Legal

Imprint

car2go Italia S.r.l.
Via M. Camperio 14
20123 Milan
Italy

Email: ciao@share-now.com
Telephone: +39 026 006 3093
Board of Directors: Horacio Reartes, Andrea Leverano, Slavko Bevanda
Company registration: MI 1992410, full paid-up share capital Euro 20,000
VAT no.: 07941590965

Information about online dispute resolution
The European Commission has established an internet platform for online dispute resolution (so called “ODR platform”). The ODR platform is a point of entry for out-of-court resolutions relating to contractual obligations of online sales contracts or online service contracts. You can get to the ODR platform by following the link: https://ec.europa.eu/consumers/odr

SHARE NOW is neither obliged nor willing to participate in out-of-court resolutions before the ODR platform.

Privacy Notice Website

1. Data protection

We are pleased about your visit on our web pages and your interest in our offers. The protection of your personal data is an important concern for us. In this Privacy Notice we explain how we collect your personal data, what we do with it, for what purposes and on what legal basis this is done, and which rights and claims are associated with it for you.

Our Privacy Notice for the use of our web pages does not apply to your activities on the web pages of social networks or other providers that you can reach via the links on our web pages. Please check the web pages of these providers for their privacy notices.

As changes in the law or changes in our internal processes may make it necessary to adapt this Privacy Notice, we ask you to read this Privacy Notice regularly.



2. Controller and applicability

According to the EU General Data Protection Regulation (hereinafter: GDPR) and other national data protection laws as well as other data protection regulations, the controller is:

car2go Italia S.r.l.
Via Manfredo Camperio 14
20123 Milan
Itlay

Phone: +39 02 6006 3093
Email: ciao@share-now.com

This Privacy Notice applies to the Internet offer of car2go Italia S.r.l., which can be accessed under the domain as well as the various subdomains (hereinafter referred to as "our website").

If you have any questions on this Privacy Notice, please contact our data protection officer:

Data Protection Officer
SHARE NOW GmbH
Brunnenstrasse 19-21
10119 Berlin
Germany
Email address: dataprotection@share-now.com



3. Principles of data processing

Personal data means any information relating to an identified or identifiable natural person. This includes, for example, information such as your name, your age, your address, your telephone number, your date of birth, your e-mail address, your IP address or user behaviour. Information for which we cannot establish a relation to your person (or only with a disproportionate effort), e.g. by anonymising the information, is not personal data.

The processing of personal data (e.g. collection, retrieval, use, storage or transmission) always requires a legal basis or your consent. Processed personal data will be deleted as soon as the purpose of the processing has been achieved and there are no longer any legally required retention obligations.

If we process your personal data for the provision of certain offers, we will inform you below about the specific processes, the scope and purpose of the data processing, the legal basis for the processing and the respective storage period.



4. Individual processing operations

4.1. Provision and use of the website

a. Nature and extent of data processing
When you access our website, we collect the personal data that your browser automatically transmits to our servers. This information is temporarily stored in a so-called log file. When you use our website, we collect the following data, that is technically necessary for us to display our website to you and to ensure stability and security:

  • IP address of the requesting computer/device
  • Date and time of access
  • Access status (e.g. whether you were able to access a web page or whether you received an error message)
  • Name and URL of the file accessed
  • Web page from which access was made (referrer URL)
  • Browser used and, possibly, the operating system of your computer/device, as well as the name of your access provider
  • Information on the use of website functions
  • Information on the search terms you may have entered on the website

b. Legal basis
Art. 6 (1) lit. f GDPR serves as the legal basis for the above-mentioned data processing. The processing of the above-mentioned data is necessary for the provision of the website as well as for the prevention and detection of attacks on our website and thus serves the protection of a legitimate interest of our company.

c. Storage period
The above-mentioned data is deleted as soon as it is no longer required for the display of the website. The collection of the data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility for the user to object. Further storage may take place in individual cases if this is required by law.



4.2. Registration / User account

a. Nature and extent of data processing
On our website, we offer you the option of registering by providing personal data. With the processed data, we create an individualised user account for you, with which you can use our services.

The following overview shows you in detail which personal data we process when you register:

  • Title
  • Name
  • Surname
  • Date of birth
  • Place of birth
  • Home address
  • Postcode
  • Place of residence
  • Mobile phone number
  • Country
  • City
  • Language
  • Password
  • Magic PIN
  • Promotional code

b. Legal basis
The processing of the personal data outlined above serves the performance of a contract between you and car2go Italia S.r.l. or to implement pre-contractual measures pursuant to Art. 6 (1) lit. b GDPR.

c. Storage period
As soon as the processed data is no longer required for the performance of the contract, it will be deleted. Even after termination of the contract, it may be necessary to store your personal data in order to comply with contractual or legal obligations.

d. Cancellation of the registration / Deletion of the user account
As a user, you have the option of cancelling your registration at any time. You can modify the data stored about you at any time via the settings of your user account.

However, if the processed data is required for the processing/termination of a contract, early deletion of the data is not possible.



4.3. Reserve a car

a. Nature and extent of data processing
On our website, we offer our registered users the possibility of reserving vehicles for a certain period of time and having them delivered to an address of their choice. For this purpose, we process the following personal data from you in addition to the data you have provided for your user account:

  • Delivery address
  • Delivery date
  • Delivery time
  • Selected vehicle category

b. Legal basis
The processing of the personal data outlined above serves the fulfilment of our reservation service in accordance with Art. 6 (1) lit. b GDPR.

c. Storage period
As soon as the processed data is no longer necessary for the fulfilment of our reservation services, it will be deleted.

Even after the service has been provided or the contract has been terminated, it may be necessary to store personal data from you in order to comply with contractual or legal obligations.



4.4. Invitation of additional drivers

a. Nature and extent of data processing
In the course of reserving a vehicle, it is possible to register an additional driver. Adding this option generates a link that the primary driver sends to the additional driver.

The link leads the additional driver to a login area that shows from whom the invitation originates. After the additional driver has logged in or registered, the invitation to the specific trip (vehicle class and other vehicle criteria, starting location, trip area, rental duration) can be accepted or declined. We transmit the decision of the additional driver to the main driver. If no decision is made, the main driver will also be informed accordingly.

b. Legal basis
The processing of the personal data of the main driver (booking of additional driver and transmission of the name and other booking data to the additional driver) is carried out for the performance or initiation of a contract pursuant to Art. 6 (1) lit. b GDPR.

The processing of the additional driver's personal data is also generally carried out to initiate a contract in accordance with Art. 6 para. 1 lit. b GDPR or, if the invitation is not accepted, on the basis of business development interests qualified as an overriding legitimate interest pursuant to Art. 6 (1) lit. f GDPR.

c. Storage period
As soon as the processed data is no longer necessary for the above-mentioned purposes, it will be deleted. Even after termination of the contract, it may be necessary to continue to store personal data in order to comply with contractual or legal obligations.



4.5. SHARE NOW partner

a. Nature and extent of data processing
As part of the registration process, we offer you the opportunity to receive discounts, free products and special offers from our SHARE NOW partners via e-mails, push messages, in-app notifications on our website, as an "in-car-notice" or by post. Your personal data will not be transmitted to the SHARE NOW partners. A list of SHARE NOW partners is available at share-now.com/it/en/collaborations.

b. Legal basis
The processing of your personal data for the data processing for the purpose described above is based on the consent voluntarily given by you in accordance with Art. 6 (1) lit. a GDPR.

c. Storage period
Your personal data will be stored until the purpose of the data processing no longer applies or you have withdrawn your consent.



4.6. Contact form (SHARE NOW for Business)

a. Nature and extent of data processing
On our website, we offer you the opportunity to contact us via a form provided if you are interested in our "SHARE NOW for Business" service. If you use the contact form, the following personal data will be processed:

  • Title
  • Name
  • Surname
  • Name of your company
  • Address
  • Postcode
  • Telephone number
  • Email address
  • Your message to us

The processing of your personal data serves the purpose of classifying your enquiry and responding to you. When using the contact form, your personal data will, in general, not be transferred to third parties.

