A. Why is data protection important?
We, Hamburger Hochbahn AG, are grateful for your interest in hvv switch. Through the hvv switch app, hvv switch enables you to make use of a number of different mobility services in Hamburg using just one single app, without having to register separately with each individual mobility provider. The long-term goal of hvv switch is to create a simple and reliable alternative to private car use with the hvv switch app and its integrated mobility services.
Protecting your privacy is very important to us. Your personal data will only ever be processed in accordance with data protection regulations. You can learn more about the purpose and legal basis of all respective data processing under C. Purpose and legal basis of processing.
B. Who is responsible?
Hamburger Hochbahn AG, sales and transportation division, Steinstrasse 20, 20095 Hamburg, Germany, is responsible for the processing of your personal data in relation to your use of the hvv switch app. With regard to the processing of a mobility service booked by you using the hvv switch app, the respective mobility provider will also be responsible for processing your personal data. You can find out more about this under E. Will data be passed on to third parties?
If you have general questions about hvv switch, please contact firstname.lastname@example.org.
C. Purpose and legal basis of the processing
In the following we provide you with an overview of the purpose and legal basis for any processing of your personal data. A more detailed description of the processing of your personal data and the respective purpose of this processing can be found under D. Which personal data is processed for which specific purpose?
Provision of services
First and foremost, we process your data in order to be able to carry out and invoice the services you have used. This includes, for example, the creation of your user account ("hvv switch profile") as well as the information, booking and use of mobility services. For the booking and use of mobility services, you enter into a separate contractual relationship with the respective mobility provider with our participation. We transmit the data required for the respective contract to the corresponding mobility provider, who processes this data on his own responsibility for the purpose of processing the contract. In addition, we transmit personal data to our payment service provider for the payment process and to our validation service provider in the event of a required driving licence validation. The legal basis for the data processing is the necessity for the fulfilment of the contract with (Art. 6 para. 1 lit. b DSGVO) or the protection of legitimate interests (Art. 6 para. 1 lit. f DSGVO).
We process your personal data if and insofar as this is necessary for the fulfilment of legal obligations (e.g. tax retention obligations) (Art. 6 para. 1 lit. c DSGVO).
Enforcement of legal claims
Furthermore, we process your personal data if this is necessary to enforce claims or other legal claims. The legal basis for data processing in these cases is the necessity for the performance of the contract with HOCHBAHN (Art. 6 para. 1 lit.b GDPR) or the protection of legitimate interests (Art. 6 para. 1 lit. f GDPR).
Security of systems, prevention of criminal offences
Another purpose of processing is to ensure the security of our systems and, for instance, to prevent and detect any instances of fraud and other criminal offences. The legal basis for data processing here is the preservation of legitimate interests by HOCHBAHN (Article 6.1 (f) of the GDPR).
Improvement of our services
We are constantly improving our services. We use anonymised data for this purpose. The legal basis for data processing is the preservation of legitimate interests by HOCHBAHN (Article 6.1 (f) of the GDPR).
D. Which personal data is processed for which specific purpose?
1. Informational use
If you use the hvv switch app for informational purposes, i.e. you have not registered, we only process personal data that is necessary for us to enable you to use the hvv switch app. This includes, for example, the device identification number (DeviceID for Android, IDFA for iOS), language and version of the app, operating system and the date and time of the request. These automatically collected personal data are processed by us in order to be able to ensure a functional, stable hvv switch app, to enable optimisation of the hvv switch app (e.g. through corresponding adaptations of the app for your mobile end device) and also to ensure the security of our information technology systems.
The data processing for informational use is based on Art. 6 Para. 1 lit. f DSGVO).
2. Location data & location tracking
When you request a mobility service via the hvv switch app, e.g. select an hvv ticket, a MOIA ride, a car sharing service (e.g. SIXT share) or an e-scooter, we use the location data contained in the request (e.g. your current location, start stop, start and destination) in order to issue you a valid hvv ticket or to show you booking options for MOIA or to show you available car sharing vehicles or e-scooters in your area and the route to the respective vehicle. In addition, we use this information without establishing a personal connection in order to better adapt the offers in the hvv switch app to the demand.
