Data protection information of Hamburger Hochbahn AG

In accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), we hereby inform you about the processing of your personal data by us and about the rights to which you are entitled in this context.

A. Who is responsible for data processing and whom can I contact?

 
The data controller is:

Hamburger Hochbahn AG
Steinstraße 20
20095 Hamburg

Phone: +49 40 3288-0
E-mail: info@hochbahn.de

You can reach the appointed data protection officer at:

Hamburger Hochbahn AG
Stabsstelle Datenschutz (Data Protection Security Unit)
Steinstraße 20
20095 Hamburg

Telephone: +49 40 3288-2316
E-mail: datenschutzbeauftragter@hochbahn.de

B. What data do we process and for what purpose?

Below we describe for what purposes and how we process your data. We provide information here about:

1. Use of our Internet offering hochbahn.de
2. Our social media presence
3. Your application to Hamburger Hochbahn AG
4. Video surveillance in the buildings and vehicles of Hamburger Hochbahn AG
5. News transmission via Telegram or Notify
6. Communication with Hamburger Hochbahn AG

1. Use of our Internet offering hochbahn.de

1.1 SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as site operator.

You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

1.2 Cookies

Our internet pages use so-called "cookies". Cookies are small text files and do not cause any damage to your terminal device. They are stored either temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your end device. Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or until they are automatically deleted by your web browser.

In some cases, cookies from third-party companies may also be stored on your terminal device when you enter our site (third-party cookies). These enable us or you to use certain services of the third-party company (e.g., cookies for processing payment services).

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g., the display of videos). Other cookies are used to evaluate the behaviour of users or to display advertising.

Cookies that are necessary to carry out the electronic communication process (necessary cookies) or to provide certain functions you have requested (functional cookies) or to optimise the website (e.g., cookies to measure the web audience) are stored based on Art. 6 para. 1 lit. f GDPR, unless another legal basis is specified. The website operator has a legitimate interest in storing cookies for the technically error-free and optimised provision of its services. If consent to the storage of cookies has been requested, the storage of the cookies in question is based exclusively on this consent (Art. 6 para. 1 lit. a GDPRand § 25 para. 1 Telecommunications Telemedia Data Protection Act (TTDSG)); consent can be revoked at any time.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases. Furthermore, you can exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of this website may be limited.

If cookies are used by third-party companies or for analysis purposes, we will inform you about this separately within the framework of this data protection declaration and, if necessary, request your consent.

1.3 Consent with Usercentrics

This website uses the consent technology of Usercentrics to obtain your consent to the storage of certain cookies on your end device or to the use of certain technologies and to document this in a data protection compliant manner. The provider of this technology is Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, website: https://usercentrics.com (hereinafter "Usercentrics").

When you access our website, the following personal data is transferred to Usercentrics:

• Your consent(s) or the revocation of your consent(s)
• Your IP address
• Information about your browser
• Information about your terminal
• Time of your visit to the website

Furthermore, Usercentrics stores a cookie in your browser in order to be able to allocate the consents granted to you or their revocation. The data collected in this way is stored until you request us to delete it, delete the Usercentrics cookie yourself or the purpose for storing the data no longer applies. Mandatory legal storage obligations remain unaffected.

Usercentrics is used to obtain the legally required consent for the use of certain technologies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.

Job processing

We have concluded a contract on order processing (DPA) with the above-mentioned provider. This is a contract required by data protection law, which ensures that the provider only processes the personal data of visitors to our website in accordance with our instructions and in compliance with the GDPR.

1.4 Server log files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

• Browser type and version
• Operating system used
• Referrer URL
• Host name of the accessing computer
• Time of the server request
• IP address

This data is not merged with other data sources.

The collection of this data is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website - for this purpose, the server log files must be collected.

1.5 Use of plugins and tools

1.5.1 Integration of Google Maps

This site uses the map service Google Maps. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transmitted to a Google server in the Unites States and stored there. The provider of this site has no influence on this data transmission. If Google Maps is activated, Google may use Google Fonts for the purpose of uniform font display. When you call up Google Maps, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly.