If there is interest in a future cooperation, the personal data from the contact form is transferred to our lead database. For this, we use the Salesforce Sales Cloud tool from Salesforce.com, Inc. (One Market Street, San Francisco, CA 94105 USA), with whom we have concluded a Data Processing Agreement in accordance with Art. 28 GDPR to ensure the security of your personal data.

Appropriate safeguards may not currently exist for data transfers to the US. There are restrictions on the protection of personal data resulting from the fact that, under US law, security authorities can access data transferred from the EU to the US and use it without restriction to what is strictly necessary. As a data subject without US citizenship, you cannot take legal action against such use. However, we have concluded Standard Contractual Clauses with the service provider to ensure the security of your personal data.

b. Legal basis
The processing of the personal data described above serves the purpose of implementation of pre-contractual measures in accordance with Art. 6 (1) lit. b GDPR.

c. Storage period
As soon as the enquiry you have made has been dealt with and you have no further interest in cooperation, the personal data will be deleted. If your personal data is transferred to our lead database in the event of an existing interest in cooperation, the relevant limitation and retention periods of the national laws, such as the Italian Civil Code (Codice civile) and other relevant local legislation, apply.



4.7. SHARE NOW Rewards

a. Nature and extent of data processing
As part of our so-called SHARE NOW Rewards programme, we offer our participating customers to receive and collect points for vehicle rentals made and to receive various rewards for this. For the purpose of providing the programme, we process your personal data, in particular the customer ID and data relating to the vehicle rental. For this we use the services of the external service provider Talon.One GmbH (Wiener Strasse 10, 10999 Berlin) in order to be able to customise certain conditions or features. We have concluded Data Processing Agreement with the service provider to ensure the security of your personal data.

You can find more information about SHARE NOW Rewards here: share-now.com/it/en/share-now-rewards/

b. Legal basis
Participation in the SHARE NOW Rewards programme is voluntary. Our customers can participate in and register for the programme at any time. The processing of personal data therefore serves the performance of the contract with the participating customer and is based on Art. 6 (1) lit. b GDPR.

c. Storage period
Once the processed data is no longer necessary for the provision of SHARE NOW Rewards benefits, it will be deleted.

Even after the contract has been terminated, it may be necessary to store personal data about you in order to comply with contractual or legal obligations.



4.8. Friend Referral Programme

a. Nature and extent of data processing
If you use the friend referral programme, we process the following personal data of you and of the referred new customer:

  • Customer ID
  • Referral code
  • Customer ID of the referred new customer

The processing of personal data serves the purpose of providing the benefits and to process enquiries or complaints about the Friend Referral Programme.

b. Legal basis
Participation in the Friends Referral Programme is voluntary. Our customers can generate a referral code at any time and then forward it to the referred new customer. The processing of personal data therefore serves the performance of the contract with the existing customer as well as the referred new customer and is based on Art. 6 (1) lit. b GDPR.

c. Storage period
As soon as the processed data is no longer necessary for the provision of the Friend Referral benefits, it will be deleted.

Even after the termination of a contract, it may be necessary to store personal data of the parties involved in order to comply with contractual or legal obligations.



5. Data transfer

We only transfer your personal data to third parties if there is an appropriate legal basis for doing so, in particular if:

  • You have given your explicit consent to this in accordance with Art. 6 (1) lit. a GDPR
  • This is necessary for the performance of a contract with you in accordance with Art. 6 (1) lit. b GDPR
  • There is a legal obligation for the disclosure pursuant to Art. 6 (1) lit. c GDPR
  • The transfer is necessary in accordance with Art. 6 (1)lit. f GDPR for the purposes of legitimate interests, as well as for the establishment, exercise or defence of legal claims and there is no reason to assume that you have an overriding legitimate interest to not transfer your data.
  • External service providers process data on our behalf pursuant to Art. 28 GDPR.



6. Use of cookies and similar technologies

a. Nature and extent of data processing
We use cookies and similar technologies on our website. Cookies are small files that are sent by us to the browser of your terminal device during your visit to our website and stored there. Some functions of our website cannot be offered without the use of technically necessary cookies (“Essential Cookies”). Other cookies, however, enable us and/or third parties to perform different analyses (“Marketing and Functional Cookies”). Cookies are, for example, able to recognise the browser you are using when you visit our website again and to transmit various information to us and/or third parties. With the help of cookies, we can, among other things, design our website more user-friendly and effective for you, for example by tracking your use of our website and determining your preferred settings (e.g. country and language settings). If third parties process information via cookies, they collect the information directly via your browser.

Which cookies and similar technologies are used can be found in the detailed information, in particular on the processing purposes and the personal data processed, as well as on which third parties provide Marketing and Functional Cookies, in the cookie settings. The cookie settings also include a link to the privacy notice of third party cookies providers.

b. Legal basis
The processing of your personal data for the purpose described above, in case of Essential Cookies, is based is based on our interest in providing you with our website, qualified as an overriding legitimate interest pursuant to Art. 6 (1) lit. f GDPR.

The processing of your personal data for the purpose described above, in case of Marketing and Functional Cookies, is based on the consent voluntarily given by you in accordance with Art. 6 (1) lit. a GDPR.

c. Storage period
Your personal data will be stored until the purpose of the data processing no longer applies or you have withdrawn your consent.

d. Browser cookie settings
Users may also deactivate cookies through the browser privacy settings. Below is a list of links to relevant privacy sections of some browsers:



7. Automated decision-making

No automated decision-making takes place, which is solely based on automated processing, including profiling, and resulting in a legal consequence or impairing you in a similar manner.



8. Right to object

When your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, on grounds relating to your particular situation or if the objection is directed against direct marketing. In the case of direct marketing, you have a general right to object, which is implemented by us without provision of a particular situation.



9. Data security and security measures

We are committed to protecting your privacy and treating your personal data confidentially. To prevent manipulation, loss or misuse of your data stored with us, we take extensive technical and organisational protection measures that are regularly reviewed and adapted to technological progress. These include, among other things, the use of recognised encryption procedures (SSL or TLS).
 However, we would like to point out that, due to the structure of the Internet, it is possible that the data protection rules and the above-mentioned security measures are not observed by other persons or institutions that are not within our area of responsibility. In particular, data disclosed unencrypted - e.g. if this is done by email - can be read by third parties. We have no technical influence on this. It is the user's responsibility to protect the data he or she provides against misuse by encrypting it or in any other way.



10. Rights of the data subject

The GDPR gives you the following rights as a data subject whose personal data is being processed:

  • Pursuant to Art. 15 GDPR, you can request access to your personal data processed by us. In particular, you can request access to the purposes of processing, the categories of personal data, the categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it has not been collected by us, the transfer to third countries or to international organisations, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information on its details.


  • Pursuant to Art. 16 GDPR, you can request the rectification of inaccurate or the completion of your personal data stored by us without undue delay.


  • Pursuant to Art. 17 GDPR, you may request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of speech and freedom of information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defence of legal claims.


  • Pursuant to Art. 18 GDPR, you may request the restriction of the processing of your personal data if you contest the accuracy of the data, the processing is unlawful, we no longer need the data and you object to their deletion because you need them to establish, exercise or defend legal claims. You also may have the right under the Art. 18 GDPR if you have objected to the processing pursuant to Art. 21 GDPR.


  • Pursuant to Art. 20 GDPR, you may request to receive your personal data which you have provided to us in a structured, commonly used and machine-readable format or you may request that it be transmitted to another controller.


  • Pursuant to Art. 7 (3) GDPR, you may withdraw your consent at any time. This has the consequence that we may no longer continue the data processing based on this consent for the future.


