Privacy policy | Hamburg | hvv switch

Data Privacy

We, Hamburger Hochbahn AG (HOCHBAHN), as the operator of the hvv switch mobility service, take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations.

When you use this website, the hvv switch app or our social media sites, various personal data is collected. Personal data is data with which you can be personally identified.

This privacy policy informs you about which data is processed for which purposes when you use the hvv-switch.de website or our social media sites. Furthermore, you will receive information on the storage period of the data, on the transfer to third parties and on the rights to which you are entitled.

You can find the privacy policy of the hvv switch app here. Further information on data protection at HOCHBAHN can be found here.

A. Responsible body and data protection officer

Responsible body

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, e-mail addresses, etc.).

The responsible body in the sense of data protection law for hvv switch is:

Hamburger Hochbahn AG
Distribution and Transport Economics Department
Steinstr. 20
20095 Hamburg

Phone: +49 40 3288-6363
E-mail: info@hvv-switch.de

Data Protection Officer

We have appointed a data protection officer; you can contact him as follows:

Hamburger Hochbahn AG
Data Protection Unit
Steinstr. 20
20095 Hamburg

E-mail: datenschutzbeauftragter@hochbahn.de

B. Registration for hvv switch

When you register for hvv switch, you are setting up your login details (e-mail address and password). We process this personal data in the context of setting up your user account. Your user account is the prerequisite for you to be able to use mobility services in the hvv switch app (by means of corresponding activations).

The data processing for registration is based on Art. 6 para. 1 lit. b GDPR.

If you use the identification function of hvv switch to access further offers in the hvv, such as hvv Plus, the advantage programme of Hamburger Verkehrsverbund GmbH, our data processing also includes what is necessary to enable these functions. This means that in such a case we pass on your data from the hvv switch account to the Hamburger Verkehrsverbund GmbH or the transport company in the hvv that offers the service requested by you as the responsible body under data protection law. Conversely, we receive data from this company to the extent necessary to enable you to access the service you have requested. You can find out which company this is in each case in the separate data protection notices for the individual offers.

It is important to note that although you have full access to the data generated by the use of the further offers of transport companies with your hvv switch login, we as HOCHBAHN do not. If you decide to use an offer for which you need an hvv switch account, only the corresponding authorisation or an ID is stored in our database, which allows you to "cross over" to the connected system. HOCHBAHN does not have access to the connected system and does not gain knowledge of the data processed there.

As part of providing the identification function, we also record certain usage parameters such as a history of log-ins. This enables us to help users who have problems with their customer account to solve the problem.

C. Use of our website hvv-switch.de

C.1 Hosting

We host the content of our website with Host Europe. The provider is Host Europe GmbH, Hansestraße 111, 51149 Cologne (hereinafter Host Europe). When you visit our website, Host Europe collects various log files including your IP addresses. Details can be found in the Host Europe privacy policy:
https://www.hosteurope.de/en/terms-and-conditions/privacy/ .

The use of Host Europe is based on Art. 6 para. 1 lit. f Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR). We have a legitimate interest in the most reliable presentation of our website. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 Telecommunications Telemedia Data Protection Act (TTDSG), insofar as the consent includes the storage of cookies or access to information in the end device of the user (e.g. for device fingerprinting) as defined by the TTDSG. The consent can be revoked at any time.

C.2 Data collection on this website

C.2.1 Use of cookies

We use so-called "cookies". Cookies are small data packages that are temporarily stored on your terminal device when you visit this website. They contain, for example, information about the language, page settings, your e-mail address and your name (when you log in).

Cookies have various functions. Many cookies are technically necessary, as certain website functions are not available without them (e.g. the shopping cart function or the display of videos). Other cookies are used to evaluate the behaviour of users or to display advertising.

Cookies are stored either temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your terminal device. Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or until they are automatically deleted by your web browser.

In some cases, cookies from third-party companies may also be stored on your terminal device when you visit our site (third-party cookies). These enable us and you to use certain services of the third-party company (e.g. cookies for processing payment services).

Cookies that are necessary to carry out the electronic communication process, to provide certain functions that you have requested (e.g. for the shopping cart function) or to optimise the website (e.g. cookies to measure the web audience) (necessary cookies) are stored on the basis of Art. 6 para. 1 lit. f GDPR, unless another legal basis is specified.

