Data protection – myTO   Information on data protection

Scroll down

Data protection: your right – our obligation


You can rely on the protection and security of your personal data: the protection of your privacy and your rights when processing personal data is an important concern for onesto GmbH, which we take into account in all of our business processes.


Therefore, we inform you at this point about the basic rules of our handling of personal data. You will always receive further information about collection, processing and usage of personal data, when we collect such information from you.


For further information, you can contact our data protection officer at any time:


Information we collect


“Personal Data” means any information relating to you that is entered by or on behalf of your Company or its authorized users of the myTO system into or derived from their use of the myTO system. It also includes personal data supplied to or accessed by or on behalf of onesto GmbH to provide support for myTO system. Not all of your Company’s data within the myTO system is Personal Data. As a general matter, Personal Data in the myTO system includes the following categories of data:


  • Personal profile data, such as name, contact information, travel preferences, payment information and account numbers for related connected services
  • Organizational information, such as employee identification, cost center, associated approvers information
  • Travel related data, such travel itineraries
  • Expense related data, such as expense information, including images of receipts
  • Mobile data, such as mobile device information and, when enabled, location data
  • Data for associated connected services to support travel needs, such as account, loyalty program or rewards numbers for airlines, railways, hotels or rental cars.


The categories of information about you collected or derived within the myTO system depends, in part, on the myTO system to which your Company has subscribed and how the myTO system is configured for your Company.


You provide Personal Data directly when you enter it in myTO system. In some cases, another user, such as an account administrator, may create an account on your behalf or may provide Personal Data as part of your use of the myTO system at the direction or with permission of your Company.


myTO system may obtain Personal Data from other sources, as well, such as back offices or human resources systems, or from travel agents and travel management companies that work with your Company.


When you use the myTO system, some information like IP address, device or browser information, logs, for example, is automatically collected about your usage and activity on the myTO system to address technical support issues and understand how you use the myTO system.


Privacy protection of persons under 16 years of age on the Internet


Personal data from minors (under 16 years of age) are not intentionally collected by onesto GmbH or used in any form. As a rule, we do not find out the age of the visitor of our websites. However, we do not take any specific actions to particularly protect such data.


Without the express consent of their parents or supervisors, persons under 16 years of age may not transfer any personal data.


How we use your information


Onesto GmbH will use Personal Data within the scope of the myTO system for the following:


  • Providing, operating, hosting, maintaining, connecting, and improving the myTO system, and enabling you to access, use and connect the myTO system
  • Processing and completing transactions within the myTO system, such as booking corporate travel or creating and submitting expense reports.
  • Providing customer service and support, providing you with transactional communications, such as submission or booking confirmations, providing technical notices, updates, security alerts and support and administrative messages
  • Providing you with information and support for related myTO system available to you under your Company’s agreement
  • Understanding how the myTO system are being configured and used, how the myTO system and the user experience can be improved for the benefit of all users, and to develop new products and services
  • Investigating and preventing fraudulent transactions, unauthorized access or other security incidents, and other illegal activities


If your Company has subscribed for service that enable your Company to identify and confirm the location of some or all of their users and communicate with them during events such as natural disasters, attacks, or other risk events, then the myTO system use location information from your profile and travel itineraries in the myTO system or from the check-in location you provide directly through myTO mobile application.


Your rights with regard to the processing of personal data


The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information listed in detail in Art. 15 GDPR.


The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement (Art. 16 GDPR).


The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the grounds mentioned in Art. 17 GDPR applies.


The data subject shall have the right to obtain from the controller restriction of processing where one of the grounds mentioned in Art. 18 GDPR applies.


The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims (Art. 21 GDPR).


Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation (Art. 77 GDPR). The competent supervisory authority in Bavaria is:


Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 27
91522 Ansbach


Your data security


The data you provide to onesto GmbH are protected by suitable technical and organizational means with the aim of protecting your data against accidental or deliberate manipulation, loss, destruction, access by unauthorized persons or unauthorized disclosure to third parties. Our security measures are continuously monitored and improved in line with technological developments and organizational possibilities.