In order to offer you the easiest possible user experience with the hvv switch app, we recommend that you activate the location detection for the hvv switch app. This requires that you allow the hvv switch app to access location services through the operating system of the mobile device you are using and its authorisation system. In this context, we then only record the location determined by your device, provided that the hvv switch app is open. If location tracking is active, this is usually indicated by a corresponding function on your mobile device. You can allow or revoke the option of location tracking at any time via the settings in the operating system of your mobile end device. We ask you once when you first start the hvv switch app whether you want to activate automatic location tracking.
The data processing for location tracking is based on Art. 6 Para. 1 lit. f DSGVO).
We do not ever use location data to create a movement profile of you.
You can find the regulations for the location recording in the context of the use of hvv Any in section D.7.
3. Registration for hvv switch
You choose your login details (email address and password) when you register for the hvv switch app. We will process this personal data when setting up your user account. You need a user account in order to be able to make use of mobility services in the hvv switch app (subject to the respective service providers activated in the app).
The data processing for registration is based on Art. 6 para. 1 lit. b DSGVO.
4. Activation for mobility services
The hvv switch app gives you the option to make use of the mobility services of various mobility providers, and in the case of hvv ticketing and the service hvv Any to also avail of our own services. Depending on the mobility service you want to use, additional personal data and validations of your personal data will be required.
For example, this might include specifying and validating your:
- First and last name
- Date of birth
- Mobile phone number
- Driving licence details
- Payment details
If you don’t provide the required information or complete the required validation you will not be able to make use of the respective mobility service.
For certain mobility services, it is also necessary to create a personal PIN. This PIN is then requested again for additional identification of the user before the start of each rental. This is the case, for example, when renting a car sharing vehicle from SIXT share.
The data processing for activation is carried out on the basis of Art. 6 Para. 1 lit. b DSGVO).
With regard to activating a particular mobility service, the only personal data that will be requested is that which is required for using the respective service. This information might need to be validated and will be saved in your user account. Any additional information you provide in your user account is optional.
Once you have successfully activated a particular mobility service, you will no longer be able to delete certain personal data from your user account yourself, as it is required and mandatory for using the mobility service you selected. You can make changes to your personal data, but this new data might have to be validated again. If you want to delete certain personal data that is absolutely necessary for use of a mobility service, you can do this by contacting our customer service. However, you will then no longer be able to use that service.
With regard to hvv ticketing and the service hvv Any, we will process your contact and address data, after your account has been successfully activated, in order to inform you about contract-relevant changes to our products and our mobility services, and to send you other information that is legally required.
In order to use a car sharing service, you must be in possession of a valid driving licence to drive a car. We offer you the option of having your identity and driving licence checked through the hvv switch app, with a video call, as part of the activation process for a car sharing service.
Validation involves your identity being confirmed (by means of a valid identification document that you present), in addition to ownership of a valid driving licence. The data you have already entered in the hvv switch app, which is necessary for activating car sharing services, will also be checked to see if it matches the information on your ID document and driving licence.
If you take advantage of the option of validation via video call in the hvv switch app, recordings of your identity documents and driving licence will be made during the video call. The recordings of your driving licence will be saved by us for the duration of the contractual relationship between you and us, as proof that we have checked and validated your driving licence, but it will not be stored as part of an active customer profile. Rather, the data is blocked by a strict authorisation concept and cannot be accessed on an ongoing basis.
The data processing for the validation of the driving licence is based on Art. 6 para. 1 lit. b) and c) DSGVO.
5. Booking and use of mobility services
If you purchase, reserve or book a mobility service via the hvv switch app, we assign the associated purchase, reservation and booking data to your user account. In this context, we also process, for example, your name and the location data you provide in your request for a mobility service. We display the mobility services you have used (active and completed) in your user account.
The data processing for the booking and use of mobility services is based on Art. 6 para. 1 lit. b DSGVO).
