DATA PRIVACY NOTICE

I. Controller

The Controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is the:

Oscar Autovermietung GmbH
Sandstr. 3
80335 Munich
e-mail: [email protected]
Phone no.: +49 89 125039110

Contact details of the data protection officer:

PROLIANCE GmbH
www.datenschutzexperte.de
Leopoldstr. 21
80802 Munich
[email protected]

When contacting the Data Protection Officer, please state the company to which your enquiry relates. Please refrain from enclosing sensitive information such as a copy of an identity card with your request.

II. Provision of the website and creation of log files

1. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.

The following data is collected:

  • Information about the browser type and version used
  • The operating system of the user
  • The IP address of the user
  • Date and time of access
  • Websites that are accessed by the user's system via our website

The data is stored in the log files of our system. This data is not stored together with other personal data of the user.

2. Legal basis for data processing

The legal basis for the collection and temporary storage of the data is our overriding legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

3. Purpose of data processing and legitimate interest

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.

The storage in log files is done to ensure the functionality of the website. In addition, we use the data for the technical optimisation of the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

These purposes are also our legitimate interest in data processing according to Art. 6 para. 1 lit. f GDPR.

4. Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

In the case of storage of data in log files, this is the case after seven days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or alienated so that an assignment of the calling client is no longer possible.

5. Possibility of objection and withdrawal

The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility for the user to object.

III. Booking process on our website & app

1. Description Scope and purpose of data processing

Booking

If you would like to rent a vehicle on our website, we process the data you enter for the purpose of initiating and concluding the contract between you and us and you and the provider. We need your name and address to conclude the brokerage contract with us. The provider needs your name and address for identification purposes. We use your mobile and/or telephone number if we need to contact you urgently, for example in the event of a booking error. We also send the telephone number to the provider you have chosen. It is used, for example, if you are parked in a no-parking zone with the rental car and the provider is informed of this. We need your date of birth to ensure that you are the right age for a rental. We need your driving licence details to check the validity of your driving licence for the provider. We also send your date of birth and driving licence details to check the validity to the provider.

For the payment of the price for the rental car we need your payment details. Your credit card details in case of payment by credit card. You also have the option to pay via Paypal. We transmit the payment data to the payment provider authorised by you. We will not be able to process your booking if you do not provide this information.

App

You can also make vehicle bookings in our app. When you download our app, certain personal data required for this purpose will be transmitted to the corresponding app store (e.g. Apple App Store or Google Play). In particular, the email address, username, customer number of the downloading account, the individual device identification number, payment information and the time of the download will be transmitted to the app store during the download. We have no influence on the collection and processing of this data, which is carried out exclusively by the app store selected by you. Accordingly, we are not responsible for this collection and processing; the responsibility for this lies solely with the app store. We also process device information to make the operation of the app technically possible. Access data includes the IP address, device ID, device type, device-specific settings and app settings, the date and time of the retrieval, time zone, the amount of data transferred and the message whether the data exchange was complete, app crash, browser type and operating system.

2. Legal basis

The legal basis for the processing of your data is the performance of the contract pursuant to Art. 6 para. 1 lit. b GDPR. The legal basis for the processing of access data in the app is our overriding legitimate interest in a functioning and trouble-free app (Art. 6 para. 1 lit. f GDPR).

3. Storage period

After complete processing of the booking, your data will be restricted for further processing and deleted after expiry of the retention periods under tax and commercial law in accordance with Art. 6 para. 1 p. 1 lit. c GDPR.

The access data in the app will be deleted after 2 months at the latest.

4. Receiver

We integrate third-party payment services on our website. We integrate the payment service providers Paypal (Europe) S.à r.l. et Cie, S.C.A. (22-24 Boulevard Royal, L-2449 Luxembourg) and Clearhaus A/S (P. O. Pedersens Vej 2, 8200 Aarhus, Denmark). When you make a booking with us, your payment data (e.g. name, payment amount, account details, credit card number) and personal data (e.g. address, e-mail address, IP address, telephone number) are processed by the payment service provider for the purposes of payment processing and fraud prevention. The respective contractual and data protection provisions of the respective payment service providers apply to these transactions.