We have a legitimate interest in storing necessary cookies for the technically error-free and optimised provision of our services. If consent to the storage of cookies and comparable recognition technologies has been requested, the processing is carried out exclusively on the basis of this consent (Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG); the consent can be revoked at any time.

You can set your browser so that you are informed when cookies are set. In this way, you can allow cookies in individual cases or for certain cases, or generally exclude them, as well as activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of this website may be limited.

If cookies are used by third-party companies or for analysis purposes, we will inform you about this separately within the framework of this data protection declaration and, if necessary, request your consent.

Here you can edit your cookie settings.

C.2.2 Cookie consent with OneTrust

Our website uses the cookie consent technology of OneTrust to obtain your consent to the storage of certain cookies on your terminal device and to document this in accordance with data protection regulations.

The provider of this technology is OneTrust Technology Limited, 82 St John St, Farringdon, London EC1M 4JN, United Kingdom.

OneTrust is used to store cookie settings for the entire website. OneTrust stores information about the categories of cookies used by the website and whether users have given or revoked consent to the use of each category. This allows us to prevent cookies in each category from being set in the user's browser if consent is not given.

OneTrust uses cookies for information storage, which have a normal lifetime of one year, so that the preferences of returning visitors are stored. Details of OneTrust's data processing can be found at:
https://www.onetrust.com/privacy/.

OneTrust's cookie consent technology is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.

C.2.3 Server log files

Our provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

  • Browser type and browser version,

  • Operating system used,

  • Referrer URL,

  • Host name of the accessing computer,

  • Time of the server request,

  • IP address.

This data is not merged with other data sources.

The collection of this data is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the technically error-free presentation and optimisation of our website - for this purpose, the server log files must be collected.

C.2.4 Contact form

If you send us enquiries via the contact form, your details from the enquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the enquiry and in the event of follow-up questions. We do not pass on this data without your consent.

The processing of this data is based on Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 para. 1 lit. GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR), if this has been requested. Consent can be revoked at any time.

The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after processing your enquiry has been completed). Mandatory legal provisions - in particular retention periods - remain unaffected.

C.2.5 Form for reporting parking offences, soiling and damage at hvv switch points

If you use the report form to send us information about parking offences at hvv switch points, your details, including your first name, surname and email address, will be recorded for the purpose of reporting and processing the parking offence. This data is not stored by HOCHBAHN, but is forwarded to our car park monitoring service provider (PRS Parkraum Service GmbH, Kirchplatz 7, 58739 Wickede (Ruhr), Germany; hereinafter referred to as PRS for short) and processed there when the form is sent. Information on data protection and the handling of your personal data at PRS can be found in their privacy policy.

If you send us information about soiling or damage on hvv switch points, you have the option of providing your name and e-mail address. This information is voluntary. This data is processed by HOCHBAHN. The data you provide will only be used to process your report. If you have provided your name and e-mail address, this information will be deleted immediately after the necessary measures to remove the soiling or repair the damage have been completed. If you decide to report anonymously, no personal data will be stored.

In principle, reporting via the forms and providing your personal data is voluntary. We base the processing on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in eliminating contractual disruptions (parking offences) as well as soiling and damage at hvv switch points and providing the available car sharing parking spaces to our hvv switch customers in the best possible condition. Due to the voluntary nature of your report, we see no legitimate interest on your part that conflicts with or outweighs our legitimate interest.

C.3 Plugins and tools

C.3.1 YouTube with enhanced data protection

This website embeds videos from the website YouTube. The operator of the pages is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

We use YouTube in extended data protection mode. According to YouTube, this mode ensures that YouTube does not store any information about visitors to this website before they watch the video. However, the disclosure of data to YouTube partners is not necessarily excluded by the extended data protection mode. Thus, YouTube establishes a connection to the Google DoubleClick network - regardless of whether you watch a video.

As soon as you start a YouTube video on this website, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, YouTube enables you to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account.

Furthermore, YouTube may store various cookies on your end device after starting a video or use comparable recognition technologies (e.g. device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to collect video statistics, improve the user experience and prevent fraud attempts.

