Data protection supplement to the whistleblower hotline (Whistlefox)

We have set up a whistleblower hotline as part of our compliance management system. You can use it to submit information on situations that are covered by the Hinweisgeberschutzgesetz (HinSchG – German Whistleblower Protection Act) or which we otherwise have a legitimate interest in learning about.

We have engaged the law firm Heuking Kühn Lüer Wojtek as an outsourced internal reporting office (hereinafter: “reporting office”) to receive and examine this kind of information.

Information can be submitted to the reporting office using an online form, by telephone, by e-mail, by post or in person.

Information intended for the reporting office can be submitted anonymously.

Using the reporting office is voluntary.

When you submit a report to the reporting office, it will record the information that you have sent. This includes your personal data, if you disclose it, and generally also the names and other personal data of the people that you mention in your report. More details on how the reporting office handles your personal data can be found in the office’s data privacy notice.

a) Categories of personal data that we process

After the reporting office has reviewed the information you have submitted, it sends us a report that may contain the following personal data:

  • Names and other personal data of the whistleblower only if the whistleblower does not wish to remain anonymous and has given their consent that the report may be forwarded to us.
  • Names and other personal data of the people who are mentioned in the report that result from the information it contains.

Other personal data may be collected and processed by us in the course of the ongoing investigation of the reported issue and the further handling of the matter.

b) Purposes of data processing, legal basis

The data sent to us by the reporting office is processed in order to handle and manage reports of compliance violations, breaches of legal provisions and breaches in connection with our business operations by employees, customers, suppliers and other third parties.

If you disclose your identity and have agreed that your name may be forwarded to us by the reporting office, the legal basis for the processing of your personal data as a whistleblower is your consent (Article 6(1) sentence 1 (a) GDPR).

If the report involves situations that are covered by the HinSchG, section 10 HinSchG provides the legal basis for the processing of personal data concerning you as a whistleblower and concerning the data subject(s) referred to in the report.

Outside the scope of the HinSchG, the legal basis for the processing of personal data concerning you as a whistleblower and concerning the data subject(s) referred to in the report is our legitimate interest in detecting and preventing breaches of the law and misconduct (Article 6(1) sentence 1 (f) GDPR). A legitimate interest in detecting and preventing breaches of the law and misconduct exists if we are required by law to do so in specific areas. Moreover, violations of this kind can not only cause significant economic losses, but also lead to a considerable loss of reputation.

If the data subject is one of our employees, the legal basis for processing in the course of the handling or further investigation of the situation that has been reported is additionally provided by section 26(1) sentence 1 of the Bundesdatenschutzgesetz (BDSG – German Federal Data Protection Act) (processing for purposes of the employment relationship) or section 26(1) sentence 2 BDSG (processing in order to detect criminal offences) and, if applicable, our legitimate interest as described above (Article 6(1) sentence 1 (f) GDPR).

c) Disclosure to third parties

The confidential handling of all reports and data by the reporting office is ensured at all times and in every step of processing. This relates in particular to the personal data of the whistleblower and to the personal data of the data subject(s) referred to in the report. Only pre-defined, authorised individuals who are required to handle data in strict confidence have access to incoming reports and information about the processing of reports and follow-up measures.

If the report concerns another company in our group of companies, we will forward the contents of the report and the results of the further investigation of the situation to the respective company.

We may forward the contents of the report and the results of the further investigation of the situation in question to courts, authorities and other public agencies. This can be the case if we are required by law to disclose the data or if this is necessary in order to establish, exercise or defend legal claims.

In the course of the investigative actions and if legal claims are established, exercised or defended, we may additionally draw on the support of law firms or auditing companies.

Furthermore, we may involve (technical) service providers to help investigate and handle the situation that has been reported; they will work for us as a processor within the meaning of Article 28 GDPR and on the basis of appropriate agreements and will be subject to our instructions. They may also be informed of the contents of the whistleblowing report, but in any case will be required to handle the data in question in strict confidence.

Notwithstanding the observance of confidentiality, personal data of the whistleblower and the data subjects may be disclosed to authorities, courts or third parties in exceptional circumstances. This is the case when it is mandatory for us to disclose this information, for example in the context of an official investigation (e.g. as part of preliminary criminal investigations) or if this is necessary in order to establish, exercise or defend legal claims. In certain circumstances, we may also be required to disclose the reported information to the data subjects referred to in the report.

d) Duration of data storage

Personal data will be stored for as long as this is necessary to investigate the report and implement any follow-up measures that may be taken or for as long as we have a legitimate interest or for as long as is stipulated by law. The data will then be erased in accordance with the legal requirements.