Personal data is stored only for as long as necessary for the purposes for which it is processed, or as required by applicable legal retention obligations (storage limitation). We retain contract and billing data in accordance with statutory retention obligations (in particular under commercial and tax law). Technical log/security data is generally stored only for as long as is necessary to ensure operations, IT security and the investigation of malfunctions/misuse. 

We implement appropriate technical and organizational measures to ensure the integrity and confidentiality of personal data and to protect it against unauthorized or unlawful processing, accidental loss, destruction or damage. 

We take responsibility for compliance with these principles and maintain appropriate documentation and procedures to demonstrate our compliance (accountability). 

LAWFUL BASIS FOR PROCESSING 

We process personal data only where we have a valid legal basis under applicable data protection laws, in particular the EU General Data Protection Regulation (GDPR). Depending on the context, the following lawful bases may apply: 

Consent (Article 6(1)(a) GDPR) 

In certain cases, we process personal data based on your consent. Where consent is required, we will process your personal data only for the specific purposes for which you have given your freely given, informed and unambiguous consent. 

Providing consent is voluntary and, unless otherwise stated, not a condition for entering or performing a contract with us. You may withdraw your consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. 

Contract (Article 6(1)(b) GDPR) 

Where you enter a contract with us, or where processing is necessary to take steps at your request prior to entering into a contract, we process personal data to the extent necessary for the performance of the contract. 

Legitimate Interests (Article 6(1)(f) GDPR) 

We may process personal data where this is necessary for our legitimate interests, for example to operate and secure our website, respond to enquiries or manage business relationships. In such cases, we carefully assess and balance our legitimate interests against your fundamental rights and freedoms to ensure that your interests are not overridden. 

Legal Obligation (Article 6(1)(c) GDPR) 

We process personal data where this is necessary to comply with legal obligations to which we are subject, such as obligations under tax, accounting, anti‑money‑laundering or other applicable regulatory laws. 

TRANSFER AND DISCLOSURE OF PERSONAL DATA 

We may share your personal data with third parties only where this is lawful, necessary, and proportionate for the purposes described in this Privacy Policy. 

We may engage data processors (trusted third‑party service providers) to support the operation of the RentOn platform and the provision of related services (for example, IT services, hosting, payment processing, customer support, or analytics). These processors act solely on our documented instructions, are contractually obliged to implement appropriate technical and organizational security measures and are not permitted to process personal data for their own purposes.  

In certain cases, we may be legally obliged to disclose personal data, for example in response to lawful requests from public authorities, law enforcement agencies, regulatory bodies, or courts. In such cases, data is disclosed only to the extent required by law and based on an appropriate legal basis. 

If personal data is transferred to recipients located outside the European Economic Area (EEA), we ensure that an adequate level of data protection is maintained in accordance with applicable data protection laws. Such safeguards may include in particular: 

Where required, we also implement suitable technical and organizational measures to safeguard personal data transferred to third countries and to mitigate identified risks. 

We may additionally disclose personal data where necessary to establish, exercise, or defend legal claims, or in connection with corporate transactions such as mergers, acquisitions, or restructuring. 

Where audits, compliance reviews, or statutory reporting obligations apply, we may share limited personal data with auditors, advisors, or competent oversight bodies. Any such disclosure is restricted to what is necessary and proportionate for the relevant purpose. 

SHARING PERSONAL DATA OF THIRD PARTIES WITH US 

If you share personal data of third parties with us, you are responsible for ensuring that such sharing has an appropriate legal basis. We may request confirmation or evidence that the data has been provided lawfully. 

We will make reasonable efforts to ensure that any third-party personal data it receives is processed, handled, and protected in accordance with this Privacy Policy. However, it remains your sole responsibility to obtain any necessary consent or authorization from the individuals whose data you share. 

You are also responsible for understanding and complying with any applicable local data protection laws when collecting, processing, or transferring personal data to us. 

AUTOMATED DECISION-MAKING AND PROFILING 

We do not make decisions about you based solely on automated processing, including profiling, that would have a legal or similarly significant effect on you. 

If we do use automated decision-making or profiling in specific areas of our services, we will: 

DATA SECURITY 

To protect your data as comprehensively as possible against unauthorized access, we implement technical and organizational measures and use an encryption method on our website. Your data is transmitted over the internet from your computer to ours and vice versa using TLS encryption. TLS stands for ‘Transport Layer Security’ and is an encryption protocol for data transmission over the internet. You can usually recognize ‘TLS’ by the fact that the padlock symbol in your browser’s status bar is closed and the address begins with https:// 

COLLECTION AND PROCESSING OF PERSONAL DATA ON THIS WEBSITE 

COLLECTION OF ACCESS AND LOG DATA  

When you visit this website, we automatically collect and store certain information in so-called server log files which your browser transmits to us automatically. 

This includes in particular: 

The legal basis for this data processing is the legitimate interest pursuant to Article 6(1)(f) of the GDPR. Our legitimate interest lies in ensuring the security, stability and proper operation of our website, including the detection and defense against unauthorized access or misuse. 