The use of Google Maps is in the interest of an appealing presentation of our online offers and an easy location of the places indicated by us on the website. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Insofar as a corresponding consent has been requested, the processing is carried out exclusively based on Art. 6 para. 1 lit. a GDPRand § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in your terminal device (e.g., device fingerprinting) within the meaning of the TTDSG. The consent can be revoked at any time.

Data transfer to the Unites States is based on the standard contractual clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.

More information on the handling of user data can be found in Google's privacy policy: https://policies.google.com/privacy?hl=en.

1.5.2 Integration of YouTube videos

This website embeds videos from the website YouTube. The website is operated by Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

We use YouTube in extended data protection mode. According to YouTube, this mode means that YouTube does not store any information about visitors to our website before they watch the video. However, the transfer of data to YouTube partners is not necessarily excluded by the extended data protection mode. Thus, YouTube establishes a connection to the Google DoubleClick network - regardless of whether you watch a video.

As soon as you start a YouTube video on this website, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account.

Furthermore, after starting a video, YouTube may store various cookies on your end device or use comparable recognition technologies (e.g., device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to collect video statistics, improve the user experience and prevent fraud attempts.

If necessary, further data processing operations may be triggered after the start of a YouTube video, over which we have no influence.

YouTube is used in the interest of an appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Insofar as a corresponding consent has been requested, the processing is carried out exclusively based on Art. 6 para. 1 lit. a GDPRand § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in your terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. The consent can be revoked at any time.

For more information about privacy at YouTube, please see their privacy policy at:
https://policies.google.com/privacy?hl=en.

1.5.3 Authentication with Google reCaptcha

We use "Google reCAPTCHA" (hereinafter "reCAPTCHA") on this website for authentication. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

The purpose of reCAPTCHA is to check whether the data entry on this website is made by a human or by an automated programme. For this purpose, reCAPTCHA analyses the behaviour of the website visitor based on various characteristics. This analysis begins automatically as soon as our website is entered. For the analysis, reCAPTCHA evaluates various information (e.g., IP address, time spent on the website or mouse movements made by users). The data collected during the analysis is forwarded to Google.

The reCAPTCHA analyses run completely in the background. When you visit our website, you will not be notified that an analysis is taking place.

The storage and analysis of the data is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in protecting our web offers from abusive automated spying and from SPAM. Insofar as a corresponding consent has been requested, the processing is carried out exclusively based on Art. 6 para. 1 lit. a GDPRand § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in your terminal device (e.g., device fingerprinting) within the meaning of the TTDSG. The consent can be revoked at any time.

For more information about Google reCAPTCHA, please see the Google Privacy Policy and the Google Terms of Service at the following links:
https://policies.google.com/privacy?hl=en and
https://policies.google.com/terms?hl=en.
 

1.6 Use of analysis tools and advertising

1.6.1 Google Tag Manager

We use the Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

The Google Tag Manager is a tool that enables us to integrate tracking or statistical tools and other technologies on our website. The Google Tag Manager itself does not create user profiles, does not store cookies, and does not perform any independent analyses. It only serves to manage and play out the tools integrated via it. However, the Google Tag Manager collects your IP address, which may also be transmitted to Google's parent company in the Unites States.

The Google Tag Manager is used based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in a quick and uncomplicated integration and management of various tools on our website. Insofar as a corresponding consent has been requested, the processing is carried out exclusively based on Art. 6 para. 1 lit. a GDPRand § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in your terminal device (e.g., device fingerprinting) within the meaning of the TTDSG. The consent can be revoked at any time.

1.6.2 Google Analytics

This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables us to analyse the behaviour of visitors to our website. In doing so, we receive various usage data, such as page views, length of stay, operating systems used and the origin of the users. This data is assigned to the respective end device of our users. An assignment to a user ID does not take place.

