Data protection information of Hamburger Hochbahn AG

As of 17 January 2026

In accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: “GDPR“), this data protection information provides you with details about how we process your personal data and your rights in this regard.

 

 

A. Responsible body and data protection officer

The controller responsible for data processing is:

Hamburger Hochbahn AG
Steinstraße 20
20095 Hamburg
Germany

Telephone: +49 (40) 3288-0
Email: info@hochbahn.de

 

You can contact the designated data protection officer at:

Hamburger Hochbahn AG
Data Protection Department
Steinstraße 20 
20095 Hamburg
Germany

Email: datenschutzbeauftragter@hochbahn.de

 

 

B. What data do we process and for what purpose? 

Below, we describe the purposes for which we process your data and how we do so. Here, we provide information about:

  1. Use of our internet offerings hochbahn.de, HOCHBAHN Blog (dialog.hochbahn.de) and schneller-durch-hamburg.de
  2. Social media presence of Hamburger Hochbahn AG
  3. Your application to Hamburger Hochbahn AG
  4. Video surveillance by Hamburger Hochbahn AG
  5. Increased transport charges
  6. Communication with Hamburger Hochbahn AG
  7. WhatsApp channel of Hamburger Hochbahn AG
  8. Handling of legal claims
  9. Whistleblower system

 

B.1 Use of our websites www.hochbahn.de, HOCHBAHN Blog (dialog.hochbahn.de) and schneller-durch-hamburg.de

In this section, we provide information about the processing of personal data on our websites:


B.1.1 External hosting

Our websites are hosted externally. The personal data collected on our websites is stored on the servers of the respective host. This may include IP addresses, contact enquiries, meta and communication data, contract data, contact details, names, website accesses and other data generated via the respective website.

External hosting is carried out for the purpose of fulfilling contracts with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of secure, fast and efficient provision of our online services by a professional provider (Art. 6 para. 1 lit. f GDPR). If consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (Telecommunications Digital Services Data Protection Act, hereinafter: “TDDDG”), insofar as the consent covers the storage of cookies or access to information on the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Our host will only process your data to the extent necessary to fulfil its service obligations and will follow our instructions regarding this data.

We use the following hosting providers:

 

B.1.2 SSL or TLS encryption

For security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the website operator, our internet services use SSL or TLS encryption.

You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

 

B.1.3 Server log files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Host name of the accessing computer
  • Time of the server request
  • IP address

This data is not merged with other data sources.

This data is collected on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website – for this purpose, the server log files must be collected.

 

B.1.4 Use of cookies and consent tools

B.1.4.1 Use of cookies

Our websites use so-called "cookies". Cookies are small text files and do not cause any damage to your device. They are either stored temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your device. Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your device until you delete them yourself or your web browser automatically deletes them.

In some cases, cookies from third-party companies may also be stored on your device when you visit our website (third-party cookies). These enable us or you to use certain services provided by the third-party company (e.g. cookies for processing payment services).

Cookies have various functions. Numerous cookies are technically necessary, as certain website functions would not work without them (e.g. the display of videos). Other cookies are used to evaluate user behaviour or to display advertising. 

Cookies that are necessary for the electronic communication process (necessary cookies) or for the provision of certain functions requested by you (functional cookies) or for the optimisation of the website (e.g. cookies for measuring the web audience) are stored on the basis of Art. 6 para. 1 lit. f GDPR, unless another legal basis is specified. The website operator has a legitimate interest in storing cookies for the technically error-free and optimised provision of its services. If consent to the storage of cookies has been requested, the storage of the relevant cookies is based exclusively on this consent (Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG); consent can be revoked at any time.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases. Furthermore, you can exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.

If cookies from third-party companies or for analysis purposes are used, we will inform you separately in this privacy policy and, if necessary, request your consent.

 

B.1.4.2 Consent with Usercentrics

The website at www.hochbahn.de uses consent technology from Usercentrics to obtain your consent to the storage of certain cookies on your device or to the use of certain technologies and to document this in accordance with data protection regulations. This technology is provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany (hereinafter referred to as "Usercentrics").

When you visit our website, the following personal data is transferred to Usercentrics:

  • Your consent(s) or the revocation of your consent(s)
  • Your IP address
  • Information about your browser
  • Information about your device
  • The time of your visit to the website

Furthermore, Usercentrics stores a cookie in your browser in order to be able to assign the consents you have given or their revocation. The data collected in this way is stored until you request us to delete it, delete the Usercentrics cookie yourself or the purpose for data storage no longer applies. Mandatory legal retention obligations remain unaffected.

Usercentrics is used to obtain the legally required consent for the use of certain technologies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.

 

B.1.4.3 Consent with Borlabs Cookie

The dialog.hochbahn.de website uses Borlabs Cookie consent technology to obtain your consent to the storage of certain cookies in your browser or to the use of certain technologies and to document this in accordance with data protection regulations. This technology is provided by Borlabs GmbH, Hamburger Straße 11, 22083 Hamburg (hereinafter referred to as "Borlabs").

When you visit our website, a Borlabs cookie is stored in your browser, in which the consents you have given or the revocation of these consents are stored. This data is not passed on to the provider of Borlabs Cookie.

The collected data is stored until you request us to delete it, delete the Borlabs cookie yourself, or the purpose for data storage no longer applies. Mandatory legal retention periods remain unaffected. Details on data processing by Borlabs Cookie can be found at https://borlabs.io/kb/what-information-does-borlabs-cookie-store/.

Borlabs cookie consent technology is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.

 

B.1.5 Use of plugins and tools

B.1.5.1 Integration of map services

B.1.5.1.1 Google Maps

This site uses the Google Maps map service. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. 

To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transferred to a Google server in the United States and stored there. The provider of this site has no influence on this data transfer. If Google Maps is activated, Google may use Google Fonts for the purpose of uniform font display. When you access Google Maps, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly. 

The use of Google Maps is in the interest of an appealing presentation of our online offers and to make it easy to find the locations we have indicated on the website. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information on your end device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time. 

Data transfer to the United States is based on the standard contractual clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.

For more information on how user data is handled, please refer to Google's privacy policy:
https://policies.google.com/privacy?hl=en.

Google is certified under the EU-U.S. Data Privacy Framework. Additional information can be found under point C. EU-U.S. Data Privacy Framework.

 

B.1.5.1.2 OpenStreetMap

We have integrated the OpenStreetMap (OSM) map service into our website. We integrate the map material from OpenStreetMap on the server of the OpenStreetMap Foundation, St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom of Great Britain and Northern Ireland. The United Kingdom of Great Britain and Northern Ireland is considered a third country with a high level of data protection. This means that the United Kingdom of Great Britain and Northern Ireland has a level of data protection that is equivalent to that of the European Union. When using OpenStreetMap maps, a connection is established to the servers of the OpenStreetMap Foundation. In doing so, your IP address and other information about your behaviour on this website may be forwarded to the OSMF. OpenStreetMap may store cookies in your browser or use similar recognition technologies for this purpose.

