KLASS WAGEN GMBH (AUSTRIA)
Effective date: 10.12.2025
Klass Wagen GmbH (“Klass Wagen”, “we”, “our”, “us”) is committed to protecting your personal data and processing it in a transparent and lawful manner. This Privacy Policy explains what data we collect, why we collect it, and how we process it in accordance with Regulation (EU) 2016/679 (GDPR) and the Austrian Data Protection Act (Datenschutzgesetz – DSG).
By using our website, booking a rental, or interacting with us, you agree to the practices described in this Privacy Policy.
Purpose of this Privacy Policy
This Privacy Policy explains how Klass Wagen GmbH (“Klass Wagen”, “we”, “our”, “us”) collects, processes, stores, shares, and protects personal data in accordance with:
Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR)
The Austrian Data Protection Act (Datenschutzgesetz – DSG)
The Austrian Telecommunications Act 2021 (Telekommunikationsgesetz – TKG 2021)
Austrian accounting and commercial laws (BAO, UGB)
Guidance by the Austrian Data Protection Authority (Datenschutzbehörde – DSB)
This document applies to customers, website users, contractual partners, employees, trainees, job applicants, and any person whose data we process in Austria.
Who We Are
Klass Wagen GmbH
Address: Schwadorf Industrie Strasse 1, 2432 Vienna, Austria
Company Register (Firmenbuch): 652569k
EUID: ATBRA.652569-000
Corporate Purpose: Rental of movable property (excluding weapons, medical devices, aircraft) and commercial activity except regulated professions.
Data Protection Email: dpo@klasswagen.com
This policy covers data processed through:
Our website
Our reservation and vehicle rental systems
Our mobile communication channels (email, WhatsApp, SMS, phone)
Our office and on-site customer service
Insurance and accident handling
GPS & telematics systems
Fraud prevention and risk scoring tools
HR, payroll, and employee training processes
Cookies and tracking technologies
Key GDPR and Austrian legal terms:
Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data.
Controller: Entity determining purposes and means of processing — Klass Wagen GmbH.
Processor: Service providers acting on our behalf.
Data Subject: Any person whose data is processed.
Profiling: Automated processing used to evaluate behavior or risk.
Supervisory Authority: Austrian Data Protection Authority (DSB).
DSG: Austrian Data Protection Act.
TKG 2021: Austrian Telecommunications Act governing cookies and tracking.
We follow:
Lawfulness, fairness, transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
3.1 Customer and Driver Data
Name, surname
Date of birth
Address, nationality
Phone number, email
Driver’s license details
ID/passport details
Rental history
3.2 Contract & Payment Data
Contract numbers
Bank cards (processed by external processors)
Billing data
Deposits, refunds
3.3 Vehicle Telematics & GPS Data
Real-time GPS coordinates
Start/stop positions
Speed, direction, ignition status
Incident-related data
3.4 Accident & Insurance Data
Accident descriptions
Police reports
Photos, witness information
3.5 Fraud Prevention & Risk Scoring
Previous rental behaviour
Cross-border attempts
Payment anomalies
Internal reports
3.6 HR & Employee Data
Recruitment documents
Payroll data
Contracts
Training records
Performance-related data
3.7 Communication Data
Phone recordings (if applicable)
WhatsApp business messages
Email correspondence
3.8 Cookies & Tracking Data
IP addresses
Session identifiers
Behavioural analytics
Collected under TKG 2021 only with consent (except essential cookies).
4.1 Contract Performance (Art. 6(1)(b))
Creating and managing reservations
Vehicle rental operations
Payment processing
Providing customer support
4.2 Legal Obligations (Art. 6(1)(c))
Required by:
BAO & UGB (accounting retention: 7 years)
Insurance law
Road Traffic Act when responding to authorities
DSG for certain mandatory disclosures
4.3 Legitimate Interests (Art. 6(1)(f))
Including:
Fraud prevention
Risk scoring
Vehicle safety & GPS tracking
Preventing theft
Ensuring compliance with rental terms
IT and network security
Customer service optimisation
4.4 Consent (Art. 6(1)(a))
Used for:
Marketing communications
Non-essential cookies
Tracking technologies
Optional surveys
4.5 HR Legal Basis
Employment contract
Austrian employment law obligations
Legitimate interest
Consent for optional training or photos
We use:
Essential Cookies
Required for site operation.
Analytics Cookies (consent required)
Google Analytics
Microsoft Clarity
Hotjar
Marketing Cookies (consent required)
Facebook Pixel
AddThis
Brevo Email Tracking
We never activate non-essential cookies without explicit opt-in consent.
We may automatedly evaluate:
Probability of rental misuse
Payment default risk
Cross-border fraud patterns
No automated decision produces legal effects without human review.
We track vehicles in accordance with Austrian DPA guidelines:
Purposes
Theft prevention
Accident management
Contract enforcement
Operational safety
Cross-border misuse prevention
Prohibited Uses
Monitoring customer personal habits
Employee behavioural monitoring unless explicitly lawful
Retention
GPS logs: 7 days, unless associated with an incident (accident, police request).
Retention rules under BAO/UGB + GDPR
We may transfer data outside the EU only with:
Standard Contractual Clauses (SCCs)
Additional safeguards (encryption, access control)
Compliance with the Schrems II ruling
Processors include AWS, Microsoft, Meta, and others.
Processors (examples)
Other recipients
If the CLIENT fails to fulfill payment obligations arising from the rental agreement (including, but not limited to, amounts due for rental fees, fines, administrative charges, penalties, or any other outstanding amounts), and such amounts remain due and unpaid after prior notice, the Company may transfer strictly necessary personal data to:
- debt collection agencies,
- legal consultants,
- lawyers or other entities involved in the enforcement and recovery of outstanding claims,
- judicial or administrative authorities, where required by law.
Such disclosure shall take place exclusively for the purpose of recovering outstanding amounts and is based on the Company’s legitimate interest pursuant to Article 6(1)(f) of Regulation (EU) 2016/679 (GDPR).
The data transferred shall be limited to what is necessary to identify the CLIENT and the claim (for example: name, contact details, contractual data, outstanding amount, relevant supporting documents).
The Company ensures that any such third parties process the data in accordance with applicable data protection legislation, solely for the stated purpose, and are subject to appropriate contractual obligations regarding confidentiality and data security.
Where recipients are established in another Member State of the European Union or in the European Economic Area, personal data may be transferred in accordance with applicable data protection legislation. In the case of transfers outside the EU/EEA, such transfers shall take place only on the basis of appropriate safeguards in accordance with the GDPR.
The CLIENT has the right to object to processing based on legitimate interests in accordance with Article 21 GDPR, on grounds relating to the CLIENT’s particular situation, unless the Company demonstrates compelling legitimate grounds which override the interests, rights and freedoms of the CLIENT, or the processing is required for the establishment, exercise or defence of legal claims.
We implement:
You may request:
Supervisory Authority in Austria
Österreichische Datenschutzbehörde
Barichgasse 40–42, 1030 Wien
www.dsb.gv.at
We process HR data for:
Cross-border HR training is based on:
We do not knowingly process data of persons under 18 unless required for a rental contract and documented guardian consent is received.
Klass Wagen GmbH
Schwadorf Industrie Strasse 1
2432 Vienna, Austria
Email: dpo@klasswagen.com
Customer Support: customercare@klasswagen.com
Microsoft Clarity
We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
Brevo Tracking & Email Marketing
We use Brevo (formerly Sendinblue) to manage our email marketing and automate communications related to bookings, promotions, and cart reminders. When you interact with our emails or visit our website via a Brevo campaign link, certain information is collected using Brevo’s tracking tools.
This includes:
This data helps us improve our communication, detect issues (e.g., abandoned carts), and personalize future messages.
Brevo only processes this data on our behalf and does not share it with third parties. All data is handled in compliance with the General Data Protection Regulation (GDPR) and applicable privacy laws.
We only activate Brevo tracking after you consent to marketing cookies, in compliance with our cookie management platform (Usercentrics/Cookiebot). You can change or withdraw your consent at any time using the “Cookie Settings” link in the footer.
For more details, you can review Brevo’s Privacy Policy.
Contact Forms
When you fill out a form on our website (e.g., to book a vehicle or request a quote), we may send your email address to Brevo to enable follow-up communications. We do not send any personal data to third parties without your consent.
Changes to this policy
We may update this policy. The latest version is always available at:
www.klasswagen.com
(Detailed categorization of all personal data processed by Klass Wagen GmbH)
1. Customer Identification Data
2. Contact Data
3. Contractual & Financial Data
4. Vehicle Usage & Telematics Data
5. Accident, Damage & Insurance Data
6. Fraud Prevention & Risk Scoring Data
7. Communication Data
8. Website & Cookie Data
9. HR & Employee Data
(GDPR Art. 30 Compliant – Summary Format)
Below is the standard RoPA table content.