Furthermore, Google Analytics allows us to record your mouse and scroll movements and clicks, among other things. Furthermore, Google Analytics uses various modelling approaches to complement the data sets collected and uses machine learning technologies in the data analysis.

Google Analytics uses technologies that enable the recognition of users for the purpose of analysing their behaviour (e.g., cookies or device fingerprinting). The information collected by Google about the use of this website is usually transferred to a Google server in the Unites States and stored there.

The use of this service is based on your consent according to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. The consent can be revoked at any time.

Data transfer to the Unites States is based on the EU Commission's standard contractual clauses. Details can be found here:
https://privacy.google.com/businesses/controllerterms/mccs/.

Browser plugin

You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link:
https://tools.google.com/dlpage/gaoptout?hl=en.

You can find more information on how Google Analytics handles your data in Google's privacy policy:
https://support.google.com/analytics/answer/6004245?hl=en.

Google Signals

We use Google Signals. When you visit our website, Google Analytics collects, among other things, your location, search history and YouTube history, as well as demographic data (data from visitors). This data can be used for personalised advertising with the help of Google Signals. If you have a Google Account, the visitor data from Google Signals will be linked to your Google Account and used for personalised advertising messages. The data is also used to create anonymised statistics on the usage behaviour of our visitors.

Job processing

We have concluded an order processing contract with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.

1.6.3 Google Ads

We use Google Ads. Google Ads is an online advertising programme of Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads enables us to display advertisements in the Google search engine or on third-party websites when users enter certain search terms on Google (keyword targeting). Furthermore, targeted advertisements can be displayed on the basis of user data held by Google (e.g. location data and interests) (target group targeting). As a website operator, we can evaluate this data quantitatively by analysing, for example, which search terms led to the display of our advertisements and how many advertisements led to corresponding clicks.

The use of this service is based on your consent according to Art. 6 para. 1 lit. a GDPRand § 25 para. 1 TTDSG. The consent can be revoked at any time.

Data transfer to the Unites States is based on the EU Commission's standard contractual clauses. Details can be found here:
https://policies.google.com/privacy/frameworks?hl=en-GB and
https://privacy.google.com/businesses/controllerterms/mccs/

1.6.4 Google Looker Studio

We use Google Looker Studio - a software of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Looker Studio is used to manage and visualise data from the aforementioned analysis tools. We can only analyse data in Google Looker Studio if you have allowed the use of the respective tool.

We use Google Looker Studio for marketing and optimisation purposes, in particular to analyse the use of our website and to continuously improve individual functions and offers as well as the user experience. The statistical evaluation of user behaviour enables us to improve our offer and make it more interesting for you as a user.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPRand § 25 para. 1 TTDSG. This consent can be revoked at any time.

Data transfer to the United States is based on the standard contractual clauses of the EU Commission. Details can be found here:

https://privacy.google.com/businesses/gdprcontrollerterms/ and here:
https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.

1.6.5 Deep Media Advertiser Tag

We use the Deep Media Advertiser Tag, a service of Deep Media Technologies GmbH, Hohe Bleichen 8, 20354 Hamburg. The Deep Media Advertiser Tag is a tag management system for managing technologies for marketing and optimisation purposes. It is used in particular to serve ads that are relevant and interesting to you and to improve campaign performance reports.

The use of the Advertiser Tag may involve the processing of pseudonomised online identifiers, such as cookies and click IDs. It is not possible for Deep Media Technologies GmbH to personally identify the user.

The use of this service is based on your consent according to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. This consent can be revoked at any time.

Further information on the use of data by Deep Media Technologies GmbH can be found here:

https://www.deepmedia.de/en/privacy-information-advertiser-tag/

1.7 Contacting Hamburger Hochbahn AG via our Internet service

You have the option of contacting us via our website (www.hochbahn.de/en). The data protection aspects of these contact options are described here. Data protection information on contacting us outside our website can be found under point 6 of this data protection declaration.