OpenStreetMap is used in the interest of an appealing presentation of our online offerings and to make it easy to find the locations we have indicated on the website. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information on the end device of the user (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

 

B.1.5.2 Integration of video portals

B.1.5.2.1 Integration of YouTube videos

Our websites embed videos from YouTube. The website is operated by Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

We use YouTube in extended data protection mode. According to YouTube, this mode means that YouTube does not store any information about visitors to our website before they watch the video. However, the extended data protection mode does not necessarily exclude the transfer of data to YouTube partners. YouTube establishes a connection to the Google DoubleClick network regardless of whether you watch a video.

As soon as you start a YouTube video on this website, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to associate your surfing behaviour directly with your personal profile. You can prevent this by logging out of your YouTube account.

Furthermore, after starting a video, YouTube may store various cookies on your device or use comparable recognition technologies (e.g. device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to collect video statistics, improve user-friendliness and prevent fraud attempts.

After starting a YouTube video, further data processing operations may be triggered over which we have no control.

YouTube is used in the interest of an appealing presentation of our online offerings. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information on your end device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Further information on data protection at YouTube can be found in their privacy policy at:
https://policies.google.com/privacy?hl=en

Google is certified under the EU-U.S. Data Privacy Framework. Additional information can be found under point C. EU-U.S. Data Privacy Framework.

 

B.1.5.2.2 Vimeo without tracking (Do Not Track)

We use plugins from the video portal Vimeo on our pages. The provider is Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA (hereinafter "Vimeo").

When you visit one of our pages equipped with Vimeo videos, a connection to the Vimeo servers is established. The Vimeo server is informed which of our pages you have visited. Vimeo also obtains your IP address. However, we have set Vimeo so that Vimeo will not track your user activities and will not set any cookies. 

The use of Vimeo is in the interest of an appealing presentation of our online offerings. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; consent can be revoked at any time. 

Data transfer to the USA is based on the standard contractual clauses of the EU Commission and, according to Vimeo, on "legitimate business interests". Details can be found here:
https://vimeo.com/privacy.

Further information on the handling of user data can be found in Vimeo's privacy policy at:
https://vimeo.com/privacy.

Vimeo is certified under the EU-U.S. Data Privacy Framework. Additional information on this can be found under point C. EU-U.S. Data Privacy Framework.

 

B.1.5.3 Authentication with Google reCaptcha

We use Google reCAPTCHA (hereinafter "reCAPTCHA") for authentication on this website. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

reCAPTCHA is used to verify whether the data entered on this website is entered by a human or by an automated programme. To do this, reCAPTCHA analyses the behaviour of the website visitor based on various characteristics. This analysis begins automatically as soon as you enter our website. reCAPTCHA evaluates various information for the analysis (e.g. IP address, length of time spent on the website or mouse movements made by users). The data collected during the analysis is forwarded to Google.

The reCAPTCHA analyses run completely in the background. When you visit our website, there is no indication that an analysis is taking place.

The storage and analysis of the data is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in protecting our web offerings from abusive automated spying and SPAM. If consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or the access to information on your end device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

For more information about Google reCAPTCHA, please refer to Google's privacy policy and Google's terms of use at the following links:
https://policies.google.com/privacy?hl=en and
https://policies.google.com/terms?hl=en.  

Google is certified under the EU-U.S. Data Privacy Framework. Additional information can be found under point C. EU-U.S. Data Privacy Framework.


B.1.5.4 Social media plugins (Like & Share button)

B.1.5.4.1 Facebook

Elements of the Facebook social network are integrated into this website. This service is provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereinafter referred to as "Meta"). However, according to Facebook, the data collected is also transferred to the United States and other third countries.

An overview of the Facebook social media elements can be found here:
https://developers.facebook.com/docs/plugins/?locale=en_en.

When the social media element is active, a direct connection is established between your device and the Facebook server. Facebook receives the information that you have visited this website with your IP address. If you click the Facebook "Like" button while you are logged into your Facebook account, you can link the content of this website to your Facebook profile. This allows Facebook to associate your visit to this website with your user account. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the data transmitted or its use by Facebook. For more information, please see Facebook's privacy policy at:
https://www.facebook.com/privacy/explanation.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.

Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Facebook, we and Meta are jointly responsible for this data processing (Art. 26 GDPR). Joint responsibility is limited exclusively to the collection of data and its transfer to Facebook. The processing by Facebook after the transfer is not part of the joint responsibility. The obligations incumbent upon us jointly have been set out in a joint processing agreement. The wording of the agreement can be found at:
https://www.facebook.com/legal/controller_addendum

According to this agreement, we are responsible for providing data protection information when using the Facebook tool and for the data protection-compliant implementation of the tool on our website. Facebook is responsible for the data security of Facebook products. You can assert your rights as a data subject (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you assert your rights as a data subject with us, we are obliged to forward them to Facebook.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://www.facebook.com/legal/EU_data_transfer_addendum,
https://www.facebook.com/help/566994660333381 and
https://www.facebook.com/policy.php.

Meta is certified under the EU-U.S. Data Privacy Framework. Additional information can be found under point C. EU-U.S. Data Privacy Framework.

 

B.1.5.4.2 X plugin

This website incorporates features of the X service. These features are provided by the parent company X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The X Internet Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland, is responsible for data processing for persons living outside the USA.

When the social media element is active, a direct connection is established between your device and the X server. This provides X with information about your visit to this website. By using X and the "Re-Tweet" or "Repost" function, the websites you visit are linked to your X account and made known to other users. We would like to point out that, as the provider of these pages, we have no knowledge of the content of the data transmitted or its use by X. For more information, please refer to X's privacy policy at:
https://x.com/en/privacy.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://gdpr.twitter.com/en/controller-to-controller-transfers.html.

You can change your privacy settings on X (formerly Twitter) in your account settings at https://twitter.com/account/settings.

X Corp. is certified under the EU-U.S. Data Privacy Framework. Additional information can be found under point C. EU-U.S. Data Privacy Framework.

 

B.1.5.4.3 LinkedIn plugin

Elements of the LinkedIn network may be integrated into our websites. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

Each time you visit a page on this website that contains elements from LinkedIn, a connection to LinkedIn's servers is established. LinkedIn is informed that you have visited this website with your IP address. If you click on the LinkedIn "Recommend" button and are logged into your LinkedIn account, LinkedIn can associate your visit to this website with you and your user account. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the data transmitted or its use by LinkedIn.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://www.linkedin.com/help/linkedin/answer/a1343190/datenubertragung-aus-der-eu-dem-ewr-und-der-schweiz?lang=en

Further information on this can be found in LinkedIn's privacy policy at: 
https://www.linkedin.com/legal/privacy-policy.

LinkedIn is certified under the EU-U.S. Data Privacy Framework. Additional information on this can be found under point C. EU-U.S. Data Privacy Framework.

 

B.1.5.4.4 Mastodon share function (norden.social)

Our websites use a plugin that allows you to share content directly on the Mastodon platform. The integration is done via the instance https://norden.social. When you use the "Share" button or a similar function, the following data is transferred to the norden.social servers:

  • the URL of the content you wish to share,
  • any additional metadata (title, description),
  • your IP address and browser information (technically necessary for the transfer).

Data processing is carried out exclusively by the provider of the Mastodon instance. We have no influence on the type and scope of the data collected there. Further information can be found in the privacy policy of norden.social:
https://norden.social/privacy-policy

The share function is provided on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in order to offer you a convenient way to share our content. Use of this function is voluntary.