IV. Customer account

1. Description and scope of data processing, purpose

If you decide to open a customer account, we will use your data for the purpose of opening the customer account and to store your data for further future bookings on our website or app. In addition, we store your booking history.

2. Legal basis for data processing, revocation

The legal basis is your consent in accordance with Art. 6 para. 1 lit. a GDPR. The deletion of your customer account is possible at any time and can be done either by sending a message to the contact option described in this data privacy notice or via a function provided for this purpose in the customer account. After deletion of your customer account, your data will be deleted unless you have expressly consented to further use of your data in accordance with Art. 6 Para. 1 lit. a GDPR or we are legally obliged to store it (in particular under tax and commercial law).

V. Use of cookies

1. Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.

We use cookies to make our website functional. Some elements of our website require that the calling browser can be identified even after a page change.

When calling up our website, the user is informed about the use of cookies and, in the case of cookies that are not technically necessary, his or her consent to the processing of personal data used in this context is obtained. In this context, a reference to this data privacy notice is also made.

2. Legal basis for data processing

The use of technically necessary cookies and similar techniques in the category "technically necessary" is based on Section 25 para. 2 no. 2 TTDSG. Subsequent data processing is carried out on the basis of our overriding legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR.

3. Purpose of the data processing

The purpose of using technically necessary cookies is to enable the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change.

4. Duration of storage, withdrawal

Cookies are stored on the user's computer and transmitted from it to our site. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the storage of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.

5. Third Party Cookies

We also use third-party cookies on our website. In detail, the following cookie-based tools are used in this context:

a. Google Analytics

Insofar as you have declared your consent, the web analytics service Google Analytics 4, of the provider Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google") is used on this website.

Scope of the processing

Google Analytics uses cookies that enable an analysis of your use of our website.

We use Google Signals. This captures additional information in Google Analytics about users who have activated personalised ads (interests and demographics) and ads can be delivered to these users in cross-device remarketing campaigns.

In Google Analytics 4, the anonymisation of IP addresses is activated by default. Due to IP anonymisation, your IP address will be shortened by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

During your visit to the website, your user behaviour is recorded in the form of "events". Events can be:

  • Page impressions
  • First visit to the website
  • Start of the session
  • Your "click path", interaction with the website
  • Scrolls (whenever a user scrolls to the end of the page (90%))
  • Clicks on external links
  • internal queries
  • Interaction with videos
  • File downloads
  • Ads seen / clicked
  • Language setting

It also records:

  • Your approximate location (region)
  • Your IP address (in shortened form)
  • Technical information about your browser and the end devices you use (e.g. language setting, screen resolution)
  • Your internet provider
  • The referrer URL (via which website/advertising medium you came to this website)

Purposes of the processing

On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, and compiling reports on website activity. The reports provided by Google Analytics are used to analyse the performance of our website and the success of our marketing campaigns. 

Receiver

Recipients of the data may be

  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor according to Art. 28 GDPR)
  • Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
  • Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

Duration of storage

The data sent by us and linked to cookies are automatically deleted after 14 months. The deletion of data whose retention period has been reached takes place automatically once a month.

b. Meta pixel

If you give your consent, we use functions of the Meta Pixel service of Meta Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. If you do not consent, we will not allow meta pixel cookies.

Scope of the processing

The functions of the meta pixel make it possible to track the behaviour of page visitors after they have been redirected to the provider's website by clicking on a Facebook advertisement ("conversion tracking"). The following data can be collected in the process:

  • Information about actions and activities of visitors to our website, such as searching for and viewing a product or purchasing a product;
  • Specific pixel information such as the pixel ID and the meta-cookie
  • Information about the buttons clicked by visitors to the website
  • Information on the status of disabling/restricting ad tracking
  • Information contained in the HTTP header such as IP addresses, web browser information, page location and referrer.
  • Advertising IDs of devices.

The data collected is anonymous for us as the operator of this website, we cannot draw any conclusions about the identity of the users. However, the data is stored and processed by Meta Ireland so that a connection to the respective user profile on Facebook is possible and Meta can use the data for its own advertising purposes in accordance with the Meta data privacy policy. This enables Meta to place advertisements on Facebook pages, but also outside of Facebook. As the site operator, we have no influence on this use of data.