  • Pursuant to Art. 77 of GDPR, you have the right to lodge a complaint with a supervisory authority. Generally, you can contact the supervisory authority of your habitual residence, your place of work or our company headquarters.



Last updated: September 2021

Privacy Notice App & Service

Table of contents

I. General notes

1. Data protection

2. Controller and applicability

3. Principles of data processing

II. Individual processing operations when using the app

1. Provision and use of the app, use of cookies and similar technologies

2. Permissions of the app

III. Individual processing operations when using our services

1. Registration / user account

2. Validation of driving licence

3. User login (keycloak)

4. Fraud prevention during registration

5. Conclusion and execution of a rental contract for the use of a SHARE NOW vehicle

6. Push notifications

7. Reserve a vehicle

8. Customer service

9. Cross-country and cross-company use of our services

10. Collection and processing of telematics data during the rent & for the purpose of performance of the rental contract

11. Data processing in the context of an accident

12. Geolocation in case of emergencies, serious violations of our Terms and Conditions

13. Position data for fleet utilisation analysis

14. Payment (PayPal / Stripe)

15. Digital refuelling

16. Claims management

17. Sanctions list screening

18. Improving our services and our products/creating user profiles

19. Newsletter

20. Discounts, free products and special offers from SHARE NOW partners

21. SHARE NOW offers on social media

22. Market research/surveys

23. Friend Referral Programme

24. SHARE NOW Rewards

25. Car sharing with FREE NOW

26. Booking via the hvv switch of the Hamburger Hochbahn AG

27. Transfers to third parties

IV. Transfers to third countries or international organisations

V. Are you obliged to provide your personal data and what happens if you do not provide it?

VI. Your data subject rights

VII. Data security and security measures

I. General notes

1. Data protection

We are pleased about your interest in our app and our services. The protection of your personal data is important to us. In this Privacy Notice, we explain how we process your personal data, for what purposes and on what legal basis this takes place and what rights you can assert in this context.

Our Privacy Notice for the use of our mobile app and services does not apply to your activities on the websites of social networks or other providers that you may be able to access via the links within our app. Please inform yourself on the webpages of these providers about their privacy practices.

As changes in the law or changes in our company’s internal processes may make it necessary to adapt this Privacy Notice, we ask you to check this Privacy Notice regularly.

2. Controller and applicability

The controller within the meaning of the EU General Data Protection Regulation (hereinafter: GDPR) and other national data protection laws of the Member States as well as other data protection provisions is:

car2go Italia S.r.l. (hereinafter referred to as "SHARE NOW") Via M. Camperio 14 20123 Milan Italy Telephone: +39 026 006 3093 Email: ciao@share-now.com

This Privacy Notice applies to our mobile app and the services offered.

If you have any questions about data protection or this Privacy Notice, please contact our Data Protection Officer:

Data Protection Officer SHARE NOW GmbH Brunnenstraße 19-21 10119 Berlin Germany Email address: dataprotection@share-now.com

3. Principles of data processing

Personal data means any information relating to an identified or identifiable natural person. This includes, for example, information such as your name, age, address, telephone number, date of birth and email address, but also pseudonymous data such as your customer number or IP address. Information for which we cannot establish a relation to your person (or only with a disproportionate effort) is not personal data.

We only process personal data (e.g. through collection, consultation, use, storage or transmission) if there is a legal basis for doing so. The processed personal data are deleted as soon as the purpose of the processing has been achieved and there are no longer any statutory required retention obligations to comply with.

We inform you about the specific data processing operations, the scope and purpose of the data processing, the legal basis for the processing and the respective storage period below.

II. Individual processing operations when using the app

1. Provision and use of the app, use of cookies and similar technologies

a. Type and scope of data processing

When you download our app, the required information is transferred to the respective app store, thus, in particular, user name, email address and customer number of your account, time of download, payment information and the individual device identification number. In addition, the respective app store independently collects various data from you. We have no influence on this data processing and are not responsible for it. We only process the data insofar as it is necessary for downloading the mobile app to your mobile device.

When you use our app, we collect personal data that your end device either automatically transfers to our servers or that is retrieved from your end device. When you use our app, we collect, in particular, the following data which is technically necessary for us to display our app for you and to ensure its stability and security:

  • IP address of the requesting device

  • Further information about the device used (brand, model name, operating system, app version, language)

  • Date and time of installation or access

  • Name and URL of the accessed site / file

Furthermore, we may need [your device identification, unique number of the end device (IMEI = International Mobile Equipment Identity), unique number of the network subscriber (IMSI = International Mobile Subscriber Identity), mobile phone number (MSISDN), MAC address for WLAN use, name of your mobile terminal device] to provide the services.

Furthermore, we process, among other things, the following additional information for the purpose of error detection or error correction or also for marketing purposes:

  • Access status (e.g. whether you were able to access the app or received an error message).

  • Information on the use of the functions of the app

  • Identifiers for advertising

Within the scope of the use of the app, so-called cookies and similar technologies (hereinafter referred to only as “cookies”) arealso used. Information on users' devices can be stored, enriched, retrieved and managed by means of cookies.

Thereby, it can be differentiated between absolutely necessary cookies and optional cookies.

Absolutely necessary cookies are required for the function of the app and our service: The technical structure of the mobile app requires us to use technologies, in particular, cookies. Without these technologies, our app and our service cannot be used (completely correctly) or certain support functions cannot be enabled. You cannot unselect these cookies if you want to use our app and our service.

Optional cookies when you give your consent: We only place various cookies after you have given your consent which you can select via the Cookie Consent Manager when you first visit our mobile app. The functions are only activated in case you consented and serve, in particular, to enable us to analyse and improve the use of our mobile app and our service, to facilitate your operation via different browsers or end devices, to recognise you when you visit or to place advertising (if applicable, also to align advertising to interests, to measure the effectiveness of advertisements or to display interest-based advertising for you).

You can find detailed information on the individual cookies we use, as well as the option of granting or withdrawing consent individually, in our Cookie Consent Management Tool. You can access it at any time within the app under "Imprint & Privacy/ Privacy Settings".

b. Legal basis

The use of absolutely necessary cookies, which are absolutely necessary for the provision or use of the app and our services, takes place on the basis of Sec. 122 of Legislative Decree 196/2003 (“Codice in materia di protezione dei dati personali”, the “Code”). The further processing of personal data in this context is based on our legitimate interest to provide you with a functioning app and services pursuant to Art. 6 (1) lit. f GDPR.

The use of optional cookies as well as the subsequent processing of personal data takes place exclusively on the basis of corresponding consents of the users pursuant to Sec. 122 of the Code, and on Art. 6 (1) lit. a GDPR. These consents can be withdrawn at any time with effect for the future.

Insofar as the user consents, the consent also applies to the transfer of personal data to third countries outside the European Economic Area (EEA) pursuant to Art. 49 (1) lit. a GDPR.

c. Information on the iOS operating system

In addition, you have various options in the iOS operating system to largely restrict advertising and tracking, which generally takes place via the so-called “Advertising Identifier” (IDFA). This is a unique, but non-personalised and non-permanent identification number for a specific end device, which is provided by iOS. The data collected via the IDFA is not linked to any other device-related information. We use the IDFA, as appropriate, to provide you with personalised advertising and to evaluate your use.

If you select the “Privacy” option in the iOS settings, you can largely deactivate advertising evaluation under “Tracking”. If you activate the function “Allow apps to request tracking”, our app will ask you whether you agree to advertising measures the first time you use it and you can activate or deactivate advertising. In addition, you can select “Apple advertising” and deactivate “Personalised advertising” in the “Privacy” option. In the “Analysis & Improvements” option, you can also deactivate the “Share iPhone Analysis” and “Improve Siri & Dictation” function, which results in no static information about your use of iOS being transferred to Apple. We advise you that you may not be able to use all the functions of our app if you restrict the use of the IDFA.