Furthermore, we transmit the purchase/reservation/booking data required for the respective mobility service to the corresponding mobility provider, who processes this data for the purpose of handling the mobility service under its own responsibility. You can find out more about how we pass on data under E. Is data passed on?
We also process personal data for the settlement of further claims (e.g. settlement of damages incurred) resulting from a booking and/or use.
If disruptions or similar occur in connection with the provision of mobility services, we use your contact details to inform you of this, e.g. via e-mail, SMS, in-app or push message.
6. Payment and billing
In order for you to be able to use a mobility service via the hvv switch app, it is necessary to deposit a valid means of payment in your user account.
In order to carry out the payment process and for the purpose of selling and assigning our claims against you, we transmit personal data to our payment service provider LogPay Financial Services GmbH ("LogPay"). Our payment service provider processes and stores your personal data for the purpose of processing payments, managing receivables, evaluating the admissibility of payment methods and avoiding payment defaults.
If you choose credit card as a payment method, the necessary payment information (e.g. credit card provider, credit card holder, credit card number, expiry date and credit card verification number) is stored directly with LogPay. The processing of the personal data is carried out by LogPay as its own responsible party. You can find additional information on this under E.2 Payment service providers.
If you would like to use PayPal as a payment method, it is necessary in a first step that you link your PayPal account with your hvv switch user account. Within the framework of this account linking, you have the option of transferring personal data already stored in your PayPal account (e.g. name and billing address) to your hvv switch user account and saving it there. In this way, we offer you the option of a quicker and more convenient entry of personal data, the provision of which is required for the use of certain mobility services. The transfer of your data to PayPal is based on Art. 6 para. 1 lit. a DSGVO (consent) and Art. 6 para. 1 lit. b DSGVO (processing for the performance of a contract). For each mobility service that you use via the hvv switch app, we create an invoice and process your personal data in this context (e.g. your name, date and place of use of the respective service). We send our own invoices and invoices that we issue on behalf of individual mobility providers exclusively by e-mail.
Due to legal storage obligations, such as obligations under commercial and tax law, we keep invoices for up to ten years. The period begins at the end of the year in which the invoice was created. During the retention period, this personal data is completely blocked and no longer accessible for further data processing.
7. Booking and using hvv Any (check-in/check-out)
With our service hvv Any we offer you the possibility to use hvv transportation without having to deal with the selection of a suitable hvv ticket in advance. You check in the hvv switch app before starting your journey and hvv Any automatically recognizes the route you have taken. For this we need access to the following system services of your smartphone for the purpose mentioned below:
- Location services (GPS) The location services (GPS) are important for determining your locations (e.g. your current location, start stop, start and destination).
- Motion sensor technology The motion sensor technology of your smartphone serves as a support to distinguish walking and cycling trips from the use of our means of transport, among other things.
- Bluetooth and WLAN Bluetooth and WLAN of your smartphone also serve as support to be able to secure the trip determination results, especially for tunnel routes.
- Internet connection The Internet connection is required to ensure smooth communication with our background system. Only there the formation of the journeys and the determination of the prices takes place.
Therefore it is necessary that you also activate or keep active these services during the whole time of using hvv Any.
We use the aforementioned information collected within the framework of hvv Any to record your use of the hvv means of transport. This happens regardless of whether the hvv switch app is open - but only after check-in has taken place. If the required system services are active, this is usually indicated by corresponding icons or functions on your mobile device. You can activate or deactivate these system services at any time via the settings in the operating system of your mobile device. Before using our service hvv Any, i.e. before each so-called check-in, we inform you that the system services and the location detection have to be activated. By using hvv Any you agree that the mentioned systems are used and that the access to your personal data and your movement data is basically permitted for the maintenance of the system operation and the clarification of your customer request.
The data processing for location tracking as well as the use of the aforementioned system service data is based on Art. 6 para. 1 lit. b DSGVO (contract performance). We use this data from you to correctly record your journeys with the hvv means of transport. We do not collect this data to create a movement profile.
7. Customer service
When you contact us, for example by submitting an enquiry or providing feedback, we store this information in order to process your enquiry or respond to your feedback. We will contact you about your enquiry or feedback if this is necessary to resolve your concern.