The collection and transfer of event data is carried out by us and Meta Ireland as joint controllers. We have entered into a Joint Controller Agreement with Meta Ireland which sets out the division of data protection responsibilities between us and Meta Ireland. In this agreement, we and Meta Ireland have agreed, that we are responsible for providing you with all information pursuant to Articles 13, 14 GDPR about the joint processing of personal data and that Meta Ireland is responsible for enforcing the rights of data subjects under Articles 15 to 20 GDPR in relation to personal data held by Meta Ireland following the joint processing.

Meta Ireland is the responsible party for the further processing of the transmitted event data.

Meta Ireland also uses the event data to report on the impact of our advertising campaigns and other online content and to provide analysis and insights about users and their use of our website, products and services. For this purpose, we transfer personal data contained in the Event Data to Meta Ireland. The personal data transferred is processed by Facebook Ireland as our processor.

Purpose of the processing

The purpose of the data processing is to evaluate the effectiveness of the Facebook ads for statistical and market research purposes and to optimise future advertising measures.

Receiver

The information generated by the cookie about the use of the online offer by the user is usually transmitted to Meta in the USA, Meta Platforms, Inc., Deborah Crawford 1601 Willow Road Menlo Park, California 94025, and stored there.

Duration of storage

The data sent by us and linked to cookies are automatically deleted after 3 months.

c. Hotjar web analysis

If you have given your consent, we use the web analytics tool Hotjar, Hotjar Ltd, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St. Julian's STJ 3141 Malta on our website. Hotjar allows us to analyse your usage behaviour on our website in a pseudonymised form.

Scope of the processing

Hotjar uses cookies that enable an analysis of your use of our websites. The following data is processed:

  • HTTP data: This is log data that is technically generated via the Hypertext Transfer Protocol (Secure) (HTTP(S)) when using the web analysis tool Hotjar used on the website: This includes IP address, type and version of your internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access.
  • Hotjar end device data: Data generated by the web analysis tool Hotjar and assigned to your terminal device: This includes a unique ID to (re)identify returning users (so-called "Hotjar User ID") as well as the IP address to identify the region in which the user is located based on the first three groups of the IP address.
  • Hotjar measurement data: Device-related raw data (so-called "dimensions" and "measurement values") that are collected and analysed when using our website: This primarily includes information about the sources through which users access our web offer, information about the location, the browser and the end device used, information about the use of the website (in particular page impressions, frequency of calls and length of stay on called pages, mouse tracking data) as well as information about the fulfilment of certain goals. The data is assigned to the Hotjar user ID assigned to your end device. As a result, device-related usage profiles are created in which all device-related raw data are combined into one Hotjar user ID. We do not combine the data that we collect via Hotjar with the data from your registration or other data in order to identify you personally (i.e. on the basis of your civil name).
  • Hotjar report data: Data contained in aggregated segment- and device-related reports that are generated based on the analysis of raw device-related data.
  • Recordings of the meeting and the duration of the meeting are possible.

Purpose of the processing

The purpose of data processing is to increase the efficiency of our use of resources for our website and the satisfaction of our visitors as well as the usage-based optimisation of our website by measuring the use of our website. Here, the focus is primarily on the handling of special features of our web offer.

Receiver

Hotjar Ltd, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta. Hotjar Ltd uses the subcontractor Amazon Web Services EMEA SARL ("AWS") 38 Avenue John F. Kennedy, L-1855 Luxembourg for hosting and has instructed AWS to use a European server location for data processing. However, AWS may also access the servers in Germany from so-called third countries in order to carry out maintenance work in the event of faults and malfunctions.

Duration of storage

The data will be deleted after 12 months at the latest.

d. Google Ads

We use the Google Ads (Conversion) Tracking service from the provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Scope of the processing

Google Ads (Conversion) enables us to monitor the success of ads placed via Google. The data processed are:

  • Google Ads log data: This is data that is technically generated when using the Google AdWords tool used on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)). This includes IP address, type and version of your internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access.
  • Usage data: Usage data includes clicks on ads, time spent on the website and information about websites visited.
  • Conversion event: The conversion event summarises the results of the conversion.

