A. Why is data protection important?
We, Hamburger Hochbahn AG, are pleased about your interest in hvv switch. With the hvv switch app, hvv switch gives you the opportunity to make use of various mobility services in Hamburg using just one single app and without having to register separately with each individual mobility provider. The long-term aim of hvv switch is to create a simple and reliable alternative to private car usage with the hvv switch app and its integrated mobility offerings.
We take the protection of your privacy very seriously indeed. Your personal data will only ever be processed in accordance with data protection regulations. You can find more information about the purpose and legal basis of the respective processing activities under C. Purpose and legal basis of the processing.
B. Who is responsible?
Hamburger Hochbahn AG, Steinstraße 20, 20095 Hamburg, Germany, is responsible for processing your personal data in relation to your use of the hvv switch app. In addition, the respective mobility provider shall be responsible for processing your personal data when processing a mobility service you have booked using the hvv switch app. You can find out more details about this under E. Will data be passed on to other parties?
If you have any general questions about hvv switch, please contact firstname.lastname@example.org.
C. Purpose and legal basis of the processing
In the following, we will present you with an overview of the purpose and legal basis for processing your personal data. You can find more detailed information about the processing of your personal data and the respective purpose of processing under D. Which personal data is processed for which specific purpose?
Delivery of services
First and foremost, we will process your data in order to be able to execute and invoice the services you make use of. This shall include, for example, the creation of your user account (“hvv switch profile”), as well as information about, booking of and use of mobility services. In order to book and use mobility services, you must enter into a separate contractual relationship with the respective mobility provider, with our involvement. We will then transfer the data required for the respective contract to the mobility provider in question, who shall then be responsible itself for processing this data at its discretion, for the purpose of performing the contract. Additionally, we transmit personal data to our payment provider for the payment process. The legal basis for the data processing is the necessity to fulfil the contract as per Article 6 (1) (b) of the GDPR or to protect legitimate interests (Article 6 (1) (f) of the GDPR).
We shall process your personal data, if and to the extent that this is necessary, to fulfil legal obligations (e.g. tax law storage obligations) (Article 6 (1) (c) of the GDPR).
Enforcement of legal claims
Furthermore, we shall process your personal data if this is necessary to enforce claims or other legal rights. The legal basis for data processing in these cases is the requirement to fulfil the contract with HOCHBAHN (Article 6 (1) (b) of the GDPR) or to protect legitimate interests (Article 6 (1) (f) of the GDPR).
Security of the systems, prevention of criminal offences
Another purpose for processing shall be to safeguard the security of our systems and, for example, to prevent and detect any instances of fraud and other criminal offences. The legal basis for this data processing is the protection of legitimate interests by HOCHBAHN (Article 6 (1) (f) of the GDPR).
Improvement of our services
We are constantly striving to optimise our services. We use anonymous data for this purpose. The legal basis for data processing is the protection of legitimate interests by HOCHBAHN (Article 6 (1) (f) of the GDPR).
D. Which personal data is processed for which specific purpose?
1. Informational use
If you use the hvv switch app for information purposes, i.e. if you have not registered, we shall only process personal data that is necessary for us to enable you to use the hvv switch app. This shall include, for example, the device identification number (DeviceID for Android, IDFA for iOS), language and version of the app, operating system, and the date and time of the request. This automatically collated personal data shall be processed by us in order to ensure a functioning, stable hvv switch app, to enable optimisation of the hvv switch app (e.g. by adapting the app to suit your mobile device) and also to ensure the security of our information technology systems.
Data processing for informational use takes place pursuant to Article 6 (1) (f) of the GDPR.
2. Location data and location tracking
Whenever you request a mobility service using the hvv switch app, e.g. you select a hvv ticket or book a MOIA journey, we shall use the location data contained in the request (e.g. your current location, departure stop, start and destination) to issue you with a valid hvv ticket or to show you booking options for MOIA. We shall also use this information without establishing any personal reference to you to be able to better match the offers in the hvv switch app to demand.
