you or another person are/is involved in an accident with one of our vehicles, then we will process you master data, communication data, contract data, financial data and, if applicable, data concerning health for the following purposes: 

• receiving and processing complaints 

• providing customer services in cases of damage 

• settling claims 

• processing damages resulting from accidents (processing based on information provided by you and third parties such as the police, subsequent renters, witnesses, etc.) 

This includes the processing of the aforementioned data categories for purposes of settling claims, for example vis-à-vis insurance companies. 

When dealing with cases of damage and accidents, we also process you master data, communication data and contract data with a view to providing help in the form of our Zippy7 damage assistance services and mobility guarantee. 

We also process your master data, communication data and contract data for purposes of fulfilling legal obligations (e.g. providing information to investigating authorities). 

Should the competent authorities suspect you of having committed an administrative or criminal offense with one of our vehicles, then we will process not only the master data pertaining to you that we have stored, but also the data conveyed to us by the competent authorities. 

We also process your master data, communication data, financial data, contract data and, if applicable, data concerning health, for purposes of upholding and asserting any claims that we may have against you, for example claims resulting from non-payment or damage caused to our vehicles. 

Legal basis for processing 

Art. 6 (1) sentence 1 point b) GDPR applies to data processing for purposes of complaints management, providing customer services in Page 5 V2.1 cases of damage, and processing damages resulting from accidents. 

Art. 6 (1) sentence 1 point c) GDPR applies to data processing for purposes of processing damages resulting from accidents. 

Art. 6 (1) sentence 1 point f) GDPR applies to data processing for purposes of settling claims, asserting any claims that we may have against you, and handling claims relating to administrative offenses. 

Art. 9 (2) point f) GDPR applies to the processing of data concerning health for purposes of establishing, exercising or defending legal claims. 

Legitimate interest, to the extent that Art. 6 (1) sentence 1 point f) GDPR applies to the type of processing concerned 

Our legitimate interests in using your personal data for purposes of settling claims and asserting any claims that we may have against you lies in our desire to ward off damage to our company and to ensure that we can provide our customers with undamaged vehicles. We are moreover obliged, pursuant to our contractual relations with third parties (e.g. insurance companies), to process your data for purposes of settling claims. Our legitimate interests in this respect lie in ensuring our contractual fidelity. 

Categories of recipients 

For the purposes described in the foregoing, we disclose your data to the following recipients: public authorities (investigating authorities; regulatory authorities; police authorities), collecting companies, experts, assistance services providers, lawyers and insurance companies. 

5. Processing based on statutory provisions 

Purposes of data processing 

We process your master data, communication data, contract data and financial data for purposes of fulfilling the legal obligations to which Zippy7 is subject. These require us to process data, for example in order to comply with duties of disclosure vis-à-vis authorities and to comply with the processing requirements as stipulated by commercial and tax law provisions (e.g. the preservation period for bookkeeping documents and accounting records). 

Legal basis for processing 

Art. 6 (1) sentence 1 point c) GDPR 

Categories of recipients 

The authorities may require us to disclose your data to them for the purposes described above. 

6. Improving our processes and offerings 

Purposes of data processing 

We process your master data, communication data and contract data, as well as any data provided voluntarily, for purposes of optimizing our processes and offerings. 

This involves, for example, compiling and evaluating rental reports, implementing capacity planning to improve vehicle allocation procedures, setting up a data warehouse, analyzing and rectifying sources of error, and conducting customer satisfaction surveys. 

To improve the quality of our offering and our customer services, we process your master data and contract data on the basis of an algorithm with a view to, for instance, creating profiles and probability values in relation to future rentals and to take-up rates for our offers. We also process your master data, communication data and contract data in connection with our collaboration with franchise partners, cooperation partners and agency partners, and for purposes of optimizing the related processes and offers (cf. → Reserving and renting vehicles). We also process address data originating from external service providers to update our address database and to ensure that the master data we use for contract handling is correct. 

Legal basis for the above processing 

Art. 6 (1) sentence 1 point a) of the General Data Protection Regulation (GDPR) applies where consent is required to implement measures intended to optimize our processes and offers. Art. 6 (1) sentence 1 point f) GDPR. Legitimate interest, to the extent that 

Art. 6 (1) point f) GDPR applies to the type of processing concerned 

Our legitimate interests in using your personal data to improve our services and customer services lie in the fact that we want to offer you the best possible services and to sustainably improve customer satisfaction. 

Categories of recipients 

For the purposes described in the foregoing, we disclose your data to the following recipients: IT service providers, call centers, cooperation partners, agency partners and franchise partners. 

7. Cookies 

Purposes of data processing 

Our websites use “cookies”. Cookies are small text files that are copied from a web server onto your hard disk. Cookies contain information that can later be read by a web server within the domain in which the cookie was assigned to you. Cookies cannot execute any programmes or infect your computer with viruses. The cookies used by us neither contain personal data nor are they connected to any such data. 