1.7.1 Request via contact form

If you send us enquiries via the contact form, your details from the enquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the enquiry and in the event of follow-up questions. We do not pass on this data without your consent.

The processing of this data is based on Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; the consent can be revoked at any time.

The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g., after we have completed processing your enquiry). Mandatory legal provisions - in particular retention periods - remain unaffected.

1.7.2 Chatbot in the career portal

You have the opportunity to get individual questions answered quickly via a free chatbot on the Hamburger Hochbahn AG career portal.

We use the chatbot to answer the questions of interested parties or applicants as quickly as possible. In addition, interested parties or applicants can use digital forms or free input fields in the chatbot to send orders to Hamburger Hochbahn AG for processing. Depending on the content of the request, the chatbot can also send it directly to the service employee responsible for it. In order to enable a later resumption of the conversation, it is evaluated on the basis of its questions and search criteria when the first contact is made.

When visiting the chatbot, personal data of the user is processed. This includes:

• IP address (not stored)
• UserID
• ConversationID
• Data entered by the user

The first time you use the chatbot, you will be assigned a randomly generated UserID. The UserID remains stored in your browser until you delete your browsing history. If you want to use the chatbot again after deleting your browser history, a new randomly generated UserID will be generated. In this case, you may have to re-enter any answers or questions you have previously clicked on or entered. When they use the chatbot again, the UserID is transmitted to it by their browser. This allows them to continue a previously interrupted conversation, search, or input in the chatbot at any time (similar to setting cookies on websites). The conversations, searches, or entries they have started are also generated and stored in the events on their browser. To continuously improve the chatbot, we record events such as "chatbot was displayed" and click events such as "user clicked on answer X". For this purpose, we use conversation IDs, which are generated in the same way as the UserID within the bot's database. It serves as an object identifier and is required for the construction of the bot, as database entries need a unique identifier. Data processing for other purposes (e.g., tracking) does not take place.

We process your data in accordance with Art. 6 para. 1 lit. b GDPR. The legal basis for data processing is a gratuitous contract between you and Hamburger Hochbahn AG. In addition, there is a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in ensuring smooth communication with those interested in our job offers or applicants and in ensuring that our services function properly and can be continuously improved.

If the legal basis for data processing ceases to exist, all personal data entered by you will be deleted. Data that is required for contract processing or is subject to statutory retention periods remains unaffected by this.

Job processing

The chatbot is used within the scope of a commissioned processing according to Art. 28 GDPR. The data processor is Solvemate GmbH, Friedrichstraße 114, 10117 Berlin, Germany. All data is processed exclusively by certified data centre operators within the European Union.

2. Our social media presence

This privacy policy applies to the following social media sites:

• https://de-de.facebook.com/deinhvv/
• https://twitter.com/hochbahn
• https://www.xing.com/pages/hamburgerhochbahnag
• https://www.linkedin.com/company/hamburger-hochbahn-ag
• https://www.youtube.com/channel/UC2c_Dwq09WgBnrKhKblbNOg

2.1 Data processing by social networks

We maintain publicly accessible profiles on social networks. The individual social networks we use can be found below.

Social networks can usually comprehensively analyse your behaviour as a user when you visit their website or a website with integrated social media content (e.g., like buttons or advertising banners). By visiting our social media presences, numerous data protection-relevant processing operations are triggered. In detail:

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. Under certain circumstances, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data collection takes place, for example, via cookies that are stored on your end device or by recording your IP address.

With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, you can be shown interest-based advertising inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are or were logged in.

Please also note that we cannot track all processing operations on the social media portals. Depending on the provider, further processing procedures may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and data protection provisions of the respective social media portals.

2.1.1 Legal basis

Our social media presences are intended to ensure the most comprehensive presence possible on the internet. This is a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. The analysis processes initiated by the social networks may be based on different legal grounds, which must be stated by the operators of the social networks (e.g., consent within the meaning of Art. 6 para. 1 lit. a GDPR).

2.1.2 Responsible party and assertion of rights

If you visit one of our social media sites, we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. In principle, you can assert your rights (information, correction, deletion, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal.

