Who is responsible for data processing and who can I contact?
Responsible Body (“Data Controller”):
Hamburger Hochbahn AG
Phone: +49 (40) 3288-0
You can contact our company’s Data Protection Officer at:
Hamburger Hochbahn AG
Data Protection Officer
Phone: +49 (40) 3288-2316
You can contact the official Hamburg data protection authorities at:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22, 7.OG
The Data Controller is the natural person or legal entity who, either alone or together with others, determines the purposes and means of the processing of personal data (e.g. names, e-mail addresses, etc.).
Which data do we process?
We process personal data that we receive from you within the scope of our business relationship. We also process personal data insofar as this is necessary for the provision of our services, which we receive permissibly from other companies in the “Hamburger Verkehrsverbund HVV” or from other third parties. In addition to contractual data, we process your communication data, which we obtain via your contact with us (e.g. contact form). Moreover, we process your personal data as required in connection with the hvv switch app.
Specifically, we process the following data:
- Contractual data (depending on the product and service, this includes name, address details, date of birth, phone number, e-mail address, bank details, billing and payment data, photo)
- Communication data (name, address, e-mail address, possibly phone number/mobile number)
- Correspondence (e.g. written correspondence with you)
- Advertising and sales data (e.g. for products that are potentially of interest to you)
For what purpose(s) do we process your data and on what legal basis?
In the following, we will inform you about why and on what legal basis we process your data.
- For the fulfilment of contractual obligations (Article 6 (1) (b) of the GDPR). The processing of your personal data is carried out for the performance of contracts with you, as well as for pre-contractual measures.
- For the balancing of interests (Article 6 (1) (f) of the GDPR)
We also process your data, if necessary, to protect the legitimate interests of us or third parties. This is carried out, for example, for the following purposes:
- Ensuring IT security and IT operations
- Advertising or market and opinion research, unless you have opted out of your data being used for this
- Assertion of legal claims and defence in legal disputes
- Consultations and data exchange with credit agencies (e.g. “Schufa”) to determine creditworthiness and default risks
- Video surveillance for the determent, prevention and investigation of criminal offences, the improvement of passengers’ sense of security and the reduction of damage from vandalism.
- In connection with the processing of customer enquiries, complaints, etc.
3. On the basis of your consent (Article 6 (1) (a) of the GDPR)
If you have given us consent to process your personal data for specific purposes, the lawfulness of the processing is given on the basis of this consent. Your consent can be revoked at any time. This shall also apply to any consent given prior to the GDPR coming into force, i.e. before 25 May 2018. Please note that the revocation will only take effect from the date of revocation onwards.
4. On the basis of legal requirements (Article 6 (1) (c) of the GDPR)
We also process your data in order to fulfil legal obligations, e.g. to verify commercial or tax retention periods. The German Commercial Code (“Handelsgesetzbuch”) and German Tax Code (“Abgabenordnung”), for example, should be given particular mention here.
Who will receive access to your data?
Those employees and departments within Hamburger Hochbahn AG (HOCHBAHN) that require your data to fulfil the purposes and legal bases stated above will obtain access to that data. All relevant employees are obliged to comply with data protection regulations. Contract processors employed by us may also receive data for these purposes. These may be, for example, companies in the categories IT services, financial service providers, corruption prevention, document processing, archiving, file disposal, collection, consulting, marketing and sales, creation and distribution of customer tickets, implementation of data analyses for the purpose of demand and/or supply analysis, further optimisation of HVV transport services, or printing services. These contract processors are obliged, within the framework of separate contracts, to confirm and comply with all measures required under data protection law.
How long will your data be saved for?
As your contractual partner, HOCHBAHN processes and saves your personal data only for as long as it is necessary for the fulfilment of the contractual and legal obligations. It should be noted here that our business relationship on a subscription basis is an ongoing obligation that usually lasts for several years. If the data is no longer required for the fulfilment of contractual or legal obligations, it will be deleted on a regular basis, unless any (temporary) further processing is required for the following purposes:
- Fulfilment of commercial or tax retention periods: The German Commercial Code (“Handelsgesetzbuch”) and German Tax Code (“Abgabenordnung”) are noteworthy examples here. The retention and documentation periods stipulated in these regulations are up to 10 years.
- Preservation of evidence within the scope of the statute of limitations: According to Clauses 195 ff. of the German Civil Code (BGB), these periods of limitation are generally 3 years, but can also be up to 30 years in individual cases.