2. Permissions of the app

For the provision of several of the functions of our app, it is necessary that the app can access certain services and data of your mobile end device/smartphone. Disabling permissions may lead to you not being able to use certain functions of the app.

The permissions can be managed, i.e. activated and deactivated, via the operating system of your mobile end device/smartphone. Depending on the operating system, the permissions are also automatically requested when the app is opened for the first time but can be activated/deactivated again at any time. If you are using a mobile end device/smartphone with iOS, you can view the permissions under Settings -> SHARE NOW and adjust them accordingly. On Android, you can find the permissions under Settings -> Apps -> SHARE NOW.

You can usually activate/deactivate the following permissions via the device:

  • Location/GPS data:

    The authorisation for the access to your location data is required, in particular, to show you nearby SHARE NOW vehicles. The use of the location authorisation is highlighted graphically in your operating system, e.g. by an arrow or other location icon.

  • Notifications:

    The permissions to send push notifications are used, e.g., to show you notifications about finished rentals or other status events or campaigns even if you do not currently have the app open. The notifications can be made by means of sounds, messages and/or symbol indicators.

  • Bluetooth:

    Access to the Bluetooth connection of your mobile end device/smartphone is used, in particular, to open or lock SHARE NOW vehicles.

III. Individual processing operations when using our services

1. Registration / user account

a. Type and scope of data processing

Within our app and also via our website, we offer you the option to register for our service by providing your personal data. With the processed data, we create an individual user account for you with which you can use our services.

The following overview shows you in detail which of your personal data we process in case of a registration:

  • Form of address

  • First name

  • Last name

  • Date of birth

  • Birthplace

  • Residential address

  • Postcode

  • City

  • Mobile telephone number

  • Country for which you are registering

  • Language

  • Payment data

  • Email address

  • Password

  • Magic PIN

  • If applicable, promotional code with which you register

b. Conduct in violation of the contract or unlawful conduct / blocking the account

For the purpose of preventing damage and protecting ownership of our vehicles, as well as in regard to preventing fraud or preventing use in violation of the contract (e.g. breaches of the Terms and Conditions, exceeding the maximum rental period, suspension of payments, outstanding invoices, leaving the scene of an accident, fraud in connection with refuelling, identity fraud or other fraudulent attempts, repeated registration), we reserve the right to document the relevant circumstances, share information with third parties, in particular investigating authorities, and, if necessary, to temporarily block accounts.

c. Legal basis

The processing of the personal data outlined above serves the performance of a contract or in order to take steps prior to entering into a contract between you and SHARE NOW pursuant Art. 6 (1) lit. b GDPR. In addition, the measures to prevent conduct in violation of the contract or unlawful conduct may be justified on the basis of our legitimate interest pursuant to Art. 6 (1) lit. f GDPR.

d. Cancellation of the registration / deletion of the user account

As a user, you have the option of cancelling your registration at any time. You can also change the data stored about you at any time via the settings of your user account. However, if the processed data is required to process/terminate a contract, an early deletion of the data is not possible.

e. Storage period

As soon as the processed data is no longer necessary for the performance of the contract, it will generally be deleted.

However, even after termination of the contract with you, it may be necessary to continue to store certain of your personal data in order to comply with statutory obligations. In particular, we continue to store certain order, customer and contract data for up to 10 years after termination of the contract with you on the basis of statutory retention obligations (especially tax and commercial law regulations). If the type of customer communication is also tax-relevant customer communication, this will also only be deleted after 10 years. However, in this case, your data will be stored and used exclusively for these purposes (compliance with retention obligations).

2. Validation of driving licence

a. Type and scope of data processing

In order to ensure that you, as our customer, have the necessary driving licence (validation of driving licence) to be able to use our service (vehicle sharing/vehicle rental), we carry out a validation of the driving licence before you use our service for the first time and at regular intervals thereafter. Only when this has been successful can you rent our vehicles. We are required to carry out a validation of the driving licence for legal reasons. For the purpose of the validation of the driving licence, photographs of your driving licence (front and back) and a current portrait picture (“selfie”) must be taken which are processed by us for the validation of the driving licence. The driving licence data is read out electronically from the pictures of the driving licence and checked for authenticity. In addition, a comparison is made between the portrait pictures (“selfie”) provided by you and the photo on your driving licence. In this process, so-called biometric data (personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of this natural person, such as facial images) of you within the meaning of Art. 9 (1) GDPR may also be processed.

The validation of the driving licence is partly carried out by our service provider Jumio (21 Worship Street, London, EC2A 2DW, United Kingdom) on our behalf and within the scope of data processing pursuant to Art. 28 GDPR. The processing takes place in the United Kingdom and therefore outside the EU or the European Economic Area (EEA). However, the EU Commission has determined that an adequate level of protection comparable to the GDPR is guaranteed in the United Kingdom. Data transfers to the United Kingdom are therefore permissible pursuant to Art. 45 GDPR.

b. Legal basis

The processing of your personal data for the validation of the driving licence is necessary pursuant to Art. 6 (1) lit. c GDPR for the compliance with our legal obligation as we must determine that our customers are in possession of a valid driving licence pursuant to Sec. 116 of Legislative Decree 285/1992 (Road Traffic Act - “Nuovo Codice della Strada”) in order to avoid criminal liability on the part of SHARE NOW as the keeper of the vehicles.

Insofar as the photographs of your driving licence and your portrait pictures (“selfies”) and special categories of personal data pursuant to Art. 9 (1) GDPR are processed (biometric data), this is based on your consent, Art. 6 (1) lit. a in connection with Art. 9 (2) lit. a GDPR. Giving your consent is voluntary and you can withdraw it at any time with effect for the future. However, without the successful validation of your driving licence, you will not be able to use our service or carry out vehicle rentals with us.

c. Storage period

As soon as the processed data is no longer necessary for the outlined purposes, it will be deleted. In the case of our service provider Jumio, your data will already be deleted after 14 days. We generally store the data for the duration of the customer relationship. Even after termination of the contract, it may be necessary to store personal data from you in order to comply with contractual or legal obligations.

3. User login (keycloak)

a. Type and scope of data processing

When using our app for the first time, you will be asked to log in via your SHARE NOW user account. For this purpose, we use the single sign-on solution “keycloak” from the provider Red Hat Limited (6700 Cork Airport Business Park, Kinsale Road, Cork, Ireland) for one-time user authentication. For the purpose of the authentication, after you have entered your user name and password, a so-called keycloak token is created which cross-checks your information once with the information from our user directory in order to validate your identity.

b. Legal basis

Art. 6 (1) lit. f GDPR serves as the legal basis for the aforementioned data processing. The processing is necessary for the purposes of user authentication and user identification and thus serves to pursue our legitimate interest.

c. Storage period

As soon as the aforementioned data is no longer required for user authentication, it will be deleted. This generally happens by your logout.

4. Fraud prevention during registration

a. Type and scope of data processing

In order to protect ourselves and our honest customers from damage caused by fraudulently created accounts and by payment defaults for other reasons, we use the services of “Emailage”, a service for risk assessment by LexisNexis Risk Solutions EU Ltd. (hereinafter “Emailage”) based in Ireland. The checks are carried out as part of the registration or each time a new means of payment is indicated.

In this context, your last name and first name, your email address and your postal address are transferred to Emailage for the purpose of risk assessment. Emailage stores the data and determines a risk score on the basis of a mathematical-statistical process. This risk score is mainly determined on the basis of the email address and data regarding your name. Address data is mainly used for unique identification and for comparison with further information. There is no discrimination on the basis of a particular address. Further information on data processing by Emailage can be accessed at https://risk.lexisnexis.com/products/lexisnexis-emailage.

