Notes on Data Protection 8mal8.de

A. We are responsible for your data

As a visitor to our website, you expect a high level of quality and competence, not just in terms of our company’s offers and services, but also in the processing of your personal data.

We are responsible for the handling of your personal data, which we process in accordance with the requirements of the European General Data Protection Regulation (GDPR) and other applicable European and German data protection laws, as well as in accordance with your specifications and wishes. Personal data is data by which you can be identified or are identifiable. Your personal data will only be processed by us if this is permitted by law or if you have given your prior consent.

Name and address of the data controller

Dresdner Chauffeur Service 8x8 GmbH
Ostra-Allee 18-20
01067 Dresden

In addition to the above postal address, you can also reach us by e-mail at info@8mal8.de. You will also find further contact information, key points of contact and mandatory details in the company’s Legal Notice (“Impressum”).

It is important to us that you can ascertain at any time from the following information which personal data is collected during your visit to our website and when you use our services, and how we process it afterwards.

B. Our Data Protection Officer

If you have a question about data protection or data security, you can reach our data protection officer by e-mail at datenschutzbeauftragter@ddv-mediengruppe.de or by post at DDV MEDIENGRUPPE GMBH & CO. KG, Data Protection Officer, Ostra-Allee 20, 01067 Dresden.

C. Transmission of personal data to third parties

General information

In order to provide our services, selected personal data may be communicated within our company to certain departments, as well as to affiliated companies or external service providers who are commissioned by us to process data for us in accordance with instructions. Such service providers are contractually obligated by us as processors in accordance with Art. 28 GDPR, insofar as this is standardised by law, and may not use your data for any other purposes. The use of proprietary and third-party services may include, but is not limited to, registration and payment services, customer service/subscription management, marketing/letter shop/newsletter distribution, accounting/collection/receivables management, product management, IT/hosting/maintenance/support, distribution and logistics, web analytics, content recommendation, survey/commentary services, printing services, logistics and shipping or premium distribution. If you have a newspaper subscription, the logistics, in particular, the dispatch or delivery, are carried out by various delivery partners.

Transfer of personal data to third countries

In cases where we transfer data to service providers in third countries outside the EU, this transfer takes place in compliance with the legally regulated permissibility requirements. This transfer is permissible for the performance of a contract, with consent, if this is necessary for the assertion, exercise or defence of legal claims, if there is another exemption pursuant to Article 49 GDPR, if there is an adequacy decision pursuant to Article 45 GDPR or if there are appropriate safeguards pursuant to Article 46 GDPR. Especially US-companies need a certification in accordance with the "EU-US Data Privacy Framework" (DPF) is a prerequisite for data transfer. The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link https://www.dataprivacyframework.gov/s/participant-search. If there is no other legal basis, we conclude the EU standard data protection clauses issued by the European Commission with our service providers in accordance with Art. 46 (2) lit. c) GDPR, checking an appropriate level of data protection in the third country in each individual case.

D. Which data is processed and how long is it stored?

I. Accessing the website and the creation of log files

1. Description and scope of data processing

With every instance that our website is accessed, the following data and information are processed:

Information on the so-called user agent (e.g. browser type, operating system, end device)
IP address of the accessing party
Date and time of access
Website/URL from which the system of the accessing party reaches our website (so-called referrer)
URL of the accessed page

2. Purpose of data processing/legal basis

We collect this data and connection information so that you can view our website and its content correctly, and so that we can determine the causes of any technical problems. Furthermore, for the technical optimisation of our websites and for the purpose of the security of our computer systems and networks, in particular, to detect attacks on our website based on unusual activities.

The legal basis is our legitimate interest (Art. 6 [1] s. 1 lit. f) GDPR) to process data upon accessing the website and store it as “log files” on the website server.

3. Storage period

Log files are stored for a maximum of 7 days and then deleted. If data must be retained for evidence-based reasons, it is exempt from deletion until the incident has been fully clarified.

II. Booking form

1. Description and scope of data processing

In order to facilitate communication between you and us, we provide a form on our website for immediate ride booking.

The following data is processed:

Mandatory information (marked with an asterisk): Pick-up address, date and time, destination address, first name, last name, telephone number, e-mail address
Voluntary information: Number of passengers, method of payment, flight/train no., free text field further details

2. Legal basis/purposes of data processing

When entering the pick-up and destination address, we use Google’s automatic postal address completion. In the process, the IP address of the enquiring party and the content details in the form field are transferred to Google LLC.

The data processing is technically necessary to determine the correct addresses requested by you and thus to provide our agreed service, Section 25 (2) Telecommunications-Telemedia Data Protection Act (TTDSG).

The communication of input fields marked as mandatory in the enquiry form is necessary, in order to be able to process and carry out your booking. The indication of the need for a child seat is also required for compliance with legal requirements and for the safety of a child passenger. The voluntary provision of further data makes it easier for us to process your booking.