If applicable, further data processing operations may be triggered after the start of a YouTube video over which we have no control.

YouTube is used in the interest of an appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the end device of the user (e.g. device fingerprinting) within the meaning of the TTDSG. The consent can be revoked at any time.

For more information about YouTube's privacy policy, please visit their privacy policy at: https://policies.google.com/privacy?hl=en.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.

C.3.2 Google Maps

This site uses the map service Google Maps. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

To use the functions of Google Maps, it is necessary to save your IP address. This information is usually transferred to a Google server in the USA and stored there. We have no influence on this data transmission. If Google Maps is activated, Google may use Google Fonts for the purpose of uniform display of fonts. When you call up Google Maps, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly.

Google Maps is used in the interest of an appealing presentation of our online offers and easy location of the places we indicate on the website. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Insofar as a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the end device of the user (e.g. device fingerprinting) within the meaning of the TTDSG. The consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://privacy.google.com/businesses/gdprcontrollerterms/ and here:
https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.

You can find more information on the handling of user data in Google's privacy policy:
https://policies.google.com/privacy?hl=en.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.

C.3.3 Spotify

On this website, functions of the music service Spotify are integrated. The provider is Spotify AB, Birger Jarlsgatan 61, 113 56 Stockholm in Sweden. You can recognise the Spotify plugins by the logo on this website. You can find an overview of the Spotify plugins at:
https://developer.spotify.com.

By integrating Spotify, a direct connection between your browser and the Spotify server can be established via the plugin when you visit this website. Spotify thereby receives the information that you have visited this website with your IP address. If you click on the Spotify button while logged into your Spotify account, you can link the content of this website to your Spotify profile. This allows Spotify to associate your visit to this website with your account.

We would like to point out that cookies from Google Analytics are used when using Spotify, so that your usage data can also be passed on to Google when using Spotify. Google Analytics is a tool of the Google Group based in the USA for analysing usage behaviour. Spotify is solely responsible for this integration. We, as the website operator, have no influence on this processing.

The storage and analysis of the data is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the appealing acoustic design of our website. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the end device of the user (e.g. device fingerprinting) as defined by the TTDSG. The consent can be revoked at any time.

For more information, please see Spotify's privacy policy:
https://www.spotify.com/us/legal/privacy-policy/.

If you do not want Spotify to associate your visit to this website with your Spotify user account, please log out of your Spotify user account.

C.4 Analysis tools and advertising

C.4.1 Google Analytics

We use functions of the web analysis service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables us to analyse the behaviour of website visitors. In doing so, we receive various data from users, such as page views, duration of visit, operating systems used and the origin of the user. This data is assigned to the respective end device of the user. An assignment to a user ID does not take place.

Furthermore, Google Analytics allows us to record your mouse and scroll movements and clicks, among other things. Furthermore, Google Analytics uses various modelling approaches to supplement the data records collected and employs machine learning technologies in the data analysis.

Google Analytics uses technologies that enable the recognition of users for the purpose of analysing usage behaviour (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is generally transferred to a Google server in the USA and stored there.

The use of this service is based on your consent according to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. This consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://privacy.google.com/businesses/controllerterms/mccs/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.

Browser plugin

You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link:
https://tools.google.com/dlpage/gaoptout?hl=en.

You can find more information on how Google Analytics handles user data in Google's privacy policy:
https://support.google.com/analytics/answer/6004245?hl=en.

Google Signals

We use Google Signals. When you visit our website, Google Analytics collects, among other things, your location, search history and YouTube history, as well as demographic data (data from visitors). This data can be used for personalised advertising through Google Signals. If you have a Google Account, the visitor data from Google Signals will be linked to your Google Account and used for personalised advertising messages. The data is also used to compile anonymised statistics on the usage behaviour of our visitors.

Order processing

We have concluded an order processing contract with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.

C.4.2 Google Ads

We use Google Ads. Google Ads is an online advertising programme of Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads enables us to display advertisements in the Google search engine or on third-party websites when the user enters certain search terms on Google (keyword targeting). Furthermore, targeted advertisements can be displayed based on the user's data available at Google (e.g. location data and interests) (target group targeting). As a website operator, we can evaluate this data quantitatively by analysing, for example, which search terms led to the display of our advertisements and how many advertisements resulted in corresponding clicks.

