Security and data protection

Data Protection Information

Sunny Cars GmbH appreciates your interest in our company and our products and services.

In the following Data Protection Information, we would like to inform you of which personal data we collect, process and, if applicable, transfer, as well as the scope and purpose thereof, when you visit our website and access the products and services available there.

Where this website contains links to the external sites of other providers, you leave our website when you follow these links. The providers of these linked sites, not Sunny Cars GmbH, are solely responsible for compliance with legal data protection provisions on them.

Data protection principles of Sunny Cars GmbH

The protection of your privacy and the security of all commercial data are very important to us and we take them into consideration in our business processes. Data protection and information security are part of our company policy.

We place great importance on protecting your personal data and only process it in compliance with the laws and regulations of the Federal Republic of Germany and superordinate European legislation, including the EU General Data Protection Regulation (GDPR). Your personal data is processed within the scope described below for the purposes explained. This means that we only use your personal data if this is explicitly permitted by data protection laws or you have already given us explicit consent.

Data security

Sunny Cars takes technical and organizational safety precautions in order to protect your personal data provided by us against manipulation, loss, destruction or access by unauthorized persons. This includes in particular that only authorized persons have access to your personal data, and this only to the extent that it is necessary within the scope of the purposes mentioned.  Our security measures are regularly reviewed and constantly improved in line with technological developments. Our employees are obliged to maintain confidentiality.

Definition of terms

The EU General Data Protection Information uses specific terms, which are defined in Article 4, e.g. personal data, processing, pseudonymisation, controllers, processors, recipients, third parties and consent.

Learn more about what certain expressions mean in the context of the General Data Protection Regulation

Name and contact details of the controller

The controller in accordance with the General Data Protection Information, other national data protection laws of the Member States and other legal data protection provisions is:

Sunny Cars GmbH   
Paul-Gerhardt-Allee 42   
81245 Munich   
Germany

Tel.: +49 89 - 82 99 33 900 (main point of contact)   
Fax: +49 89 - 82 99 33 66   
Email: info@sunnycars.de   
Website: www.sunnycars.de

Name and address of the data protection officer

The controller’s data protection officer is:

Dr Eddie Kohfeldt   
Paul-Gerhardt-Allee 42   
81245 Munich   
Germany   
Tel.: +49 89 - 82 99 33 900   
Email: datenschutz@sunnycars.de

Scope of the processing

In principle, we only process our users’ personal data when it is necessary to do so in order to provide a functioning website and for the content and services we offer. Personal data is only processed on the basis of currently applicable legal foundations.

Purposes of the processing

The purposes of the processing of personal data lie in conducting the business of the Sunny Cars Group (Sunny Cars GmbH, Sunny Cars International GmbH and Sunny Cars Vermietungsgesellschaft mbH) and all associated secondary business.

Legal basis for the processing

  • The legal basis for processing personal data that is necessary for the performance of a contract to which the data subject is party is Article 6 (1)(b) GDPR. This also applies for processing operations that are necessary for the implementation of pre-contractual measures.
  • If the processing is necessary for the protection of the legitimate interests of our company or a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Article 6 (1)(f) GDPR forms the legal basis for the processing.
  • When we obtain consent for processing operations for personal data from the data subject, Article 6 (1)(a) GDPR forms the legal basis.
  • When the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Article 6 (1)(c) GDPR forms the legal basis.
  • In the event that the processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, Article 6 (1)(d) GDPR forms the legal basis.

Statutory or contractual duties to provide personal data

There may be statutory or contractual requirements for you to provide personal data under certain circumstances, or it may be necessary to do so in order to enter into a contract.

In particular, you may be obliged to provide personal data to us when entering into contracts. Failure to provide the personal data could mean it is not possible to enter into the contract with you.

Transfer of personal data

We only share your personal data with third parties when

  • it is necessary for the performance of an existing contract with you.
  • it is necessary for the protection of our legitimate interests or those of a third party, unless such interests are overridden by your (the data subject’s) interests or fundamental rights and freedoms requiring the protection of personal data.
  • we are legally required to do so.
  • it is necessary for the enforcement of our claims and rights.
  • we receive requests from official institutions (e.g. supervisory authorities or law enforcement authorities, when transfer is necessary for the prevention of threats to public security and order and the prosecution of criminal offences).
  • you have given us your consent thereto.

However, in the case of such transfer, the personal data may only be used for the purpose concerned.

Involvement of external service providers

Like most other companies, we are not specialists in everything. We therefore use service providers to support us in some areas of our business activity, e.g.

  • IT service providers to maintain our infrastructure
  • IT developers to develop our applications
  • IT service provider for business applications (ERP, CRM)
  • Service provider for specific applications used on our website
  • computer centres to securely run our services
  • agencies and printers to send out email newsletters or printed information

We have entered into the legally required contracts on processing that specifically state what the service provider may do with which data. In particular, transfer to third parties is also excluded here. In these contracts, service providers are placed under obligation to comply with the applicable data protection provisions.

Data erasure and storage period

Personal data will be erased or made unavailable as soon as the purpose of storage ceases to apply. Storage can also be carried out if this is provided for by the European or national legislator in Union regulations, laws or other rules to which the controller is subject. Data will only be made unavailable or erased if a storage period prescribed by the aforementioned standards lapses, unless continued storage of the data is necessary.