Please note that despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing procedures of the social media portals. Our options are largely determined by the corporate policy of the respective provider.

You have the right to receive information about the origin, recipient and purpose of your stored personal data free of charge at any time. You also have the right to object, to data portability and the right to complain to the competent supervisory authority. Furthermore, you can demand the correction, blocking, deletion and, under certain circumstances, the restriction of the processing of your personal data.

2.1.3 Storage period

The data collected directly by us via the social media presence will be deleted from our systems as soon as you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies. Stored cookies remain on your end device until you delete them. Mandatory legal provisions - in particular retention periods - remain unaffected.

We have no influence on the storage period of your data, which is stored by the operators of the social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g., in their privacy policy, see below).

2.2 Social networks in detail

2.2.1 Facebook

As part of a joint responsibility, we operate a profile on Facebook together with Hamburger Verkehrsverbund GmbH, S-Bahn Hamburg GmbH, and Verkehrsbetriebe  Hamburg-Holstein GmbH. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter Meta). According to Meta, the data collected is also transferred to the Unites States and other third countries.

We have entered into a Joint Processing Agreement (Controller Addendum) with Meta. This agreement specifies the data processing operations for which we or Meta are responsible when you visit our Facebook page. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.

You can adjust your advertising settings independently in your user account. To do so, click on the following link and log in: https://www.facebook.com/settings?tab=ads.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://www.facebook.com/legal/EU_data_transfer_addendum and
https://en-gb.facebook.com/help/566994660333381.

For details, see Facebook's privacy policy:
https://www.facebook.com/about/privacy/.

2.2.2 Twitter

We use the short message service Twitter. The provider is Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland.

You can adjust your Twitter privacy settings yourself in your account. To do so, click on the following link and log in:
https://twitter.com/personalization.

Data transfer to the Unites States is based on the EU Commission's standard contractual clauses. Details can be found here:
https://gdpr.twitter.com/en/controller-to-controller-transfers.html.

For details, see Twitter's privacy policy:
https://twitter.com/de/privacy.

2.2.3 XING

We have a profile on XING. The provider is New Work SE, Am Strandkai 1, 20457 Hamburg, Germany.

For details on how they handle your personal data, please refer to XING's privacy policy:
https://privacy.xing.com/en/privacy-policy.

2.2.4 LinkedIn

We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

LinkedIn uses advertising cookies. If you would like to disable LinkedIn advertising cookies, please use the following link:
https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Data transfer to the Unites States is based on the EU Commission's standard contractual clauses. Details can be found here:
https://www.linkedin.com/legal/l/dpa and
https://www.linkedin.com/legal/l/eu-sccs.

For details on how they handle your personal data, please refer to LinkedIn's privacy policy:
https://www.linkedin.com/legal/privacy-policy.

2.2.5 YouTube

We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For details on how they handle your personal data, please refer to YouTube's privacy policy:
https://policies.google.com/privacy?hl=en.

3. Your application to Hamburger Hochbahn AG

We offer you the opportunity to apply to us (by post or via online application form). In the following, we inform you about the scope, purpose and use of your personal data collected as part of the application process. We assure you that the collection, processing, and use of your data will be carried out in accordance with applicable data protection law and all other statutory provisions and that your data will be treated in strict confidence.

Further information on data protection when registering on the Hamburger Hochbahn AG career portal can be found here:
https://hochbahn.onlyfy.jobs/policy.

3.1 Scope and purpose of data collection

If you send us an application, we process your associated personal data (e.g. contact and communication data, application documents, notes in the context of job interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship. We base the processing of personal data in the context of an application procedure on Art. 6 para. 1 lit. b GDPR (initiation and implementation of the employment relationship) and Art. 6 para. 1 lit. c GDPR (legal obligation to process employee data). In certain cases, we process your data to protect a legitimate interest of us or of third parties (Art. 6 para. 1 lit. f GDPR). A legitimate interest exists, for example, if your data is required for the assertion, exercise, or defence of legal claims in the context of the application procedure (e.g., claims under the General Equal Treatment Act). In the event of a legal dispute, we have an overriding legitimate interest in processing the data for evidence purposes.