The score value determined by Emailage does not result in an automated decision pursuant to Art. 22 GDPR. Rather, exceeding a certain score value regularly leads to a manual check by persons from our responsible specialist department.

a. Legal basis

The processing of your personal data is based on our legitimate interest in preventing fraud pursuant to Art. 6 (1) lit. f GDPR and is in accordance with the legal arguments of recital 47 sentence 6 and recital 71 sentence 3 GDPR.

b. Storage period

As soon as the processed data is no longer required for the outlined purposes, it will be deleted at SHARE NOW.

5. Conclusion and execution of a rental contract for the use of a SHARE NOW vehicle

a. Type and scope of data processing

In order to conclude and perform a rental contract for the use of a SHARE NOW vehicle, it is necessary for us to process the following additional personal data from you:

  • Start and end position of the rental

  • Distance travelled in km

  • Time and date as well as duration of the rental

In addition, we process your data outlined above for the following purposes:

Performance of the rental contract when renting via app

To perform the rental contract, you must open our vehicles with our app. This is carried out by entering your self-created PIN as well as the Bluetooth function of your smartphone or via “Global System for Mobile Communication” (GSM) in connection with your location data, if you have enabled it. You have the option to deactivate access to your location or the Bluetooth function at any time. Not enabling your location data and not activating Bluetooth may result in functional restrictions.

When opening and locking the vehicles with the app, locking and unlocking errors, e.g. a window left open before the vehicle is returned, are displayed for error correction.

The rental is started via the app and/or via vehicle controls (by confirming the corresponding buttons).

To end the rental, you must lock the vehicle again via the app. The locking takes place via the Bluetooth function of your smartphone or via GSM then in connection with your location data, provided you have granted access to them. You have the option of deactivating access to your location or the Bluetooth function at any time. Not enabling your location data and not activating Bluetooth can lead to functional restrictions.

For proper return and invoicing, we check whether you are in the business area or at a suitable location with the vehicle and whether a return can take place. For proper invoicing, we process your time of use, the mileage and the tank or load level and we check the vehicle location to determine whether a journey may be completed in accordance with our Terms and Conditions.

b. Legal basis

The processing of the personal data outlined above is necessary for the performance of our rental service pursuant to Art. 6 (1) lit. b GDPR.

c. Storage period

As soon as the processed data is no longer necessary for the performance of our rental services, it is deleted.

Even after termination of the contract, it may be necessary to store your personal data in order to comply with contractual or statutory obligations, in particular, with the statutory retention obligations (e.g. from the Italian Civil Code (Codice Civile) and other relevant local legislation).

6. Push notifications

a. Type and scope of data processing

The app informs you about our so-called SHARE NOW Radar with push notifications that are sent to your end device. With this function you will be notified as soon as a vehicle is available in a previously defined area.

You can activate/deactivate the push notifications at any time as follows: Android: Settings -> Apps -> SHARE NOW -> Notifications -> “Block all”; iOS: Settings -> Notifications -> SHARE NOW -> Allow notifications -> Off.

For the purpose of sending out push notifications, we use the Google Firebase tool by Google Ireland Ltd. (Google Building Gordon House, 4 Barrow Street, Dublin D04 E5W5, Ireland). User data is transferred to Google Firebase exclusively in pseudonymised form.

b. Legal basis

The processing of the personal data outlined above serves to perform a contract between you and SHARE NOW or in order to take steps prior to entering into a contract pursuant to Art. 6 (1) lit. b GDPR.

c. Storage period

As soon as the data is no longer necessary for the performance of the SHARE NOW Radar service, it will be deleted.

7. Reserve a vehicle

a. Type and scope of data processing

On our website, we offer our registered users the option to reserve vehicles for a certain period of time and having them delivered to an address of their choice. For this purpose, we process the following personal data in addition to the data you have provided for your user account:

  • Delivery address

  • Delivery date

  • Delivery time

  • Selected vehicle category

b. Legal basis

The processing of the personal data outlined above serves the performance of our reservation service pursuant to Art. 6 (1) lit. b GDPR.

c. Storage period

As soon as the processed data is no longer necessary for the performance of our reservation services, it is deleted.

Even after termination of the contract, it may be necessary to store your personal data in order to comply with contractual or legal obligations, in particular, with the statutory retention obligations (e.g. from the Italian Civil Code (Codice Civile) and other relevant local legislation).

8. Customer service

a. Type and scope of data processing

If you contact our customer service by email or telephone, we process the information and data you provide. The processing of your data serves the purpose of allocating and processing your request.

For the purpose of processing your requests, we use eGain of the external service provider eGain Corporation (St Catherine’s House, Oxford Street, Newbury, Berkshire RG14 1JQ, GB). The processing takes place in the United Kingdom and therefore outside the EU or the European Economic Area (EEA). However, the EU Commission has determined that an adequate level of protection comparable to the GDPR is guaranteed in the United Kingdom. Data transfers to the United Kingdom are therefore permissible pursuant to Art. 45 GDPR. For the purpose of legally justifying the data processing, we have concluded a corresponding data processing agreement with the service provider.

Any further collection and processing of your personal data, such as the recording of telephone conversations, will only take place on the basis of your prior consent.

b. Legal basis

The processing of the personal data outlined above is based on our legitimate interest in processing your request pursuant to Art. 6 (1) lit. f GDPR.

If you have agreed to the recording of a telephone call, your consent pursuant to Art. 6 (1) lit. a GDPR serves as the legal basis for the data processing. You can withdraw this consent at any time with effect for the future.

c. Storage period

Customer requests are documented for the duration of the contractual relationship and deleted after the lapse of the statutory retention and limitation periods (e.g. from the Commercial Code (“Handelsgesetzbuch”, HGB), Fiscal Code (“Abgabenordnung”, AO) etc.).

9. Cross-country and cross-company use of our services

a. Type and scope of data processing

If you use or rent a vehicle from another local SHARE NOW entity outside of Italy or another SHARE NOW partner company (franchise partner as an independent company and controller under the GDPR), we transfer your personal data (master data/registration data) provided during registration and validation to the respective local SHARE NOW entity or SHARE NOW partner company in order to enable the vehicle rental for you there.

b. Legal basis

The transfer of your personal data serves the performance of a contract with you and the respective local SHARE NOW entity or the respective SHARE NOW partner company or in order to take steps prior to entering into a contract pursuant to Art. 6 (1) lit. b GDPR.

c. Storage period

We store your master data for the duration of our contractual relationship. Subsequently, this data is deleted after the lapse of the statutory retention and limitation periods (e.g. from the Italian Civil Code (Codice Civile) and other relevant local legislation).

10. Collection and processing of telematics data during the rent & for the purpose of performance of the rental contract

a. Type and scope of data processing

When you rent a vehicle, so-called telematics data are collected and processed for various purposes. This is done, in particular, to be able to ensure that we can always offer you roadworthy vehicles and provide the contractually agreed functions.

This includes, in particular, the following information:

  • Status of the central locking system

  • Status of the immobiliser

  • Detection and monitoring of the ignition status

  • Status of the mileage counter

  • Location data (usually only the beginning and end of the rent)

  • Voltage detection of the on-board electrical system

  • Tyre pressure

  • Speed

  • Triggering of safety systems such as airbags

  • Tank capacity

  • Status key/fuel card in the so-called key card holder

  • Status of vehicle doors and windows (open/closed)

In addition, certain information helps us to monitor the contractual use of our vehicles and to retrace damage events. In some vehicles, for example, we use suitable sensors to detect damage to the vehicle (“Damage Detection”). For this purpose, we use a solution from our service provider, carValoo GmbH (ThyssenKrupp Allee 1, 45143 Essen) which processes the data on our behalf. The data collection is only vehicle-related and not customer-related. An assignment to a specific user account is only made depending on the certain event.

Depending on the respective vehicle, telematics data is either collected directly by us or by the respective vehicle manufacturer (in the case of BMW vehicles: Bayerische Motoren Werke Aktiengesellschaft, Petuelring 130, 80788 Munich) or third-party providers used by us (Invers GmbH, Untere Industriestraße 20, 57250 Netphen/Siegen) or transferred to them. Insofar as this is necessary in the respective context, we have concluded data processing agreements with the vehicle manufacturers / service providers concerned pursuant to Art. 28 (3) GDPR.