1. Customer Reservation & Rental Processing
2. Payment Processing
3. GPS & Telematics Tracking
4. Marketing & Analytics
5. Fraud Prevention & Risk Scoring
6. Accident & Insurance Handling
7. HR Processing
(Full processor inventory with purposes)
1. Cloud Infrastructure & Hosting
2. Communication & Marketing
3. Payment Processors
4. Customer Support Tools
5. IT & Security Providers
6. Insurance & Legal Partners
(Only when handling claims)
7. Other Klass Wagen Group Companies
(Required transparency notice for customers in Austria)
1. Purpose of GPS Tracking
Klass Wagen GmbH uses GPS and telematics data strictly for the following purposes:
2. Legal Basis
3. What Data Is Collected
4. Data Retention
5. Who Has Access
6. Prohibited Uses
We do not use telematics data for:
7. Your Rights
You can request:
(Purpose → Category → Legal Basis → Retention → Recipients → Safeguards)
Purpose | Data Categories | Legal Basis | Retention | Recipients | Safeguards |
|---|---|---|---|---|---|
Rental contract creation | ID data, contact data, driving license | Art. 6(1)(b) | 7 years | Insurance, authorities | Encryption, access control |
Payments | Billing, card token | Art. 6(1)(b),(c) | 7 years | Payment processors | PCI-DSS, MFA |
GPS tracking | Telematics | Art. 6(1)(f) | 7 days (longer for incidents) | Police, insurance | Encrypted transmission |
Marketing | Cookies, analytics | Art. 6(1)(a) | 12–24 months | Google, Meta | Consent management |
Fraud prevention | Rental history, scoring | Art. 6(1)(f) | 3 years | Internal | Access logs |
Insurance accidents | Photos, reports | Art. 6(1)(c),(f) | 10 years | Insurance, police | Restricted storage |
HR management | Employment data | Art. 6(1)(b),(c) | Employment + 7 years | Tax authorities | Secure HR systems |
Customer support | Communications | Art. 6(1)(f) | 12 months | Internal | Logging, encryption |
Book Your Car
Privacy Policy Hungary
Application of privacy and data protection policy
Organization name: Klass Wagen Hungary Kft.
Registered office of the organization: 1185 Budapest(a), Üllői út 822.
Person responsible for the content of this policy: Móricz Ferencz
Date of coming into force: January 1st, 2024
Other documents related to this Policy:
Documents and policies that contain, for example, a written statement of consent to data processing or, in the case of websites, a mandatory privacy notice, should be attached to and managed together with the Privacy and Data Protection Policy.
In addition to this policy, please see our Terms and Conditions and Cookie Policy.
This policy sets out rules on the protection of natural persons with regard to the processing of personal data and on the free movement of personal data. It applies to specific data processing activities and to the issuance of instructions and notifications governing data processing.
The obligation to employ (appoint) a data protection officer extends to all public authorities or other bodies with public tasks (irrespective of the data they process), as well as to other organizations whose main activity is the systematic, large-scale monitoring of natural persons or which process a large number of special categories of personal data.
This policy is valid until revoked and applies to officers, employees and the Data Protection Officer within the organization.
Date: Budapest, January 1st, 2024
Móricz Ferencz
Manager of the organization
The purpose of this policy is to harmonize the requirements of the organization's other internal rules on data management activities in order to protect the fundamental rights and freedoms of natural persons and to ensure the appropriate processing of personal data.
The Organization aims to fully comply with the legal requirements on the processing of personal data, in particular Regulation (EU) No 679/2016 of the European Parliament and of the Council, in the course of its activities.
Another important purpose of issuing this policy is to ensure that, by being aware of and complying with it, the organization's employees are able to lawfully handle the data of natural persons.
GDPR (General Data Protection Regulation) is the new EU data protection regulation
Operator: the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are laid down by Union or Member State law, the data controller or the specific criteria for designating the data controller may also be laid down by Union or Member State law;
Processing: any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller;
Personal data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Third party: a natural or legal person, public authority, agency or any other body other than the data subject, the data controller, the processor or the persons who, under the direct authority of the data controller or the processor, are authorized to process personal data;
Consent of the data subject: a voluntary, specific, informed and unambiguous expression of the data subject's wishes by which he or she signifies his or her agreement to the processing of personal data relating to him or her by means of an unambiguous statement or affirmation;
Restriction of processing: marking stored personal data for the purpose of restricting their further processing;
Pseudonymization: the processing of personal data in such a way that it is no longer possible to identify the natural person to whom the personal data relate without further information, provided that such further information is kept separate and that technical and organizational measures are taken to ensure that no link can be established between the personal data and identified or identifiable natural persons;
System of record: a set of personal data structured in any way, whether centralized, decentralized or structured according to functional or geographical criteria, which is accessible on the basis of specific criteria;
Data breach incident: a breach of security that results in the accidental or unlawful destruction, accidental or unlawful loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
The processing of personal data must be lawful, fair and transparent for the data subject.
Personal data may only be collected for specified, explicit and legitimate purposes.
The purposes for which personal data is processed must be adequate, relevant and limited to what is necessary.
Personal data must be accurate and up-to-date. Inaccurate personal data must be deleted without delay.
Personal data must be stored in a form which permits identification of data subjects for no longer than necessary. Personal data may be stored for longer periods only if the storage is for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes.
Personal data must be processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage, by the use of appropriate technical or organizational measures.
The data protection principles shall apply to all information relating to an identified or identifiable natural person.
An employee of the organization who is a data controller is liable to disciplinary action, damages, civil and criminal liability for lawful processing of personal data. If an employee discovers that the personal data he or she is processing is inaccurate, incomplete or out of date, he or she must correct it or have it corrected by the person responsible for recording it.
Because individuals may be associated with online identifiers, such as IP addresses and cookie identifiers, provided by the devices, applications, tools and protocols they use, this data, combined with other information, may be matched with, and used to profile and identify, such individuals.
The processing of data and information may only take place if the data subject gives his or her free, specific, informed and unambiguous consent to the processing of his or her data by means of a clear and express affirmative action, such as a written, including electronic, or oral statement.
Consent to the processing of personal data shall also be deemed to be given if the data subject ticks a box to that effect when visiting the website. Silent action, automated ticking of a box by the data controller or inaction shall not constitute consent.
Consent shall also be deemed to be given where a user, in the course of using the electronic services, makes the relevant technical settings or makes a statement or takes an action which, in the relevant context, clearly indicates that the data subject consents to the processing of his or her personal data.
Personal health data includes data relating to the health of a data subject, containing information about his or her past, present or future physical or mental health. This includes:
- Database record/evidence for health services;
- a number, symbol or data attributed to a natural person for the purpose of individually identifying that person for health purposes;
- information obtained from testing or examination of a body part or constituent material, including genetic data and biological samples;
- information relating to the disease, disability, risk of illness, medical history, clinical treatment, or physiological or biomedical condition of the person, regardless of its source, which may be, for example, a doctor or other health professional, a hospital, a medical device or a diagnostic test.
Genetic data is defined as personal data relating to the inherited or acquired genetic characteristics of a natural person and resulting from the analysis of a biological sample taken from that person, in particular chromosome analysis or analysis of deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) or any other element allowing the extraction of information equivalent to that which can be obtained from them.
Children's personal data deserve special protection because they may be less aware of the risks, consequences, safeguards and rights associated with the processing of personal data. This special protection should apply in particular to the use of children's personal data for marketing purposes or for the purpose of creating personal or user profiles.
Personal data must be processed in a manner ensuring an adequate level of security and confidentiality, in particular in order to prevent unauthorized access to or use of personal data and the means used to process personal data.
We are processing your personal data when you interact with us using the contact details available on the Klass Wagen website/Contact Form/Call/E-mail or interact with us via social media messenger functions (e.g. feedback, complaints, enquiries, etc.), we will use your contact details and the data you provide to us to provide you with information and offers regarding our services and products, to resolve the situation reported, to evaluate our customers' satisfaction and to continuously improve the services we offer.
Every reasonable step must be taken to correct or delete inaccurate personal data.
Processing of personal data is lawful if one of the following conditions is met:
As set out above, processing is lawful if it is necessary in the context of a contract or the intention to conclude a contract.
Where the processing is carried out in the performance of a legal obligation to which the data controller is subject or if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing must have a legal basis in Union law or in the law of a Member State.
Processing shall be considered lawful when it is carried out for the purpose of protecting the life of the data subject or the interests of another natural person referred to above. Processing of personal data based on the vital interests of another natural person should, in principle, take place only if there is no other legal basis for the processing in question.
Some types of processing of personal data may serve both important public interests and the vital interests of the data subject, for example when processing is necessary for humanitarian reasons, including when it is necessary to monitor epidemics and their spread or in the event of a humanitarian emergency, in particular a natural or man-made disaster.
The legitimate interest of the data controller - including the data controller with whom the personal data may be shared - or of a third party may constitute a legal basis for processing. Such a legitimate interest may be, for example, where there is a relevant and appropriate relationship between the data subject and the data controller, such as where the data subject is a customer or an employee of the data controller.