If you provide information in your application documents that contains special categories of personal data within the meaning of Art. 9 para. 1 of the GDPR (e.g., information that allows conclusions to be drawn about your sexual orientation; information about your health; information that allows conclusions to be drawn about your ethnic origin or your religion), we will also only process this data within the legally permissible framework.

3.2 Registration for the application management

You can register for the application management service at www.hochbahn.de under the "Karriere" section. We will only use the data entered for this purpose for the purpose of using this service. You can find more information about data protection when registering on the career portal of Hamburger Hochbahn AG here:
https://hochbahn.onlyfy.jobs/policy.

3.3 Retention period of the data

If we are unable to make you a job offer, if you reject a job offer or withdraw your application, we reserve the right to retain the data you have provided on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data will then be deleted and the physical application documents destroyed. This storage serves in particular as evidence in the event of a legal dispute. If it is evident that the data will be required after the six-month period has expired (e.g., due to an impending or pending legal dispute), the data will only be deleted when the purpose for further storage no longer applies.

Longer storage may also take place if you have given your consent (Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a as well as § 26 para. 2 Bundesdatenschutzgesetz (Federal Data Protection Act) or if legal storage obligations prevent deletion.

4. Video surveillance in the buildings and vehicles of Hamburger Hochbahn AG.

An important security measure for the prevention and prosecution of criminal offences is video surveillance in our facilities and vehicles. As a transport company, we have a legitimate interest in ensuring the safety of passengers and employees when using our vehicles and facilities (Art. 6 para. 1 lit. f GDPR).

The video surveillance images in our facilities and vehicles are recorded on a so-called "ring buffer" for a maximum of 72 operating hours (depending on the vehicle type or facility). This means that the data is automatically overwritten at all times, unless the recording is removed or saved within the maximum recording period in order to clarify criminal offences or special incidents.

Video data can be passed on to police investigating authorities in the context of police investigations.

For the purpose of ensuring operational processes and passenger guidance, anonymous people counts are also automatically collected from live video images. This means that no personal data is collected and processed, only counting events. The collected counting data is used to analyse, forecast and improve overcrowding situations as well as stop and transfer times.

5. News transmission via Telegram or Notify

Via our website, you have the option of ordering the dispatch of disruption and blocking messages for our four underground lines via the messaging services "Telegram" or "Notify". We provide this service via MessengerPeople GmbH, Seidlstraße 8, 80335 Munich (hereinafter "MessengerPeople") or via Commify Germany GmbH, Radeberger Straße 1, 01099 Dresden, which we have commissioned with the technical implementation of sending the messages.

The messages are sent via a Telegram or Notify account created in our name. If you sign up for messaging via Telegram and/or Notify via our website according to the instructions described there, MessengerPeople will receive the username deposited with Telegram and/or Notify, your Telegram ID (only when signing up via Telegram), your Notify ID (only when signing up via Notify) and all messages sent to the service. In exceptional cases, subscribers are informed of system changes via SMS.

You have the option to unsubscribe from receiving messages from MessengerPeople via Telegram and/or Notify at any time by sending the message "STOP" to the Telegram or Notify account through which you previously ordered the messaging service.

You may also request deletion of the above data from MessengerPeople at any time by sending the message "DELETE ALL DATA" to the relevant Telegram or Notify account.

Information on the use and operation of the news service implemented by MessengerPeople can also be found in the respective order of the desired news. Detailed information on the use of personal data by MessengerPeople GmbH can also be found in the MessengerPeople data protection information at:
https://www.messengerpeople.com/privacy/.

6. Communication with Hamburger Hochbahn AG

Information on communicating with us via our Internet offer can be found under point 1.7 of this data protection declaration.

