In accordance with the EU General Data Protection Regulation (GDPR) which came into effect from 25 May 2018 onwards, we hereby inform you about the processing of your personal data by us and about the rights afforded to you in relation to this processing.
Who is responsible for data processing and who can I contact?
Responsible Body (“Data Controller”):
Hamburger Hochbahn AG
Phone: +49 40 3288-0
You can contact our company’s Data Protection Officer at:
Hamburger Hochbahn AG
Data Protection Offer
Phone: +49 40 3288-2316
You can contact the official Hamburg data protection authorities at:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22, 7.OG
Phone: +49 40 428 54 4040
Which data do we process?
We process personal data which we receive from you within the scope of our business relationship. We also process personal data insofar as this is necessary for the provision of our services, which we receive permissibly from other companies in the “Hamburger Verkehrsverbund HVV” or from other third parties.
In addition to contractual data, we process your communication data, which we obtain via your contact with us (e.g. contact form, customer dialogue). Moreover, we process your personal data as required in connection with online or print applications in the context of job offers.
Video surveillance in our systems and vehicles is an important preventative measure for your security. However, the video recordings are automatically deleted again after a short time if no incident has been reported.
Specifically, we process the following data:
• Contractual data (depending on the product and service, this includes name, address details, date of birth, phone number, e-mail address, bank details, billing and payment data, photo)
• Communication data (name, address, e-mail address, possibly phone number/mobile number)
• Correspondence (e.g. written correspondence with you)
• Video data
• Advertising and sales data (e.g. for products that are potentially of interest to you)
• Applicant data (name, address details, phone number, e-mail address, date of birth, applicant documentation)
For what purpose(s) do we process your data and on what legal Basis?
In the following, we will inform you about why and on what legal basis we process your data.
1. For the fulfilment of contractual obligations (Article 6 (1) (b) of the GDPR)
The processing of your personal data is carried out for the performance of contracts with you (subscription, purchase of products) as well as for pre-contractual measures.
2. For the balancing of interests (Article 6 (1) (f) of the GDPR)
We also process your data, if necessary, to protect the legitimate interests of us or third parties. This is carried out, for example, for the following purposes:
• Ensuring IT security and IT operations
• Advertising or market and opinion research, unless you have opted out of your data being used for this
• Assertion of legal claims and defence in legal disputes
• Consultations and data exchange with credit agencies (e.g. “Schufa”) to determine creditworthiness and default risks
• Video surveillance for the determent, prevention and investigation of criminal offences, the improvement of passengers’ sense of security and the reduction of damage from vandalism.
• In connection with the processing of customer enquiries, complaints, etc.
• Prize draws on special occasions (e.g. Hamburg’s Museum Night, “Elbjazz”)
• Online reservations and requests for visitor programs with the museum vehicle
3. On the basis of your consent (Article 6 (1) (a) of the GDPR)
If you have given us consent to process your personal data for specific purposes, the lawfulness of the processing is given on the basis of this consent. Your consent can be revoked at any time. This also applies to any consent given prior to the GDPR coming into force, i.e. before 25 May 2018. Please note that the revocation will only take effect from the date of revocation onwards.
4. On the basis of legal requirements (Article 6 (1) (c) of the GDPR)
We also process your data in order to fulfil legal obligations, e.g. to verify commercial or tax retention periods. The German Commercial Code (“Handelsgesetzbuch”) and German Tax Code (“Abgabenordnung”), for example, should be given particular mention here.
Who will receive access to my data?
Those employees and departments within Hamburger Hochbahn AG (HOCHBAHN) that require your data to fulfil the purposes and legal bases stated above will obtain access to that data. All relevant employees are obliged to comply with data protection regulations. Contract processors employed by us may also receive data for these purposes. These may be, for example, companies in the categories IT services, financial service providers, corruption prevention, document processing, archiving, file disposal, collection, consulting, marketing and sales, creation and distribution of customer tickets, implementation of data analyses for the purpose of demand and/or supply analysis, further optimisation of HVV transport services, or printing services.
These contract processors are obliged, within the framework of separate contracts, to confirm and comply with all measures required under data protection law.
How long will my data be saved for?
As your contractual partner, HOCHBAHN processes and saves your personal data only for as long as it is necessary for the fulfilment of the contractual and legal obligations. It should be noted here that our business relationship on a subscription basis is an ongoing obligation that usually lasts for several years.