E. Will data be passed on to other parties?
1. Mobility service providers
Whenever you book and make use of a mobility service you enter into a separate contractual relationship with the respective mobility provider, with our involvement. You decide which mobility services you wish to use and which contract you wish to enter into with them. We then forward the data required for the respective contract exclusively to the respective mobility provider in each case, who will then process that data for the purpose of processing the contract. You must explicitly agree to the transfer of the data required for this process.
We currently work with the following mobility service providers:
MOIA GmbH, Alexanderufer 5, 10117 Berlin
MOIA Operations Germany GmbH, Podbielskistraße 306, 30655 Hanover
Data for activation or changes made by you, e.g. first and last name, validated e-mail address, validated mobile phone number; data relating to a booking request, e.g. start and destination points
|Sixt GmbH & Co. Autovermietung KG, Zugspitzstrasse 1, 82049 Pullach, Germany||
|MILES Mobility GmbH, Leipnizstraße 49, 10629 Berlin, Germany||
Data for activation or as a result of changes made by you, e.B validated first and last name, validated date of birth, validated e-mail address, validated mobile phone number, validated address, validated driver's license data; Data on the booking request, e.B. location data; on request proof of the driving licence check carried out
|TIER Mobility GmbH c/o WeWork, Eichhornstraße 3, 10785 Berlin, Germany||Data for activation in the form of your hvv switch customer number; Data on the booking request, e.B. location data; on request, first and last name, address, validated e-mail address||https://www.tier.app/de/privacy-notice/|
|UMI Urban Mobility International GmbH, Mollstraße 1, 10178 Berlin, Germany||Data for activation or as a result of changes made by you, e.g. validated first and last name, validated date of birth, validated e-mail address, validated mobile phone number, validated address, validated driving licence data; data on the booking request, e.g. location data; on request, proof of the driver's licence check carried out.||https://www.we-share.io/app-privacy|
Voi Technology Germany GmbH, Kaufinger Straße 24, 80331 München
|Activation data in the form of your hvv switch customer number; booking request data, e.g. location data; on request first and last name, address, validated e-mail address.||https://www.voiscooters.com/de/impressum/voi-privacy-policy|
2. Payment service provider
To enable and carry out the payment process and for the purpose of selling and assigning our claims against you, we transmit personal data to our payment service provider LogPay Financial Services GmbH, Schwalbacher Straße 72, 65760 Eschborn ("LogPay"). In addition, we also pass on personal data for the settlement of further claims (e.g. settlement of damages incurred) arising from the booking/use. Our payment service provider processes and stores your personal data for the purpose of processing payments, receivables management, evaluating the admissibility of payment methods and avoiding payment defaults.
For more information about the data processing by LogPay, please visit https://www.logpay.de/DE/datenschutzinformationen/ . Please note that this information also states that if you are not yet known to LogPay, LogPay will transfer your data to credit agencies (such as SCHUFA) to verify your information and creditworthiness to avoid a payment default.
We have integrated a SDK (Software Developer Kit) from PayPal into the hvv switch app to offer you an easy payment method with PayPal. The provider is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg. PayPal uses this SDK for risk management reasons to protect its services and its customers from fraud and abuse. By means of the SDK, PayPal collects and processes your IP address as well as device information, technical usage data and location data. We have no influence on this data transmission and processing. You can find more information about PayPal's data processing at https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE.
Mobility budget hvv-m DB Bonvoyo
In order to give you the option of billing the services of the individual mobility providers in the hvv switch app via a mobility budget provided by your employer, we have integrated hvv-m DB Bonvoyo as a possible means of payment. The provider of hvv-m DB Bonvoyo is Deutsche Bahn Connect GmbH ("DB Connect"), Mainzer Landstraße 169, 60327 Frankfurt am Main. If you use this function, the data required for use will be transferred between DB Connect and us. We have no influence on the data processing within DB Connect. You can find more information about data processing within the mobility budget at https://www.deutschebahnconnect.com/produkte/mobilitaetsbudget/DSE_Bonvoyo_App.pdf.