Please note that the respective vehicle manufacturer (OEM) may collect personal data directly from you if you, as the driver of the respective vehicle, use special functionalities or services (digital services that connect the vehicle to the Internet, such as special telematics services, driver assistance systems, connections for mobile end devices but also entertainment offers and traffic services) of the respective vehicle brand (“Connected Car Services”). For these processing activities, the respective vehicle manufacturer or companies selected by the vehicle manufacturer are generally the controller within the meaning of the GDPR and not SHARE NOW. Please ensure that you delete all personal data that you may have provided to the vehicle manufacturer or the respective company or that have been collected via the corresponding services after the end of the rental. Please refer to the privacy notice of the respective vehicle manufacturer or company for information or contact them directly if you have any questions to that end.

b. Legal basis

Insofar as the processing is necessary for the performance of a contract concluded with you, this is based on Art. 6 (1) lit. b GDPR. Otherwise, the processing is based on our legitimate interests within the meaning of Art. 6 (1) lit. f GDPR for the analysis, elimination and allocation of damage to our vehicles or damage events.

c. Storage period

For the purpose of processing customer requests and other concerns, we store the telematics data in our customer database for 90 days. In individual cases, data may also be stored for a longer period. This applies, in particular, if it is necessary for the enforcement of legal claims. In this case, the relevant statutory retention and limitation periods (e.g. from the Italian Civil Code (Codice Civile) and other relevant local legislation) regularly apply.

11. Data processing in the context of an accident

a. Type and scope of data processing

In the event of an accident with a SHARE NOW vehicle, we process the personal data collected in this context (this also includes the telematics data described above) in order to process and settle the accident claim internally and/or externally (with the respective other party involved in the accident, our insurance company or the other party's insurance company).

b. Legal basis

Data processing in the context of accident settlement and processing serves the performance of our contract pursuant to Art. 6 (1) lit. b GDPR.

c. Storage period

Should an accident have occurred, this data is archived by us in accordance with the regular statutory limitation period for a period of up to 3 years after the lapse of the year in which the event occurred. Please note, however, that it may be necessary to store this data in order to comply with contractual or legal obligations.

12. Geolocation in case of emergencies, serious violations of our Terms and Conditions

a. Type and scope of data processing

In order to determine whether there are objective facts that indicate an emergency situation or a serious breach of our Terms and Conditions (in particular, theft, vandalism, leaving the contractually agreed area of use (cf. Sec. 9 (3) of the SHARE NOW Terms and Conditions), exceeding the maximum permissible rental period) and to enable processing, if necessary also contacting the customer concerned, the geolocation of the rented vehicle is transferred every 1-2 minutes together with master data, communication data and telematics data of the vehicle renter to the backend of Daimler Mobility Services GmbH, Fasanenweg 15-17, 70771 Stuttgart, Germany or in case a BMW vehicle is used to Bayerische Motoren Werke Aktiengesellschaft, Petuelring 130, 80788 Munich. The respective company processes the information on the geolocation of the vehicles on our behalf pursuant to Art. 28 GDPR. For this purpose, we have concluded a data processing agreement with the companies in order to ensure the protection of your personal data. This data is only retrieved in cases where one of the situations described has occurred or there are objective indications that such a violation of our Terms and Conditions has occurred.

Furthermore, in certain individual cases, if there are suspicious circumstances that indicate a violation of the Terms and Conditions or corresponding emergencies, it is possible that a current rental/drive is tracked in real time, in order to prevent, e.g., in particular, a loss of the vehicle.

b. Legal basis

The data processing is necessary for the performance of the contract between you and SHARE NOW and is furthermore based on our legitimate interests. The data processing is thus justified pursuant to Art. 6 (1) lit. b GDPR (violations of the Terms and Conditions) as well as Art. 6 (1) lit. f GDPR (emergency situations).

c. Storage period

If none of the events described have occurred, the processed information is deleted immediately. If a breach has occurred, we will archive this data in accordance with the regular statutory limitation period for a period of up to 3 years after the end of the year in which the event occurred.

Even after the review has been completed, it may be necessary to store personal data from you in order to comply with contractual or legal obligations.

13. Position data for fleet utilisation analysis

a. Type and scope of data processing

We process the start and end positions of our vehicles as well as, if applicable, the positions of interim interruptions to the drive in order to analyse and optimise the use of the vehicle fleet. This information is processed purely on a vehicle-related basis without establishing a direct personal reference. Based on the same data, we also create statistics to predict the future use of our vehicles without establishing a direct personal reference.

b. Legal basis

The data processing is carried out on the basis of our legitimate interest in a needs-based management of our offer pursuant to Art. 6 (1) lit. f GDPR.

c. Storage period

The analysis data is stored until the purpose for which it was collected has been achieved or has ceased to exist and is then deleted.

14. Payment (PayPal / Stripe)

a. Type and scope of data processing

For the purpose of payment for a completed drive, the following personal data is processed:

  • Name

  • Email address

  • If applicable, further contact details

  • Credit card information

  • Customer ID

  • Billing and transaction data

Depending on the payment method you choose, we transfer your personal data to our payment service providers.

In the case of payment by credit card, a transfer takes place to the payment service provider Stripe Inc. (510 Townsend Street, San Francisco, CA 94103, US). In addition, we use the services of Stripe for the early detection of fraudulent behaviour by calculating a so-called risk score on the basis of the data described. The use of these services does not result in an automated decision pursuant to Art. 22 GDPR. You can find further information on data protection at Stripe at: https://stripe.com/de/privacy.

Appropriate safeguards possibly may not currently exist for data transfers to the US. There are restrictions on the protection of personal data resulting from the fact that, under US law, security authorities can access data transferred from the EU to the US and use it without restriction to what is absolutely necessary. As a data subject without US citizenship, you cannot take legal action against such use. However, we have concluded standard contractual clauses with the service provider to ensure the security of your personal data.

In the case of payment via PayPal, there is a transfer to PayPal S.à r.l. et Cie, S.C.A. (22-24 Boulevard Royal, L-2449 Luxembourg). You can get further information on data protection at Paypal at: https://paypal.de/privacy

b. Legal basis

Data processing for the purpose of payment for the conducted drive by you is necessary for the performance of a contract between you and SHARE NOW and is based on Art. 6 (1) lit. b GDPR. Data processing for the purpose of fraud prevention with the help of Stripe is based on our legitimate interests pursuant to Art. 6 (1) lit. f GDPR.

c. Storage period

As soon as the processed data is no longer required for the performance of the contract, it is deleted. However, even after termination of the contract, it may be necessary to store personal data from you in order to comply with contractual or statutory obligations, in particular, with the statutory retention obligations (e.g. from the Italian Civil Code (Codice Civile) and other relevant local legislation).

15. Digital refuelling

a. Type and scope of data processing

Customers have the option of refuelling our vehicles at partner petrol stations. The respective fuel costs are released via our app. However, this is only possible if the respective vehicle is located in the vicinity of a partner petrol station (radius of 100 - 300m). It is therefore necessary to enable the location data in our app. If these are deactivated, this will lead to a restriction of function. Within the scope of the process, we process the following personal data from you for the purpose of billing fuel costs, preventing fuel fraud and misfuelling and providing our customer support in the event of disruptions to the payment process:

  • Location data,

  • Transaction data (quantity refuelled, costs),

  • Master data of customers,

  • Telematics data (e.g. fuel level)

b. Legal basis

Data processing in connection with the “Digital Refuelling” service is necessary for the performance of a contract between you and SHARE NOW and is based on Art. 6 (1) lit. b GDPR. Data processing for the purpose of fraud prevention is based on our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR.

c. Storage period

As soon as the processed data is no longer required for the performance of the contract, it is deleted. However, even after termination of the contract, it may be necessary to store personal data from you in order to comply with contractual or statutory obligations, in particular, with the statutory retention obligations (e.g. from the Italian Civil Code (Codice Civile) and other relevant local legislation).