Will data be transferred to any third country or to an international organisation?
We will only transfer your data to countries outside the EU or EEA (so-called “third countries”) if this is required by law or if you have given us your consent to do this. This is not currently the case.
What data protection rights do I have?
Every data subject has the right of access pursuant to Article 15 of the GDPR, the right of rectification pursuant to Article 16 of the GDPR, the right to erasure pursuant to Article 17 of the GDPR, the right to restriction of processing pursuant to Article 18 of the GDPR and the right to data portability pursuant to Article 20 of the GDPR. Furthermore, you have the right to lodge a complaint with a data protection supervisory authority. (Article 77 of the GDPR as per Clause 19 of the German Federal Data Protection Act (BDSG))
To what extent is there automated decision-making in individual cases?
Generally speaking, we do not use fully automated decision-making pursuant with Article 22 of the GDPR to establish and conduct a business relationship. Where we use these procedures in individual cases, we will inform you separately if this is required by law.
Will my data be used for profiling purposes?
We do not make use of automated processing to make any decision about the establishment and execution of a contractual relationship or a business relationship.
Information about your rights of objection
Right of objection in individual cases
You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you on the basis of Article 6 (1) (f) of the GDPR (data processing based on a balancing of interests). If you file an objection, your personal data will no longer be processed unless we can prove compelling legitimate reasons for processing that outweigh your interests, rights and freedoms or the processing serves the assertion, exercise or defence of legal claims.
Right to object to the processing of data for direct advertising purposes
In individual cases we process your personal data in order to implement direct advertising. You have the right at any time to object to the processing of your personal data for the purpose of such advertising.
If you send us an enquiry or request using the contact form, your data including the contact details you entered in the form will be stored by us for the purpose of processing your enquiry or request, and in case of any follow-up questions. We will not pass this data on without your consent. This data is processed in accordance with Article 6 (1) (b) of the GDPR, insofar as your enquiry is connected with the fulfilment of a contract or is required for the implementation of pre-contractual measures.
In all other cases the data processing is based on our legitimate interest to effective process enquiries and/or requests addressed to us (Article 6 (1) (f) of the GDPR) or subject to your consent (Article 6 (1) (a) of the GDPR) provided it has been requested. The data entered by you in the contact form will be stored by us until you request us to delete it, or you revoke your consent for storage, or the purpose for which the data is stored ceases to apply (e.g. once your enquiry has been processed). Mandatory legal provisions – and in particular retention periods – shall remain unaffected here.
Cookie Consent with OneTrust
Our website uses OneTrust’s cookie consent technology to obtain your consent to have certain cookies stored on your end device and to document this consent in a manner that complies with data protection regulations.
The provider of this technology is OneTrust LLC with headquarters in the UK and the USA: Cannon Green, 27 Bush Lane, London EC4R 0AA, United Kingdom 1350 Spring Street NW, Suite 500, Atlanta, Georgia 30309, USA
OneTrust is used to store the cookie settings for the entire website. OneTrust stores information about the categories of cookies used by the website and whether users have given or revoked their consent to use each category. This allows us to prevent cookies from being set in each category in the user’s browser if consent is not given.
Use of analysis tools
Our website uses the web analytics service provider Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses so-called “cookies”. These are text files that are stored on your computer and enable an analysis of how you use the website. The information generated by the cookie about a user’s use of the website is generally transmitted to and saved by Google on servers in the United States.
Google Analytics cookies are saved and this analysis tool is used on the basis of Article 6 (1) (f) of the GDPR. HOCHBAHN as a website operator has a legitimate interest in analysing user behaviour with a view to optimising both its website and advertising. If consent has been requested (e.g. consent to save cookies), processing will be carried out solely on the basis of Article 6 (1) (a) of the GDPR. Consent may be revoked at any time.
The IP anonymisation function is enabled on this website. This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to a Google server in the USA. Only in exceptional cases is the full IP address transmitted to the USA and shortened there.
Google will use this information on behalf of the operator of this website to evaluate your use of the website, to compile reports on website activities and to provide other services associated with the use of this website and the Internet. The IP address transmitted by the user’s browser will not be merged or combined with other Google data.
More information about how Google Analytics treats user data can be found under Google data privacy and security.
We have closed a contract with Google regarding the processing of orders and operate in full compliance with the strict stipulations of the German data protection authorities when using Google Analytics.
