Navigate in Hochbahn

Main navigation

Privacy Policy in accordance with the EU General Data Protection Regulation

In accordance with the EU General Data Protection Regulation (GDPR) which came into effect from 25 May 2018 onwards, we hereby inform you about the processing of your personal data by us and about the rights afforded to you in relation to this processing.

Who is responsible for data processing and who can I contact?

Responsible Body (“Data Controller”):
Hamburger Hochbahn AG
Steinstraße 20
20095 Hamburg
Phone: +49 40 3288-0

You can contact our company’s Data Protection Officer at:
Hamburger Hochbahn AG
Data Protection Offer
Steinstraße 20
20095 Hamburg
Phone: +49 40 3288-2316

You can contact the official Hamburg data protection authorities at:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22, 7.OG
20459 Hamburg
Phone: +49 40 428 54 4040

Which data do we process?

We process personal data which we receive from you within the scope of our business relationship. We also process personal data insofar as this is necessary for the provision of our services, which we receive permissibly from other companies in the “Hamburger Verkehrsverbund HVV” or from other third parties.
In addition to contractual data, we process your communication data, which we obtain via your contact with us (e.g. contact form, customer dialogue). Moreover, we process your personal data as required in connection with online or print applications in the context of job offers.
Video surveillance in our systems and vehicles is an important preventative measure for your security. However, the video recordings are automatically deleted again after a short time if no incident has been reported.

Specifically, we process the following data:

• Contractual data (depending on the product and service, this includes name, address details, date of birth, phone number, e-mail address, bank details, billing and payment data, photo)

• Communication data (name, address, e-mail address, possibly phone number/mobile number)
• Correspondence (e.g. written correspondence with you)
• Video data
• Advertising and sales data (e.g. for products that are potentially of interest to you)
• Applicant data (name, address details, phone number, e-mail address, date of birth, applicant documentation)

For what purpose(s) do we process your data and on what legal Basis?

In the following, we will inform you about why and on what legal basis we process your data.

1. For the fulfilment of contractual obligations (Article 6 (1) (b) of the GDPR)

The processing of your personal data is carried out for the performance of contracts with you (subscription, purchase of products) as well as for pre-contractual measures.

2. For the balancing of interests (Article 6 (1) (f) of the GDPR)

We also process your data, if necessary, to protect the legitimate interests of us or third parties. This is carried out, for example, for the following purposes:
• Ensuring IT security and IT operations
• Advertising or market and opinion research, unless you have opted out of your data being used for this
• Assertion of legal claims and defence in legal disputes
• Consultations and data exchange with credit agencies (e.g. “Schufa”) to determine creditworthiness and default risks
• Video surveillance for the determent, prevention and investigation of criminal offences, the improvement of passengers’ sense of security and the reduction of damage from vandalism.
• In connection with the processing of customer enquiries, complaints, etc.
• Prize draws on special occasions (e.g. Hamburg’s Museum Night, “Elbjazz”)
• Online reservations and requests for visitor programs with the museum vehicle

3. On the basis of your consent (Article 6 (1) (a) of the GDPR)

If you have given us consent to process your personal data for specific purposes, the lawfulness of the processing is given on the basis of this consent. Your consent can be revoked at any time. This also applies to any consent given prior to the GDPR coming into force, i.e. before 25 May 2018. Please note that the revocation will only take effect from the date of revocation onwards.

4. On the basis of legal requirements (Article 6 (1) (c) of the GDPR)

We also process your data in order to fulfil legal obligations, e.g. to verify commercial or tax retention periods. The German Commercial Code (“Handelsgesetzbuch”) and German Tax Code (“Abgabenordnung”), for example, should be given particular mention here.

Who will receive access to my data?

Those employees and departments within Hamburger Hochbahn AG (HOCHBAHN) that require your data to fulfil the purposes and legal bases stated above will obtain access to that data. All relevant employees are obliged to comply with data protection regulations. Contract processors employed by us may also receive data for these purposes. These may be, for example, companies in the categories IT services, financial service providers, corruption prevention, document processing, archiving, file disposal, collection, consulting, marketing and sales, creation and distribution of customer tickets, implementation of data analyses for the purpose of demand and/or supply analysis, further optimisation of HVV transport services, or printing services.
These contract processors are obliged, within the framework of separate contracts, to confirm and comply with all measures required under data protection law.

How long will my data be saved for?