We do not transfer any personal data as long as you do not actively use the function. When you click the button, you leave our website and interact directly with Mastodon.

 

B.1.6 Use of analysis tools and advertising

B.1.6.1 Google Tag Manager

We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tool that helps us integrate tracking or statistics tools and other technologies into our website. Google Tag Manager itself does not create user profiles, store cookies or perform independent analyses. It is used solely for the management and display of the tools integrated via it. However, Google Tag Manager records your IP address, which may also be transferred to Google's parent company in the United States.

The use of Google Tag Manager is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the quick and uncomplicated integration and management of various tools on our website. If consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information on your end device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Google is certified under the EU-U.S. Data Privacy Framework. Additional information can be found under point C. EU-U.S. Data Privacy Framework.


B.1.6.2 Google Analytics

This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables us to analyse the behaviour of visitors to our website. In doing so, we receive various usage data, such as page views, length of stay, operating systems used and the origin of users. This data is assigned to the respective end device of our users. It is not assigned to a user ID.

Furthermore, Google Analytics allows us to record your mouse and scroll movements and clicks, among other things. Google Analytics also uses various modelling approaches to supplement the data sets collected and uses machine learning technologies in data analysis.

Google Analytics uses technologies that enable users to be recognised for the purpose of analysing their behaviour (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is usually transferred to a Google server in the United States and stored there.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.

Data transfer to the United States is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://privacy.google.com/businesses/controllerterms/mccs/.

Google is certified under the EU-U.S. Data Privacy Framework. Additional information can be found under point C. EU-U.S. Data Privacy Framework.


Browser plugin

You can prevent Google from collecting and processing your data by downloading and installing the browser plugin available at the following link:
https://tools.google.com/dlpage/gaoptout?hl=en.

For more information on how Google Analytics handles your data, please refer to Google's privacy policy:
https://support.google.com/analytics/answer/6004245?hl=en.


Google Signals

We use Google Signals. When you visit our website, Google Analytics collects your location, search history, YouTube history and demographic data (visitor data), among other things. This data can be used for personalised advertising with the help of Google Signals. If you have a Google account, Google Signals links the visitor data to your Google account and uses it for personalised advertising messages. The data is also used to create anonymous statistics on the usage behaviour of our visitors.

 

B.1.6.3 Google Ads

We use Google Ads. Google Ads is an online advertising programme from Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. 

Google Ads enables us to display advertisements in the Google search engine or on third-party websites when users enter specific search terms in Google (keyword targeting). Furthermore, targeted advertisements can be displayed based on user data available to Google (e.g. location data and interests) (target group targeting). As the website operator, we can evaluate this data quantitatively, for example by analysing which search terms led to our advertisements being displayed and how many advertisements led to corresponding clicks. 

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.

Data transfer to the United States is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://policies.google.com/privacy/frameworks and
https://privacy.google.com/businesses/controllerterms/mccs/.

Google is certified under the EU-U.S. Data Privacy Framework. Additional information can be found under point C. EU-U.S. Data Privacy Framework.


B.1.6.4 Google Looker Studio

We use Google Looker Studio – software from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Looker Studio is used to manage and visualise data from the aforementioned analysis tools. We can only evaluate data in Google Looker Studio if you have consented to the use of the respective tool.

We use Google Looker Studio for marketing and optimisation purposes, in particular to analyse the use of our website and to continuously improve individual functions and offers as well as the user experience. By statistically evaluating usage behaviour, we can improve our offering and make it more interesting for you as a user. 

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.

Data transfer to the United States is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://privacy.google.com/businesses/gdprcontrollerterms/ and here:
https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.

Google is certified under the EU-U.S. Data Privacy Framework. Additional information can be found under point C. EU-U.S. Data Privacy Framework.


B.1.6.5 Deep Media Advertiser Tag

We use the Deep Media Advertiser Tag, a service provided by Deep Media Technologies GmbH, Hohe Bleichen 8, 20354 Hamburg, Germany. The Deep Media Advertiser Tag is a tag management system for managing technologies for marketing and optimisation purposes. It is used in particular to display advertisements that are relevant and interesting to you and to improve campaign performance reports.

When using the Advertiser Tag, pseudonymised online identifiers such as cookies and click IDs may be processed. Deep Media Technologies GmbH is unable to personally identify the user. Data from providers for which the user has given consent within the scope of the data protection settings of this website is processed. The collection and storage of data can be objected to at any time by contacting the respective provider. In the event of an objection, this data will not be passed on to Deep Media Technologies GmbH.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.

Further information on data use by Deep Media Technologies GmbH can be found here:
https://www.deepmedia.de/en/privacy-information-advertiser-tag/

 

B.1.6.6 Meta Pixel

We use Meta's visitor action pixel to measure conversions. This service is provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereinafter: "Meta"). However, according to Meta, the data collected is also transferred to the USA and other third countries.

This allows the behaviour of our website visitors to be tracked after they have been redirected to our website by clicking on a Meta advertisement. This enables the effectiveness of Meta advertisements to be evaluated for statistical and market research purposes and future advertising measures to be optimised.

The data collected is anonymous to us as the operator of this website; we cannot draw any conclusions about the identity of the users. However, the data is stored and processed by Meta, so that a connection to the respective user profile on Facebook or Instagram is possible and Meta can use the data for its own advertising purposes in accordance with the Meta Data Use Policy (https://www.facebook.com/about/privacy/). This enables Meta to place advertisements on Facebook or Instagram pages and other advertising channels. As the website operator, we have no influence over this use of the data.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.

Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Meta, we and Meta are jointly responsible for this data processing (Art. 26 GDPR). Joint responsibility is limited exclusively to the collection of data and its transfer to Meta. The processing by Meta after the transfer is not part of the joint responsibility. The obligations incumbent upon us jointly have been set out in a joint processing agreement. The wording of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing data protection information when using the Meta tool and for the data protection-compliant implementation of the tool on our website. Meta is responsible for the data security of Meta products. You can assert your rights as a data subject (e.g. requests for information) regarding the data processed by Facebook or Instagram directly with Meta. If you assert your rights as a data subject with us, we are obliged to forward them to Meta.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found at:
https://www.facebook.com/legal/EU_data_transfer_addendum and 
https://www.facebook.com/help/566994660333381.

You can find further information on the protection of your privacy in Meta's privacy policy:
https://www.facebook.com/about/privacy/.

You can also deactivate the "Custom Audiences" remarketing function in the ad settings section at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you must be logged in to Facebook.

If you do not have a Facebook or Instagram account, you can deactivate usage-based advertising from Meta on the European Interactive Digital Advertising Alliance website:
https://www.youronlinechoices.com/uk/your-ad-choices.

The company is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF). Additional information can be found under point C. EU-U.S. Data Privacy Framework.

 

B.1.7 Contacting Hamburger Hochbahn AG via our website

You have the option of contacting us via our websites. The data protection aspects of these contact options are described here. Data protection information on contacting us outside of our website can be found in section 6 of this privacy policy.

 

B.1.7.1 Enquiries via contact form

If you send us enquiries via the contact form, your details from the enquiry form, including the contact details you provided there, will be stored by us for the purpose of processing the enquiry and in case of follow-up questions.

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR, provided that your enquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective processing of enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; consent can be revoked at any time.