Further information on cookies and on deactivating them can be found in the cookie policy of the respective website (accessible via the link in the respective cookie banner and under the menu item “privacy policy”). 

Legal basis for the above processing 

The legal basis for this data processing is found in Art. 6 (1) sentence 1 point b) (precontractual processing) and f) GDPR, as far as personal data is processed. 

Legitimate interest, to the extent that Art. 6 (1) point f) GDPR applies to the type of processing concerned 

Our legitimate interests in processing data via our websites lie in our desire to optimise our internet offering and, as such, offer our customers best possible services and increase customer satisfaction. 

7.Storage duration/criteria for storage duration

Zippy7 stores your personal data until they are no longer necessary in relation to the purposes for which they were collected or otherwise processed (cf. → Purposes of data processing at Zippy7). If you have not rented with Zippy7 for six years, your customer account will be deleted for inactivity. We carry out this deletion routine once a year. Where Zippy7 is under legal obligation to store personal data, it will store personal data for the preservation period stipulated by law. The preservation period for commercial documents, which include bookkeeping documents and accounting records (including invoices), is up to 10 years. During this period, your data may be subject to restricted use within day-to-day operations if its processing serves no further purposes. 

8. Your rights 
9. Rights pursuant to Art. 15 – 18, 20 GDPR 

You have the right to, at reasonable intervals, obtain information about your personal data under storage (Art. 15 GDPR). The information you are entitled to includes information about whether or not Zippy7 has stored personal data concerning you, about the categories of personal data concerned, and about the purposes of the processing. Upon request, Zippy7 will provide you with a copy of the personal data that are processed. You also have the right to obtain from Zippy7 the rectification of inaccurate personal data concerning you (Art. 16 GDPR). You furthermore have the right to obtain from Zippy7 the erasure of personal data concerning you (Art. 17 GDPR). We are under obligation to erase personal data in certain circumstances, including if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, if you withdraw the consent on which the processing is based, and if the personal data have been unlawfully processed. Under certain circumstances, you have the right to have the processing of your personal data restricted (Art. 18 GDPR). These include circumstances in which you contest the accuracy of your personal data and we then have to verify such accuracy. In such cases, we must refrain from further processing your personal data, with the exception of storage, until the matter has been clarified. Should you opt to change to a different vehicle rental company, you have the right either to receive, in a machine-readable format, the data that you provided to us based on your consent or on a contractual agreement with us, or to have us transmit, also in a machinereadable format, such data to a third party of your choice (Right to data portability, Art. 20 GDPR). 

2. No contractual or legal obligation to provide data/consequences of failure to provide data 

You are not contractually or legally obliged to provide us with your personal data. Please note, however, that you cannot enter into a vehicle rental contract with us or avail of other services provided by us if we are not permitted to collect and process the data as required for the purposes specified in the foregoing (cf. → The purposes of data processing at Zippy7) 

3. Right to object pursuant to Art. 21 GDPR 

If the processing of your data by Zippy7 is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller (Art. 6 (1) sentence 1 point (e) GDPR) or if it is necessary in the legitimate interests of Zippy7, then you have the right to object at any time, on grounds relating to your particular situation, to the processing of your data. Zippy7 will then end the processing, unless we can present compelling legitimate grounds for such processing that supersede the grounds for ending the processing. You may object, at any time and without restriction, to the processing of your personal data for purposes of direct advertising. 

4. Right to withdraw consent at any time 

If data processing at Zippy7 is based on your consent, then you have the right to, at any time, withdraw the consent you granted. The withdrawal of consent shall not affect the lawfulness of processing between the time consent was granted and the time it was revoked. 

5. Right to lodge a complaint 

You have the right to lodge complaints with the supervisory authority responsible for Zippy7: Österreichische Datenschutzbehörde Barichgasse 40-42 1030 Vienna Austria, Telefon: +43 1 52 152-0, E-Mail: dsb@dsb.gv.at

6. Remedies (Art. 77 and 78 GDPR)

Right to an effective judicial remedy against a supervisory authority: You have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them and you have the right to an effective judicial remedy where the supervisory authority which is competent does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged. 

Right to an effective judicial remedy against a controller or processor: You have the right to an effective judicial remedy where you consider that your rights under GDPR have been infringed as a result of the processing of your personal data in non-compliance with GDPR. 

9. Personal data breach (Art. 33 and 34 GDPR)

Notification of a personal data breach to the supervisory authority: In the case of a personal data breach, the data controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. The data controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. 

Communication of a personal data breach to the data subject: When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject referred above shall not be required if any of the following conditions are met: (a) the data controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption; (b) the data controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred above is no longer likely to materialize; (c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner. If the data controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the above conditions are met.

This Privacy Policy shall enter into force by publication on the website, on the 01.03.2022 and shall remain in force until it is withdrawn.

Fischamend, 01.03.2022