If the data is no longer required for the fulfilment of contractual or legal obligations, it will be deleted on a regular basis, unless any (temporary) further processing is required for the following purposes:
• Fulfilment of commercial or tax retention periods: The German Commercial Code (“Handelsgesetzbuch”) and German Tax Code (“Abgabenordnung” are noteworthy examples here. The retention and documentation periods stipulated in these regulations are up to 10 years.
• Preservation of evidence within the scope of the statute of limitations: According to §§ 195 ff. of the German Civil Code (BGB), these periods of limitation are generally 3 years, but can also be up to 30 years in individual cases.
Applicant data is usually deleted after 12 months. In order to enable us to contact you at a later date in the case of other future vacancies, you have the option of giving us your written consent to store your data for a total of 24 months in the online questionnaire on page 5 or on request. Your data will be deleted in full once the aforementioned periods have expired.
The video surveillance images in our systems and vehicles are recorded on a so-called "ring buffer" for 24 or 72 operating hours (depending on the vehicle type or system). This means that this data is constantly overwritten automatically if no removal or backup of the recording has been made within 24 or 72 operating hours for the purpose of clarifying criminal offences or special incidents.
In the case of competitions on the HOCHBAHN website, the data is collected exclusively for the purpose of conducting the competition and shall not be used for any other purpose. The data will be deleted once the competition has come to an end. The same provision applies to HOCHBAHN competitions on social media platforms (e.g. Facebook, Twitter).
Will data be transferred to any third country or to an international Organisation?
We will only transfer your data to countries outside the EU or EEA (so-called “third countries”) if this is required by law or if you have given us your consent to do this. This is not currently the case.
What data protection rights do I have?
Every data subject has the right of access pursuant to Article 15 of the GDPR, the right of rectification pursuant to Article 16 of the GDPR, the right to erasure pursuant to Article 17 of the GDPR, the right to restriction of processing pursuant to Article 18 of the GDPR and the right to data portability pursuant to Article 20 of the GDPR.
Furthermore, you have the right to lodge a complaint with a data protection supervisory authority.
To what extent is there automated decision-making in individual cases?
Generally speaking, we do not use fully automated decision-making pursuant with Article 22 of the GDPR to establish and conduct a business relationship. Where we use these procedures in individual cases, we will inform you separately if this is required by law.
Will my data be used for profiling purposes?
We do not make use of automated processing to make any decision about the establishment and execution of a contractual relationship or a business relationship.
Information about your rights of objection
Right of objection in individual cases
You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you on the basis of Article 6 (1) (f) of the GDPR (data processing based on a balancing of interests).
If you file an objection, your personal data will no longer be processed unless we can prove compelling legitimate reasons for processing that outweigh your interests, rights and freedoms or the processing serves the assertion, exercise or defence of legal claims.
Right to object to the processing of data for direct marketing purposes
In individual cases we process your personal data in order to implement direct advertising. You have the right at any time to object to the processing of your personal data for the purpose of such advertising.
If you object to the processing for purposes of direct advertising, we will no longer process your personal data for these purposes. The objection can be made in any form and should be sent to the “Responsible Body” as stated at the beginning of this document:
Hamburger Hochbahn AG
Use of analysis tools
We use Google Analytics, a web analytics service provided by Google Inc. (“Google”). The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics cookies are saved on the basis of Article 6 (1) (f) of the GDPR.
Google will use this information on our behalf to evaluate the use of our online services by users, to compile reports on activities within this online service and to provide us with other services associated with the use of this online service and the Internet. Pseudonymous user profiles can be created from the processed data.
We only use Google Analytics with IP anonymisation enabled. This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. The IP address transmitted by the user’s browser is not merged or combined with other Google data.
Our website uses the “demographic features” function of Google Analytics. This allows us to generate reports that contain information about the age, gender and interests of website visitors. This data is sourced from interest-related advertising by Google and visitor data from third-party providers. This information cannot be associated with any specific individual. You may opt out of this feature at any time using the ad preferences in your Google Account or opt out of having your information collected by Google Analytics as outlined below.
For more information about Google’s use of data for advertising purposes, setting preferences and opt-out options, please visit the following Google web pages: https://policies.google.com/privacy/google-partners (“Google’s use of data when you use the websites or apps of our partners”), http://www.google.com/policies/technologies/ads (“Google’s use of data for advertising purposes”), http://www.google.de/settings/ads (“Manage information Google uses to display advertisements to you”) and http://www.google.com/ads/preferences/ (“Determine which advertisements Google displays to you”).