The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to its storage, or the purpose for data storage no longer applies (e.g. after your enquiry has been processed). Mandatory legal provisions – in particular retention periods – remain unaffected.

When processing enquiries and complaints that you send us via the contact form, this data may be forwarded to the departments responsible for handling the respective issues and questions. This primarily concerns forwarding to other transport companies in the Hamburger Verkehrsverbund (Hamburg Transport Association, hereinafter: “hvv”), which provided the transport service or are responsible for certain sales channels and infrastructure operations. Depending on the nature and content of an enquiry or complaint, it may also be forwarded to other departments dealing with the matter in question. This applies in particular to the affiliated companies of Hamburger Hochbahn AG. However, it also includes, for example, P + R Betriebsgesellschaft mbH, Stadtreinigung Hamburg (Hamburg City Cleaning) or the relevant authorities. Forwarding is only carried out to the extent that it is necessary and expedient for the processing of the matter. We base such forwarding to other competent bodies for the purpose of processing enquiries and complaints on an overriding legitimate interest on our part (Art. 6 para. 1 lit. f GDPR). Forwarding enables the quick and comprehensive processing of the matter in question by the body that also has the information required for processing. It relieves you, the customer, of the need to find out in advance about the distributed responsibilities within hvv or within the ownership structure of Hamburger Hochbahn AG. We do not see any conflicting overriding legitimate interest, as the enquiries and complaints in question are submitted to us precisely with the aim and desire that they be processed by the responsible department.

 

B.1.7.2 Chatbot in the career portal

You have the option of getting quick answers to individual questions via a free chatbot on the Hamburger Hochbahn AG career portal.

We use the chatbot to answer questions from interested parties or applicants as quickly as possible. In addition, interested parties or applicants can send requests for processing to Hamburger Hochbahn AG via digital forms or free input fields in the chatbot. Depending on the content of the enquiry, the chatbot can also forward it directly to the relevant service employee. To enable the conversation to be resumed at a later date, it is evaluated on the basis of your questions and search criteria when you first make contact.

When visiting the chatbot, the user's personal data is processed. This includes:

  • IP address (not stored)
  • User ID
  • Conversation ID
  • Data entered by the user

When you use the chatbot for the first time, you will be assigned a randomly generated UserID. The UserID remains stored in your browser until you delete your browser history. If you want to use the chatbot again after deleting your browser history, a new randomly generated UserID will be generated. In this case, you may have to re-enter all previously clicked answers or questions or entries. When you use the chatbot again, your browser will send the UserID to it. This allows you to continue a previously interrupted conversation, search or entry in the chatbot at any time (similar to setting cookies on websites). The conversations, searches or entries you have started are also generated and stored in the events on your browser. To continuously improve the chatbot, we record events such as "chatbot was displayed" and click events such as "user clicked on response X". For this purpose, we use conversation IDs, which are generated within the bot's database in the same way as user IDs. They serve as object identifiers and are necessary for the construction of the bot, as database entries require a unique identifier. Data is not processed for any other purposes (e.g. tracking).

We process your data in accordance with Art. 6 para. 1 lit. b GDPR. The legal basis for data processing is a free contract between you and Hamburger Hochbahn AG. In addition, there is a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in ensuring smooth communication with those interested in our job offers or applicants and in ensuring that our services function properly and can be continuously improved.

If the legal basis for data processing ceases to apply, all personal data you have entered will be deleted. Data that is required for contract processing or is subject to statutory retention periods remains unaffected by this.

The chatbot is used within the framework of order processing in accordance with Art. 28 GDPR. The order processor is Solvemate GmbH, Friedrichstraße 123, 10117 Berlin, Germany. All data is processed exclusively by certified operators of data centres within the European Union.

 

B.1.7.3 Comment function on the HOCHBAHN blog

For the comment function on the dialog.hochbahn.de website, in addition to your comment, information about the time the comment was created and, if you are not posting anonymously, the user name you have chosen will also be stored. 

Our comment function stores the IP addresses of users who post comments. As we do not check comments on this website before they are published, we need this data in order to be able to take action against the author in the event of legal violations such as insults or propaganda. 

The comments and the associated data are stored and remain on this website until the commented content has been completely deleted or the comments have to be deleted for legal reasons (e.g. offensive comments).

Comments are stored on the basis of your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent at any time. To do so, simply send us an informal email. The legality of data processing operations that have already taken place remains unaffected by the revocation.

 

B.1.7.4 Participant contributions and moderation on schneller-durch-hamburg.de

B.1.7.4.1 Participant contributions

The participant contributions you post and make publicly available (e.g. discussion contributions and comments) are stored by us, evaluated in terms of content and may also be published in full under the user name you have chosen after completion of the process or even after this online service has been shut down as part of documentation. Therefore, please use a pseudonym that does not allow third parties to identify you. The evaluation is carried out by us or by other commissioned partners (universities, institutes and research colleges).

If you, as a user of this online service, include personal data (e.g. your email or postal address) in your content (e.g. in the discussion posts or comments you create), we or our commissioned moderators will remove it. You are legally responsible for all content you provide.

For this function on this page, in addition to your contributions, information about the time of creation of the contribution, your email address and, if you do not post anonymously, the user name you have chosen will also be stored.

Our comment function stores the IP addresses of users who post comments. As we can only check comments on this website to a limited extent before they are published, we need this data in order to be able to take action against the author in the event of legal violations such as insults or propaganda. 

The posts and the associated data are stored and remain on this website until the commented content has been completely deleted or the posts have to be deleted for legal reasons (e.g. offensive comments). The comments are completely deleted after 5 years at the latest.

The posts are stored on the basis of your consent (Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG). You can revoke your consent at any time. To do so, simply send us an informal email. The legality of the data processing that has already taken place remains unaffected by the revocation. 

 

B.1.7.4.2 Moderation

We or the moderators commissioned by us supervise activated (active) dialogues on this online offering or respond directly to enquiries that you can send to us in the activated areas of the offering.
In addition to deleting personal data in posts or comments, the moderators may hide posts that do not comply with the dialogue rules or change them in consultation with you.
The content of the hidden original post will be stored for up to four weeks after the end of the online phase of each dialogue for internal traceability purposes.
If we commission external moderation, the external moderator is obliged to comply with data protection regulations to the same extent as we are and offers us a contractual guarantee for the secure, reliable and purpose-specific use of personal data.

The moderation of posts is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in providing accurate, neutral information and complying with legal regulations for the protection of individuals.

 

B.1.8 Event registration

If a registration form for on-site events is temporarily offered via our website and you use it to register for the event, the information you provide will be sent to us by email and used by us for the purpose of preparing, following up on and conducting the event. We reserve the right to process registrations for our events via the service provider pretix GmbH, Berthold-Mogel-Straße 1, 69126 Heidelberg. Information on data protection from the aforementioned provider can be found here:
https://pretix.eu/about/en/privacy

Once the follow-up has been completed, your data (your email address and first and last name) will be deleted, unless you have given your express consent for further storage and processing, for example for the purpose of holding future events.

Your data is stored on the basis of contract fulfilment (Art. 6 para. 1 lit. b GDPR) and consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent at any time. To do so, simply send us an informal email. The legality of the data processing already carried out remains unaffected by the revocation.