Demographic features of Google Analytics
This website uses the “demographic features” function of Google Analytics. This allows us to generate reports that contain information about the age, gender and interests of website visitors. This data is sourced from interest-related advertising by Google and visitor data from third-party providers. This information cannot be associated with any specific individual. You may opt out of this feature at any time using the ad preferences in your Google Account or opt out of having your information collected by Google Analytics in general under the option “Objection to data collection”.
User-level and event-level data stored by Google that is linked to cookies, user IDs or advertising IDs (e.g. DoubleClick cookies, Android advertising IDs) is either anonymised or deleted after 24 months. More details about this can be found here.
This website uses Google Ads, an analysis service provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland, as well as conversion tracking as part of Google Ads. For this purpose, Google AdWords places a conversion tracking cookie on your computer’s hard drive (so-called “conversion cookie”) whenever you click on an ad placed by Google. These cookies become invalid after 30 days and are not used for personal identification.
If you visit certain pages on our website, Google may recognise that you clicked on the ad and were directed to that page. The information obtained with the help of conversion cookies is used to generate statistics for Google Ads customers who use conversion tracking. These statistics tell us the total number of users who have clicked on the Google ad and visited a page with a conversion tracking tag. In addition to conversion tracking, we also make use of the following functions:
- Audiences with common interests
- User-defined audiences with common interests
- Custom-intent audiences
- Similar audiences
- Audiences based on demographics and geographical location
We use Google’s remarketing function to reach users who have already visited our website. This enables us to present our advertising to target groups, or audiences, who have already shown an interest in our products or services. Google Ads also utilises Google’s Display Network to measure user behaviour over the past 30 days and the contextual search engine to determine which common interests and characteristics users of our website share.
The saving of “conversion cookies” and the use of this tracking tool are based on Article 6 (1) (f) of the GDPR. HOCHBAHN has a legitimate interest in analysing user behaviour with a view to optimising both its website and its advertising.
In order to optimise our marketing activities, we use the service provider Adjust (adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin) and have integrated its SDK (Software Developer Kit) into the hvv switch app. The anonymised data collected using Adjust provides us with information about, for example, the download of the hvv switch app, the online advertising channel via which the download was made, and the time the app was opened. You can learn more about data processing by Adjust by visiting www.adjust.com/privacy-policy/.
You actively decide whether you want to authorise the use of Adjust to optimise our marketing activities. We shall ask for your consent once when you launch the hvv switch app for the first time. You can also adjust your consent at any time in the privacy settings of the hvv switch app.
Here you can access the App Store as well as the Play Store without being forwarded there via Adjust:
The use of this analysis tool takes place pursuant to Article 6 (1) (a) of the GDPR.
We have integrated an SDK (Software Developer Kit) by Google Firebase into the hvv switch app in order to better understand how our app is used and to improve our service. The provider is Google Inc, 1600 Amphitheatre Party, Mountain View, CA 94043, USA. The anonymised information collected via Google Firebase about the usage of our app provides us with information about the number of app visits in any given period, for example, and gives us access to information about particularly popular features, as well as the number of in-app purchases and the total number of users in a particular period. The data is transferred to Google in the USA and saved there for this purpose. You can find more about data processing by Google Firebase at https://www.firebase.com/terms/privacy-policy.html.
You actively decide whether you want to allow the use of Google Firebase to optimise our service. We shall ask for your consent once when you start the hvv switch app for the first time. You can also adjust your consent at any time in the privacy settings of the hvv switch app
The use of this analysis tool takes place pursuant to Article 6 (1) (a) of the GDPR.
We use “Google reCAPTCHA” (referred to hereinafter as “reCAPTCHA”) on our websites. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. The purpose of reCAPTCHA is to verify whether the data on our websites (e.g. in a contact form) has been entered by an actual person or by an automated program. To this end, reCAPTCHA analyses the behaviour of the website visitor on the basis of various characteristics. This analysis begins automatically as soon as the website visitor “enters” our website. The analysis process involves reCAPTCHA evaluating various items of information (e.g. IP address, duration of the visit to our website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.
The reCAPTCHA analyses run entirely in the background. Website visitors are not notified that an analysis is being carried out. Data processing carried out is pursuant to Article 6 (1) (f) of the GDPR. We have a legitimate interest in protecting our online offerings from improper, automated spying. You will find more information about Google reCAPTCHA here.
Last updated: March 2020