16. Claims management

a. Type and scope of data processing

In the event of payment default of outstanding claims, we engage the external service providers GFKL PayProject GmbH, Part of Loweel Group, Am Europa-Center 1b, 45145 Essen or PAIR Finance GmbH, Hardenbergstraße 32, 10623 Berlin with claims management.

b. Legal basis

Data processing in the context of receivables management is necessary for the performance of a contract between you and SHARE NOW pursuant to Art. 6 (1) lit. b GDPR.

c. Storage period

After the conclusion of the respective case and furthermore after the purpose of processing has ceased to exist, the personal data is deleted. However, even after the conclusion of the case it may be necessary to store your personal data in order to comply with contractual or statutory obligations, in particular, with the statutory retention obligations (e.g. from the Italian Civil Code (Codice Civile) and other relevant local legislation).

17. Sanctions list screening

a. Type and scope of data processing

We match the customer data you provided during registration with sanctions lists in line with the legal requirements.

b. Legal basis

The processing outlined above is mandatory by law and is therefore based on Art. 6 (1) lit. c GDPR.

c. Storage period

The personal data is stored until the purpose for which it was collected has been achieved or has ceased to exist and is then deleted.

18. Improving our services and our products/creating user profiles

a. Type and scope of data processing

For the purpose of improving our services and tailoring our products even better to your needs, we combine data on the use of our products and services to your profile and can thus inform you in accordance with your interests.

In doing so, we also process personal data from you that is collected during a vehicle rental. This includes, among other things, location data and contract-related data originating from the use of our mobility services. If you use mobility services or connected car services in this context, location data and movement data (in particular GPS data) will be generated. We can process the data transferred to us by the vehicle in order to assess, e.g., in which area and when you use mobility offers or to track your vehicle position. This way, we can display suitable advertising or available mobility offers for you in your vicinity when you park your vehicle. The collection and processing of this data enables us to better analyse our own products and ultimately improve them for all customers. You can access further information and the wording of the consent in the app under “Profile/Edit profile/Mailing & privacy settings”.

b. Legal basis

The data processing is carried out on the basis of your consent pursuant to Art. 6 (1) lit. a GDPR which you can give via our app under “Profile/Edit profile/Mailing & privacy settings” and withdraw it at any time with effect for the future (by activating/deactivating the checkbox).

c. Storage period

The personal data is stored until the purpose for which it was collected has been achieved or has ceased to exist and will then be deleted.

19. Newsletter

a. Type and scope of data processing

On the basis of our contractual relationship with you, we will inform you about current offers, novelties of our service and other news and use the name and contact details provided to us during registration for this purpose.

In connection with the dispatch of the newsletter, we use the Salesforce Marketing Cloud, a tool by Salesforce.com, Inc. (One Market Street, San Francisco, CA 94105 USA) with whom we have concluded a data processing agreement pursuant to Art. 28 GDPR to ensure the security of your personal data.

Appropriate safeguards may not currently exist for data transfers to the US. There are restrictions on the protection of personal data resulting from the fact that, under US law, security authorities can access data transferred from the EU to the US and use it without restriction to what is absolutely necessary. As a data subject without US citizenship, you cannot take legal action against such use. However, we have concluded standard contractual clauses with the service provider to ensure the security of your personal data.

As part of the dispatching of newsletters, it is also possible that we send you surveys or give you the option to participate in prize competitions. Participation in these campaigns takes place on a voluntary basis.

b. Legal basis

The processing of your personal data for the newsletter dispatch is based on our legitimate interests to inform you on offers, similar services and other related news, in accordance with Art. 6 (1) lit. f GDPR. You can unsubscribe from the newsletter at any time by clicking on the corresponding unsubscribe link within our newsletter.

c. Storage period

The storage period depends on the duration of the contractual relationship with our customers. After unsubscribing from the newsletter by opting out, the opt-out is stored so that you no longer receive newsletters.

20. Discounts, free products and special offers from SHARE NOW partners

a. Type and scope of data processing

Based on your declaration of consent given during registration (https://www.share-now.com/it/en/registration/personal-data/), your contact details are used to inform you about current offers from SHARE NOW partners via email, push notification, in-app notification, on the SHARE NOW website, in-car-notice or via post. A list of partners can be viewed at https://www.share-now.com/de/en/collaborations/. Your personal data will not be transferred to the partners.

b. Legal basis

The processing of your personal data is based on your consent pursuant to Art. 6 (1) lit. a GDPR which you can withdraw at any time with effect for the future.

c. Storage period

Your personal data will generally be processed and stored until you withdraw your consent.

21. SHARE NOW offers on social media

a. Type and scope of data processing

On networks such as Facebook, Instagram, Snapchat, LinkedIn or Google, SHARE NOW itself cannot display individual offers. Generally, only the respective provider has this option. To enable us to address our customers with individual offers, we use your pseudonymised or hashed data (email address, telephone number, IDFA, Google Play Service ID) - provided you have given your consent for this during registration (during registration ((https://www.share-now.com/fr/en/paris/registration/personal-data/)  - to assign it to one or more target groups with the respective network provider. Thereby, the hashed data is only used once and it is not possible for us to identify you or your device individually.

As part of the processing, we use the tool Salesforce Advertising Studio of salesforce.com Germany GmbH (Erika-Mann-Str. 31, 80636 Munich, Germany), with whom we have concluded a corresponding data processing agreement to ensure the security of your personal data.

b. Legal basis

The processing of your personal data is based on your consent pursuant Art. 6 (1) lit. a GDPR which you can withdraw at any time with effect for the future.

c. Storage period

The personal data is stored until the purpose for which it was collected has been achieved or has ceased to exist and are then deleted.

The personal data is also deleted as soon as the consent has been withdrawn by the customer.

22. Market research/surveys

a. Type and scope of data processing

For the purpose of quality assurance and improving our services and products, we conduct personalised market research and personalised opinion surveys in which you can participate on a voluntary basis. Hereby we process the personal data collected from you as part of the processes.

b. Legal basis

The processing of your personal data is based on your consent pursuant Art. 6 (1) lit. a GDPR. The consent can be withdrawn at any time with effect for the future.

c. Storage period

The personal data is stored until the purpose for which it was collected has been achieved or has ceased to exist and are then deleted.

The personal data are also deleted as soon as the consent has been withdrawn by the customer.

23. Friend Referral Programme

a. Type and scope of data processing

If you use the Friend Referral Programme, we process the following personal data of you or the referred new customer:

  • Customer number

  • Recommendation code

  • Customer number of the referred new customer

The purpose of processing personal data serves to provide the benefits of the programme and for processing inquiries or complaints about the Friend Referral Programme.

b. Legal basis

Participation in the Friend Referral Programme is voluntary. Our customers can generate a recommendation code at any time and then forward it to the referred new customer. The processing of the personal data therefore serves the performance of the contract with the existing customer and with the referred new customer, respectively, and is based on Art. 6 (1) lit. b GDPR.

c. Storage period

As soon as the processed data is no longer necessary for the provision of the Friend Referral benefits, it is deleted.

Even after termination of the contract, it may be necessary to store personal data of the parties involved in order to comply with contractual or statutory obligations (e.g. from the Italian Civil Code (Codice Civile) and other relevant local legislation).

24. SHARE NOW Rewards

a. Type and scope of data processing

As part of our so-called SHARE NOW Rewards Programme, we offer our participating customers the option to receive and collect points for vehicle rentals made and to receive various rewards for this. For the purpose of provision of the programme, we process your personal data, in particular, the customer ID and data relating to the vehicle rental. Hereby, we use the services of the external service provider Talon.One GmbH (Wiener Straße 10, 10999 Berlin) in order to be able to customise certain conditions or features individually. We have concluded a data processing agreement with the service provider pursuant to Art. 28 GDPR to ensure the security of your personal data.