The data collected is stored in server log files, which your browser automatically transmits to us in encrypted form. We only store the server log files in the event of attacks on our server infrastructure or other legal violations. This extended storage period is based on our legitimate interest pursuant to Article 6(1)(f) of the GDPR and serves solely to preserve evidence. 

We have concluded a data processing agreement with the provider of this website, We use Microsoft Azure with server locations within the European Union (region: [e.g. West Europe]). A data processing agreement pursuant to Art. 28 GDPR and, where applicable, SCCs / DPF have been concluded. 

ENQUIRIES VIA THE CONTACT FORM, EMAIL AND TELEPHONE 

Any personal information you provide to us on a voluntary basis will, of course, be treated as confidential. We use the personal data you provide exclusively to process and respond to your enquiry.  

The processing is based on: 

We store and use contact details and information (such as business correspondence) received from customers and prospective customers for the purpose of processing and initiating the business relationship. You have the right at any time to request information about the data stored about you in the customer database and may request that the data be amended or deleted. 

All personal data that you provide to us with your enquiry will be deleted or anonymized by us no later than 2 years after we have provided you with a final response, provided that no contract is concluded. The two-year retention period is based on the fact that, in isolated cases, you may contact us again regarding the same matter after receiving a reply and refer to the previous correspondence. Experience has shown that, after two years, no further queries follow our replies. 

PROCESSING OF BUSINESS PARTNERS AND CUSTOMERS PERSONAL DATA 

CONTRACTUAL AND PRE-CONTRACTUAL PROCESSING (Article 6(1)(b) GDPR) 

The purposes of data processing arise from the implementation of pre-contractual measures and the fulfilment of obligations arising from the performing contracts (including rental agreements), we process in particular: 

Payment processing is carried out, depending on the chosen payment method, via payment service providers. 

LEGAL OBLIGATIONS (Article 6(1)(c) GDPR) 

The purposes of data processing arise in each individual case from legal requirements. These legal obligations include, for example, retention and documentation obligations under commercial and tax law, as well as processing in response to requests from public authorities. In this context, data may also be transferred to our appointed tax advisors or authorities where legally required. 

LEGITIMATE INTERESTS (Art. 6(1)(f) GDPR) 

We process the contact details of contact persons at customers, prospective customers, suppliers and other business partners for communication by email, telephone and post, as well as for the maintenance and further development of business relationships.  

The legitimate interest here arises from the interest in conducting or initiating the business relationship, as well as in asserting or defending legal claims and ensuring the security of our systems. 

Your data will only be disclosed to third parties to the extent that this is necessary for the performance of a contract, to comply with legal obligations, on the basis of your consent, or within the scope of our legitimate interests. 

RECIPIENTS OF PERSONAL DATA 

Within the scope of contractual relationships, we may engage service providers who process personal data on our behalf as data processors in accordance with Article 28 of the GDPR, or we may transfer data to recipients who process it under their own responsibility. Compliance with data protection regulations is contractually ensured in this regard. 

Recipients/categories of recipients may include, in particular: 

ORDER PROCESSING VIA SHOPIFY 

The RentOn shop is operated via Shopify. Shopify hosts the shop and processes personal data (e.g. account, order, usage and technical data) as part of its operations in order to provide and improve the services. In this context, data may also be transferred to recipients in countries outside your country of residence. 

Shopify Inc. is certified under the EU–U.S. Data Privacy Framework (DPF) / We have entered into Standard Contractual Clauses with Shopify pursuant to Art. 46(2)(c) GDPR. Server location: [EU / USA]. 

Further information on how Shopify processes personal data and what rights you may have vis-à-vis Shopify can be found here: 

Shopify Privacy Portal: https://privacy.shopify.com/en 

ORDER PROCESSING AND DELIVERY  

Disclosure to Jungheinrich (provision of services) 

In order to carry out the rental and service agreements concluded with you, it is necessary to transfer certain personal data to Jungheinrich AG, its affiliated companies or to entities engaged by Jungheinrich for operational processing (in particular, scheduling, delivery, collection, service/maintenance, and appointment coordination). 

In particular, the following data may be processed/transmitted: 

Jungheinrich processes this data on our behalf to fulfil operational services (e.g. delivery/collection/service) as a data processor within the meaning of Article 28 of the GDPR. To this end, we have concluded a data processing agreement (DPA) with Jungheinrich, which obliges Jungheinrich to process personal data exclusively in accordance with our instructions and in compliance with the GDPR, as well as to implement appropriate technical and organizational measures. 

Disclosure to logistics/freight forwarding service providers 

Where necessary for delivery, collection or scheduling, personal data is also disclosed to the relevant logistics/freight forwarding service providers (either directly or via Jungheinrich). This includes: 

These service providers – provided they are integrated into our service chain and act in accordance with our instructions – are contractually bound as data processors in accordance with Article 28 of the GDPR. 

The legal basis for the transfer and processing of data in connection with delivery/service provision is Article 6(1)(b) of the GDPR (performance of a contract/implementation of pre-contractual measures). 