As your contractual partner, HOCHBAHN processes and saves your personal data only for as long as it is necessary for the fulfilment of the contractual and legal obligations. It should be noted here that our business relationship on a subscription basis is an ongoing obligation that usually lasts for several years.
If the data is no longer required for the fulfilment of contractual or legal obligations, it will be deleted on a regular basis, unless any (temporary) further processing is required for the following purposes:
• Fulfilment of commercial or tax retention periods: The German Commercial Code (“Handelsgesetzbuch”) and German Tax Code (“Abgabenordnung” are noteworthy examples here. The retention and documentation periods stipulated in these regulations are up to 10 years.
• Preservation of evidence within the scope of the statute of limitations: According to §§ 195 ff. of the German Civil Code (BGB), these periods of limitation are generally 3 years, but can also be up to 30 years in individual cases.
Applicant data is usually deleted after 12 months. In order to enable us to contact you at a later date in the case of other future vacancies, you have the option of giving us your written consent to store your data for a total of 24 months in the online questionnaire on page 5 or on request. Your data will be deleted in full once the aforementioned periods have expired.
The video surveillance images in our systems and vehicles are recorded on a so-called "ring buffer" for 24 or 72 operating hours (depending on the vehicle type or system). This means that this data is constantly overwritten automatically if no removal or backup of the recording has been made within 24 or 72 operating hours for the purpose of clarifying criminal offences or special incidents.
In the case of competitions on the HOCHBAHN website, the data is collected exclusively for the purpose of conducting the competition and shall not be used for any other purpose. The data will be deleted once the competition has come to an end. The same provision applies to HOCHBAHN competitions on social media platforms (e.g. Facebook, Twitter).

Will data be transferred to any third country or to an international Organisation?

We will only transfer your data to countries outside the EU or EEA (so-called “third countries”) if this is required by law or if you have given us your consent to do this. This is not currently the case.

What data protection rights do I have?

Every data subject has the right of access pursuant to Article 15 of the GDPR, the right of rectification pursuant to Article 16 of the GDPR, the right to erasure pursuant to Article 17 of the GDPR, the right to restriction of processing pursuant to Article 18 of the GDPR and the right to data portability pursuant to Article 20 of the GDPR.
Furthermore, you have the right to lodge a complaint with a data protection supervisory authority.

To what extent is there automated decision-making in individual cases?

Generally speaking, we do not use fully automated decision-making pursuant with Article 22 of the GDPR to establish and conduct a business relationship. Where we use these procedures in individual cases, we will inform you separately if this is required by law.

Will my data be used for profiling purposes?

We do not make use of automated processing to make any decision about the establishment and execution of a contractual relationship or a business relationship.

Information about your rights of objection

Right of objection in individual cases
You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you on the basis of Article 6 (1) (f) of the GDPR (data processing based on a balancing of interests).
If you file an objection, your personal data will no longer be processed unless we can prove compelling legitimate reasons for processing that outweigh your interests, rights and freedoms or the processing serves the assertion, exercise or defence of legal claims.

Right to object to the processing of data for direct marketing purposes
In individual cases we process your personal data in order to implement direct advertising. You have the right at any time to object to the processing of your personal data for the purpose of such advertising.
If you object to the processing for purposes of direct advertising, we will no longer process your personal data for these purposes. The objection can be made in any form and should be sent to the “Responsible Body” as stated at the beginning of this document:
Hamburger Hochbahn AG
Steinstraße 20
20095 Hamburg

Use of cookies

HOCHBAHN uses cookies on its website pages in order to determine the frequency of use, the number of users and their preferences, as well as to customise its online services further. The information is processed in anonymous form only. Cookies are small files that are stored on your PC by our web servers and saved by your browser. Cookies do not damage your computer and do not contain viruses. In principle, you can use the HOCHBAHN website pages without cookies by adjusting the settings in your browser accordingly. You may then be prompted to re-enter information when using certain functions.
Most of the cookies we use are so-called session cookies. They are automatically deleted at the end of your visit. Other cookies remain stored on your end device until you delete them. These cookies enable us to recognise your browser again when you next visit the website. We have a legitimate interest in the saving of cookies for the technically error-free and optimised provision of our services. If other cookies (e.g. cookies for analysing your browsing behaviour) are saved, these shall be dealt with separately in this Privacy Policy. 

Use of analysis tools

Google Analytics

We use Google Analytics, a web analytics service provided by Google Inc. (“Google”). The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google uses cookies for this purpose. These are text files that are stored on your computer and enable an analysis of how you use the website. The information generated by the cookie about a user’s use of the website is generally transmitted to and saved by Google on servers in the United States.
Google Analytics cookies are saved on the basis of Article 6 (1) (f) of the GDPR.
Google will use this information on our behalf to evaluate the use of our online services by users, to compile reports on activities within this online service and to provide us with other services associated with the use of this online service and the Internet. Pseudonymous user profiles can be created from the processed data.
We only use Google Analytics with IP anonymisation enabled. This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. The IP address transmitted by the user’s browser is not merged or combined with other Google data.
Users may opt to prevent the use of cookies by selecting the appropriate settings in their browser. Users can also prevent the recording of data by Google that is generated by the cookie and relates to their use of the online service by downloading and installing the browser plugin under the following link:
Our website uses the “demographic features” function of Google Analytics. This allows us to generate reports that contain information about the age, gender and interests of website visitors. This data is sourced from interest-related advertising by Google and visitor data from third-party providers. This information cannot be associated with any specific individual. You may opt out of this feature at any time using the ad preferences in your Google Account or opt out of having your information collected by Google Analytics as outlined below.
For more information about terms of use and privacy, please visit or
For more information about Google’s use of data for advertising purposes, setting preferences and opt-out options, please visit the following Google web pages: (“Google’s use of data when you use the websites or apps of our partners”), (“Google’s use of data for advertising purposes”), (“Manage information Google uses to display advertisements to you”) and (“Determine which advertisements Google displays to you”).