Purpose of the data processing

The purpose of the data processing is to track the reach of ads placed via Google (AdWords). When you click on our ad placed via Google, Google stores a cookie for conversion tracking on your terminal device. If you then visit our website linked in the ad and the cookie has not yet expired, we can recognise that you have clicked on the ad and have been redirected to our website. We can only recognise clicks on our own ads, not any clicks on ads of other Google customers. Google uses the cookies, among other things, to bill us for the costs of the ads. We only receive the evaluations and other information in aggregated anonymous form and cannot assign the information to any natural person.

Receiver

The recipient of the data is Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) as a processor. Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as a service provider.

Duration of storage

The cookies lose their validity after 30 days, do not contain any personal data apart from the cookie ID and do not serve to identify you.

e. Microsoft Ads

We use the service Microsoft Ads from the provider Microsoft Ireland Operations Limited (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland).

Scope of processing and purpose

We use this technology to present you with interest-based advertisements on other websites in the Microsoft advertising network. The advertisements relate to content you have previously viewed on our websites.

When you access our websites via Microsoft Ads, a cookie is set on your computer. In addition, a UET tag is integrated on our websites. This is a code which, in combination with the cookie, stores pseudonymised data about the use of the website. The tag, in combination with the cookie, collects pseudonymised data to track what actions you take on our websites after clicking on a Microsoft Ads advertisement. The data collected includes the time spent on the website, which areas of the website were accessed and which ad brought you to the website. We only learn the total number of users who clicked on a Bing ad and were then redirected to the conversion page. No personal information about the user's identity is shared. In addition, Microsoft can track your usage behaviour across multiple of your electronic devices through so-called cross-device tracking. Microsoft uses the data to optimise its own services. If you have a Microsoft account, the data collected may be linked to your account.

Receiver

The recipient of the data is Microsoft Ireland Operations Limited. However, Microsoft may store the data on worldwide servers of other Microsoft companies.

Duration of storage

The data will be deleted after 1 month at the latest.

f. Youtube

On the website, video files are occasionally made available for playback in a YouTube frame. The operator of the corresponding plugins is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA (hereinafter "YouTube").

Scope of data processing, purpose

For the satisfaction of our customers, we occasionally integrate YouTube files. If you play the video, you access the website www.youtube.de of Google Inc. via the frame itself. We have no influence on the scope of the data and the handling of your data by Google Inc. that results from accessing the Youtube website. Google Inc. itself is legally responsible for this. Google processes your data in the USA, among other places.

g. Legal basis

The legal basis for the processing of the data by the aforementioned tracking providers is your consent pursuant to Art. 6 para. 1 lit. a GDPR.

h. Transfer of data to third countries

Insofar as the aforementioned tracking service providers process data outside the EU or the EEA and there is no level of data protection corresponding to the European standard, our service providers have concluded EU standard contractual clauses with their service provider to establish an appropriate level of data protection. If our service provider is based in a third country, we have concluded EU standard contractual clauses for the protection of personal data directly with the service provider. For the USA, an adequacy decision of the EU Commission is available and applies to companies that have certified themselves under the Data Privacy Framework. A comparable level of data protection as in the EU applies to the transfer of data. This includes the providers Microsoft Corporation, Google LLC and Meta Platforms, Inc. For the other providers, there is currently no level of data protection comparable to the EU. We have taken the aforementioned measures here.

i. Right to withdraw

You can withdraw your consent at any time with effect for the future by calling up the cookie settings in the bottom left corner (circular green button) and changing your selection there. The lawfulness of the processing carried out on the basis of the consent up to the withdrawal remains unaffected by this.

You can also prevent the storage of cookies from the outset by configuring your browser software accordingly. However, if you configure your browser to reject all cookies, this may result in limited functionality on this and other websites.

You can also prevent the collection of the data generated by the cookie and related to your use of the website to the respective provider as well as the processing of this data by not giving your consent to the setting of the cookie or by declaring your objection under the following links:

Further information on data protection and the cookies used by the respective provider can be found on the website under

The provision of the data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation for you to provide the data.

VI. Newsletter

1. Description and scope of data processing

On our website, you have the option of subscribing to a free newsletter. When registering for the newsletter, the data from the input mask is transmitted to us. For this purpose, it is sufficient to enter the e-mail address.