With a view to making sure that we offer you the simplest possible user experience with the hvv switch app, we recommend that you activate location tracking for the hvv switch app. This requires you to consent to the hvv switch app accessing location services using the operating system of the mobile device you are using and its authorisation system. We shall only ever record the location determined by your device if the hvv switch app is open. If location detection is activated, this is usually indicated by a corresponding function on your mobile device. You can agree to or revoke this option of location detection at any time by going to the settings in the operating system of your mobile device. When you start the hvv switch app for the first time, we will ask you once whether you want to activate automatic location tracking.
The data processing for location tracking takes place pursuant to Article 6 (1) (f) of the GDPR.
We do not use location data to create a movement profile of you.
3. Registration for hvv switch
When you register for the hvv switch app, you will choose your login data (e-mail address and password). We shall process this personal data by setting up your user account. You require a user account in order to make use of mobility services in the hvv switch app (by activating them accordingly).
The data processing for registration takes place pursuant to Article 6 (1) (b) of the GDPR.
4. Activation for mobility services
With the hvv switch app, we offer you the opportunity to use the mobility services of various mobility providers, and in the case of hvv ticketing to use our own service as well. Depending on the mobility service in question, this use may require you to provide additional personal data and validation of your personal data.
For example, this might require you to specify and validate:
- Your first and last name
- Your date of birth
- Your mobile phone number
- Your address
- Your payment data
Without the relevant information and validation, it shall not be possible to make use of the mobility service in question.
Data processing for activation here is based on Article 6 (1) (b) of the GDPR.
During the course of activation for the respective mobility service, only personal data required for use of the respective mobility service shall be requested, validated if necessary, and saved to your user account. Any other information added to your user account is optional.
Once your account has been successfully activated for the mobility service you selected, you will no longer be able to delete certain personal data in your user account, as it is mandatory for the use of the selected mobility service. You can make changes to your personal data and re-validate them. If you wish to delete certain personal data that is absolutely necessary for you to use a mobility service, you can do so by contacting our customer service. You will then no longer be able to use that particular mobility service.
With regard to hvv ticketing, we shall process your contact and address data after successful activation, in order to inform you about contractually relevant changes to our products and our mobility service, and to send you other information that is stipulated by law.
5. Booking and use of mobility services
Whenever you buy or reserve or book a mobility service using the hvv switch app, we assign the associated purchase/reservation/booking data to your user account. In this context, we also process your name and the location data you provided in your request for a mobility service. The mobility services you have used (active and completed) are shown in your user account.
The data processing for booking and using mobility services takes place pursuant to Article 6 (1) (b) of the GDPR.
Furthermore, we shall transmit the purchase/reservation/booking data required for the respective mobility service to the mobility provider in question, who shall then be responsible for processing this data at its own discretion for the purpose of processing and performing the mobility service. You can find out more about the forwarding of data by us under E. Will data be passed on to other parties?
We shall also process personal data in order to settle any further claims (e.g. settlement of incurred damages) resulting from a booking and/or the usage of a service.
If any faults and malfunctions etc. occur in relation to the provision of mobility services, we shall use your contact details to inform you about them, for example via e-mail, SMS, in-app or push message.
6. Payment and billing
In order to be able to use a mobility service via the hvv switch app, you need to enter a valid method of payment in your user account.
We currently offer PayPal as a method of payment. In a first step, you shall need to link your PayPal account to your hvv switch user account. When you link your PayPal account to your hvv switch account, you have the option of transferring personal data already saved in your PayPal account (e.g. name and billing address) to your hvv switch account and saving it there. This gives you the option of entering personal data faster and more conveniently. This information is required if you wish to make use of certain mobility services.
The transfer of your data to PayPal is based on Article 6 (1) (a) of the GDPR (consent) and Article 6 (1) (b) of the GDPR (processing for the performance of a contract).
In order to carry out the payment process and for the purpose of the sale and assignment of our claims against you, we shall transfer personal data to our payment service provider LogPay Financial Services GmbH. Our payment service provider shall then process and save your personal data for the purpose of processing payments, for receivables management, assessing the permissibility of payment methods, and preventing payment defaults.