If the processing serves the fulfilment of a contract to which the user is a party or the implementation of pre-contractual measures, the additional legal basis for the processing of the data is Art. 6 [1] s. 1 lit. b) GDPR.

In order to justify a legitimate interest of the data controller or a third party, Art. 6 [1] s. 1 lit. f, Art. 49 (1) lit. b) GDPR is the legal basis.

3. Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is the case for the fulfilment of a contract or for the implementation of pre-contractual measures when the data is no longer required for the implementation of the contract. Even after the conclusion of the contract, there may be a need to store personal data of the contractual partner, in order to comply with contractual or legal obligations.

4. Possibility of objection and removal

You have the possibility to object to the data processing at any time and can have the data changed at any time.

If the data is required for the fulfilment of a contract or for the implementation of pre-contractual measures, early deletion of the data is only possible insofar as contractual or legal obligations do not prevent deletion.

III. Enquiry form and e-mail contact

1. Description and scope of data processing

If you have any questions or requests, please do not hesitate to contact us. To facilitate communication between you and us, we provide an enquiry form on our website. The following data is processed:

Mandatory information (marked with an asterisk): Last name, first name, telephone number, e-mail address, subject
Voluntary additional information: Company, address, further details in the text field

The communication of input fields marked as mandatory in the enquiry form is necessary, in order to be able to process and answer your enquiry. The voluntary provision of further data makes it easier for us to process your enquiry and may speed up the process of initiating a contract.

Alternatively, it is possible to contact us via the e-mail address(es) provided. In this case, the user’s personal data transmitted with the e-mail will be stored.

In this context, the data will not be passed on to third parties. The data is used exclusively for processing the conversation.

We usually store the information from your enquiry for three months after answering the enquiry (in case of further enquiries), if it does not concern commercial or business correspondence; we store these for at least six or ten years.

2. Legal basis/purpose of the data processing

The processing of the personal data from the input mask serves us solely to process the contact. In the case of contact by e-mail, this also constitutes the necessary legitimate interest in processing the data.

The legal basis for the processing of the data is Art. 6 [1] s. 1 lit. a) GDPRif the user has given his consent.

3. Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when it is clear from the circumstances that the matter in question has been properly clarified.

4. Possibility of objection and removal

The user has the possibility to revoke his consent to the processing of personal data at any time. If the user contacts us by e-mail, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.

IV. Ordering a ride by fax

1. Description and scope of data processing

Of course, rides can also be ordered directly by fax.

The following data is collected when ordering by fax:

Fax number, time of transmission, order data, communication data (telephone number, e-mail), further voluntary information.

Legal basis/ purpose of data processing

The processing described serves the purpose of booking journeys, as well as consultation with the customer for order fulfilment.

The legal basis for the processing of the data is Art. 6 [1] s. 1 lit. f) GDPRif the user has given his consent.

3. Duration of storage

4. Possibility of objection and removal

You have the possibility to object to the data processing at any time and can have the data changed at any time.

V. Ordering a ride by telephone

1. Description and scope of data processing

Of course, rides can also be ordered directly by telephone.

The following data is collected when orders are placed by telephone:

Telephone number, exact time of call, order data, further communication data (e.g. e-mail), further voluntary information.

We also make an automated announcement at the beginning of the call to inform you that we are recording our telephone conversations. If you do not wish to do so, you have the option of indicating this in accordance with the voice announcement instructions. We will then end the recording from this point.

2. Legal basis/purpose of the data processing

The processing described serves the purpose of booking journeys, as well as consultation with the customer for order fulfilment.

The recording of conversations is used for quality assurance in customer care. This is also the basis of our legitimate interest.

The legal basis for the processing of the data is Art. 6 [1] s. 1 lit. a) GDPRif the user has given his consent.

In order to justify a legitimate interest of the data controller or a third party, Art. 6 [1] s. 1 lit. f) GDPR is the legal basis.

3. Duration of storage

4. Possibility of objection and removal

You have the possibility to object to the data processing at any time.

VI. Performing journeys – Geotracking

1. Description and scope of data processing

If the travel order booked via our channels is performed, we will inform you in advance that we process further passenger data. In particular, we would like to point out that every journey in our vehicles can be tracked by means of geotracking, even at later points in time, and thus inevitably movement profiles of the passengers are also created in accordance with the driving order.

2. Legal basis/purpose of the data processing

Permanent tracking of our vehicles is necessary for several reasons:

Efficient allocation of transport orders by our dispatchers (quickest possible pick-up, minimisation of routes without passengers)
Proof of actual service provision for the financial accounting department

For the fulfilment of a legal obligation, Art. 6 [1] s. 1 lit. c) GDPRis the legal basis.