2. Legal basis for data processing

The legal basis for the processing of the email address is the consent of the user according to Art. 6 para. 1 lit. a GDPR.

3. Purpose of the data processing

The collection of the user's email address is used to deliver the newsletter.

4. Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. Accordingly, the user's email address will be stored until you have unsubscribed from the newsletter. To do so, you can contact the e-mail address given above or use the unsubscribe link provided in the newsletter.

VII. Contact us

1. Description and scope of data processing

You have the option of contacting us at any time by e-mail or telephone with your request. The data you provide as part of your enquiry will be transmitted to us and stored.

2. Legal basis for data processing

The legal basis for the processing of the contact request is our legitimate interest according to Art. 6 para. 1 lit. f GDPR in answering your request or, in the case of a request based on a contractual relationship, Art. 6 para. 1 lit. b GDPR. In the case of legitimate interest, our interest outweighs the interest of the user, as we assume that the user is interested in processing their request.

3. Purpose of the data processing

We process your contact details for the purpose of processing the contact request.

4. Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the information in your enquiry, this is the case when it can be inferred from the circumstances that the facts concerned have been conclusively clarified.

VIII. Social media

1. LinkedIn

We use the platform and services of LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (hereinafter "LinkedIn"). You are using our LinkedIn page and its functions on your own responsibility. This applies in particular to the use of the interactive functions (e.g. commenting, sharing, rating).

Joint Controllership

We are only joint controllers with LinkedIn for the processing of so-called "Insights data" insofar as this data is used for the creation of so-called "Page Insights". We have concluded an agreement with LinkedIn in the context of joint controllership, which you can access here. The agreement relates to data processing that is collected in connection with a visit to or interaction with our LinkedIn profile, but only insofar as this data is also (subsequently) processed for "Page Insights". "Page Insights" include analytics services that help the operator of a LinkedIn profile to better understand interactions with your pages. The purpose of the data processing is to create aggregated statistics for LinkedIn profile operators. LinkedIn provides more information on this here: https://www.linkedin.com/help/linkedin/answer/a547077/linkedin-page-analytics-overview?lang=en. The information available to data subjects on data for "Page Insights" indicates how and when "Insights Data" is collected and used to create "Page Insights":

  • When a LinkedIn member visits, follows or engages with the site, LinkedIn processes personal data to provide insights into usage to the site operator.
  • LinkedIn processes data that the member has provided to LinkedIn, such as data on function, country, industry, seniority, company size and employment status from a member's profile.
  • LinkedIn processes information about how a member has interacted with your company page, for example whether a member is a follower.

When you visit our LinkedIn page, LinkedIn collects, among other things, your IP address and other information that is present on your device in the form of cookies. This information is used to provide us, as the operator of the LinkedIn page, with statistical information about the use of the LinkedIn page. We do not receive any personal data from LinkedIn in this context.

The data collected about you in this context is processed by LinkedIn and may be transferred to countries outside the European Union. LinkedIn describes what information it receives and how it is used in its user agreement and privacy policy. For more information, please see LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy. Should you wish to exercise a data subject right to which you are entitled under the GDPR, please note that we cannot fully comply with these rights without LinkedIn. With regard to LinkedIn's processing, we ask you to contact LinkedIn directly. The respective responsibilities, in particular with regard to the protection of data subject rights, can be found in the Page Insights Addendum. LinkedIn assumes primary responsibility for compliance with the GDPR obligations for the joint processing of "Insights Data". This includes the fulfilment of the following data subject rights:

  • the right of access (Art. 15 GDPR),
  • the right to erasure (Art. 17 GDPR),
  • the right to restriction of processing (Art. 18 GDPR),
  • the right to data portability (Art. 20 GDPR) and
  • the right to object (Art. 21 GDPR).

Further details on how to exercise these rights are provided by LinkedIn in its privacy policy under point 4.

In addition, we are also solely responsible for certain data processing. We process the following data for communication with LinkedIn users in order to offer our information service:

  • User interactions (postings, likes etc.)
  • Profile name and data provided by the user in the course of conversation, e.g. for processing enquiries
  • statistical surveys on target group advertising

The provision of your data is voluntary. However, visiting our profile is not possible without us or LinkedIn processing personal data.