3. Service provider for the display of map services
We have integrated an SDK (Software Developer Kit) of the map service Mapbox into the hvv switch app to enable you to use the hvv switch app easily and reliably. The provider is Mapbox Inc. with headquarters at 740, 15th Street NW, Washington DC, 20005, USA. To use the functions of Mapbox, it is necessary to store your IP address. In addition, device information and location data are also collected and temporarily stored. This information is usually transferred to a Mapbox server in the USA and may be processed there. You can find more information about data processing by Mapbox at https://www.mapbox.com/privacy/ .
You actively decide whether you want to help improve OpenStreetMap and Mapbox maps by collecting anonymized user data. Mapbox uses location data from all integrations to improve their maps, directions, and travel times and provide aggregate insights. To do this, we ask for your consent once when you first launch the hvv switch app. In addition, you have the option to adjust your consent in the privacy settings of the hvv switch app at any time. By giving your consent, you consent to the transfer of data to the USA in accordance with Art. 49 Para. 1 lit. a DSGVO. We would like to point out that the USA currently does not have a level of data protection comparable to the EU and US companies can be obliged by US authorities to hand over your data without you having any effective legal protection options against this.
4. Service provider for driver's license validation
In case of required identification and verification, we transfer personal data to our service provider identity Trust Management AG, Lierenfelder Straße 51, 40231 Düsseldorf, Germany, who complete the identification and verification process for us and act as a processor for us. All personal data is deleted from our service provider seven days after completion of the processing and provision to us.
5. Other service providers used
We use various service providers who process personal data from you on our behalf. These have been carefully selected by us and process the personal data exclusively according to the instructions and under the control of us. In particular, these are the following service providers:
Hosting and operation:
Claranet GmbH, Hanauer Landstraße 196, 60314 Frankfurt am Main, Germany.
Bechtle GmbH, Bernhard-Nocht-Str. 113, 20359 Hamburg-
Sending e-mail and SMS:
Twilio Ireland Limited, 25-28 North Wall Quay, Dublin 1, Ireland
F. Which analysis tools do we use and why?
In order to optimise our marketing activities, we use the service provider Adjust (adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin, Germany) and have integrated its SDK (Software Developer Kit) into the hvv switch app. The anonymised data collected using Adjust provides us with information, for instance, about the downloading of the hvv switch app, the online advertising channel through which the download was generated, and the time at which the app was opened. You can find out more about data processing by Adjust by visiting https://www.adjust.com/privacy-policy/.
You actively decide whether you want to allow Adjust to optimise our marketing activities. To this end, we ask for your consent once when you start the hvv switch app for the first time. In addition, you have the option of adjusting or revoking your consent in the privacy settings of the hvv switch app at any time.
Use of this analysis tool is based on Article 6.1 (a) of the GDPR.
We have integrated an SDK (Software Developer Kit) from Google Firebase into the hvv switch app in order to better understand the use of our app and to improve the offer. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Firebase provides various products, of which we use Analytics for Firebase and Crashlytics. The pseudonymized information about the use of our app collected via Google Firebase provides us with information about, for example, the number of app openings in a period of time, app crashes, provides insights into particularly popular features as well as the number of in-app purchases and the total number of users in a certain period of time. For more information on data processing by Google Firebase, please visit https://www.firebase.com/terms/privacy-policy.html .
Legal basis of processing for Analytics for Firebase: You actively decide whether you want to allow the use of Analytics for Firebase to optimize our offer. For this purpose, we ask for your consent once when you first start the hvv switch app. In addition, you have the option to adjust your consent in the privacy settings of the hvv switch app at any time. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) as defined by the TTDSG. You have the option to adjust your consent in the privacy settings of the hvv switch app at any time (revocation of consent).