Processing of personal data strictly necessary for the prevention of fraud is also considered to be in the legitimate interest of the data controller concerned. Processing of personal data for direct marketing purposes may also be considered to be based on legitimate interest.
In order to establish the existence of a legitimate interest, it is necessary to carefully analyze, inter alia, whether the data subject could reasonably expect, at the time and in the context of the collection of the personal data, that the processing for the purposes for which the data were collected would take place. The interests and fundamental rights of the data subject may override the interests of the data controller where personal data is processed in circumstances where the data subjects do not expect further processing.
The processing of personal data by public authorities, cyber emergency response units, network security incident management units, network operators and providers of electronic communications services and providers of security technology services, to the extent strictly necessary and proportionate to ensure network and information security, shall be deemed to be in the legitimate interest of the data controller concerned.
Processing of personal data for purposes other than those for which they were originally collected is only permitted if the processing is compatible with the original purposes for which the personal data were originally collected. In this case, a separate legal basis other than the legal basis which made the collection of personal data possible is not necessary.
The processing of personal data by public authorities for the purposes of officially recognized religious organizations, as defined by constitutional law or public international law, is considered to be in the public interest.
Where processing is based on consent, the data controller must be in a position to demonstrate that the data subject has given his consent to the processing of his personal data.
Where the data subject gives his or her consent in a written statement which also relates to other matters, the request for consent must be communicated in a manner which is clearly distinguishable from those other matters.
The data subject shall have the right to withdraw consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal. The data subject shall be informed before consent is given. Withdrawal of consent shall be possible in the same simple manner as giving consent.
In determining whether consent is voluntary, the most important consideration should be that, inter alia, consent to the processing of personal data which is not necessary for the performance of the contract, including for the provision of services, has become a condition for the performance of the contract.
The processing of personal data in connection with information society services offered directly to children is lawful where the child is at least 16 years of age. In the case of children under the age of 16, the processing of children's personal data is lawful only if and to the extent that consent has been given or authorized by the person having parental authority over the child.
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, of genetic data or biometric data revealing the identity of natural persons, of data concerning health and of personal data concerning the sex life or sexual orientation of natural persons shall be prohibited, unless the data subject has given his or her explicit consent to the processing of such personal data for one or more specific purposes.
The processing of personal data relating to decisions on criminal liability and offences and related security measures may only take place if they are processed by a public authority.
Where the purposes for which the data controller processes personal data do not or no longer require the identification of the data subject by the data controller, the data controller shall not be obliged to retain additional information.
Where the data controller can demonstrate that he is unable to identify the data subject, he shall inform the data subject accordingly, where possible by appropriate means.
The principle of fair and transparent processing requires that the data subject is informed about the fact and purposes of the processing.
Where personal data is collected from the data subject, the data subject must also be informed of the obligation to provide the personal data and of the consequences of not providing the data. This information may also be supplemented by standardized icons to provide the data subject with general information on the intended processing in a visible, easily understandable and legible form.
Information concerning the processing of personal data relating to the data subject must be provided to the data subject at the time of collection or, where the data have been collected from a source other than the data subject, within a reasonable time having regard to the circumstances of the case.
The data subject shall have the right of access to the data collected relating to him or her and the right to exercise that right in a simple manner and at reasonable intervals in order to establish and verify the lawfulness of the processing. Every data subject should have the right to be informed, in particular, of the purposes for which personal data is processed and, where possible, of the period for which the personal data is processed,
In particular, the data subject has the right to have his or her personal data erased and no longer processed if the collection or further processing of personal data is no longer necessary in relation to the original purposes of the processing or if the data subjects have withdrawn their consent to the processing.
Where the processing of personal data is carried out for direct marketing purposes, the data subject should have the right to object at any time, free of charge, to the processing of personal data concerning him or her for such purposes.
In order to ensure that the storage of personal data is limited to the period necessary, the data controller will set deadlines for deletion or periodic review.
Periodic review period set by the head of the organization: 1 year.
The data controller shall apply appropriate internal data protection rules to ensure lawful processing. These rules cover the powers and responsibilities of the data controller.
It is the responsibility of the data controller to implement appropriate and effective measures and to be able to demonstrate that the processing activities comply with applicable law.
Such regulation should be made taking into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.
The data controller shall implement appropriate technical and organizational measures, taking into account the nature, scope, context and purposes of the processing and the different degrees of risk to the rights and freedoms of natural persons, which vary in likelihood and severity. It shall review and, where necessary, update other internal rules on the basis of these rules.
The data controller or processor shall keep adequate records of the processing activities carried out under his/her authority. Each data controller and processor shall cooperate with the supervisory authority and shall make those records available on request to monitor the processing operations concerned.
Right to request information
Any person may request information, via the contact details provided, about what data the organization processes, on what legal basis, for what purpose, from what source and for how long. The request will be sent to the contact details provided without undue delay and at the latest within 30 days.
Right of correction
Any person may request an amendment to any of his/her data using the contact details provided. Such a request will be dealt with promptly and at the latest within 30 days and the information will be sent to the contact details provided.
Right to deletion
Any person may request the deletion of their data using the contact details provided. Upon request, this must be done without undue delay and at the latest within 30 days, and the information must be sent to the contact details provided.
Right to blocking, restriction
Any person may request the blocking of their data by using the contact details provided. Blocking will last for as long as the reason indicated makes it necessary to store the data. Upon request, this must be done without delay and within a maximum of 30 days, and the information must be sent to the contact details provided.
Right to object
Any person may object to the processing of their data using the contact details provided. The objection will be examined and a substantive decision will be taken as soon as possible from the date of the request, but no later than 15 days, and information about the decision should be sent to the contact details provided.
Enforcement possibilities in relation to data processing
National Authority for Data Protection and Freedom of Information
(Nemzeti Adatv delmi s Inform ci szabads g Hat s g)
Mail address: 1530 Budapest(a), Pf.: 5.
Address: 1125 Budapest(a), Szil gyi Erzs bet fasor 22/C.
Phone number: +36 (1) 391-1400
Fax: +36 (1) 391-1410
e-mail address: ugyfelszolgalat (kukac) naih.hu
URL: https://naih.hu
Coordinates: N 47 30'56''; E 18 59'57''
In the event of a breach of the data subject's rights, the data subject may take the data controller to court. The court shall settle the case out of court. The data subject may, at his/her choice, bring proceedings before the competent court of the place where he/she resides or is domiciled.
Data protection awareness. Professional competence to comply with legislative rules must be ensured. Staff training and awareness of the rules are essential.
Purpose of data processing, criteria and concept of personal data processing should be reviewed. Ensure lawful processing and processing in accordance with the data protection and management policy.
Proper information to the data subject. Attention must be paid to the fact that where processing is based on the data subject's consent, the data controller must, in case of doubt, prove that the data subject has given his or her consent.
The information provided to the data subject should be concise, easily accessible and easily understandable and should therefore be written and presented in clear and simple language.
The transparent processing of personal data requires that the data subject is informed about the fact and purposes of the processing of his or her data. The information must be provided before the processing starts and the right to be informed is incumbent on the data subject during the processing and until the processing ceases.
The main rights of the data subject are:
The data controller shall inform the data subject without undue delay and at the latest within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by two additional months. The obligation to provide information may be ensured through the operation of a secure online system through which the data subject can easily and quickly access the necessary information.
The organization's data management practices must be reviewed and the right to information self-determination must be ensured. At the request of the data subject, data must be erased without undue delay if the data subject withdraws the consent on the basis of which the processing was carried out.
The data subject's consent must unambiguously indicate that the data subject consents to the processing. Where the processing is based on the data subject's consent, the data controller should, in case of doubt, prove that the data subject has consented to the processing operation.
When processing children's personal data, particular attention must be paid to compliance with data processing rules. The processing of personal data in connection with information society services offered directly to children is lawful when the child is at least 16 years of age. In the case of children under the age of 16, the processing of children's personal data is lawful only if and to the extent that consent has been given or authorized by the person having parental authority over the child.
In case of unlawful/unlawful processing or management of personal data, the supervisory authority must be notified. The data controller must make the notification to the supervisory authority without undue delay and, where possible, no later than 72 hours after becoming aware of the personal data breach, unless the personal data breach is unlikely to present a risk to the rights of the natural person.
In certain cases, it may be appropriate for the data controller to carry out a data protection impact assessment prior to processing. The impact assessment should evaluate the impact of the intended processing operations on the protection of personal data. Where the personal data processing supervisory authority concludes that the processing is likely to present a high risk, the data controller should consult the supervisory authority prior to the processing of personal data.
In cases where the main activities involve personal data/information processing/management operations which, by their nature, scope or purposes, require systematic and large-scale monitoring of data subjects, a Data Protection Officer should be appointed. The appointment of such an official/ officer is also intended to enhance data security.
In particular, appropriate measures must be taken to protect data against unauthorized access, alteration, disclosure, disclosure, erasure or destruction, accidental destruction or accidental damage, and against inaccessibility resulting from changes in the technology used.