For each mobility service you make use of in the hvv switch app, we issue an invoice and process personal data about you in relation to this (e.g. your name, date and place of usage of the respective service). We shall issue our own invoices by e-mail only, as with invoices issued on behalf of individual mobility providers.
Due to statutory storage obligations, including obligations under commercial law and tax law, we shall save invoices issued by us for a period of ten years. This period shall begin at the end of the year in which the invoice was issued. During the storage period, this personal data shall be completely restricted, and no longer accessible for further data processing.
7. Customer service
Whenever you contact us, for example by sending us an inquiry or giving us feedback, we save this information in order to process your inquiry or respond to your feedback. We will contact you regarding your inquiry or feedback if this is necessary to clarify and deal with your request.
E. Will data be passed on to other parties?
Whenever you book or make use of mobility services, you enter into a separate contractual relationship with the respective mobility provider, with our involvement. You determine which mobility services you want to use and which contract you want to enter into. We shall then transmit only that data required for the respective contract to the respective mobility provider, who shall in turn process this data at its own discretion for the purpose of processing the contract. You shall explicitly agree to the transfer of the required data for this process.
We currently work together with the following mobility service providers:
MOIA GmbH, Alexanderufer 5, 10117 Berlin
MOIA Operations Germany GmbH, Podbielskistraße 306, 30655 Hanover
Data for activation or changes made by you, e.g. first and last name, validated e-mail address, validated mobile phone number; data relating to a booking request, e.g. start and destination points
Payment service providers
In order to carry out the payment process and for the purpose of the sale and assignment of our claims against you, we shall transfer personal data to our payment service provider LogPay Financial Services GmbH, Schwalbacher Straße 72, 65760 Eschborn, Germany. In addition, we shall pass on personal data for the purpose of settling other claims (e.g. settlement of incurred damages) that have arisen from this booking/usage. Our payment service provider shall then process and save your personal data for the purpose of processing payments, for receivables management, assessing the permissibility of payment methods, and preventing payment defaults.
For more information about data processing by LogPay, please visit https://www.logpay.de/_docs/datenschutzinformationen_logpay_english.pdf
Service providers used
We use various service providers to process your personal data on our behalf. These have been carefully selected by us and process personal data exclusively in accordance with our stipulations and under our jurisdiction. In particular, these include the following service providers:
Hosting and operation:
Claranet GmbH, Hanauer Landstraße 196, 60314 Frankfurt am Main, Germany
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
DATAGROUP SE, Wilhelm-Schickard-Straße 7, 72124 Pliezhausen, Germany
Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, USA
sms4.de - mobile messaging e.K, Andre Probst, Theodor-Ott-Ring 34, 89182 Bernstadt, Germany
We have integrated an SDK (Software Developer Kit) of the map service Mapbox into the hvv switch app, in order to make use of the hvv switch app simpler and more reliable. The provider is Mapbox Inc. with headquarters at 740, 15th Street NW, Washington DC, 20005, USA. We must save your IP address in order for you to be able to use the functionality of Mapbox. In addition, information about your device and location data are also collected and temporarily saved. This information is usually transferred to a Mapbox server in the USA and may be processed there. We have no control over this data transfer. To learn more about data processing by Mapbox, please visit: https://www.mapbox.com/privacy/.
We have integrated an SDK (Software Developer Kit) from PayPal into the hvv switch app to offer you a simple method of payment with PayPal. The provider is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg. PayPal uses this SDK for risk management reasons to protect its services and its customers from fraud and abuse. With the help of the SDK, PayPal shall record and process your IP address, device information, technical usage data and location data. We have no control over this data transfer and processing. You can find more about PayPal’s data processing at https://www.paypal.com/al/webapps/mpp/ua/privacy-full?locale.x=en_AL
F. Which analysis tools do we use and why?
In order to optimise our marketing activities, we use the service provider Adjust (adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin) and have integrated its SDK (Software Developer Kit) into the hvv switch app. The anonymised data collected using Adjust provides us with information about, for example, the download of the hvv switch app, the online advertising channel via which the download was made, and the time the app was opened. You can learn more about data processing by Adjust by visiting www.adjust.com/privacy-policy/.