Legal basis of processing at Crashlytics: At Crashlytics, data on the operation of the app, including the type of operating system used, information on malfunctions during operation (type, time and duration of the malfunction as well as use of the app at the time of the malfunction) and device information are processed. Based on this data, we can obtain an overview of various malfunctions when malfunctions or problems occur during the operation of the hvv switch app and weight them based on their relevance for use in order to ensure efficient troubleshooting and to ensure the stability of the app. The data processing is based on Art. 6 (1) lit. f DSGVO. We have a legitimate interest in identifying and fixing stability problems that affect the quality of the hvv switch app. In this way, we also increase the user-friendliness of the hvv switch App for our customers. Since the data is processed in pseudonymized form and you can prevent the use of this data by the hvv switch app at any time in the privacy settings of the hvv switch app (objection), an overriding opposing legitimate interest is not apparent.
G. How long will my data be stored?
As your contractual partner, Hamburger Hochbahn AG processes and stores your personal data only for as long as is necessary to fulfill its contractual and legal obligations. We differentiate between the various categories of data. In principle, we only retain data from registered customers. This is done only at the request of the customer, so as not to have to store personal data again in the event of repeated use of our offer.
If data is no longer required for the immediate fulfillment of contractual or legal obligations, for example because it relates to sales that have already been invoiced, it is regularly deleted. This does not apply to data whose (temporary) continued storage is required for the following purposes:
- Compliance with retention periods under commercial or tax law: These include, for example, the German Commercial Code and the German Fiscal Code. The retention and documentation periods stipulated there are up to 10 years.
- Preservation of evidence within the framework of the statute of limitations: According to Sections 195 et seq. of the German Civil Code (BGB), these limitation periods are generally 3 years, but can also be up to 30 years in individual cases.
H. What are your rights with regard to data protection?
The GDPR grants certain rights to data subjects whose personal data is processed by us. We would like to outline these rights in the following. If you have any questions regarding data protection with respect to hvv switch, please feel free to contact us as the data controller, or to get in touch with our Data Protection Officer. You can find the contact details under B. Who is responsible?
1. Information, deletion & correction
You have the right to request information about your personal data stored by us free of charge at any time. This includes information about the purpose of processing, the category of data used, its recipients and the planned duration of data storage or, if this is not possible, the criteria for determining this duration. Furthermore, you have the right to have the data deleted and/or corrected, in particular if the data is incomplete or incorrect, if it is no longer necessary for the purpose for which it was collected, or if you have withdrawn your consent to the processing.
2. Revocation of consent
If data processing is carried out with your consent, you have the option to revoke this consent at any time. An informal email is sufficient here to make this happen. The legality of the data processing carried out up until the date of revocation will remain unaffected by the revocation.
3. Right of objection
If the data processing is based on a legal legitimate interest on our part, you have the right to object to the data processing. The prerequisite for this are reasons arising from your particular situation (Art. 21 (1) DSGVO).
4. Right to restriction of processing
You have the right to request that the processing of your personal data be restricted. This right to restriction of processing applies in the following cases:
- If you query the accuracy of your personal data stored by us. We will usually need some time to check this.
- For the duration of this review period, you will have the right to request the restriction of the processing of your personal data.
- If your personal data has been processed/ is being processed in a way that is unlawful, you can request the restriction of data processing rather than having your data deleted.
- If we no longer need your personal data, but require it for the exercising, defence or assertion of any legal claims, you will have the right to request the restriction of the processing of your personal data rather than having your data deleted.
- If you have lodged an complaint as per Article 21.1 of the GDPR, a balance must be struck between your interests and our interests. As long as it has not yet been determined whose interests prevail, you will have the right to demand the restriction of the processing of your personal data.
5. Right to data portability
You have the right to have data that we process automatically, based on your consent and/or to fulfil a contract, provided to you or to a third party in a structured, common and machine-readable format. If you request the direct transfer of data to another data controller, this will only be implemented provided it is technically feasible.
6. Right of complaint to a supervisory authority
In the event of a breach of the GDPR, you have the right to lodge a complaint with a supervisory authority. The right of appeal is without prejudice to other administrative or judicial remedies.
In Hamburg, you can contact the official data protection commissioner at:
The Hamburg Commissioner for Data Protection and Freedom of Information, Ludwig-Erhard-Str. 22, 20459 Hamburg.