Purposes and legal basis of data processing

Processing is carried out for the purpose of responding to your enquiries or communicating with you and to publish information about events and services provided by us.

The legal basis to process personal data for the purpose of responding to enquiries that serve a (future) conclusion of a contract is Art. 6 para. 1 lit. b GDPR, in other cases our overriding legitimate interest according to Art. 6 para. 1 lit. f GDPR. The legitimate interest is the effective provision of information to users, customers and interested parties and communication with these persons as well as our external presentation.

Transfer to a third country

Insofar as personal data is transferred to LinkedIn servers in the USA and stored and processed there, LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland has concluded the standard data protection clauses of the EU Commission with the LinkedIn companies based in the USA, which permit the transfer of personal data to the USA in individual cases.

Duration of storage

After your request has been dealt with, the personal data you have provided will be deleted from our systems. If you interact with us publicly, for example by leaving a comment or "liking" a post, this data remains publicly accessible on the site until it is deleted by us or you. Insofar as legal retention obligations require longer storage, your data will only be stored for this purpose and blocked for other purposes.

2. Instagram and Facebook

You are useing our Facebook and Instagram page and their functions on your own responsibility. This applies in particular to the use of the interactive functions (e.g. commenting, sharing, rating).

Joint Controllership

We and Meta Platforms Ireland Limited, 4 Grad Canal Square, Dublin 2, Ireland (hereinafter "Meta") as the provider of Instagram and Facebook are jointly responsible for the processing of personal data via our profile. The joint responsibility agreement is available at: https://www.facebook.com/legal/controller_addendum.

Under the agreement, Meta is responsible for informing data subjects about the processing. Meta's privacy policy is available at: https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect. Data subjects may assert their rights against any of the controllers. For more information about the data Meta shares with us, please visit https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect.

In addition, we are also solely responsible for certain data processing. We process the following data for communication with users in order to offer our information service:

  • User interactions (postings, likes etc.)
  • Profile name and data provided by the user in the course of conversation, e.g. for processing enquiries

The provision of your data is voluntary. However, visiting our profile is not possible without us or Meta processing personal data.

Purposes and legal basis of data processing

Processing is carried out for the purpose of responding to your enquiries or communicating with you and to publish information about events and services provided by us.

The legal basis for processing for the purpose of responding to enquiries that serve a (future) conclusion of a contract is Art. 6 para. 1 lit. b GDPR, in other cases our legitimate interest according to Art. 6 para. 1 lit. f GDPR. The legitimate interest is the effective provision of information to users, customers and interested parties and communication with these persons as well as our external presentation.

Transfer to a third country

Meta may transfer personal data to Meta servers in the USA. This data is stored and processed there. For the USA, there is an adequacy decision of the EU Commission and applies to companies that have certified themselves under the Data Privacy Framework. Meta has certified itself. A comparable level of data protection as in the EU applies to the transfer of data.

Duration of storage

After your request has been dealt with, the personal data you have provided will be deleted from our systems. If you interact with us publicly, for example by leaving a comment or "liking" a post, this data remains publicly accessible on the site until it is deleted by us or you. Insofar as legal retention obligations require longer storage, your data will only be stored for this purpose and blocked for other purposes.

3. Snapchat

We use the instant messaging service Snapchat. Snapchat is a US provider of Snap Inc, 2772 Donald Douglas Loop N, Santa Monica, CA, USA. You are using Snapchat and the corresponding functions on your own responsibility. This applies in particular to the use of the interactive functions (e.g. commenting, sharing, rating).

We and Snap Inc. as the provider of Snapchat are jointly responsible for the processing of personal data via our profile. Snapchat's privacy policy is available at: https://values.snap.com/de-DE/privacy/privacy-center. Data subjects may exercise their rights against any of the controllers.

In addition, we are also solely responsible for certain data processing. We process the following data for communication with users in order to offer our information service:

  • User interactions (postings, likes etc.)
  • Profile name and data provided by the user in the course of conversation, e.g. for processing enquiries

The provision of your data is voluntary. However, visiting our profile is not possible without us or Snapchat processing personal data.