6.1 Request by e-mail, telephone or fax

If you contact us by e-mail, telephone or fax, your enquiry including all resulting personal data (name, enquiry) will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent.

The processing of this data is based on Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested.

The data you send to us via contact requests will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g., after we have completed processing your request). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.

6.2 Audio and video conferences

For communication purposes, we use online conference tools, among others. The individual tools we use are listed below. If you communicate with us by video or audio conference via the internet, your personal data will be collected and processed by us and the provider of the respective conference tool.

The conference tools collect all data that you provide/enter to use the tools (e-mail address and/or your telephone number). Furthermore, the conference tools process the duration of the conference, start and end (time) of participation in the conference, number of participants and other "contextual information" related to the communication process (metadata).

Furthermore, the provider of the tool processes all technical data that are necessary for the handling of online communication. This includes in particular IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or loudspeaker and the type of connection.

If content is shared, uploaded or otherwise made available within the tool, it will also be stored on the servers of the tool providers. Such content includes, but is not limited to, cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards and other information shared while using the service.

Please note that we do not have full influence on the data processing procedures of the tools used. Our options are largely determined by the corporate policy of the respective provider. For further information on data processing by the conference tools, please refer to the data protection statements of the respective tools used, which we have listed below this text.

The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6 para. 1 lit. b GDPR). Furthermore, the use of the tools serves the general simplification and acceleration of communication with us or our company (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). Insofar as consent has been requested, the tools in question are used on the basis of this consent; consent can be revoked at any time with effect for the future.

The data collected directly by us via the video and conference tools is deleted from our systems as soon as you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies. Stored cookies remain on your terminal device until you delete them. Mandatory legal retention periods remain unaffected.

We have no influence on the storage period of your data, which is stored by the operators of the conference tools for their own purposes. For details, please contact the operators of the conference tools directly.

We use the following conference tools:

Microsoft Teams

We use Microsoft Teams. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. For details on data processing, please refer to the Microsoft Teams privacy policy:
https://privacy.microsoft.com/en-gb/privacystatement.

We have concluded a contract on order processing (DPA) with the above-mentioned provider. This is a contract required by data protection law, which ensures that the provider only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

C. What data protection rights do I have?

Upon request, we will gladly inform you whether and which personal data we have stored about you (right to information). In addition, you can correct incorrect data (right to rectification) or have such data deleted whose storage is inadmissible or no longer necessary (right to deletion). Under certain circumstances, you can also request us to restrict the processing of your personal data (right to restriction of processing) as well as object to the processing of your data if this processing is based on

• the legal basis of the overriding legitimate interest (Art. 6 para. 1 lit. f GDPR) or
• the performance of a task in the public interest (Art. 6 para. 1 lit. e GDPR) or
• consent (Art. 6 para. 1 lit. a GDPR, if applicable in conjunction with § 25 para. 1 TTDSG) (right of revocation).

In particular, you can object at any time to the use of your personal data for the purposes of advertising and/or market and opinion research (right to object to advertising). Furthermore, you can in principle demand that we provide you with the personal data concerning you in a structured, common and machine-readable format in order to transfer this data to another responsible party without hindrance from us (right to data portability).

The aforementioned rights are granted to you by Articles 15 - 21 of the GDPR. They are only presented here in a very abbreviated form.

If you have any questions about the exact scope of the rights in question and how to exercise them, you can contact the data protection officer named in section A. and/or the Hamburg Commissioner for Data Protection and Freedom of Information (see D.).

D. Which supervisory authority can I complain to?

If you consider that the processing of personal data relating to you infringes data protection law, you may - without prejudice to any other administrative or judicial remedy - lodge a complaint with the competent supervisory authority. The competent supervisory authority is:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (The Hamburg Commissioner for Data Protection and Freedom of Information)
Ludwig-Erhard-Straße 22
20459 Hamburg
E-Mail: mailbox@datenschutz.hamburg.de
Internet: datenschutz.hamburg.de

Status: August 2023