The use of this service is based on your consent according to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. This consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://policies.google.com/privacy/frameworks and here:
https://privacy.google.com/businesses/controllerterms/mccs/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.

C.4.3 Adjust

In order to optimise our marketing activities, we use the service provider Adjust (Adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin). The purpose of the data processing with Adjust is to analyse the usage behaviour and the way in which the user arrived at the hvv switch app. The usage analyses are evaluated and used to optimise user communication. In the process, data is collected in the measurement and processed pseudonymously. The data is determined by Adjust using various methods. These include the use of advertising IDs, device IDs as well as Adjust reftags and the so-called "hashed fingerprint" (use of publicly accessible device statistics). The data collected via Adjust informs, for example, about the download of the hvv switch App, the online advertising channel through which the download was generated, as well as the time at which the hvv switch App was opened.

The analysis by Adjust helps us to constantly improve communication and to adapt it to your needs. Further information on data processing by Adjust can be found at https://www.adjust.com/privacy-policy/.

The use of this service is based on your consent according to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. This consent can be revoked at any time.

Here you can access the App Store and the Play Store without being redirected via Adjust:

App Store (Apple)
Google Play Store

C.4.4 Google Looker Studio

We use Google Looker Studio - a software of Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Google Looker Studio is used to manage and visualise data from the aforementioned analysis tools. We can only analyse data in Google Looker Studio if you have allowed the use of the respective tool.

We use Google Looker Studio for marketing and optimisation purposes, in particular to analyse the use of our website and to continuously improve individual functions and offers as well as the user experience. The statistical evaluation of user behaviour enables us to improve our offer and make it more interesting for you as a user.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. This consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:

https://privacy.google.com/businesses/gdprcontrollerterms/ and here:
https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.

D. hvv switch in social networks

We maintain publicly accessible profiles on social networks.

This section of the privacy notice applies to the following social media sites where we provide information about hvv switch:

Detailed information on the social networks we use can be found below.

D.1 Data processing by social networks

Social networks can generally comprehensively analyse your usage behaviour when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). Visiting our social media sites triggers numerous data protection-related processing operations, which are described below.

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your account. Under certain circumstances, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data collection takes place, for example, via cookies that are stored on your end device or by recording your IP address.

With the help of the data collected in this way, the operators of the social media portals can create profiles of the users in which the preferences and interests are stored. In this way, you can be shown interest-based advertising within and outside the respective social media presence. If you have an account with the respective social network, you may be shown interest-based advertising on all devices on which you are or were logged in.

Please note that we are not able to track all processing procedures on the social media portals. Depending on the provider, further processing procedures may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and data protection regulations of the respective social media portals.

D.1.1 Legal basis

Our social media presences are intended to ensure the most comprehensive presence possible on the internet. This is a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. The analysis processes initiated by the social networks may be based on different legal grounds, which must be stated by the operators of the social networks (e.g. consent within the meaning of Art. 6 para. 1 lit. a GDPR).

D.1.2 Responsible parties and assertion of rights

If you visit one of our social media sites (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. In principle, you can assert your rights (information, correction, deletion, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal (e.g. Facebook).

Please note that despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing procedures of the social media portals. Our options are largely determined by the corporate policy of the respective provider.

You have the right to receive information about the origin, recipient and purpose of your stored personal data free of charge at any time. You also have the right to object, to data portability and the right to complain to the competent supervisory authority. Furthermore, you can demand the correction, blocking, deletion and, under certain circumstances, the restriction of the processing of your personal data.

D.1.3 Storage period

The data collected directly by us via the social media presence will be deleted from our systems as soon as you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies. Stored cookies remain on your end device until you delete them. Mandatory legal provisions - in particular retention periods - remain unaffected.

We have no influence on the storage period of your data, which is stored by the operators of the social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their privacy policy, see the following section).

D.2 Social networks in detail

D.2.1 Facebook

As part of a joint responsibility, we operate a profile with the name "hvv" on Facebook together with Hamburger Verkehrsverbund GmbH, S-Bahn Hamburg GmbH and Verkehrsbetriebe Hamburg-Holstein GmbH. We also operate the "hvv switch" profile under our own responsibility. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter Meta). According to Meta, the collected data is also transferred to the USA and other third countries.

