Data Protection and Data Management of AUSTRAUTO GmbH

1300 Flughafen-Wien, Object 134, Parkhaus 4
Car Rental Center 0A2804, U-SAVE Car Rental

Represented by Mr. Marco Liello Managing Director
Commercial Register Number: FN 485386d
Tax Number: ATU73093038

1. Purpose of the data management policy

The purpose of these guidelines is to ensure that the data management of AUSTRAUTO GmbH (1300 Flughafen-Wien, Object 134, Parkhaus 4, Car Rental Center 0A2804) as the data controller protects at the highest possible level the personal data of all persons with whom the company enters into a legal transaction associated with data management activities. In addition, data management must comply with the constitutional principle of informational self-determination and the provisions of the European Parliament regulation on general data protection. The purpose of these guidelines is also to protect the sensitive information collected by the data controller from information misuse.

2. Scope of the guidelines
The personal scope of these guidelines includes all employees of the company, regardless of the type of legal relationship (employment relationship, order) and all persons who are on the site / in the offices of the company. The material scope of the guidelines includes all personal data managed by the company. The form, the location / storage location of the personal data and the way in which they are obtained do not affect the level of data protection. These guidelines apply to all phases of data management.

3. Legal notice
These guidelines are subject to the following laws:

  • General Data Protection Regulation (of the Republic of Austria)
  • General Data Protection Regulation 2016/679 (EU) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

4.  Data Management Principles and Guidelines
1. Personal data may only be processed for specific purposes, to exercise rights and to fulfill obligations. Each phase of data management must fulfill the data management purpose; the data must be collected and processed in a lawful manner, in good faith and in a manner that is understandable for the person concerned.

2. The personal data managed by AUSTRAUTO GmbH must be appropriate and relevant to data management.

3. Personal data may only be managed to the extent and only for the period that is necessary for the administrative purposes of the personal data.

4. The managed data remains personal until the connection to the data subject can be re-established on the basis of this data. The connection to the data subject can be restored if the data controller has the technical conditions necessary to restore the personal reference.

5. When managing the data, the accuracy, completeness and – if this is necessary for the purpose of data management – the topicality of the data must be guaranteed.

6. Our society only manages data

  • with the consent of the data subject, or
  • for the purpose of fulfilling the data controller’s contractual obligations
  • for the purpose of fulfilling obligations based on statutory orders
  • on binding official call
  • if the processing is necessary for the performance of a task in the public interest, and is ordered by law or by a resolution of the local self-government – on the basis of a legal order, to the extent specified therein (hereinafter: mandatory data management).

7. Personal data can also be managed if obtaining the consent of the data subject turns out to be impossible or involves a disproportionate amount of effort, or the management of personal data

  • is necessary to comply with a legal obligation to which the data controller is subject, or
  • Is necessary to safeguard the legitimate interests of the data controller or a third party, provided that the enforcement of these interests does not outweigh the restriction of the right of the data subject to the protection of their personal data.

8. If the purpose of data management on the basis of the consent of the data subject is the implementation of a written contract concluded with the data controller, the contract must contain all information that the data subject needs to know within the meaning of this Act on the Management of Personal Data, in particular the Scope of the data to be managed, the duration of the data management, the purpose, the fact of the transmission of the data, their recipients and the use of a processor. The contract must clearly state that by signing the contract, the data subject gives their consent to the management of their personal data for the purposes specified in the contract.

5. Rights of the data subjects
1. Before the start of data management, the datasubject must be informed whether the data management is based on their consent or an obligation.

2. The data subject must be informed clearly and in detail about all matters relating to the management of their data, in particular about the purpose and legal basis of data management, about the person responsible for managing and processing the data, about the period of data management, and to whom the data is accessible. The information must also include the rights and legal remedies of the data subject with regard to the management of their personal data.

3. The person concerned has the right to request confirmation from the person responsible as to whether personal data concerning them are being processed; If this is the case, she has a right to information about this personal data and the following information: the purposes of the processing; the categories of personal data that are processed; the recipients or categories of recipients to whom the personal data have been disclosed or are still being disclosed; if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration; the existence of a right to correction or deletion of the personal data concerning you or to restriction of processing by the person responsible or a right to object to this processing; the right to lodge a complaint with a supervisory authority; if the personal data are not collected from the data subject, all available information on the origin of the data. Upon request, the person responsible will provide the data subject with a copy of the personal data that is the subject of the processing. an appropriate remuneration based on the administrative costs. (Right of access.)

4. The person concerned has the right to request the person responsible to correct any incorrect personal data relating to them without delay. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data – including by means of a supplementary declaration. (Right to rectification)

5. The data subject has the right to request the person responsible to delete personal data concerning them immediately, and the person responsible is obliged to delete personal data immediately if one of the following reasons applies (right to be forgotten):

  • The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
  • The data subject revokes their consent and there is no other legal basis for the processing.
  • The data subject objects to the processing in accordance with Article 21 (1) and there are no overriding legitimate reasons for the processing, or the data subject objects to the processing in accordance with Article 21 (2).
  • The personal data was processed unlawfully
  • To fulfill a legal obligation under Union law or the law of the member states
  • The personal data was collected in relation to information society services offered in accordance with Article 8 (1).