You can prevent Google Analytics from collecting your data by clicking on the following link. An opt-out cookie will be set to prevent the collection of your data on future visits to this website:

Click here to be excluded from data collected by the Google Tag Manager.

Please note: The objection (opt-out) is saved in the form of a cookie. If you delete your cookies, you must opt out of web tracking once again.

For more information about how Google Analytics utilises user data, please refer to Google’s information about data privacy and security:

Google Ads

This website uses Google AdWords, an analysis service provided by Google, as well as conversion tracking as part of Google AdWords. For this purpose, Google AdWords places a conversion tracking cookie on your computer’s hard drive (“conversion cookie”) whenever you click on an ad placed by Google. These cookies become invalid after 30 days and are not used for personal identification. If you visit certain pages on our website, Google may recognise that you clicked on the ad and were directed to that page. The information obtained with the help of conversion cookies is used to generate statistics for AdWords customers who use conversion tracking. These statistics tell us the total number of users who have clicked on the Google ad and visited a page with a conversion tracking tag. In addition to conversion tracking, we also use the following functions:
• Remarketing
• Audiences with common interests
• User-defined audiences with common interests
• Custom intent audiences
• Similar audiences
• Audiences based on demographics and geographical location
We use Google’s remarketing function to reach users who have already visited our website. This enables us to present our advertising to target groups, or audiences, who have already shown an interest in our products or services. AdWords also utilises Google’s Display Network to measure user behaviour over the past 30 days and the contextual search engine to determine which common interests and characteristics users of our website share. Based on this information, AdWords then identifies new potential customers for marketing purposes whose interests and characteristics are similar to those of users of our site. Audience-specific remarketing is achieved by means of the combined use of cookies, such as Google Analytics cookies and Google DoubleClick cookies.
To find out more about Google AdWords terms of use and privacy please visit:

Google reCAPTCHA

We use Google reCAPTCHA on our websites for specific occasions. The purpose of reCAPTCHA is to verify whether the data on our websites (e.g. in a contact form) has been entered by an actual person or by an automated program. To this end, reCAPTCHA analyses the behaviour of the website visitor on the basis of various characteristics. This analysis begins automatically as soon as the website visitor accesses our website. The analysis process involves reCaptcha evaluating various items of information (e.g. IP address, duration of the visit to our website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.
The reCAPTCHA analyses run completely in the background. Website visitors are not notified that an analysis is being carried out.
The data processing carried out is pursuant to Article 6 (1) (f) of the GDPR. We have a legitimate interest in protecting our online offerings from improper, automated spying. For more information about Google reCAPTCHA please visit: and


Our website uses plugins from the YouTube page operated by Google. The site is operated by YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA.
Whenever you visit one of our pages with a YouTube plugin, a connection will be established to YouTube’s servers. The YouTube server will be notified of which of our pages you have visited.
If you are logged in to your YouTube account, you allow YouTube to directly associate your browsing behaviour with your personal profile. You can prevent this by logging out of your YouTube account. YouTube is utilised in the interest of ensuring that our website is presented in a visually appealing way. This constitutes a legitimate interest within the meaning of Article 6 (1) (f) of the GDPR.
If you would like to find out more about the processing of user data please refer to the YouTube Privacy Policy at:

News notifications via WhatsApp or Telegram

 On our website you have the option of subscribing to notifications about faults or closures occurring on our four subway lines via the messaging services “WhatsApp” or “Telegram”. We provide this service through the company MessengerPeople GmbH, Herzog-Heinrich-Str. 9, 80336 Munich, Germany (referred to hereinafter as “MessengerPeople”) or via Goyya Systems GmbH & Co. KG, Radeberger Str. 1, 01099 Dresden, Germany, which we have commissioned with the technical implementation of the dispatch of these notification messages.
The messages are sent via a WhatsApp or Telegram account created in our name. If you register to receive messages via WhatsApp and/or Telegram via our website in accordance with the instructions outlined there, MessengerPeople will receive access to the username registered with WhatsApp and/or Telegram, your telephone number (only if you register via WhatsApp), your Telegram ID (only if you register via Telegram) and all messages sent to the service. In exceptional cases, subscribers will be notified of system changes by SMS.
You can unsubscribe from MessengerPeople’s messages via WhatsApp and/or Telegram at any time by sending the message “STOP” to the WhatsApp or Telegram account through which you previously ordered the messaging service.
You may also request that MessengerPeople delete the aforementioned information at any time by sending the message “DELETE ALL DATA” to the respective WhatsApp or Telegram account.
You can also find information about the use and operation of the news service performed by MessengerPeople when you order the news notifications you want to receive. Detailed information about the use of personal data by MessengerPeople GmbH can also be found in the MessengerPeople Data Privacy notice at

Last updated: September 2021