In order to protect electronically managed data files in registers, appropriate technical measures should be taken to ensure that the data stored in those registers cannot be directly linked to the data subject and attributed to him or her.
When designing and implementing data security, the state of the art should be taken into account. Among several possible data processing solutions, the one which ensures the highest level of protection of personal data should be chosen, unless this would impose a disproportionate burden on the data controller.
The appointment of a Data Protection Officer is mandatory on the basis of the following criteria:
Where the appointment of a responsible official is mandatory, the following rules shall apply:
The Data Protection Officer shall be appointed on the basis of professional competence and, in particular, expert knowledge of data protection law and practice and the ability to perform the duties of a data controller.
The data controller may be an employee of the data controller or of the processor, but may also carry out his/her tasks under a service contract.
The name and contact details of the Data Protection Officer must be published by the data controller or processor and communicated to the supervisory authority.
The data controller must ensure that the responsible official is involved in all aspects of personal data protection in an appropriate and timely manner. It must be ensured that the necessary resources are available to maintain the level of expertise of the official responsible for personal data.
The officer shall not accept instructions from anyone in relation to the performance of his/her duties. The data controller or processor shall not dismiss or sanction the official in connection with the performance of his/her duties. The person responsible shall be directly answerable to the data controller's or processor's top management.
Data subjects may contact the Data Protection Officer on all matters concerning the processing of their personal data and the exercise of their rights.
The Officer shall be subject to obligations of confidentiality or data protection in the performance of his/her duties.
The responsible official may also perform other tasks, but there must be no conflict of interest in relation to these tasks.
A data breach is a breach of security that results in the accidental or unlawful destruction, accidental or unlawful loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A personal data breach may cause physical, material or moral harm to individuals, including loss of control over their personal data or restriction of their rights, discrimination, identity theft or misuse of their identity, if not adequately and timely addressed.
The competent supervisory authority shall be notified without undue delay and at the latest within 72 hours of any data protection incident, unless it can be demonstrated, in accordance with the principle of accountability, that the data protection incident is unlikely to present a risk to the rights and freedoms of natural persons.
The data subject must be informed without delay if the personal data breach is likely to lead to a high risk to the rights and freedoms of the natural person in order to enable him or her to take the necessary precautions.
The organization may also process personal data in the context of its activities and for administrative and record-keeping purposes.
Processing shall be based on the data subject's free and explicit consent, based on adequate information. After detailed information, including on the purposes, legal basis and duration of the processing and the rights of the data subject, the data subject shall be informed of the voluntary nature of the processing. Consent to processing shall be given in writing.
Data processing for administrative and record-keeping purposes serves the following purposes:
The processing of data as described above is based on a legal obligation, on the one hand, and on the other hand, the data subject has given his/her explicit consent to the processing of his/her data (e.g. for the purpose of an employment contract or when registering as a partner on a website, etc.).
In the case of written documents (such as CVs, job applications, other proposals, etc.) containing personal data, the data subject's consent must be presumed. After case closure, documents must be destroyed in the absence of consent for further use. The fact of destruction shall be recorded in a report.
In the case of processing for administrative purposes, personal data is included only in case files and records. The processing of these data lasts until the document on which the processing is based is deleted.
The processing for administrative and record-keeping purposes should be reviewed annually to ensure that the storage of personal data is limited to the necessary period and that inaccurate personal data should be deleted without delay.
Compliance with the law must also be ensured in the case of processing for administrative and data retention purposes.
If the organization wishes to carry out processing that is not covered by this policy, it must first amend these internal rules accordingly or add additional rules or regulations appropriate to the new purpose of the processing.
Documents and policies that contain, for example, a written statement of consent to data processing or, in the case of websites, a mandatory privacy notice, should be attached to and managed together with the Privacy and Data Protection Policy.
If the CLIENT fails to fulfill payment obligations arising from the rental agreement (including, but not limited to, amounts due for rental fees, fines, administrative charges, penalties, or any other outstanding amounts), and such amounts remain due and unpaid after prior notice, the Company may transfer strictly necessary personal data to:
- debt collection agencies,
- legal consultants,
- lawyers or other entities involved in the enforcement and recovery of outstanding claims,
- judicial or administrative authorities, where required by law.
Such disclosure shall take place exclusively for the purpose of recovering outstanding amounts and is based on the Company’s legitimate interest pursuant to Article 6(1)(f) of Regulation (EU) 2016/679 (GDPR).
The data transferred shall be limited to what is necessary to identify the CLIENT and the claim (for example: name, contact details, contractual data, outstanding amount, relevant supporting documents).
The Company ensures that any such third parties process the data in accordance with applicable data protection legislation, solely for the stated purpose, and are subject to appropriate contractual obligations regarding confidentiality and data security.
Where recipients are established in another Member State of the European Union or in the European Economic Area, personal data may be transferred in accordance with applicable data protection legislation. In the case of transfers outside the EU/EEA, such transfers shall take place only on the basis of appropriate safeguards in accordance with the GDPR.
The CLIENT has the right to object to processing based on legitimate interests in accordance with Article 21 GDPR, on grounds relating to the CLIENT’s particular situation, unless the Company demonstrates compelling legitimate grounds which override the interests, rights and freedoms of the CLIENT, or the processing is required for the establishment, exercise or defence of legal claims.
We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
We use Brevo (formerly Sendinblue) to manage our email marketing and automate communications related to bookings, promotions, and cart reminders. When you interact with our emails or visit our website via a Brevo campaign link, certain information is collected using Brevo’s tracking tools.
This includes:
This data helps us improve our communication, detect issues (e.g., abandoned carts), and personalize future messages.
Brevo only processes this data on our behalf and does not share it with third parties. All data is handled in compliance with the General Data Protection Regulation (GDPR) and applicable privacy laws.
We only activate Brevo tracking after you consent to marketing cookies, in compliance with our cookie management platform (Usercentrics/Cookiebot). You can change or withdraw your consent at any time using the “Cookie Settings” link in the footer.
For more details, you can review Brevo’s Privacy Policy.
Contact Forms
When you fill out a form on our website (e.g., to book a vehicle or request a quote), we may send your email address to Brevo to enable follow-up communications. We do not send any personal data to third parties without your consent.
This Privacy Policy explains how we collect, use and protect any information about you. It also informs you how you can contact Klass Wagen if you have any concerns about this document, and we are happy to answer your questions. If you are interested in how we use cookies and related technologies, please see our Cookie Policy.
We may change this Policy at any time, so please check this Privacy Policy on a regular basis for updates.
We offer a wide range of car rental services online, including products and services such as insurance through our website, mobile apps, email and text messaging, social networks ("platforms") and in doing so, we must enter into various service agreements. This Policy applies to all personal data that we collect in the course of carrying out the aforementioned activities or when you contact us by email, live chat, telephone or post.
The personal data means information relating to a person who can be identified by that data or by linking it with other information. Common examples of personal data handled by Klass Wagen during its daily operations include names, addresses, telephone numbers and other contact details, driver's license, etc.
a) If you are a customer/potential customer of KLASS WAGEN:
We cannot help you make a reservation or request a quote without receiving certain information from you. In order to obtain a booking or a booking offer, we ask you for the essential information we need to provide you with the requested services. This may include your name, age, date and place of birth and contact details (e-mail, address and telephone number). It may include identification information such as passport, identity card and driving license or information needed for payments (cards or bank accounts).
In addition, we collect information from your computer when you use one of our platforms, even if you do not make a booking, and in this regard please also refer to our Cookie Policy, available here. This information may include your IP address, the browser you are using and language settings.
If you contact us (e.g. by phone, email or social media), we will also collect the information provided through these sources.
Once you have made your booking, subject to your consent, we may ask you to provide a review to help us improve our service and to ensure that future customers receive quality service.
You may make a booking on behalf of another person, for example a friend, family member or colleague. In this situation, make sure that person knows that you are providing us with their data and that they have agreed to the way we handle personal data (as described in this Policy). This is your responsibility.
When you make a booking, we record on which platform it was made and how it came to our platform (for example, if it came from another website).
Even if you do not make a booking, we may automatically collect certain information when you visit our platforms, and in this regard, please refer to our Cookie Policy.
We may also obtain information about you from social media platforms, our business partners and other third parties. For example:
We may combine any of this information with information you provide to us directly.
b) If you are an collaborator/representative/employee of a KLASS WAGEN collaborator:
We may obtain personal data about you when you provide a service to us or interact with us in the course of our business. The main categories of data we may process in these situations include: contact information (first name, last name, address, telephone number) or identification information (ID card, passport) or payment information (bank card or bank account).
See the section "Why do we collect and use your personal data?" for more details.
a) If you are a customer/potential customer of KLASS WAGEN:
We require your personal data in order to be able to book your vehicle and to ensure that you receive the best service available. These are the main reasons why we collect your personal data, but there may be other reasons.