Details on the processing of personal data

Operation of the website and creation of log files

In principle, you can visit our website without registering or logging in. When you visit our website, data is collected by the web server for the transfer of data (information on the system of the computer used) and sometimes stored in log files on the web server. This data is so-called “usage data”.

Learn more about the creation of log files when you visit our website

Use of cookies

Cookies are not fundamentally evil, but allow user interactions and other   
useful things when using websites. Cookies are small text files that your browser stores on   
instruction of our website in your terminal device. Cookies do not direct anydamage and do not contain viruses. In order to make a visit to our website attractive and to facilitate the use of certain functions we use various cookies to make this possible.

Learn more about the use of cookies

Contact forms and email contact

On our website there is a contact form that can be used to contact us electronically. If you choose this option, the data entered into the entry form will be transferred to us and stored.

Learn more about the processing of data entered when making contact electronically

Phone contact

A service phone number is indicated on our website, that can be used to contact us by phone. If you choose this option, information exchanged may be transferred to our customer database.

Find out more about the processing and storage of personal data when you call us by phone

Subscription to our newsletter

On our website there is the option to subscribe to a free newsletter. When signing up for the newsletter, data from the entry form is transferred to us and stored.

Learn more about the processing of personal data when you sign up for our newsletter

Commenting on our blog

On our website we run a public blog with articles on various topics. Readers can leave comments on individual blog posts. There are various reasons for collecting and processing the personal data of those who leave comments.

Learn more about the processing of personal data when you comment on our blog

Creating an account

On our website we give users the option to register by providing personal data. When doing so, the data is entered into an entry form, transferred to us and stored.

Once you have registered, we give you access to our download portal.

Learn more about the processing of personal data when you register with us

Use of Sunny2go

If you have an existing car rental booking, you can take advantage of the option to receive additional services in connection with your booking via Sunny2go.

Learn more about the processing of personal data when you use Sunny2go

Use of our booking and reservation system

On our website we run a booking portal for hire car reservations.

Your personal data is then collected and processed when you provide this voluntarily, e.g. when booking a hire car.

Learn more about the processing of personal data that you enter into our booking and reservation system

Use of payment services

For certain payment types, you will be redirected to the relevant payment services provider’s website during the payment process. The processing of data is then carried out by the payment services provider.

Learn more about the processing of data entered when using payment services

Use of third-party providers’ add-ons

Like many other companies, we use add-ons from third-party providers (social media, analytics tools, marketing tools, etc.). They enable personal data (e.g. IP numbers, information from pseudonymised cookies, geodata, etc.) to be passed on or automatically transferred to the third-party providers. The nature, scope, purpose and duration of such processing of personal data can differ from case to case.

Learn more about the processing of data by third-party add-ons we use

When you make an application

You have the option to make an application via our website. We solely process the personal data that you send us during an application to carry out the application process.

Learn more about the processing of personal data when you send us an application

Processing of business contacts

For business reasons, we receive or collect contact information from employees and managing directors of other companies as well as from officials or elected representatives of public institutions on various occasions. This information is stored in our contact database as a business contact and may be used for communication.

Find out more about processing and storing of business contacts

Processing of data when visiting the Sunny Cars Facebook page

In addition to our own website, we use a Facebook page for communication and interaction with our customers and prospects. We and Facebook are responsible as joint controllers for processing the personal data of visitors to this site.

Learn more about the processing and storage of personal data when visiting our Facebook page

How and why we process your data when you use our whistleblower hotline

We have set up a whistleblower hotline as part of our compliance management system. You can use it to submit information on situations that are covered by the Hinweisgeberschutzgesetz (HinSchG – German Whistleblower Protection Act).

Learn more how and why we process your data when you use our whistleblower hotline

Your rights as a data subject

If your personal data is processed, you are a data subject in accordance with GDPR and you have the following rights against the controller:

Right of access   
You can request confirmation as to whether and which personal data concerning you is processed by us.

Right to rectification   
You have a right to rectification and/or completion if the processed personal data concerning you is incorrect or incomplete.

Right to erasure (“Right to be forgotten”)   
You can request the personal data concerning you to be erased immediately and the controller is obliged to erase this data immediately where certain grounds apply.

Right to restriction of processing   
Under certain circumstances, you can request restriction of processing of personal data concerning you (e.g. by making it unavailable for use or temporarily removing it from the website, if it is published there).

Right to information   
If you have enforced the right to rectification, erasure or restriction of processing, the controller is obliged to inform all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of the data or restriction of processing.

Right to data portability   
You have the right to receive personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format.

Right to object   
You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is performed in accordance with Article 6 (1)(e) or (f) GDPR.

Right to withdraw the legal data protection declaration of consent   
You have the right to withdraw your legal data protection declaration of consent at any time. The withdrawal of consent will not affect the lawfulness of processing carried out based on the consent prior to withdrawal.

Automated decision-making including profiling   
You have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning you or similar significantly affects you.

Right to lodge a complaint with a supervisory authority   
You have the right to lodge a complaint with a data protection supervisory authority.

Learn more about your rights as a data subject

 

Last updated: January 2024