3. Duration of storage

The data will be deleted as soon as it is no longer required for the above-mentioned purposes. Even after successful order processing, it may be necessary to store personal data of the contractual partner, in order to comply with contractual or legal obligations.

4. Possibility of objection and removal

As a user, you have the option to object to data processing at any time.

VII. Performing patient transport operations

1. Description and scope of data processing

If an ambulance service is provided, we will inform you in advance that we may process further data on the passenger and/or at least gain further insight into the health data of the data subject. In particular, we would like to point out that any patient transport can only be carried out by means of a transport certificate issued by a doctor and approved by the health insurance company.

Individual patient data is required for the billing of the journey vis-a-vis the responsible health insurance company. Billing is done via a central billing portal for these health insurance services.

As a minimum, we become informed of this data via the transport document:

Patient’s home address, health insurance fund, insurance number, co-payment exemption, attending physician, duration of treatment (multiple orders via a transport certificate possible), type of illness, if applicable, type of treatment.

2. Legal basis/purpose of the data processing

The submission of a medical transport certificate is mandatory, in order to be able to invoice such journeys to the competent health insurance fund.

For the fulfilment of a legal obligation, Art. 6 [1] s. 1 lit. c) GDPR is the legal basis.

3. Duration of storage

The transport certificate is sent with the invoice to the responsible billing office of the respective health insurance fund. A copy does not remain with us, so that only the simple order data remains in our system.

4. Possibility of objection and removal

As a user, you have the option to object to data processing at any time.

VIII. “SZ Card”

1. Description and scope of data processing

Only SZ subscribers can take advantage of the SZ Card. It must be presented to the driver before the start of the journey, in order to receive a discount on our trips. In this context, we only collect the passenger’s full name, in order to be able to grant the bonus. No other data is apparent to us, except that the passenger has a subscription to the “Sächsische Zeitung”.

2. Legal basis/purpose of the data processing

Granting of discounted conditions for holders of the SZ Card. Showing the SZ Card is purely proof of the relevant entitlement.

The legal basis for processing the data for the establishment and fulfilment of contracts, as well as for the implementation of pre-contractual measures, is Art. 6 [1] s. 1 lit. b) GDPR.

3. Duration of storage

No data is collected or stored in connection with your SZ subscription. There is only a note in the travel order that the customer has an SZ Card, in order to be able to justify differences to the normal fare later. The data is stored for the duration of the statutory periods.

IX. Advertising

1. Postal advertising and customer analyses

In order to enable us to provide you with information about current offers and promotions, we process your data from orders and subscriptions, as well as other data collected outside the internet for our customer analyses, market research purposes and postal advertising. Our analyses are regularly subject to pseudonymisation.

2. E-mail advertising

We will only use your contact details for advertising beyond the contract-related use if you have consented to this (Art. 6 [1] s. 1 lit. a) GDPR).

If you no longer wish to receive advertising, you can withdraw your consent at any time by using the “unsubscribe” link in every e-mail or by contacting us at the above address.

3. Telephone advertising

Telephone advertising does not take place at present.

4. Competitions and sales promotions

If you participate in our competitions or sales promotions, we and our cooperation partners will process your data to carry out the competition or sales promotion, as well as for advertising by post and our internal customer analyses.

5. Storage period for advertising

We store your data collected for advertising purposes as long as the advertising purpose exists, or until we receive a revocation of your consent or your objection to the processing of your data for advertising purposes.

XI. Careers

For your applications to our job advertisements, we will forward you to our Bertelsmann parent company and the applicant portal. You can find the information on data protection here https://jobsearch.createyourowncareer.com/content/Privacy-Policy/?locale=de_DE

E. Analyses and evaluations on the website

We participate in the Interactive Advertising Bureau Europe (“IAB Europe”) Transparency & Consent Framework (“TCF”) and adhere to the IAB Europe TCF specifications and guidelines.

CMP Didomi

We use the consent management tool (CMP) Didomi, of Didomi SAS, 137 Bd de Sébastopol, 75002 Paris, France with identification number 7. The CMP supports us in the transparent presentation of data processing processes and enables the storage and retrieval of the user’s consent decision for the respective data processing, so that our accountability obligation under data protection law can be fulfilled in accordance with Article 5 (2) GDPR. Didomi, as a processor, is tasked with processing for the purpose of storing and retrieving the user’s consent profile, date and time of visit, device information, browser information, CookieID and DeviceID, as well as the consent profile “consent” or “refusal”. The legal basis is the fulfilment of a legal obligation, Art. 6 (1) lit. c) GDPR. Evidence of withdrawal of consent previously given will be kept for 13 months. The retention is based on our accountability according to Art. 5 (2) GDPR and the regular limitation periods. Didomi’s privacy policy can be found at https://privacy.didomi.io/.