 

B.1.9 Newsletter (schneller-durch-hamburg.de)

If you would like to subscribe to the newsletter offered on the website schneller-durch-hamburg.de, we require your email address and information that allows us to verify that you are the owner of the email address provided and that you agree to receive the newsletter. Further data will not be collected or will only be collected on a voluntary basis.

We use CleverReach to send newsletters. The provider is CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany (hereinafter "CleverReach"). CleverReach is a service that can be used to organise and analyse newsletter distribution. The data you enter for the purpose of subscribing to the newsletter (e.g. email address) is stored on CleverReach's servers in Germany or Ireland. 

Our newsletters sent with CleverReach enable us to analyse the behaviour of the newsletter recipients. Among other things, we can analyse how many recipients opened the newsletter and how often which link in the newsletter was clicked. With the help of conversion tracking, it is also possible to analyse whether a predefined action (e.g. purchase of a product on this website) took place after clicking on the link in the newsletter. Further information on data analysis by CleverReach newsletters can be found at: https://www.cleverreach.com/en-de/newsletter-tool/newsletter-reporting/.

Data processing is based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations already carried out remains unaffected by the revocation. 

If you do not want CleverReach to analyse your data, you must unsubscribe from the newsletter. We provide a link for this purpose in every newsletter. 

The data you provide for the purpose of receiving the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and will be deleted from the newsletter distribution list after you unsubscribe. Data stored by us for other purposes remains unaffected. 

After you unsubscribe from the newsletter distribution list, your email address may be stored by us or the newsletter service provider in a blacklist if this is necessary to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interests and our interests in complying with the legal requirements for sending newsletters (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). There is no time limit for storage in the blacklist. You can object to the storage if your interests outweigh our legitimate interest.

For more details, please refer to CleverReach's privacy policy at: https://www.cleverreach.com/en-de/privacy-policy/.

 

B.2 Social media presence of Hamburger Hochbahn AG

This privacy policy applies to the following social media presences:

 

B.2.1 Data processing by social networks 

We maintain publicly accessible profiles on social networks. The specific social networks we use are listed below. 

Social networks can usually analyse your behaviour as a user comprehensively when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). Visiting our social media sites triggers numerous data processing operations relevant to data protection. Specifically:

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies stored on your device or by recording your IP address.

With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you both within and outside the respective social media presence. If you have an account with the respective social network, interest-based advertising can be displayed on all devices on which you are or were logged in.

Please also note that we cannot track all processing operations on social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and privacy policies of the respective social media portals.


B.2.1.1 Legal basis

Our social media presence is intended to ensure the most comprehensive presence possible on the internet. This is a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. The analysis processes initiated by the social networks may be based on different legal bases, which must be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6 para. 1 lit. a GDPR).


B.2.1.2 Controller and assertion of rights

When you visit one of our social media sites, we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can assert your rights (information, correction, deletion, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal. 

Please note that, despite our joint responsibility with the social media portal operators, we do not have full control over the data processing operations of the social media portals. Our options are largely determined by the corporate policy of the respective provider.

You have the right to obtain information about the origin, recipient and purpose of your stored personal data at any time and free of charge. You also have the right to object, the right to data portability and the right to lodge a complaint with the competent supervisory authority. Furthermore, you may request the correction, blocking, deletion and, under certain circumstances, the restriction of the processing of your personal data.


B.2.1.3 Storage period

The data collected directly by us via our social media presence will be deleted from our systems as soon as you request deletion, revoke your consent to storage or the purpose for data storage no longer applies. Stored cookies remain on your device until you delete them. Mandatory legal provisions – in particular retention periods – remain unaffected.

We have no influence on the storage period of your data stored by the operators of social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their privacy policy, see below).


B.2.2 Social networks in detail

B.2.2.1 Instagram

We operate the "Hamburger Hochbahn AG" profile on Instagram. This service is provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://www.facebook.com/legal/EU_data_transfer_addendum, https://help.instagram.com/519522125107875 and
https://www.facebook.com/help/566994660333381.

For details, please refer to Instagram's privacy policy:
https://help.instagram.com/519522125107875.

Meta is certified under the EU-U.S. Data Privacy Framework. Additional information can be found under point C. EU-U.S. Data Privacy Framework.


B.2.2.2 Facebook

We operate the "HOCHBAHN Career" profile on Facebook. This service is provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereinafter referred to as Meta). According to Meta, the data collected is also transferred to the USA and other third countries.

We have entered into a joint processing agreement (Controller Addendum) with Meta. This agreement specifies which data processing operations we and Meta are responsible for when you visit our Facebook page. You can view this agreement at the following link:
https://www.facebook.com/legal/terms/page_controller_addendum.

You can adjust your advertising settings yourself in your user account. To do so, click on the following link and log in:
https://www.facebook.com/settings?tab=ads.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://www.facebook.com/legal/EU_data_transfer_addendum and
https://www.facebook.com/help/566994660333381.

For details, please refer to Facebook's privacy policy:
https://www.facebook.com/about/privacy/.

Meta is certified under the EU-U.S. Data Privacy Framework. Additional information can be found under point C. EU-U.S. Data Privacy Framework.


B.2.2.3 X

We use the short message service X. The provider is the parent company X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The X Internet Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland, is responsible for data processing for persons living outside the USA.

You can adjust your X privacy settings yourself in your account. To do so, click on the following link and log in:
https://x.com/settings/account/personalization.

Data transfer to the United States is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://gdpr.x.com/en/controller-to-controller-transfers.html.

For details, please refer to X's privacy policy:
https://x.com/de/privacy.

X Corp. is certified under the EU-U.S. Data Privacy Framework. Additional information can be found under point C. EU-U.S. Data Privacy Framework.


B.2.2.4 Mastodon (norden.social)

For the short message service Mastodon, we use the technical platform and services provided by the association norden.social e.V., Zum Sebaldsbrücker Bahnhof 1, 28309 Bremen, Germany (hereinafter: “norden.social”). We therefore refer to the privacy policy of norden.social. Information about which data is processed by norden.social and for what purposes can be found in the privacy policy of norden.social. We do not collect or store any data ourselves in the context of the Mastodon social media service. We would like to point out that you use the Mastodon short message service and its functions at your own responsibility.

 

B.2.2.5 XING

We have a profile on XING. The provider is New Work SE, Am Strandkai 1, 20457 Hamburg, Germany.

For details on how they handle your personal data, please refer to XING's privacy policy:
https://privacy.xing.com/de/datenschutzerklaerung.


B.2.2.6 LinkedIn

We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

LinkedIn uses advertising cookies. If you wish to disable LinkedIn advertising cookies, please use the following link:
https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Data transfer to the United States is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://www.linkedin.com/legal/l/dpa and
https://www.linkedin.com/legal/l/eu-sccs.

For details on how they handle your personal data, please refer to LinkedIn's privacy policy:
https://www.linkedin.com/legal/privacy-policy.

LinkedIn is certified under the EU-U.S. Data Privacy Framework. Additional information can be found under point C. EU-U.S. Data Privacy Framework.


B.2.2.7 YouTube

We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For details on how they handle your personal data, please refer to YouTube's privacy policy:
https://policies.google.com/privacy?hl=en.

Google is certified under the EU-U.S. Data Privacy Framework. For more information, see section C. EU-U.S. Data Privacy Framework.