We may use your personal data in the following ways:
We are processing your personal data when you interact with us using the contact details available on the Klass Wagen website/Contact Form/Call/E-mail or interact with us via social media messenger functions (e.g. feedback, complaints, enquiries, etc.), we will use your contact details and the data you provide to us to provide you with information and offers regarding our services and products, to resolve the situation reported, to evaluate our customers' satisfaction and to continuously improve the services we offer.
b) If you are a collaborator/representative/employee of a KLASS WAGEN collaborator:
We will process the personal data you provide to us to carry out our specific business, and this will include:
In order to process your personal data, we rely on the following legal bases:
There are several commercial partners integrated into the services we offer and, in some cases, we may share your personal data with them. We will also disclose your personal data to third parties such as: payment service providers, marketing partners and, in some cases, public authorities.
Our business partners: We work with business partners around the world. Some of our partners offer or promote our services, while also helping other partners to promote their own travel-related services (including insurance). Our business partners include Booking Holding Group Inc (Agoda.com, Booking.com, priceline.com, KAYAK and OpenTable). When you make a booking on their platform, they will send us some of the personal data you have provided. Similarly, we may disclose certain information about your booking to them if you have made a booking through them. If the partner provides customer support services, we will send them your booking details in order to provide you with the support you have requested. In either of these cases, the handling of your personal data will be governed by the privacy notices of these business partners. When you make a booking on a trading partner's website, please also consult their privacy statement to see how your personal data is processed. When you purchase a product or service provided by one of our business partners, we will send them the personal data requested in order to provide that product or service to you. We may also exchange information about our users with our business partners in order to detect/prevent fraud, but only as strictly necessary.
Competent Authorities: We may also disclose personal data to public authorities or investigative bodies if we are required to do so by law (or any regulation equivalent to a law). This may include court orders, subpoenas and orders arising from legal proceedings and investigations. We may also disclose your personal data if it is strictly necessary to prevent, detect or resolve fraud and other criminal activity. We may also need to disclose your personal data to protect our rights or property or the rights or property of our business partners.
Third Party Service Providers: We may use external service providers to process your personal data on our behalf. For example, we may use your personal data to bill for services provided to us or by us, to arrange payments, payment guarantees or payment refunds.
Members of our group of companies (this includes our subsidiaries, the parent company, and all its subsidiaries), as reasonably necessary for the purposes set out in this policy.
Your personal data may also be disclosed to professional advisors (including lawyers, attorneys, auditors, consultants, and accountants), professional bodies, tax authorities, courts, and the police if required by law or to protect and uphold our rights and interests.
We will check any third parties we use to ensure that they can provide sufficient safeguards about the privacy and security of your data. We will have written contracts with them that provide warranties about the protections they will offer your data and their compliance with our data security standards and international transfer restrictions.
If the CLIENT fails to fulfill payment obligations arising from the rental agreement (including, but not limited to, amounts due for rental fees, fines, administrative charges, penalties, or any other outstanding amounts), and such amounts remain due and unpaid after prior notice, the Company may transfer strictly necessary personal data to:
- debt collection agencies,
- legal consultants,
- lawyers or other entities involved in the enforcement and recovery of outstanding claims,
- judicial or administrative authorities, where required by law.
Such disclosure shall take place exclusively for the purpose of recovering outstanding amounts and is based on the Company’s legitimate interest pursuant to Article 6(1)(f) of Regulation (EU) 2016/679 (GDPR).
The data transferred shall be limited to what is necessary to identify the CLIENT and the claim (for example: name, contact details, contractual data, outstanding amount, relevant supporting documents).
The Company ensures that any such third parties process the data in accordance with applicable data protection legislation, solely for the stated purpose, and are subject to appropriate contractual obligations regarding confidentiality and data security.
Where recipients are established in another Member State of the European Union or in the European Economic Area, personal data may be transferred in accordance with applicable data protection legislation. In the case of transfers outside the EU/EEA, such transfers shall take place only on the basis of appropriate safeguards in accordance with the GDPR.
The CLIENT has the right to object to processing based on legitimate interests in accordance with Article 21 GDPR, on grounds relating to the CLIENT’s particular situation, unless the Company demonstrates compelling legitimate grounds which override the interests, rights and freedoms of the CLIENT, or the processing is required for the establishment, exercise or defence of legal claims.
We also transfer the personal data we process to countries outside the European Economic Area ("EEA"), for example, when one of our service providers uses personnel or equipment located outside the EEA - for example, a cloud service provider located in the United States. We have put in place adequate safeguards to protect your privacy, fundamental rights and freedoms and the exercise of your rights, for example, we have established an adequate level of data protection, usually through EU Standard Contractual Clauses based on the European Commission's model clauses or other available safeguards. If you would like to see a copy of any relevant provisions, please contact us.
Our systems and procedures have been organized so as to include all reasonable security measures necessary to protect your personal data against unauthorized access and destruction, in accordance with Portuguese and European legislation on personal data. In addition, we have specific procedures and restrictions (technical and physical) that limit the access and use of the personal data we hold. Only authorized personnel may access this personal data and only for authorized and specific purposes.
We do not provide services to children under 18 and reserve the right to remove any information we may receive from them. We may receive information about children in certain cases, for example, in the event of an insurance claim or customer service dispute. If this happens, we will only collect and use this information with the consent of the child's guardian or parent.
We will keep your personal data for a period that depends on the purpose for which it was obtained and the nature of the data. We will retain your personal information no longer than is necessary to fulfill the purposes described in this Privacy Notice, unless a longer retention period is permitted by law. We implement appropriate measures to ensure that your personal information is securely and consistently destroyed when no longer needed.
In specific circumstances, we may store your personal information for long periods of time in order to have an accurate record of your dealings with us in the event of any complaints or challenges or if we reasonably believe that there is a possibility of litigation relating to your personal information or the negotiations made.
Except in certain cases provided for by law and in certain scenarios, depending on the processing activity we carry out, you have the right to request access, correction or deletion of your personal data, as well as to request data portability. You also have the right to object to the processing of your personal data in certain cases. If we process your personal data on the basis of your consent, you may withdraw it for the future at any time. You can also lodge a complaint with a supervisory authority.
If you would like more information about your data protection rights, including your rights to access data and correct incorrect data, please contact us and send an e-mail to privacy@klasswagen.com. We may request additional information to confirm your identity and for security reasons before disclosing the requested personal information. We reserve the right to charge a fee where permitted by law, for example, if your request is manifestly unfounded or excessive.
If you believe that we are in breach of our obligations under data protection laws, you may lodge a complaint with the competent National Authority for the Supervision of Personal Data Processing, located at. G-ral Gheorghe Magheru, Sector 1, 010336, Bucharest, Romania, anspdcp@dataprotection.ro.
Klass Wagen Portugal SRL a single-member company (operating under the trade name of Klass Wagen) controls the way in which your personal data is processed, acting as a data controller within the meaning of applicable data protection legislation. Klass Wagen Portugal SRL is a joint stock company, incorporated under Portuguese law, with registered office at Alameda dos Oceanos, Edifício n.º 41 O, 3rd Floor, Office 32B, Post Code 1990-203, Lisbon.
If you have questions, concerns or comments about our practices or this Privacy Notice, please send an e-mail to privacy@klasswagen.com.estora.
If you don't want to take advantage of our special offers, price discounts and the support of the Klass Wagen team to finalize your booking, use the Opt out button.
We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
We use Brevo (formerly Sendinblue) to manage our email marketing and automate communications related to bookings, promotions, and cart reminders. When you interact with our emails or visit our website via a Brevo campaign link, certain information is collected using Brevo’s tracking tools.
This includes:
This data helps us improve our communication, detect issues (e.g., abandoned carts), and personalize future messages.
Brevo only processes this data on our behalf and does not share it with third parties. All data is handled in compliance with the General Data Protection Regulation (GDPR) and applicable privacy laws.
We only activate Brevo tracking after you consent to marketing cookies, in compliance with our cookie management platform (Usercentrics/Cookiebot). You can change or withdraw your consent at any time using the “Cookie Settings” link in the footer.
For more details, you can review Brevo’s Privacy Policy.
Contact Forms
When you fill out a form on our website (e.g., to book a vehicle or request a quote), we may send your email address to Brevo to enable follow-up communications. We do not send any personal data to third parties without your consent.
We appreciate your interest in our products and services and would like to give you some important facts about how we handle and protect your personal data.
Klass Wagen is fully committed to protecting the privacy of the personal data of our customers, partners and suppliers. This privacy policy is designed to help you understand what information we collect, why we collect it, and how you can update, manage, export and delete your information. The policy also contains the security measures that Klass Wagen takes to protect such data and your rights in relation to it.
By "Klass Wagen Websites" we mean any web page (website, landing page, subdomain, etc.) owned, managed or under the umbrella of Klass Wagen. By using this website, you consent to the collection, processing and transfer of your data as described in this policy.
Please check this section regularly as the policy may be subject to changes or updates. Any significant changes to this policy will be notified.