Purposes and legal basis of data processing

Processing is carried out for the purpose of responding to your enquiries or communicating with you and to publish information about events and services provided by us.

The legal basis for processing for the purpose of answering enquiries that serve a (future) conclusion of a contract is Art. 6 para. 1 lit. b GDPR, in other cases our legitimate interest according to Art. 6 para. 1 lit. f GDPR.

The legitimate interest is the effective provision of information to users, customers and interested parties and communication with these persons as well as our external presentation.

Transfer to a third country

Snap Inc. is a US provider. During the use of the service, data is processed outside the EU or the EEA. There is no level of data protection in the USA that corresponds to the European standard. A transfer of data to the USA and access by US authorities to the data stored by Snap, Inc. cannot be ruled out. In the USA you do not have the same rights as within the EU or EEA. For this reason, we have concluded EU standard contractual clauses with the service provider to protect your data.

Duration of storage

After your request has been dealt with, the personal data you have provided will be deleted from our systems. If you interact with us publicly, for example by leaving a comment or "liking" a post, this data remains publicly accessible on the site until it is deleted by us or you. Insofar as legal retention obligations require longer storage, your data will only be stored for this purpose and blocked for other purposes.

IX. Receiver

Within our company, those departments that need your data to fulfil our contractual and legal obligations will receive access to it. Service providers and subcontractors employed by us (e.g. technical service providers, transport companies, waste disposal companies) may also receive data in order to fulfil our contractual and legal obligations. Your data will only be passed on to recipients outside the company if this is permitted or required by law, if the transfer is necessary for the processing and thus the fulfilment of the contract or, at your request, for the implementation of pre-contractual measures or if you have given us your consent to do so. We have concluded a contract processing agreement with our service providers, who act on our behalf and according to our instructions, in accordance with Art. 28 GDPR. Categories of recipients in this case are

  • Providers from the IT sector
  • Customer management system provider
  • Email marketing provider
  • Analysis and marketing tools provider

In the course of using our website, your personal data may be transferred outside the European Economic Area (EEA). Such processing is only carried out to fulfil contractual and business obligations and to maintain your business relationship with us. If the level of data protection does not meet the requirements of the GDPR, we have provided suitable guarantees. For this purpose, we have concluded standard contractual clauses of the European Commission and taken further measures to protect personal data.

X. Rights of the data subject

Pursuant to Art. 15 para. 1 GDPR, you have the right to request information free of charge about the personal data we have stored about you. In addition, you have the right to have your personal data corrected (Art. 16 GDPR), deleted (Art. 17 GDPR), restricted from processing (Art. 18 GDPR) and transferred (Art. 20 GDPR) if the legal requirements are met.

If the data processing is based on Art. 6 para. 1 lit. e or f GDPR, you have the right to object according to Art. 21 GDPR. If you object to data processing, it will not be carried out in the future unless the controller can demonstrate compelling legitimate grounds for further processing that outweigh the interest of the data subject in objecting. If the data processing is based on consent pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR, you may withdraw your consent at any time with effect for the future without affecting the lawfulness of the previous processing.

In the aforementioned cases, please contact us in writing or by e-mail using the contact details above.

You also have the right to lodge a complaint with a data protection supervisory authority. The data protection supervisory authority of the federal state in which you live or in which the controller has its registered office is responsible.

XI. Automated decision making/profiling

We do not carry out automated decision making or profiling (an automated analysis of your personal circumstances).

XII. Amendment of this data protection notice

Due to the further development of our website and offers on it or due to changed legal or official requirements, it may be necessary for us to change this data protection notice. The version available on our website at any given time is valid.

Please adjust, should you choose a longer storage period, please note: if the personal data, especially the IP-address, is anonymized, so that no recovery of the personal data is possible, three month is fine.

Please adjust, should you choose a longer storage period, please note that Oscar is only allowed to store personal data for as long as it is actually needed to achieve the purpose. Courts and data protection authorities tend to be strict about the length of time you can store data for marketing and analytics purposes. You can also store the data longer, with some risk of regulatory action (e.g. fines) or damages from the individual. In the case of Google Analytics, Google Analytics 4 only allows storage for up to 14 months.