 

B.3 Your application to Hamburger Hochbahn AG

We offer you the opportunity to apply for a position with us. You can do this by post, email or via our career portal at https://www.hochbahn.de/de/karriere. Below, we provide information about the scope, purpose and use of your personal data collected as part of the application process. We assure you that your data will be collected, processed and used in accordance with applicable data protection law and all other legal provisions, and that your data will be treated as strictly confidential.

Hamburger Hochbahn AG uses the onlyfy one (by XING) platform provided by New Work SE, Am Strandkai 1, 20457 Hamburg, Germany to process applications. Further information on data protection when registering on the Hamburger Hochbahn AG career portal can be found here:
https://hochbahn.onlyfy.jobs/policy.


B.3.1 Scope and purpose of data collection

When you send us an application, we process your associated personal data (e.g. contact and communication data, application documents, notes taken during interviews, etc.) to the extent necessary to decide whether to establish an employment relationship. The processing of personal data in the context of an application procedure is based on Art. 6 para. 1 lit. b GDPR in conjunction with § 26 Bundesdatenschutzgesetz (Federal Data Protection Act, hereinafter: “BDSG”, initiation and implementation of the employment relationship) and Art. 6 para. 1 lit. c GDPR (legal obligation to process employee data). In certain cases, we process your data to protect a legitimate interest of ours or of third parties (Art. 6 para. 1 lit. f GDPR). A legitimate interest exists, for example, if your data is necessary for the assertion, exercise or defence of legal claims in the context of the application process (e.g. claims under the Allgemeines Gleichbehandlungsgesetz (General Equal Treatment Act)). In the event of a legal dispute, we have an overriding legitimate interest in processing the data for evidence purposes.

If you provide information in your application documents that contains special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g. information that allows conclusions to be drawn about your sexual orientation; information about your health; information that allows conclusions to be drawn about your ethnic origin or religion), we will also only process this data within the legally permissible framework.


B.3.2 Registration for application management

You can register for application management at www.hochbahn.de under the "Careers" section. We will only use the data you enter for the purpose of using this service. Further information on data protection when registering on the Hamburger Hochbahn AG career portal can be found here:
https://hochbahn.onlyfy.jobs/policy.


B.3.3 Data retention period

If we are unable to offer you a position, you decline a job offer or withdraw your application, we reserve the right to store the data you have provided for up to 6 months from the end of the application process (rejection or withdrawal of the application) on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR). The data will then be deleted and the physical application documents destroyed. The storage serves in particular for evidence purposes in the event of a legal dispute. If it is apparent that the data will be required after the six-month period has expired (e.g. due to an impending or pending legal dispute), deletion will only take place when the purpose for further storage no longer applies.

Data may also be stored for a longer period if you have given your consent (Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a GDPR as well as § 26 para. 2 BDSG) or if statutory retention obligations prevent deletion.


B.4 Video surveillance by Hamburger Hochbahn AG

B.4.1 Surveillance with permanently installed cameras in buildings and vehicles

Video surveillance in our facilities and vehicles is an important security measure for preventing and prosecuting criminal offences. Video surveillance is carried out to enforce our property rights, prevent criminal offences and assert, exercise or defend legal claims. The legal basis for video surveillance is Art. 6 para. 1 lit. f GDPR, whereby our interests arise from the aforementioned purposes. In addition, as a transport company, we have a legitimate interest in ensuring the safety of passengers and employees when using our vehicles and facilities. Insofar as special categories of personal data are processed, this is done on the basis of Art. 9 para. 2 lit. f in conjunction with Art. 6 para. 1 lit. f GDPR.

The images from video surveillance in our facilities and vehicles are recorded on a so-called "ring buffer" for a maximum of 72 operating hours (depending on the vehicle type or operating facility). This data is therefore constantly overwritten automatically, unless the recording has been retrieved or backed up within the maximum recording period for the purpose of investigating criminal offences or special incidents. 

In the course of monitoring construction sites, contractors may be commissioned to carry out video surveillance.

 

B.4.2 Documentation of events with mobile cameras (so-called bodycams)

Body-worn cameras (so-called bodycams) may be used by the inspection and security services, in particular for the purpose of investigating and preventing criminal offences, protecting the life, health and freedom of employees and passengers, securing evidence of incidents and prosecuting criminal offences. The video recording also includes the corresponding audio recording.

Where necessary, those affected will be informed in individual cases that the camera is being switched on. The legal basis for the use of bodycams is Art. 6 para. 1 lit. f GDPR, whereby our interests arise from the aforementioned purposes. In addition, as a transport company, we have a legitimate interest in ensuring the safety of passengers and employees when using our vehicles and facilities. Insofar as special categories of personal data are processed, this is done on the basis of Art. 9 para. 2 lit. f in conjunction with Art. 6 para. 1 lit. f GDPR. The recordings are automatically deleted unless they are required for law enforcement or evidentiary purposes. Recordings made are automatically transferred to a secure server at the end of the shift and are stored there for a maximum of 14 days. After this period, they are automatically deleted in an audit-proof manner, unless the recording is required for law enforcement or evidentiary purposes.
If a recording is secured as evidence (e.g. for handover to the police or public prosecutor's office), it will only be stored for as long as necessary for this purpose and will then be deleted.

 

B.4.3 Disclosure of video recordings

Within the ownership structure of Hamburger Hochbahn AG, Hamburger Hochbahn-Wache GmbH, Hühnerposten 1, 20097 Hamburg, is responsible for evaluating video data. Video data may be passed on to investigative or law enforcement authorities in the event of suspected criminal offences as part of investigations. However, this only happens if there is a legal basis for such disclosure. This may be the case, in particular, if the police or other security authorities take action as part of so-called hazard prevention and request access to the video surveillance data.

 

B.5 Increased transport charges

For the purpose of managing personal data of passengers who violate the conditions of carriage, the following data is processed:

  • Surname, first name, date of birth, place of birth, gender
  • Contact details (place of residence, postcode, street, house number)
  • Incident data (e.g. date, time, line, inspection stop, ID details, ticket type, passenger behaviour if applicable, legal representative)

The legal basis is Art. 6 para. 1 lit. b GDPR; processing is carried out for the performance of a contract to which the data subject is party. In order to fulfil the contract of carriage between Hamburger Hochbahn AG and the passenger, data processing is necessary with regard to compliance with the conditions of carriage and fare regulations. The contractual basis is the Joint Conditions of Carriage, fare regulations and fares in the Hamburg Transport Association (hereinafter referred to as "hvv Community Tariff") in their currently valid version.

Processing is additionally carried out on the basis of Art. 6 para. 1 lit. f GDPR in order to safeguard the overriding legitimate interests of the responsible body. Hamburger Hochbahn AG has a legitimate interest in ensuring that all passengers comply with the conditions of carriage and fare regulations, in particular that they have a valid ticket. Customers who violate these regulations may be subject to an increased fare or a contractual penalty in accordance with the existing regulations. Personal data and incident data are processed in this context.

Hamburger Hochbahn-Wache GmbH, Hühnerposten 1, 20097 Hamburg, is responsible for processing the increased fare within the Hamburger Hochbahn AG group of companies. Possible recipients of the data are debt collection agencies, investigating authorities and law firms.