In addition to this policy, please see our Terms and Conditions and Cookie Policy.
Information collected on our platform falls under the scope of the General Data Protection Regulation 2016/679 (Regulation (EU) 2016/679), also known as GDPR and the ePrivacy Directive (2002/58/EC).
If you require further information about how we use your personal data, you can email us at dpo@klasswagen.ro.
Klass Wagen SRL (with the trade name Klass Wagen) has been active for more than a decade in the field of car rental, becoming the national market leader in the segment of vacation travel. Our fleet of over 3000 cars is present in Romania (main airport cities) and in Hungary (Budapest). We offer a wide range of services related to online car rental, including products and services related to this field.
Klass Wagen SRL has its headquarters in Timisoara, 16 Decembrie 1989 Blvd. no. 35, Timis County, and its head office in Otopeni, 289, Calea Bucurestilor, Ilfov County, Romania. It is registered in the Trade Register under no. J35/351/2005, with fiscal code no. 17197919.
Contact data:
Phone number: +40374020002
E-mail: romania@klasswagen.com
E-mail Human Resources: hr@klasswagenE-ma.com
Customer Relations Department: customercare@klasswagen.com
We use a third-party server to host our website, AWS (Amazon).
Our website server automatically logs the IP address that you use to access our website, as well as other information about your visit, such as the accessed pages, the requested information, the date and time of the request, the source of the access to our website (e.g., the website or URL (link) that referred you to our website), and the version of your browser and operating system.
Our provider collects and stores server logs to ensure IT network security. This includes analyzing the log files to help identify and prevent unauthorized access to our network, distribution of malicious code, predicting DDOS and other cyber-attacks by detecting unusual or suspicious activity.
If we are not investigating suspicious or potential criminal activity, we will not make or allow our provider to make any attempt to identify you based on information collected through server logs.
By accessing or using any part/function of our website, you agree to accept and abide by the terms, conditions and policies stated and/or available via hyperlink and acknowledge that you are of legal age according to applicable national law. If you do not accept the terms, conditions and policies set out in this documentation, then you should not continue to use our website.
The content of the Klass Wagen Websites: images, text, web graphics, scripts, software, design rights, model rights, patents, trademarks, constitute the entire property of Klass Wagen and are protected by copyright and related rights laws and by intellectual and industrial property laws. The use without the consent of Klass Wagen of any of the elements listed above is punishable under the laws in force.
Klass Wagen may provide the user/customer with the right to use in a described form certain content of the website by means of an agreement. This agreement applies strictly to the defined content(s), for a period of time set out in the agreement and only to the person(s) permitted to use such content(s), and may not use any other content of the Klass Wagen Websites.
The use on the Klass Wagen Websites of any trademarked name does not constitute advertising for that company. Klass Wagen assumes no responsibility and cannot be blamed for any damages arising from the use of the contents of the website.
Please report any possible copyright infringement noticed on the website to dpo@klasswagen.ro.
In general, the personal data we collect is provided by you via email, telephone, through the Klass Wagen website (by processing bookings, adding a review, etc.), social media networks, or during meetings we may have with you.
When we have an active recruitment process, we will collect data about you from specialized online platforms (eJobs, LinkedIn, etc.) or from the CVs you send us directly, or through open recruitment projects in specialized online platforms.
Also, when you interact with us on social media (i.e. like, share, comment, review, etc.), we will inevitably have access to information about you, in particular data that you have made public on your social media profile.
Please find below the purposes for which we process your personal data, who has access to your data, and how we store it.
1.We process data about you when you interact with us using the contact details available on our website, contact form or our social media accounts.
When you interact with us using the contact details available on the Klass Wagen website/Contact Form/Call/E-mail or interact with us via social media messenger functions (e.g. feedback, complaints, enquiries, etc.), we will use your contact details and the data you provide to us to provide you with information and offers regarding our services and products, to resolve the situation reported, to evaluate our customers' satisfaction and to continuously improve the services we offer.
Personal data
First name, last name, phone number, email address, Internet Protocol (IP), cookie ID, data you have made public on your social media profile and any other data you voluntarily submit to us.
Lawfulness of processing
We process your data to take steps at your request prior to the conclusion of a contract (Art. 6/1/b of Regulation (EU) 2016/679)
In pursuit of our legitimate interest to respond to any queries, complaints or recommendations you send us and to improve our services and the experience we provide to our customers (Art. 6/1/f of Regulation (EU) 2016/679).
With whom we may share your data
Providers of IT services for our company (hosting and web hosting), or providers to whom we outsource certain technical support services for our website, cybersecurity monitoring and intrusion detection, or providers of customer relationship management systems
Email provider: Microsoft - Office 365
Social media platforms: Facebook, Instagram, LinkedIn, Youtube.
Members of our group of companies (this includes our subsidiaries, the parent company, and all its subsidiaries), as reasonably necessary for the purposes set out in this policy.
Your personal data may also be disclosed to professional advisors (including lawyers, attorneys, auditors, consultants, and accountants), professional bodies, tax authorities, courts, and the police if required by law or to protect and uphold our rights and interests.
Regulators and other state authorities if required by legal or statutory requirements.
We will only disclose your personal data to the extent that this is strictly necessary to achieve the intended purpose. We have taken all reasonable steps to ensure that external service providers who have access to your data have also implemented physical, electronic and managerial security measures to protect your data.
2.We process data about you when you interact with us using our contact forms and when you send us a data access request
When you interact with us using the contact form we will use your contact data and the data you provide to us in the course of communicating with you to deal with your subscription request, data update, data verification or your wish to be forgotten. To exercise your legal rights under the GDPR, we must first identify you and process your data.
Personal data
First name, last name, telephone number, e-mail address, address, date of birth, relationship to the data subject if the application is completed on behalf of another person, other information you voluntarily submit to us.
Lawfulness of processing
We process your data in order to comply with our legal obligations under GDPR (Art. 6/1/c of Regulation (EU) 2016/679).
With whom we may share your data
IT service providers for our company (hosting and web hosting), or vendors to whom we outsource certain technical support services for our website, cybersecurity monitoring and intrusion detection, or customer relationship management system providers
Email provider: Microsoft - Office 365
Members of our group of companies (this includes our subsidiaries, the parent company, and all its subsidiaries), as reasonably necessary for the purposes set out in this policy.
Your personal data may also be disclosed to professional advisors (including lawyers, attorneys, auditors, consultants, and accountants), professional bodies, tax authorities, courts, and the police if required by law or to protect and uphold our rights and interests.
Regulators and other state authorities if required by legal or statutory requirements.
We will only disclose your personal data to the extent that this is strictly necessary to achieve the intended purpose. We have taken all necessary steps to ensure that external service providers who have access to your data have also implemented physical, electronic and managerial security measures to protect your data.
How long we will store the data
We will store your data in our communications database for a maximum of 12 months after your last interaction.
Where the data is stored
Data recorded through the Klass Wagen website will be stored on the servers of the web hosting providers who provide the data storage.
Data transmitted via email will be stored Microsoft - Office 365 (Austria) and AWS (Amazon).
Data we download locally will be stored on our secure, local and cloud servers.
3.We process data about you when you react to content on social media or share information on the website
You can find us on Facebook, Instagram, YouTube, LinkedIn. Whenever you interact with us through our social media accounts (e.g. comments, likes, reviews, shares, etc.) we will have access to your publicly available data on your profile.
Personal data
Your name, photograph, any publicly accessible information from your social media profile, or voluntarily communicated by you.
Lawfulness of processing
We process your personal data in order to respond to your request before entering into a contract (Art. 6/1/b of Regulation (EU) 2016/679),
Pursuing our legitimate interest (Art. 6/1/f of Regulation (EU) 2016/679) to respond to any questions, suggestions or complaints you may submit and to improve our services and the experience we provide to our customers, and in addition, pursuing our legitimate interest to keep you informed of news Ascensos publishes that may be of interest to you.
With whom we may share your data
IT service providers for our company (hosting and web hosting), or vendors to whom we outsource certain technical support services for our website, cybersecurity monitoring and intrusion detection, or customer relationship management system providers.
Social media platforms: Facebook, Instagram, YouTube, LinkedIn.
Members of our group of companies (this includes our subsidiaries, the parent company, and all its subsidiaries), as reasonably necessary for the purposes set out in this policy.
Your personal data may also be disclosed to professional advisors (including lawyers, attorneys, auditors, consultants, and accountants), professional bodies, tax authorities, courts, and the police if required by law or to protect and uphold our rights and interests.
Regulators and other state authorities if required by legal or statutory requirements.
We will only disclose your personal data to the extent that this is strictly necessary to achieve the intended purpose. We have taken all reasonable steps to ensure that external service providers who have access to your data have also implemented physical, electronic and managerial security measures to protect your data.
How long we will store the data
Data shared with social media platforms will be stored by them in accordance with their own policies.
Where is the data stored
Data shared with social media platforms will be stored by them in accordance with their own policies, located in the European Union or the USA.