6. The data subject has the right to request the controller to restrict processing if one of the following conditions is met:

  • The correctness of the personal data is disputed by the data subject for a period that enables the person responsible to check the correctness of the personal data,
  • The processing is unlawful and the person concerned refuses to delete the personal data and instead requests that the use of the personal data be restricted;
  • The person responsible no longer needs the personal data for the purposes of processing, but the data subject needs them to assert, exercise or defend legal claims, or
  • the person concerned has lodged an objection to the processing in accordance with Article 21 paragraph 1, as long as it has not yet been determined whether the legitimate reasons of the person responsible outweigh those of the person concerned.

7. The person concerned has the right to receive the personal data concerning them that they have provided to a responsible person in a structured, common and machine-readable format and they have the right to transfer this data to another responsible person without hindrance from the responsible person to which the personal data was provided, if

  • the processing is based on consent in accordance with Article 6 (1) (a) or Article 9 (2) (a) or on a contract in accordance with Article 6 (1) (b) and
  • the processing is carried out using automated procedures.
  • When exercising their right to data portability in accordance with Paragraph 1, the data subject has the right to have the personal data transmitted directly from one controller to another, as far as this is technically feasible.

8. The data subject’s request for enforcement of the rights under this chapter will be examined as soon as possible but not more than 15 days after submission. The applicant will be informed of the decision in writing.

6. Personal data security
1. The data controller must design and carry out data management operations in such a way that the privacy of the data subjects is protected.

2. The data controller ensures the security of the data, takes the appropriate technical and organizational measures and defines the appropriate procedural rules in order to comply with the requirements of the Information Act.

3. AUSTRAUTO GmbH protects the data in particular against unauthorized access, modification, forwarding, publication, deletion or destruction, as well as against unintentional destruction, damage or unavailability due to changes in the technology used.

4. AUSTRAUTO GmbH ensures that only employees who are involved in the execution of the task have access to the relevant data and that computer and network security is guaranteed.

5. The data are processed and stored electronically so that the personal data are scanned and stored on the company’s server. The employees of the company in their data processing and data storage tasks work with all means to avoid the knowledge of the data or an identification of the person concerned by unauthorized third parties. The managed personal data are stored separately from each other.
In connection with the stored data, AUSTRAUTO GmbH defines all reasonable technical and organizational measures so that unauthorized third parties do not take knowledge of personal data, has the appropriate virus protection against unauthorized access, and takes every rational measure against impending danger on the Internet. On top of that, the company’s computers are protected by individual passwords, known only to employees who are affected by data management.

6. Our society uses a surveillance camera system to protect human life, physical integrity and property. The recorded recordings are sent to RELEASE Zrt. (1095 Budapest, Dandar Street 22, Hungary) and deleted after 14 days after the recording. Our company defines all reasonable technical and organizational measures to prevent unauthorized third parties from accessing the recordings and defines all reasonable IT, organizational measures against damage, loss, and modification of the recordings.

7. The company has the following website:

The mentioned website has its own data protection mechanisms, whereby the personal data given there is protected against unauthorized access, modification, loss, or deletion of the data, and unauthorized third parties cannot access the data given there.

8. The employees of Austrauto GmbH undertake to keep the personal data received during the performance of their tasks indefinitely. The employees undertake to use the relevant data exclusively to fulfill their obligations and not to pass them on to third parties.

7. Data protection incident and legal remedies
1. The data protection officer reports the data protection incident to the competent authority in accordance with Article 55 without any well-founded delay, possibly no later than 72 hours after becoming aware of the data protection incident, except in the event that the data protection incident does not pose any risks to the rights and freedoms of natural persons. If the registration is not made within 72 hours, the documents stating the reason for the delay must also be attached.

2. If the data protection incident poses a presumably high risk to rights and freedom, the data protection officer must inform the data subject of the data protection incident without a well-founded delay.

3. By submitting an application to the authority, anyone can initiate an investigation referring to a violation of the law relating to the management of personal data, or to the violation of the right to access data of public interest or data that has been made available in the public interest, or refers to the immediate possibility of such legal violations.

4. If you are a foreign citizen, you can contact the data protection authority responsible for your place of residence.

5. If the authority does not initiate administrative or judicial proceedings, it may draw up a report on the investigation it has carried out on the basis of the request.

6. In case of their rights are violated, the person concerned can turn to the court.

The person providing information in the event of a data protection incident:

Mr. Zsigmond Papp Station Manager
Phone: +43 1 7007 36540, Mobile: +43 676 325 7246
E-mail: or
8. Final provisions
These guidelines come into force on June 14th, 2021.