ORDER PROCESSING AND PAYMENT 

We use external payment service providers (PSPs) to process payments. Depending on the chosen payment method, the personal data required for this purpose is transferred to the respective payment service provider. 

Depending on the payment method and checkout configuration, we process in particular: 

As a rule, we do not receive complete payment data (e.g. full card/account details) from the payment service providers, but rather status information (e.g. ‘payment successful/declined’) and transaction references for allocation. 

Personal data is processed for the following purposes: 

The processing of personal data for payment is based on: 

The payment service providers generally process the payment data as independent controllers within the meaning of the GDPR (not as processors), as they carry out payment processing and, where applicable, risk assessments under their own responsibility (e.g. within the framework of banking and payment law obligations and their own fraud prevention systems). 

Specific: Billie (purchase on account / payment terms / credit check where applicable) 

If you select ‘Invoice’ as your payment method, payment processing is handled by Billie. Depending on the specific arrangements, this may involve a (partially) automated risk assessment, which could result in the ‘Invoice’ payment method not being offered or being declined. In this case, you can usually switch to an alternative payment method. 

The legal basis for this data processing is our legitimate interest pursuant to Article 6(1)(f) of the GDPR, which is based on obtaining information about the actions and visitors to our pages. 

This processing of personal data is carried out by the social media platform and us as so-called joint controllers pursuant to Article 26 of the GDPR. In the case of joint responsibility, a separate agreement must be concluded. 

LinkedIn: https://legal.linkedin.com/pages-joint-controller-addendum 

YouTube: https://business.safety.google/controllerterms/ 

If you wish to object to specific data processing over which we have control (e.g. deletion of comments), please contact us using the details provided above. 

Note:  

The provision of your data is neither required by law nor by contract, nor is it necessary for the conclusion of a contract. You are not obliged to provide your personal data. The consequence of not providing your data is that you will not be able to communicate with us via our social media pages, interact with us or take part in the competition. To contact us, please use the email address provided above. 

Data processing by the operator of the social media platform: 

In addition to us, there is also the operator of the social media platforms themselves. From a data protection perspective, this operator is also regarded as a further controller carrying out its own data processing. This means that the operator is also a separate controller under the GDPR. However, we have only limited influence over the data processing carried out by the operator. Where we can exert influence (e.g. through parameterisation), we work within the scope of our capabilities to ensure that the operator of the social media platform handles data in accordance with data protection regulations. In many instances, however, we cannot influence the data processing carried out by the operator of the social media platform, nor do we know exactly what data they process. The respective operator provides information on the processing of personal data in their own privacy policy: 

LinkedIn: https://de.linkedin.com/legal/privacy-policy? 

YouTube: https://policies.google.com/privacy?hl=de 

When using the platform, your personal data is generally also processed by the respective platform operator on servers in third countries, in particular in the USA. Certain third countries have been granted an ‘adequacy decision’ by the European Commission. This means that the legal situation regarding the protection of privacy in these countries is comparable to that in the EU or the EEA. Certifications under the adequacy decision for the USA, the Data Privacy Framework, exist for Meta Platforms Inc (Facebook, Instagram), LinkedIn and Google (YouTube). In all other cases, we enter into so-called standard contractual clauses with the platform operators regarding the transfer of personal data to third countries.  

The provision of your data is not required by law or contract, nor is it necessary for the conclusion of a contract. You are not obliged to provide your personal data. If you do not provide your data, you will not be able to communicate with us via our social media pages, interact with us or take part in the competition. 

YOUR RIGHTS 

Under GDPR you as a data subject have certain rights concerning your personal data processed by us: 

Right of Access: You have the right to obtain confirmation as to whether we process your personal data. If we do, you can request access to that data and information about the purposes of processing, the categories of data involved, the recipients (or categories of recipients), the planned retention period, the source of the data (if not collected directly from you), and the existence of any automated decision‑making, including profiling. 

Right to Rectification: You have the right to request correction of any inaccurate personal data we hold about you and to have incomplete data completed. 

Right to Erasure ("Right to be Forgotten"): You may request deletion of your personal data where: 

Please note that this right may not apply in certain cases, such as compliance with legal or regulatory obligations (e.g. statutory retention duties) or the establishment, exercise, or defense of legal claims. 

Right to Restriction of Processing: You can ask us to restrict the processing of your personal data if: 

Right to Object: You have the right to object to processing of your personal data at any time relating to your particular situation where processing is based on legitimate interests or carried out in the public interest. If you object to processing for direct marketing purposes, we will stop processing your data for that purpose immediately. 

Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw your consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. 

Right to Data Portability: You have the right to receive personal data that you have provided to us, in a structured, commonly used, and machine‑readable format, and to request that we transfer it to another controller where technically feasible and legally permissible. 

Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe that our processing of your personal data violates applicable data protection laws. As a rule, you may contact the supervisory authority of your usual place of residence, workplace or our company headquarters. 

Contact details for the competent data protection authority: 

Berlin Commissioner for Data Protection and Freedom of Information 

Address: 

Alt-Moabit 59-61 

10555 Berlin 

Entrance: Alt-Moabit 60 

Telephone: +49 30 13889-0