Data we download locally will be stored on our secure, local and cloud servers.
4.We process your data for commercial and marketing communications
We may send you information about the services we offer if you have requested this information or if you are already our customer and this information may be of particular interest to you.
Personal data
Name, surname, e-mail address, telephone.
Lawfulness of processing
We process your data in order to take steps at the request of the data subject prior to the conclusion of a contract (Art. 6/1/b of Regulation (EU) 2016/679).
We process data on the basis of your consent (Art. 6/1/a of Regulation (EU) 2016/679), for marketing communications.
We will process data in the legitimate interest if you are already our customer and we consider that the information could be of great interest to you (Art. 6/1/f of Regulation (EU) 2016/679).
With whom we may share your data
IT service providers for our company (hosting and web hosting), or vendors to whom we outsource certain technical support services for our website, cybersecurity monitoring and intrusion detection, or customer relationship management system providers.
Members of our group of companies (this includes our subsidiaries, the parent company, and all its subsidiaries), as reasonably necessary for the purposes set out in this policy.
Your personal data may also be disclosed to professional advisors (including lawyers, attorneys, auditors, consultants, and accountants), professional bodies, tax authorities, courts, and the police if required by law or to protect and uphold our rights and interests.
Regulatory and other state authorities, if required by legal or statutory requirements.
We will only disclose your personal data to the extent strictly necessary to achieve the purpose for which we are collecting it. We have taken all necessary steps to ensure that external service providers who have access to your data have also implemented physical, electronic and managerial security measures to protect your data.
How long we will store the data
In the case of processing carried out for legitimate interest, when you are already our customer, we will process your data for the duration of the contract and will continue to do so for a further 5 years after termination of the contract.
Commercial communications (e.g. requests for quotations, negotiations, etc.) that have not resulted in the conclusion of a contract will be retained for 12 months from the date of the last interaction.
Where is the data stored
Data registered through the Klass Wagen website will be stored on the servers of the web hosting providers who provide the data storage.
Data that we download locally will be stored on AWS (Amazon) Servers).
5.We process your data when you place a reservation on the Klass Wagen website
We use this information about you for all activities relating to the processing, amendment and cancellation (if necessary) of bookings on www.klasswagen.com/ro/.
Personal data
Full name, surname, date of birth, passport, ID card, driving license, data of other tourists for whom the reservation is made, including data of minors - if applicable, e-mail, telephone, billing address or information required for payments (card or bank accounts).
Lawfulness of processing
We process your data for the conclusion and performance of a contract (Art. 6/1/b of Regulation (EU) 2016/679).
With whom we may share your data
IT service providers for our company (hosting and web hosting), or providers to whom we outsource certain technical support services for our website, cybersecurity monitoring and intrusion detection, or providers of customer relationship management systems.
Third party payment processors: PayU and Shift4.
Members of our group of companies (this includes our subsidiaries, the parent company, and all its subsidiaries), as reasonably necessary for the purposes set out in this policy.
Your personal data may also be disclosed to professional advisors (including lawyers, attorneys, auditors, consultants, and accountants), professional bodies, tax authorities, courts, and the police if required by law or to protect and uphold our rights and interests.
Regulators and other state authorities if required by legal or statutory requirements.
We will only disclose your personal data to the extent that it is strictly necessary to achieve the intended purpose. We have taken all reasonable steps to ensure that external service providers who have access to your data have also implemented physical, electronic and managerial security measures to protect your data.
How long we will store the data
The data recorded in your account on the www.klasswagen.com/ro platform will remain accessible until you decide to close your account.
The data recorded when making a reservation without having an account registered in the platform will be kept for a maximum of 5 years from the moment of closing the reservation.
The data recorded in the financial-accounting documents (e.g. invoices, card payments, reimbursement payments, etc.) will be kept in the archive for 5 years, starting from the end of the financial year during which they were drawn up, in accordance with the periods of the Accounting Law no. 82/1991 and Order 2634/2015.
Where is the data stored
Data registered via Klasswagen.com/ro will be stored on the servers of the web hosting providers, who provide data storage.
Data shared with other platforms (PayU and Shift4) will be stored by them according to their own policies, located in the European Union.
Data that we download locally will be stored on AWS (Amazon) Servers).
6.We collect information about you when you place a reservation by phone or physically with one of Klass Wagen's agencies
We use this information about you for all activities related to processing, modifying and canceling (if necessary) reservations placed by telephone or physically at one of the Klass Wagen agencies.
Personal data
Full name, surname, date of birth, passport, ID card, driving license, data of other tourists for whom the reservation is made, including data of minors - if applicable, e-mail, telephone, billing address or information required for payments (card or bank accounts).
Lawfulness of processing
We process your data for the conclusion and performance of a contract (Art. 6/1/b of Regulation (EU) 2016/679).
With whom we may share your data
IT service providers for our company (hosting and web hosting), or providers to whom we outsource certain technical support services for our website, cybersecurity monitoring and intrusion detection, or providers of customer relationship management systems.
Third party payment processors PayU and Shift4.
Telephone central application: Zoiper.
Members of our group of companies (this includes our subsidiaries, the parent company, and all its subsidiaries), as reasonably necessary for the purposes set out in this policy.
Your personal data may also be disclosed to professional advisors (including lawyers, attorneys, auditors, consultants, and accountants), professional bodies, tax authorities, courts, and the police if required by law or to protect and uphold our rights and interests.
Regulators and other state authorities if required by legal or statutory requirements.
We will only disclose your personal data to the extent that this is strictly necessary to achieve the intended purpose. We have taken all necessary steps to ensure that external service providers who have access to your data have also implemented physical, electronic and managerial security measures to protect your data.
How long we will store the data
Data recorded at the time of making a telephone or physical reservation will be kept for a maximum of 5 years from the time the reservation is finalized.
Data recorded in financial-accounting documents (e.g. invoices, card payments, reimbursement payments, etc.) will be kept in the archive for 5 years, starting from the end of the financial year during which they were drawn up, in accordance with the periods of the Accounting Law No. 82/1991 and Order 2634/2015.
Where is the data stored
Data recorded through klasswagen.com/ro will be stored on the servers of the web hosting providers, which provide data storage.
Data shared with other platforms will be stored by them in accordance with their own policies, located in the European Union.
Data we download locally will be stored on Azure (Microsoft) Servers).
7.We process your data in order to facilitate an easy and pleasant navigation on the Klass Wagen website
When you visit our website, we collect data about you through online identifiers (cookies and IP), which are stored in log files.
We use this information so that we can design our website to better tailor it to the needs of our users. We may also use your address. IP address to help diagnose possible malfunctions of our servers and to administer our website, maintain the security of our website and prevent fraud, authorize use of the services available on our website, analyze trends, track visitors' movements, and gather broad demographic information to help identify visitors' preferences.
You can find more information about cookies, as well as how to delete cookies and disable tracking by visiting the Cookie Policy available on our website.
Personal data
Internet Protocol (IP), general computer location, device (county level), website viewing history, timestamp, request/action, browser type and version, and operating system.
Other information that is generated while using our website, including when, how often and under what circumstances you use it.
Lawfulness of processing
We use cookies to make your browsing on our website easy and pleasant, in our legitimate interest (Art. 6/1/f of Regulation (EU) 2016/679).
Non-essential cookies are not used without your consent (Art. 6/1/a of Regulation (EU) 2016/679).
With whom we may share your data
IT service providers for our company (hosting and web hosting), or vendors to whom we outsource certain technical support services for our website, cybersecurity monitoring and intrusion detection, or customer relationship management system providers.
Third parties that place cookies: Google, Hotjar, Facebook, AddThis.
Members of our group of companies (this includes our subsidiaries, the parent company, and all its subsidiaries), as reasonably necessary for the purposes set out in this policy.
Your personal data may also be disclosed to professional advisors (including lawyers, attorneys, auditors, consultants, and accountants), professional bodies, tax authorities, courts, and the police if required by law or to protect and uphold our rights and interests.
Regulators and other state authorities if required by legal or statutory requirements.
We will only disclose your personal data to the extent that this is strictly necessary to achieve the intended purpose. We have taken all necessary steps to ensure that external service providers who have access to your data have also implemented physical, electronic and managerial security measures to protect your data.
How long we will store the data
There are session cookies and persistent cookies. While session cookies are deleted when you close your browser, persistent cookies may have a different lifetime, depending on the purpose they fulfill.
More information about the lifetime of the cookies we use can be found in our Cookie Policy.
Where is the data stored
Data collected through our own cookies will be stored on AWS (Amazon) servers).
Data collected through third parties who place cookies will be stored on their servers located in the European Union, the UK or the USA.
8.We process data about you when you make a request to schedule a discussion with us
There may also be times when we will contact you by phone, email or SMS in order to respond to your queries and requests, to carry out the rental agreements you have entered into or to finalize a booking you have started and not completed.