All further information on integrated partners (IAB, as well as Non-IAB; with consent or otherwise deemed technically necessary as per Section 25 [2] Telecommunications-Telemedia Data Protection Act [TTDSG]), which are controlled via the CMP, can be found under Cookie settings and the revocation of the CMP in the explanations on partners.

F. THIRD PARTY PLUG-INS/WIDGETS (SOCIAL MEDIA)

Company presences in social media

Facebook and Instagram pages

When you visit our Facebook or Instagram page, which we use to inform you about our company, events or individual products from our range, certain information about you is processed. The sole data controller of this processing of personal data is Meta Platforms Ireland Limited (Ireland/EU - “Meta”). Further information on the processing of personal data by Meta can be found at https://www.facebook.com/privacy/explanation.

Meta offers the possibility to object to certain data processing; information and opt-out options in this regard can be found at https://www.facebook.com/settings?tab=ads.

Meta provides us with anonymised statistics and insight for our Facebook and Instagram page that help us understand the types of actions people take on our page (known as “page insights”). These page insights are created based on certain information about people who have visited our site. This processing of personal data is carried out by Meta and us as joint data controllers. The processing serves our legitimate interest to evaluate the types of actions taken on our site, and to improve our site based on these findings. The legal basis for this processing is Art. 6 [1] s. 1 lit. a) GDPR. We cannot associate the information obtained through page Insights with individual Facebook profiles that interact with our Facebook page. With Meta, a “Page Insights Supplement regarding the Data Controller” is (automatically) concluded with us as the operator of a Fanpage with page insights. Details of the processing of personal data for the purposes of generating page insights and the agreement entered into between us and Meta can be found at https://www.facebook.com/legal/terms/information_about_page_insights_data as well as https://www.facebook.com/legal/terms/page_controller_addendum.

In relation to this data processing, you have the possibility to assert your data subject rights (see “Your rights”), including against Meta. Further information on this can be found in Meta’s privacy policy at https://www.facebook.com/privacy/explanation.

Please note that, according to the meta data protection regulations, user data is also processed in the USA or other third countries. Meta only transfers user data to countries for which an adequacy decision has been issued by the European Commission in accordance with Art. 45 GDPR or on the basis of appropriate guarantees in accordance with Art. 46 GDPR.

Xing company profile page

When you visit our Xing company profile page which we use to inform you about our company, events or individual products from our range, certain information about you is processed. For further information on the processing of personal data by New Work SE., please visit https://privacy.xing.com/de/datenschutzerklaerung.

LinkedIn company page

When you visit our LinkedIn company page which we use to inform you about our company, events or individual products from our range, certain information about you is processed. For further information on the processing of personal data by LinkedIn Corporation, please contact https://de.linkedin.com/legal/privacy-policy?trk=content_footer-privacy-policy.

Your rights as a data subject

I. Disclosure of information

If you have any questions about the processing of your personal data by us, we will, of course, be happy to provide you with information about the data concerning you.

II. Right to rectification, erasure, right to restriction of processing and right to data portability

In addition, you have the right to rectification, erasure, restriction of processing and objection to processing if the legal requirements are met. If the legal requirements are met, you have the right to receive the personal data concerning you that you have provided to the data controller in a structured, common and machine-readable format.

III. Your point of contact

In all these cases, please contact our data protection officer (see section B. above) at the communication addresses given there.

IV. Right to lodge a complaint with a competent data protection supervisory authority

Finally, you have the right to lodge a complaint with a competent data protection supervisory authority.

For our offer is this the Sächsische Datenschutz- und Transparenzbeauftragte, Devrientstraße 5, 01067 Dresden.

V. Right of objection

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Art. 6 [1] s. 1 lit. e) or f) GDPR; this also applies to profiling based on these provisions.

The data controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

You have the possibility, in connection with the use of information provider services – and notwithstanding Directive 2002/58/EC – to exercise your right to object by means of automated procedures using technical specifications.

VI. Right to revoke your declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until revocation.

VII. Advertising blacklist

After receiving your objection to the processing of your personal data for advertising purposes or the revocation of your consent, we are obliged under data protection law, and in accordance with the requirements of the German data protection supervisory authorities, to include the data required for this purpose (name, address, e-mail address) in our internal advertising blacklist and to store (block) it permanently – for this purpose only – and to use it for comparing with our future advertising files. In this way, compliance with your objection or the revocation of your consent can be permanently ensured.

VIII. Automated decision in individual cases – including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

IX. Change of the purposes of the processing

If we change the purposes of the processing over time, we will inform you in advance by updating this privacy notice.

H. Amendment of the data protection notice

From time to time, it is necessary to adapt the content of this information on data protection for data collected in the future. We, therefore, reserve the right to change this information at any time. We will also publish the amended version of this information on data protection here. When you visit us again, you should, therefore, read the information on data protection again.

Current status: December 2023