EUROPCAR INTERNATIONAL S.A.S.U., 13 ter Boulevard Berthier, 75017, Paris, France, (hereinafter ”EUROPCAR”) and The Key to Mobility Services GmbH, Schwalbacher Str. 72, 65760 Eschborn, Germany (hereinafter ”K2M”) have joined their forces (together referred to as “we”, “us” or “our(s)”) to offer you a multi-modal mobility solution through this application (hereinafter “App”).

To use it, you will have to provide your personal data for different purposes in particular to create and access your personal account and additional services. For these purposes, we are acting mainly as joint controllers. The cases in which K2M acts as a separate controller are expressly pointed out to you in the respective section of this Privacy Policy.

To offer you the multi-modal mobility App with different Mobility Service Providers (hereinafter ”MSP”), your personal data will also be transmitted with different parties such as the respective MSP or Payment Service Provider (hereinafter ”PSP”), depending on the services that you choose. This transmission will only occur, if you request the use of one service from a MSP through the App. In that context, the MSP will act as an independent Data Controller based on its own Privacy Policy.

When you communicate your Personal Data to us or when we collect Personal Data about you, we undertake to use it in accordance with this Privacy Policy. In the following you will be informed about what personal data is involved, how it is processed and what rights you are entitled to in this regard, in particular with regard to the General Data Protection Regulation (EU) 2016/679 (GDPR).

By Personal Data, we mean data that identifies you directly, but also data that identifies you indirectly.

The categories of Personal Data that we collect include the following:

• Identity and contact details (such as name, address, phone number, email address, date of birth)
• Identification data (such as driver’s licence and ID Card)
• Contract and booking data (such as selected vehicle, time of booking)
• Data relating to the use of the App and settings (such as country, language, time zone, IP addresses and other information strictly necessary to provide the requested services collected through tracking technologies), preferences, IT-usage data
• Data relating to customer satisfaction (such as ratings and surveys)

The following data is only processed by K2M as a separate controller:

•  Invoice Data (such as invoice amount, date and number of invoice)

To operate the App and provide you with the reququested services we will process the above mentioned categories of data. Therefore the information necessary will be stored on your device or already existing information will be accesses by us, so-called Cookies. We will only use those Cookies, if this is strictly necessary for technical reasons or for the functionality of the App and its services, that you have requested. This will be data regarding your identity, identification and contact details as well as data regarding the usage of the App itself, e.g. geodata to operate the map view, and data regarding your bookings. For more information regarding the processed categories of data and purposes and legal basis for this we refer to the above Sec. 1 and the following Sec. 3.

We collect and process your Personal Data for various purposes and on the following legal basis:

The following only applies to K2M as a separate controller:

4.1. Categories of recipients

Your Personal Data may be communicated to our employees, our authorized representatives and third parties in order to provide you the services that you choose; in particular:

• to the MSPs with whom you book a mobility service;
• to our subcontractors, in particular our IT service providers for hosting, maintenance or development purposes, who assist us in providing you with our services;
• to marketing agencies to help us analyse your customer satisfaction.

We may also disclose your personal data in accordance with applicable laws and regulations to the relevant authorities, if requested to act as such.

4.2. International transfers

We may also transfer your data to a country outside the European Economic Area (EEA), for example the United States of America. This transfer takes place in compliance with the special requirements of Art. 44 - 49 GDPR, whereby the appropriate level of protection is guaranteed in particular either by an adequacy decision of the European Commission pursuant to Art. 45 GDPR, concluded EU standard contractual clauses pursuant to Art. 46 para. 2 lit. c and d GDPR or binding internal data protection regulations pursuant to Art. 47 GDPR. You can access and view the EU standard contractual clauses on the website of the European Commission or request a copy directly from us.

Your Personal Data is kept for different periods of time, depending on the purposes of the processing concerned.

The following only applies to K2M as a separate controller:

Within the limits and conditions allowed by the regulations in force, you can:

• access your Personal Data and obtain further information on the characteristics of the processing we carry out;
• have your Personal Data corrected, updated and deleted, it being specified that deletion can only be carried out when (i) the data is no longer necessary in relation to the purposes for which it was processed, (ii) you withdraw your consent and there is no other legal basis for the processing, (iii) you object to the processing of your personal data and there is no compelling legitimate reason for the processing, (iv) your personal data has been processed unlawfully, (v) the personal data must be deleted in order to comply with one of our legal obligations;
• receive the personal data you have provided us with in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party when the processing of your personal data (i) has been carried out by automated means and (ii) is based on your consent or on the execution of a contract binding us;
• request the restriction of the processing of your Personal Data, which means that we will not be able to use your Personal Data for a defined period of time. You can exercise this right when: (i) you dispute the accuracy of your personal data for a period of time that allows us to verify the accuracy of your personal data; (ii) the processing of personal data is unlawful and you object to the deletion of your personal data and instead demand that its use be restricted; (iii) we no longer need your Personal Data but they are still required for the establishment, exercise or defence of legal claims; (iv) you object to the processing for reasons relating to your particular situation, while we are checking whether the legitimate reasons pursued by us take precedence over your own;
• withdrawing your consent to data processing based on your consent;
• submit a complaint to a supervisory authority;

Right of objection

You have the right to object to the processing of your personal data in accordance with Art. 21 GDPR, insofar as there are grounds for doing so that arise from your particular situation or the objection is directed against general direct marketing or direct marketing tailored to you. In the latter case, you have a general right to object, which we fulfil regardless of your particular situation.

If you would like to know more about the provisions of this Privacy Policy,you can contact us at the following addresses:

To exercise your rights, you must prove your identity by clearly indicating your surname, first name and any useful information enabling us to identify you (such as your postal address or date of birth). You must also give us the e-mail address or the physical address to which you would like the reply to be sent to you.

We are committed to protect your Personal Data. In particular, we use appropriate physical, technical and organizational security measures to prevent unauthorized or unlawful processing, accidental loss, destruction or damage of your Personal Data.

This Privacy Policy has the status as of January 2024. We are permitted to modify our Privacy Policy anytime in compliance with Art. 13 GDPR.

EUROPCAR INTERNATIONAL S.A.S.U. and The Key to Mobility Services GmbH (collectively “Parties”) jointly operate this Europcar Mobility App. The subject of joint responsibility according to Art. 26 GDPR is the processing of customer data, in particular contact data, identification data, booking data, data relating to the use of this App, as well as data relating to your satisfaction. The data is maintained centrally in the shared system and kept up to date in order to be able to carry out the business relationship and process your concerns efficiently. The parties have recorded the details of the collaboration and the operation of the shared system in an agreement.

To fulfill your data subject rights in connection with this joint responsibility, you may contact either Party.