You actively decide whether you want to authorise the use of Adjust to optimise our marketing activities. We shall ask for your consent once when you launch the hvv switch app for the first time. You can also adjust your consent at any time in the privacy settings of the hvv switch app.
The use of this analysis tool takes place pursuant to Article 6 (1) (a) of the GDPR.
We have integrated an SDK (Software Developer Kit) by Google Firebase into the hvv switch app in order to better understand how our app is used and to improve our service. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The anonymised information collected via Google Firebase about the usage of our app provides us with information about the number of app visits in any given period, for example, and gives us access to information about particularly popular features, as well as the number of in-app purchases and the total number of users in a particular period. The data is transferred to Google in the USA and saved there for this purpose. You can find more about data processing by Google Firebase at https://www.firebase.com/terms/privacy-policy.html.
You actively decide whether you want to allow the use of Google Firebase to optimise our service. We shall ask for your consent once when you start the hvv switch app for the first time. You can also adjust your consent at any time in the privacy settings of the hvv switch app.
The use of this analysis tool takes place pursuant to Article 6 (1) (a) of the GDPR.
G. What rights do you have in relation to data protection?
The GDPR (General Data Protection Regulation) grants certain rights to “data subjects” whose personal data is processed by us. We would like to inform you about these here. You’re welcome to contact us as the body responsible for data protection, or our appointed Data Protection Officer, if you have any questions about this or any other questions about data protection relating to hvv switch. You will find our contact details under B. Who is responsible?
1. Access, erasure and rectification
You have the right to request information about your personal data saved by us at any time and free of charge. This shall include information about the purpose of the processing, the category of data used, its recipients and the planned duration of the data storage or, if this isn’t possible, the criteria for determining this duration. You also have the right to have the data erased and/or corrected, in particular if the data is incomplete or incorrect, if it is no longer necessary for the purpose for which it was originally recorded, or if you have withdrawn your consent to the processing of this data.
2. Right to withdraw consent
If the data processing is carried out with your consent, you can revoke this consent at any time. An informal notification by e-mail is sufficient for this purpose. The legality of the data processing carried out up to the point of withdrawal of consent shall remain unaffected by the revocation.
3. Right to object
If the data processing is carried out on the basis of a legal interest on our part, you have the right to object to the processing of your data. This requires that there are specific pertinent reasons arising from your particular situation (Article 21 (1) of the GDPR).
4. Right to restriction of processing
You have the right to request that the processing of your personal data be restricted. The right to limit processing shall be valid in the following cases:
- If you dispute the accuracy of your personal data that is saved with us. In most cases we shall require some time to verify this. For the duration of the review, you have the right to request that we limit the processing of your personal data.
- If the processing of your personal data is or has been unlawful, you can request that the data processing be restricted instead of requesting for your data to be erased.
- If we no longer require your personal data, but need it to exercise, defend or assert legal claims, you have the right to demand restriction of the processing of your personal data instead of the erasure of this data.
- If you have lodged an objection under Article 21(1) of the GDPR, a balance must be struck between your interests and our interests. If it hasn’t yet been established whose interests outweigh the interests of the other party, you have the right to demand that the processing of your personal data be restricted.
5. Right to data portability
You have the right to have data that we process automatically on the basis of your consent or for the performance of a contract handed over to you or to a third party in a structured, standardised and machine-readable format. If you request the direct transfer of the data to another responsible body, this shall only be done insofar as it is technically feasible.
6. Right to lodge a complaint with a supervisory authority
In the event of any breaches of the GDPR, you shall have a right to complain to a supervisory authority. This right to lodge a complaint is without prejudice to other administrative or judicial bodies. In Hamburg, the official data protection officer can be contacted at: The Hamburg Commissioner for Data Protection and Freedom of Information, Ludwig-Erhard-Str. 22, 20459 Hamburg.