We have entered into a joint processing agreement (Controller Addendum) with Meta. This agreement defines the data processing operations for which we or Meta are responsible when you visit our Facebook page. You can view this agreement at the following link:
https://www.facebook.com/legal/terms/page_controller_addendum.

You can adjust your advertising settings yourself in your user account. Click on the following link and log in:
https://www.facebook.com/settings?tab=ads.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://www.facebook.com/legal/EU_data_transfer_addendum and https://www.facebook.com/help/566994660333381?cms_id=566994660333381.

For details, please refer to Facebook's privacy policy:
https://www.facebook.com/about/privacy/.

The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active.

D.2.3 Instagram

We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://www.facebook.com/legal/EU_data_transfer_addendum, https://help.instagram.com/519522125107875 and
https://www.facebook.com/help/566994660333381?cms_id=566994660333381.

For details, please see Instagram's privacy policy:
https://help.instagram.com/519522125107875.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active.

D.2.4 YouTube

We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

For details, please refer to YouTube's privacy policy:
https://policies.google.com/privacy?hl=en.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.

E. Enquiries to the customer service

If you contact us by e-mail, telephone or fax, your enquiry including all personal data resulting from it (name, enquiry) will be stored and processed by us for the purpose of processing your request. We do not pass on this data without your consent.

The processing of this data is based on Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR), if this has been requested; the consent can be revoked at any time.

The data you send us by contact request will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after your request has been processed). Mandatory legal provisions - in particular legal retention periods - remain unaffected.

F. Storage period

Unless a specific retention period has been specified within this privacy policy, your personal data will remain with us until the purpose for processing the data no longer applies. If you assert a justified request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. retention periods under tax or commercial law). If there are legally permissible reasons, the data will be deleted once these reasons no longer apply.

G. Data protection rights

The GDPR grants data subjects whose personal data is processed by us certain rights, which we would like to inform you about here. For this purpose, as well as for further questions regarding data protection at hvv switch, you are welcome to contact us as the data controller or our data protection officer. You can find the contact details in section A.

G.1 Information, deletion and correction

You have the right to request information about your personal data stored by us free of charge at any time. This includes information about the purpose of processing, the category of data used, its recipients and the planned duration of data storage or the criteria for determining this duration. Furthermore, you have the right to have the data deleted and/or corrected, in particular if the data is incomplete or incorrect, if it is no longer necessary for the purpose for which it was collected, or if you have withdrawn your consent to the processing.

G.2 Revocation of consent

Insofar as data processing is carried out with your consent, you can revoke this consent at any time. An informal communication by e-mail is sufficient for this purpose. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation.

G.3 Right of objection

If the data processing is based on a legitimate interest on our part, you have the right to object to the data processing. The prerequisite for this are reasons arising from your particular situation (Art. 21 para. 1 GDPR).

G.4 Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. The right to restriction of processing exists in the following cases:

  • If you dispute the accuracy of your personal data held by us, we will usually need time to verify this.

  • For the duration of the review, you have the right to request the restriction of the processing of your personal data.

  • If the processing of your personal data has been or is being carried out unlawfully, you can request the restriction of data processing instead of erasure.

  • If we no longer need your personal data but require it to exercise, defend or enforce legal claims, you have the right to request restriction of the processing of your personal data instead of deletion.

  • If you have lodged an objection in accordance with Article 21 para. 1 of the GDPR, we must weigh up your interests against ours. As long as it has not yet been determined whose interests prevail, you have the right to demand the restriction of the processing of your personal data.

G.5 Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to a third party in a structured, common and machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as this is technically feasible.

G.6 Right of appeal to a supervisory authority

If you believe that we are in breach of data protection law, you have the right to complain to a supervisory authority. The right of appeal is without prejudice to other administrative or judicial remedies. In Hamburg, you can reach the responsible supervisory authority at: Der Hamburger Beauftragte für Datenschutz und Informationsfreiheit (The Hamburg Commissioner for Data Protection and Freedom of Information), Ludwig-Erhard-Str. 22, 20459 Hamburg, e-mail: mailbox@datenschutz.hamburg.de.

Status: November 2023