You can receive further information on SHARE NOW Rewards here: https://www.share-now.com/it/en/share-now-rewards/

b. Legal basis

Participation in the SHARE NOW Rewards Programme is voluntary. Our customers can participate in and register for the programme at any time. The processing of personal data therefore serves the performance of the contract with the participating customer and is based on Art. 6 (1) lit. b GDPR.

c. Storage period

Once the data processed is no longer necessary for the provision of SHARE NOW Rewards benefits, it is deleted.

Even after termination of the contract, it may be necessary to store personal data from you in order to comply with contractual or statutory obligations (e.g. from the Italian Civil Code (Codice Civile) and other relevant local legislation).

25. Car sharing with FREE NOW

a. Type and scope of data processing

SHARE NOW offers a car sharing service in cooperation with FREE NOW (Intelligent Apps GmbH, Neumühlen 19, 22763 Hamburg, Germany) via the FREE NOW passenger app and rents out SHARE NOW vehicles in this way. SHARE NOW and FREE NOW act as joint controllers in the arrangement of the car sharing services and have concluded an agreement pursuant to Art. 26 GDPR. The parties have jointly determined the order of processing of passengers' personal data for each processing step therein. Due to the data processing by joint controllers, your personal data will be processed by both FREE NOW and SHARE NOW when you use the FREE NOW passenger app.

SHARE NOW and FREE NOW process the following personal data:

  • User data (first and last name, unique user ID, data regarding the driving licence, validation photographs, GPS location data, passenger ID, email address)

  • Vehicle and tour data (vehicle ID, minutes used, distance, cost, tour start and destination, time of booking, price paid, error codes, reservation and vehicle status).

  • Device and usage data (IP address, country code, app version, business area, payment transaction data, device ID).

  • If applicable, we will share information with FREE NOW about any possibly existing reasons for obstruction, such as account blocking, breaches of the Terms and Conditions, lack of verification, etc.

Despite the existence of joint responsibility, the parties fulfil the obligations under data protection law within the scope of their respective responsibilities. Pursuant to Articles 15 to 22 of the GDPR, you can assert your data subject rights under the GDPR against each individual controller.

You can find further information on processing by FREE NOW at: https://free-now.com/de/passenger-privacy-policy/.

b. Legal basis

Without the above-mentioned processing of personal data, the car sharing services cannot be offered to you via the FREE NOW passenger app. The data processing is necessary for the conclusion and performance of the rental contract pursuant to Art. 6 (1) lit. b GDPR. This includes, among other things, the processing of customer inquiries and complaints, invoice processing, the processing of insurance-related or police inquiries and accident management.

c. Storage period

As soon as the processed data is no longer required for the performance of the contract, it is generally deleted.

However, even after termination of the contract with you, it may be necessary to continue to store certain of your personal data in order to comply with statutory obligations. In particular, we continue to store certain order, customer and contract data for up to 10 years after termination of the contract with you on the basis of statutory retention obligations (especially tax and commercial law regulations). If the type of customer communication is also tax-relevant customer communication, this will also only be deleted after 10 years. However, in this case, your data will be stored and used exclusively for these purposes.

26. Transfers to third parties

a. Type and scope of data processing

In addition, we transfer your personal customer data (name, address) to third parties if this is necessary to enable these third parties to contact you and so that these third parties can assert claims directly against you in the event of claims against SHARE NOW that are not obviously unfounded, for example resulting from parking violations in private areas.

We also transfer your personal customer data (name, address, vehicle rental data, if applicable) to authorities, courts and other public bodies, external consultants or other authorised third parties, insofar as this is permissible under applicable law, e.g., if the processing is necessary to pursue the legitimate interests of SHARE NOW. This may be the case, e.g., if you commit a regulatory offence during a rental.

b. Legal basis

Data processing is carried out on the basis of fulfilment of our legal obligation pursuant to Art. 6 (1) lit. c GDPR and on our legitimate interests such as ensuring the assessment of claims pursuant to Art. 6 (1) lit. f GDPR.

c. Storage period

The personal data will be stored until the purpose for which it was collected has been achieved or has ceased to exist and will then be deleted. In addition, the relevant statutory limitation periods of the national laws apply.

IV. Transfers to third countries or international organisations

If personal data is otherwise transferred to third countries or international organisations or, in certain cases, access to personal data from third countries is made possible, e.g., for maintenance work or technical support, this is done on the basis of appropriate safeguards within the meaning of Art. 44 et seq. GDPR.

If no adequacy decision has been issued by the European Commission for the third country concerned pursuant to Art. 45 GDPR, we regularly base the data transfer on so-called EU standard contractual clauses adopted by the European Commission which we have concluded with the recipients of the data and - where necessary, if applicable - on additional technical and organisational measures to ensure a sufficient level of data protection. Further, transfers of personal data may be made in certain individual cases on the basis of the derogation provisions pursuant to Art. 49 GDPR.

V. Are you obliged to provide your personal data and what happens if you do not provide it?

The provision of personal data generally takes place on a voluntary basis. However, the processing of certain personal data is necessary for the use of individual services. Without this data, we are regularly unable to offer the respective service or provide individual services.

  • Your data subject rights

The GDPR gives you the following rights as a data subject of a processing of personal data:

  • Pursuant to Art. 15 GDPR, you have the right to obtain information about your personal data processed by us. In particular, you can obtain information about the purposes of processing, the categories of personal data, the categories of recipients to whom your data has been or will be disclosed, the envisaged storage period, the existence of a right to request rectification, erasure, restriction of processing or to object, the existence of a right to lodge a complaint, the source of your data if it has not been collected by us, about a transfer to third countries or international organisations and about the existence of automated decision-making including profiling.

  • Pursuant to Art. 16 GDPR, you have the right to obtain rectification of inaccurate or completion of incomplete personal data from you stored by us without undue delay.

  • Pursuant to Art. 17 GDPR, you may have the right to obtain erasure of your personal data stored by us, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.

  • Pursuant to Article 18 GDPR, you may have the right to obtain restriction of processing of your personal data if you contest the accuracy of the data, the processing is unlawful or we no longer need the data and you object to their deletion because they are required for the establishment, exercise or defence of legal claims. You also have the right under Art. 18 GDPR if you have objected to the processing pursuant to Art. 21 GDPR.

  • Within the prerequisites of Art. 20 GDPR, you may have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or you may have the right to transmit those data to another controller.

  • Pursuant to Art. 7 (3) GDPR, you can withdraw your consent once given at any time. This has the consequence that we may no longer continue the data processing based on this consent for the future.

  • Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority. Generally, you can contact the supervisory authority of your habitual residence, your place of work or our company headquarters.

Right to object

When your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, insofar as there are grounds for doing so relating to your particular situation or the objection is directed against direct marketing. In the case of direct marketing, you have a general right to object, which is implemented by us without specifying a particular situation.

To exercise your rights, please use the contact details stated above under I. 2 to contact the controller or our Data Protection Officer.

VI. Data security and security measures

We are obliged to protect your privacy and treat your personal data as confidential. To prevent manipulation, loss or misuse of your data stored with us, we take extensive technical and organisational security measures that are regularly reviewed and adapted to technological progress. These include, among other things, the use of recognised encryption procedures (SSL or TLS). However, we would like to point out that, due to the structure of the Internet, it is possible that the provisions of data protection and the above-mentioned security measures are not observed by other persons or institutions outside of our area of responsibility. In particular, data disclosed unencrypted - e.g. if this is done by email - can be read by third parties. We have no technical influence on this. It is the user's responsibility to protect the data they provide against misuse by encrypting it or in any other way.

Last updated: June 2022