As your contractual partner, Hamburger Hochbahn AG processes and stores your personal data only for as long as is necessary to fulfil its contractual and legal obligations. Personal data will be deleted after two years in accordance with the hvv Community Tariff, provided that no further violation of the hvv Community Tariff is detected, unless its (temporary) continued storage is necessary to fulfil legal obligations (e.g. retention obligation in accordance with § 257 of the Handelsgesetzbuch (German Commercial Code) or § 147 of the Abgabenordnung (German Fiscal Code)).

 

B.6 Communication with Hamburger Hochbahn AG

Information on communicating with us via our website can be found in section B.1.7 of this privacy policy.

 

B.6.1 Enquiries by e-mail, telephone or fax

If you contact us by e-mail, telephone or fax, your enquiry, including all resulting personal data (name, enquiry), will be stored and processed by us for the purpose of processing your request. 

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR, provided that your enquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective processing of enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR), if this has been requested.

The data you send us will remain with us until you request us to delete it, revoke your consent to its storage, or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory legal provisions – in particular statutory retention periods – remain unaffected.

When processing enquiries and complaints that you send us, this data may be forwarded to the departments responsible for handling the respective issues and questions. This primarily concerns forwarding to other transport companies in the hvv that have provided the transport service or are responsible for certain sales channels and infrastructure operations. Depending on the nature and content of an enquiry or complaint, it may also be forwarded to other departments dealing with the matter in question. This applies in particular to the affiliated companies of Hamburger Hochbahn AG. However, it also includes, for example, P + R Betriebsgesellschaft mbH, Stadtreinigung Hamburg (Hamburg City Cleaning) and the relevant authorities. Forwarding only takes place to the extent that it is necessary and expedient for the processing of the request. We base such forwarding to other competent bodies for the purpose of processing enquiries and complaints on an overriding legitimate interest on our part (Art. 6 para. 1 lit. f GDPR). Forwarding enables the quick and comprehensive processing of the matter in question by the body that also has the information required for processing. It relieves you, as a customer, of the need to find out in advance about the distributed responsibilities within the hvv or within the ownership structure of Hamburger Hochbahn AG. We do not see any conflicting overriding legitimate interest, as the enquiries and complaints in question are submitted to us precisely with the aim and desire that they be processed by the responsible body.

 

B.6.2 Audio and video conferences

We use online conference tools, among other things, for communication purposes. The specific tools we use are listed below. If you communicate with us via video or audio conference over the internet, your personal data will be collected and processed by us and the provider of the respective conference tool.

The conference tools collect all data that you provide or enter in order to use the tools (e-mail address and/or your telephone number). Furthermore, the conference tools process the duration of the conference, the start and end (time) of participation in the conference, the number of participants and other "context information" related to the communication process (metadata).

Furthermore, the provider of the tool processes all technical data necessary for the processing of online communication. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or loudspeaker, and the type of connection. 

If content is exchanged, uploaded or otherwise made available within the tool, it is also stored on the tool provider's servers. Such content includes, in particular, cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards and other information shared during use of the service.

Please note that we do not have full control over the data processing operations of the tools used. Our options are largely determined by the corporate policy of the respective provider. For further information on data processing by the conference tools, please refer to the privacy policies of the respective tools, which we have listed below this text.

The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6 para. 1 lit. b GDPR). Furthermore, the use of the tools serves to generally simplify and accelerate communication with us or our company (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). If consent has been requested, the use of the relevant tools is based on this consent; consent can be revoked at any time with effect for the future.

The data collected directly by us via the video and conference tools will be deleted from our systems as soon as you request us to delete it, revoke your consent to its storage or the purpose for its storage no longer applies. Stored cookies remain on your device until you delete them. Mandatory legal retention periods remain unaffected.

We have no influence on the storage period of your data stored by the operators of the conference tools for their own purposes. For details, please contact the operators of the conference tools directly.

We use the following conference tools:

We use Microsoft Teams. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland ("Microsoft"). For details on data processing, please refer to the Microsoft Teams privacy policy:
https://privacy.microsoft.com/en-us/privacystatement.

Microsoft is certified under the EU-U.S. Data Privacy Framework. Additional information can be found under point C. EU-U.S. Data Privacy Framework.

 

B.7 WhatsApp channel of Hamburger Hochbahn AG

We operate the public WhatsApp channel "HOCHBAHN" to provide information about activities and offers. The service is provided by: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. WhatsApp is a company of Meta Platforms Inc., USA.

Data processing by WhatsApp

When you follow our WhatsApp channel or interact with posts (e.g. by reacting to them), WhatsApp processes personal data on its own responsibility, in particular:

  • Technical usage data (e.g. IP address, device information, timestamp)
  • Interaction data (e.g. clicks on content, reactions)
  • Profile information that you have stored in WhatsApp (e.g. profile name or profile photo), insofar as this is visible to us based on your privacy settings.

We ourselves do not have access to your telephone number and cannot send you direct messages. When you visit the channel, your data is always processed by WhatsApp or Meta for their own purposes.
Further information can be found here:
https://www.whatsapp.com/legal/privacy-policy.

WhatsApp determines the storage period for the data independently. We do not store any personal data from the channel.

Data processing by Hamburger Hochbahn AG

Hamburger Hochbahn AG does not store any personal data that WhatsApp provides us from the channel. We only receive aggregated statistics (e.g. number of subscribers, reach). The legal basis for our processing is Art. 6 para. 1 lit. f GDPR (legitimate interest in public relations and information).

You can object to processing within the channel at any time by unsubscribing or leaving the channel.

 

B.8 Handling of legal claims

If you communicate with us in connection with the processing of legal claims, in particular in connection with accidents, the information under B.6 applies.

If you assert a claim for damages and/or monetary compensation against us or we assert such a claim against you, we require certain information from you in order to assess the claim. We require this information in order to be able to check, for example, whether a loss has occurred, how high the loss is and whether and to what extent liability exists. It is not possible to examine the claim asserted without processing your personal data. This involves the following categories of data: personal data (e.g. name, address, contact details); including special categories (e.g. health data) where applicable. The legal basis for this processing of personal data is Art. 6 para. 1 lit. c GDPR. If special categories of personal data (e.g. your health data) are required for this purpose, we will generally obtain your consent in accordance with Art. 9 para. 2 lit. a in conjunction with Art. 7 GDPR.

Insurance companies

Claims are settled either by us or by insurance companies from which we have purchased cover. For liability cases, this is the Haftpflichtgemeinschaft Deutscher Nahverkehrs- und Versorgungsunternehmen (HDN) or the Haftpflichtgemeinschaft Deutscher Nahverkehrs- und Versorgungsunternehmen Allgemein (HDNA) VvaG, both based at Arndtstraße 26, 44787 Bochum, Germany. We have insured other risks with other insurance companies. In the event of a claim, it is necessary to forward your claim details to HDN/HDNA or other insurance companies so that they can check whether the damage incurred is covered. In addition, HDN/HDNA or other insurance companies may support our company with their special expertise in assessing benefits and evaluating procedures. 

External service providers, in particular solicitors

In order to fulfil our legal and contractual obligations, namely the examination, pursuit and defence of claims, we sometimes use external service providers, namely solicitors.