Personal data
Full name, surname, date of birth, passport, identity card, driving license, details of other tourists for whom the reservation is made, including details of minors - if applicable, e-mail, telephone, billing address or payment information (card or bank account details).
Lawfulness of processing
We process your data in order to respond to your request before concluding a contract (Art. 6/1/b of Regulation (EU) 2016/679),
Pursuing our legitimate interest in responding to any questions or requests you send us in order to improve the services and experience we provide to our customers (Art. 6/1/f of Regulation (EU) 2016/679).
With whom we may share your data
IT service providers for our company (hosting and data storage), vendors to whom we outsource certain technical support services for our website, or customer relationship management system providers.
Members of our group of companies (this includes our subsidiaries, the parent company, and all its subsidiaries), as reasonably necessary for the purposes set out in this policy.
Your personal data may also be disclosed to professional advisors (including lawyers, attorneys, auditors, consultants, and accountants), professional bodies, tax authorities, courts, and the police if required by law or to protect and uphold our rights and interests.
Regulators and other state authorities if required by legal or statutory requirements.
We will only disclose your personal data to the extent strictly necessary to achieve the purpose for which we are collecting it. We have taken all necessary steps to ensure that external service providers who have access to your data have also implemented physical, electronic and managerial security measures to protect your data.
How long we will store the data
We will store your data in our communications database for a maximum of 12 months after your last interaction.
Where is the data stored
Data recorded through our website will be stored on Azure (Microsoft) servers).
Data transmitted by email will be stored on Azure (Microsoft) servers).
Data we download locally will be stored on Azure (Microsoft) servers).
If the CLIENT fails to fulfill payment obligations arising from the rental agreement (including, but not limited to, amounts due for rental fees, fines, administrative charges, penalties, or any other outstanding amounts), and such amounts remain due and unpaid after prior notice, the Company may transfer strictly necessary personal data to:
- debt collection agencies,
- legal consultants,
- lawyers or other entities involved in the enforcement and recovery of outstanding claims,
- judicial or administrative authorities, where required by law.
Such disclosure shall take place exclusively for the purpose of recovering outstanding amounts and is based on the Company’s legitimate interest pursuant to Article 6(1)(f) of Regulation (EU) 2016/679 (GDPR).
The data transferred shall be limited to what is necessary to identify the CLIENT and the claim (for example: name, contact details, contractual data, outstanding amount, relevant supporting documents).
The Company ensures that any such third parties process the data in accordance with applicable data protection legislation, solely for the stated purpose, and are subject to appropriate contractual obligations regarding confidentiality and data security.
Where recipients are established in another Member State of the European Union or in the European Economic Area, personal data may be transferred in accordance with applicable data protection legislation. In the case of transfers outside the EU/EEA, such transfers shall take place only on the basis of appropriate safeguards in accordance with the GDPR.
The CLIENT has the right to object to processing based on legitimate interests in accordance with Article 21 GDPR, on grounds relating to the CLIENT’s particular situation, unless the Company demonstrates compelling legitimate grounds which override the interests, rights and freedoms of the CLIENT, or the processing is required for the establishment, exercise or defence of legal claims.
Klass Wagen pays great attention to the protection of your data and applies appropriate technical and organizational measures to ensure the protection of the processed personal data appropriate to the risks and protected data categories, in particular, it protects the data against its sharing with unauthorized persons, its acquisition by an unauthorized person, its processing in violation of applicable laws as well as against data change, loss, damage or destruction.
However, remember that unfortunately no data transmission is guaranteed to be 100% secure.
If you suspect a breach of your data privacy, please contact us immediately at: dpo@klasswagen.ro.
Important: After the data retention period has expired, your data will be deleted. If we consider that this data could help us improve the quality of our products or services, we will continue to use this data only after irreversible anonymization of this data.
Klass Wagen websites may contain links to other websites that are not owned or controlled by Klass Wagen.
Please note that we are not responsible for the privacy practices of other websites or third parties. We encourage you to be aware when you leave our website and to read the privacy policies of each and every website that may collect personal information.
We process data of persons under the age of 18, only with the consent of their legal representative, for the proper performance of the services contracted by the minors' legal representatives.
We may receive information about persons under the age of 18 through fraud or deception of a third party. If we are notified of this, as soon as we verify the information, when required by law, we will immediately obtain the consent of the legal representative to use the information or, if we are unable to obtain such consent, we will delete the information from our servers. If you wish to notify us of our receipt of information about persons under the age of 18, please do so by sending an e-mail to dpo@klasswagen.ro.
We use a number of third parties to provide us with services that are necessary to run our business or to help us run our business and who process your information for us on our behalf, namely:
These partners operate both inside and outside the European Economic Area ("EEA").
List of international partners with whom we share data:
Third parties that place cookies: Google, Facebook, Hotjar, AddThis
Online platforms: Facebook, Instagram, TikTok, LinkedIn
Personal data may be stored and processed in any country where we engage service providers. We may transfer Personal Data we retain about you to recipients in countries other than the country in which the Personal Data was originally collected, including to the United States. These countries may have data protection rules that are different from those in your country. However, we will take steps to ensure that any such transfers comply with applicable data protection laws and that your personal data remains protected in accordance with the standards described in this Privacy Policy. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may have the right to access your personal data.
Where applicable law requires us to ensure that an international transfer of data is governed by a data transfer mechanism, we use one or more of the following mechanisms:
EU standard contractual clauses with a data recipient outside the EEA or UK.
Verification that the recipient has implemented binding corporate rules.
We will also ensure that all our international partners have taken additional steps to provide adequate safeguards, enforceable rights and effective legal remedies. The role of these measures is to provide additional safeguards to data subjects that the transfer of data under standard contractual clauses or binding corporate rules provides a level of protection equivalent to that guaranteed within the European Union.
As a data subject you have specific legal rights in relation to your personal data that we collect and process.Klass Wagen respects your rights and ensures that we take your interests into account.
Withdrawal of consent: If the processing is carried out on the basis of your consent, you may withdraw your consent to the processing at any time.
Correction of data: If you notice that we hold inaccurate personal data, you may at any time ask us to rectify your personal data. We make reasonable efforts to keep personal data - which is used on an ongoing basis and in our possession or control - accurate, complete, current and relevant, based on the latest information available to us.
Restriction of Processing: If you are in one of the situations below, you may ask us to restrict the processing of your data:
challenge the accuracy of personal data for the period during which we need to verify the accuracy,
processing is unlawful and you request restriction of processing rather than erasure of personal data,
we no longer need your personal data, but you request them for the establishment, exercise or defense of a right, or
you object to processing during the period in which we verify that our legitimate grounds override your rights.
Access to your data: You may ask us for information about the personal data we hold about you, including information about what categories of data, what it is used for, where we collected it from, whether it is not collected directly from you, and to whom it has been disclosed, if applicable. You can obtain a copy from us, free of charge, containing the personal data we hold about you. We reserve the right to charge a reasonable fee for abusive requests.
Right to portability: Upon request, we will transfer personal data to another controller, where technically possible, provided that the processing is necessary for the performance of a contract. Rather than receiving a copy of your personal data, you may request that we transfer your data directly to another controller specified by you.
Right of deletion: you can obtain from us the deletion of your personal data if:
your data is no longer necessary for us in relation to the purposes for which it was processed;
you object to further processing of your personal data (see Right to object below);
your personal data has been processed unlawfully;
withdraw your consent on the basis of which the processing is taking place.
Unless the processing is necessary:
Please note!
Time: We will try to resolve your request within 30 days. However, the period may be extended for reasons relating to the specific legal right or complexity of the request.
Restricting access: In certain situations, we may not be able to grant you access to all or part of your personal data due to restrictions provided by law. If we refuse your request for access, we will inform you of the reason for the refusal.
Impossibility of identification: In some cases, we may not be able to identify the personal data due to the lack of identifiers provided in the request you submit to us. In such cases, if you do not provide additional identifying information, we will not be able to fulfill your request to exercise your legal rights as described in this section.
To exercise your legal rights, please contact our Data Protection Officer in writing at dpo@klasswagen.ro.
We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
We use Brevo (formerly Sendinblue) to manage our email marketing and automate communications related to bookings, promotions, and cart reminders. When you interact with our emails or visit our website via a Brevo campaign link, certain information is collected using Brevo’s tracking tools.
This includes:
This data helps us improve our communication, detect issues (e.g., abandoned carts), and personalize future messages.
Brevo only processes this data on our behalf and does not share it with third parties. All data is handled in compliance with the General Data Protection Regulation (GDPR) and applicable privacy laws.
We only activate Brevo tracking after you consent to marketing cookies, in compliance with our cookie management platform (Usercentrics/Cookiebot). You can change or withdraw your consent at any time using the “Cookie Settings” link in the footer.
For more details, you can review Brevo’s Privacy Policy.
When you fill out a form on our website (e.g., to book a vehicle or request a quote), we may send your email address to Brevo to enable follow-up communications. We do not send any personal data to third parties without your consent.
This version has been updated on June 04, 2025.