You can prevent Google Analytics from collecting your data by clicking on the following link. An opt-out cookie will be set to prevent the collection of your data on future visits to this website:
Click here to be excluded from data collected by the Google Tag Manager.
Please note: The objection (opt-out) is saved in the form of a cookie. If you delete your cookies, you must opt out of web tracking once again.
For more information about how Google Analytics utilises user data, please refer to Google’s information about data privacy and security: https://support.google.com/analytics/answer/6004245?hl=en.
This website uses Google AdWords, an analysis service provided by Google, as well as conversion tracking as part of Google AdWords. For this purpose, Google AdWords places a conversion tracking cookie on your computer’s hard drive (“conversion cookie”) whenever you click on an ad placed by Google. These cookies become invalid after 30 days and are not used for personal identification. If you visit certain pages on our website, Google may recognise that you clicked on the ad and were directed to that page. The information obtained with the help of conversion cookies is used to generate statistics for AdWords customers who use conversion tracking. These statistics tell us the total number of users who have clicked on the Google ad and visited a page with a conversion tracking tag. In addition to conversion tracking, we also use the following functions:
• Audiences with common interests
• User-defined audiences with common interests
• Custom intent audiences
• Similar audiences
• Audiences based on demographics and geographical location
We use Google reCAPTCHA on our websites for specific occasions. The purpose of reCAPTCHA is to verify whether the data on our websites (e.g. in a contact form) has been entered by an actual person or by an automated program. To this end, reCAPTCHA analyses the behaviour of the website visitor on the basis of various characteristics. This analysis begins automatically as soon as the website visitor accesses our website. The analysis process involves reCaptcha evaluating various items of information (e.g. IP address, duration of the visit to our website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.
The reCAPTCHA analyses run completely in the background. Website visitors are not notified that an analysis is being carried out.
The data processing carried out is pursuant to Article 6 (1) (f) of the GDPR. We have a legitimate interest in protecting our online offerings from improper, automated spying. For more information about Google reCAPTCHA please visit: https://policies.google.com/privacy?hl=en and https://www.google.com/recaptcha/intro/android.html
Our website uses plugins from the YouTube page operated by Google. The site is operated by YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA.
Whenever you visit one of our pages with a YouTube plugin, a connection will be established to YouTube’s servers. The YouTube server will be notified of which of our pages you have visited.
If you are logged in to your YouTube account, you allow YouTube to directly associate your browsing behaviour with your personal profile. You can prevent this by logging out of your YouTube account. YouTube is utilised in the interest of ensuring that our website is presented in a visually appealing way. This constitutes a legitimate interest within the meaning of Article 6 (1) (f) of the GDPR.
News notifications via WhatsApp or Telegram
On our website you have the option of subscribing to notifications about faults or closures occurring on our four subway lines via the messaging services “WhatsApp” or “Telegram”. We provide this service through the company MessengerPeople GmbH, Herzog-Heinrich-Str. 9, 80336 Munich, Germany (referred to hereinafter as “MessengerPeople”) or via Goyya Systems GmbH & Co. KG, Radeberger Str. 1, 01099 Dresden, Germany, which we have commissioned with the technical implementation of the dispatch of these notification messages.
The messages are sent via a WhatsApp or Telegram account created in our name. If you register to receive messages via WhatsApp and/or Telegram via our website in accordance with the instructions outlined there, MessengerPeople will receive access to the username registered with WhatsApp and/or Telegram, your telephone number (only if you register via WhatsApp), your Telegram ID (only if you register via Telegram) and all messages sent to the service. In exceptional cases, subscribers will be notified of system changes by SMS.
You can unsubscribe from MessengerPeople’s messages via WhatsApp and/or Telegram at any time by sending the message “STOP” to the WhatsApp or Telegram account through which you previously ordered the messaging service.
You may also request that MessengerPeople delete the aforementioned information at any time by sending the message “DELETE ALL DATA” to the respective WhatsApp or Telegram account.
You can also find information about the use and operation of the news service performed by MessengerPeople when you order the news notifications you want to receive. Detailed information about the use of personal data by MessengerPeople GmbH can also be found in the MessengerPeople Data Privacy notice at https://www.messengerpeople.com/privacy
Last updated: December 2018