Other recipients

In addition, we may transfer your personal data to other recipients, such as health insurance companies and authorities, in order to fulfil statutory notification obligations (e.g. social security institutions, financial or law enforcement authorities).

 

B.9 Whistleblower system

We use the "easyline" whistleblower system provided by Compliance Kompakt GmbH, Stresemannstraße 1, 21335 Lüneburg. 

The easyline whistleblower system is an internal reporting channel within the meaning of Directive (EU) 2019/1937 (the Whistleblower Directive), which is implemented in Germany by the Hinweisgeberschutzgesetz (Whistleblower Protection Act, hereinafter: "HinSchG"). It serves to give our employees, business partners, customers and other persons who come into contact with Hamburger Hochbahn AG in the course of their professional activities the opportunity to report facts that have come to their attention and that indicate serious misconduct within our company. For this purpose, your data will be processed if you provide it to us. However, you can also remain anonymous when making a report, as you can when communicating with us in other ways.

We only collect and process personal data that you disclose in your report. We do not have access to your IP address. Cookies are not set. The data concerned is therefore your personal data (if you do not submit an anonymous report) and the personal data of third parties, where this is apparent in your report.

The personal data you disclose will be processed for the purpose of evaluating your report and any subsequent case handling by internal or external case handlers who are bound to confidentiality.

We recommend that you submit your report anonymously. If you disclose your identity despite our recommendation, we will treat your data as strictly confidential. However, it cannot be ruled out that third parties affected by your report may have to be informed of the source of the data concerning them in accordance with Art. 14 GDPR. It is therefore possible that those affected may be informed of your identity. If necessary, this notification must be made within one month of the report, as is generally required by law, but at the latest when it no longer seriously impairs the investigation of the facts or the necessary measures. You should take this into account when deciding whether to disclose your identity.

If you disclose your data, you thereby implicitly declare your consent to its processing in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke this consent in accordance with Art. 7 GDPR; however, this is ineffective if the data has been passed on with your consent and the aforementioned notification of affected third parties has already taken place.

We also cannot rule out the possibility that your data may have to be disclosed to an authority or court in accordance with applicable law (Art. 6 para. 1 lit. c GDPR).

Please limit the entry of personal data of third parties to what is absolutely necessary for the evaluation and processing of your report.

The legal basis for the processing of third-party personal data, which is essential for the evaluation of your report and the possible subsequent case processing, is our overriding legitimate interest in being able to investigate internal grievances and to ensure effective and anonymous processing (Art. 6 para. 1 lit. f GDPR). Taking into account the legal obligation to which we are subject (Art. 6 para. 1 lit. c GDPR) to provide a reporting channel, we cannot see any conflicting legitimate interest.

Your report and any subsequent communication with you is stored in encrypted form in the IT system and is not accessible to unauthorised persons. The sole key to protected communication consists of a case ID and a password, which are generated by the system after you submit your report and communicated to you. You are requested to log in at regular intervals using your password and the case ID assigned to your report in order to take note of messages from our case handlers and answer any questions. We and any internal or external case handlers commissioned by us have password-protected access to communicate with you.

For necessary internal investigations of the facts, external case handlers commissioned by us and bound to particular confidentiality may be informed about the content of the report and the subsequent communication with the respective whistleblowers.

We ensure the security of the data we collect and process by taking technical and organisational measures to guarantee this protection. Only we or, if applicable, case workers designated by us have access to the content of the reports. This may be a qualified external body, such as a law firm, or a case worker from our company who is bound to secrecy and is independent. The content of your reports is immediately encrypted and stored on the platform. Any subsequent communication with you is also encrypted. Decryption only takes place when you log in with your case ID and password or when case handlers from our side log in.

The platform's IT administrator and host do not have access to the content of the report or communication with you at any time. The servers on which the reports are stored are located in the Federal Republic of Germany. The processing of personal data by IT administrators and hosts is carried out on our behalf and strictly in accordance with our instructions on the basis of corresponding contracts for order processing in accordance with Art. 28 GDPR.

The data contained in the report and further communication will not be transferred outside the EU/EEA at any time.

If you have provided us with your personal data in the dialogue, it will be stored for as long as is necessary to investigate and make a final assessment of the reported matter. Once the report has been processed, this data will be deleted in accordance with legal requirements.

 

 

C. EU-U.S. Data Privacy Framework

We also use service providers who are certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF). The EU-U.S. DPF is an agreement between the European Union and the United States that is intended to ensure compliance with European data protection standards when data is processed in the United States. Every company certified under the EU-U.S. DPF undertakes to comply with these data protection standards. Further information on this can be found at the following link: https://www.dataprivacyframework.gov/. If a company is certified under the EU-U.S. DPF, data is transferred to the United States in accordance with Art. 45 GDPR on the basis of an adequacy decision by the European Commission dated 10 July 2023. Such an adequacy decision makes it possible to transfer personal data from the EU to the third country in question without the need for further transfer instruments or additional measures.

 

 

D. Data protection rights

The GDPR grants certain rights to data subjects whose personal data is processed by us, which we would like to explain to you here. If you have any questions about this or other data protection issues at Hamburger Hochbahn AG, please feel free to contact us as the responsible body or our data protection officer. You will find the contact details in section A.

 

D.1 Information, deletion and correction

You have the right to request information about your personal data stored by us at any time and free of charge. This includes information about the purpose of the processing, the category of data used, its recipients and the planned duration of data storage or the criteria for determining this duration. Furthermore, you have the right to have the data deleted and/or corrected, in particular if the data is incomplete or incorrect, is no longer necessary for the purpose for which it was collected, or if you have revoked your consent to its processing.

 

D.2 Withdrawal of consent

If data processing is carried out with your consent, you can revoke this consent at any time. An informal notification by e-mail is sufficient for this purpose. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation.

 

D.3 Right to object

If data processing is carried out on the basis of a legitimate interest on our part, you have the right to object to the data processing. This requires reasons arising from your particular situation (Art. 21 para. 1 GDPR).

 

D.4 Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. The right to restriction of processing exists in the following cases:

  • If you dispute the accuracy of your personal data stored by us, we usually need time to verify this. For the duration of the verification, you have the right to request the restriction of the processing of your personal data.
  • If the processing of your personal data was or is unlawful, you can request the restriction of data processing instead of deletion.
  • If we no longer need your personal data, but you need it to exercise, defend or assert legal claims, you have the right to request the restriction of the processing of your personal data instead of its deletion.
  • If you have lodged an objection pursuant to Art. 21 para. 1 GDPR, a balance must be struck between your interests and ours. As long as it is not yet clear whose interests prevail, you have the right to request the restriction of the processing of your personal data.

 

D.5 Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to a third party in a structured, commonly used and machine-readable format. If you request the direct transfer of the data to another controller, this will only be done if it is technically feasible.

 

D.6 Right to lodge a complaint with a supervisory authority

If you believe that the processing of your personal data violates data protection law, you can lodge a complaint with the competent supervisory authority, without prejudice to any other administrative or judicial remedy. The competent supervisory authority is:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit 
(The Hamburg Commissioner for Data Protection and Freedom of Information)
Ludwig-Erhard-Straße 22
20459 Hamburg
Germany
Email: mailbox@datenschutz.hamburg.de
Website: datenschutz-hamburg.de