Privacy Statement

for our websites, timetable information and mobile ticketing of Verkehrsverbund Warnow GmbH (VVW)

Contents:

  1. General information
  2. Data Controller
  3. Your rights as a data subject
  4. Informational use of websites and web services
  5. Contacting us
  6. Cookies
  7. Google Analytics
  8. Google Tag Manager
  9. Akamai Cookie Sync
  10. MediaMath
  11. Downloading the VVW app and access permissions
  12. Purchasing mobile tickets
  13. Timetable information
  14. Credit check
  15. Disclosure of personal data
  16. Storage duration and deletion of data
  17. Data security
  18. Protection of minors
  19. Right of modification

1. General information

This privacy policy informs you about the collection and processing of your personal data when using our web services, such as

Personal data is all data that relates to you personally, e.g. your name, address, email address, phone number, device identification or user behaviour. Unless otherwise stated below, the data subjects' data will be collected.

Your personal data is processed for the following purposes:

  • to provide a working website,
  • to answer enquiries and communicate with users and customers,
  • to provide timetable information,
  • to initiate and execute contracts for the purchase of tickets via mobile ticketing,
  • to market and optimise our offering,
  • for statistical evaluation of the use of our offerings.

Personal data are processed only if (legal basis):

  • you have expressly granted us consent pursuant to Art. 6 para.1 clause 1 lit. a GDPR,
  • this is necessary for the execution of the contract with you or the provision of precontractual measures, Art. 6 para.1 clause 1 lit. b GDPR,
  • we have a legitimate interest in this and there is no reason to believe that you have a predominantly legitimate interest under Art. 6 para.1 clause 1 lit. f GDPR, and
  • a legal obligation for processing, Art. 6 para.1 clause 1 lit. c GDPR, exists.

The data processed by us will be deleted as soon as storage is no longer required for the intended purpose and there are no legal retention periods.

2. Data Controller

The Controller in the sense of data privacy laws is

Verkehrsverbund Warnow GmbH
legally represented by the Managing Director, Andrea Doliwa
Stampfmüllerstr. 40
18057 Rostock
Email: info@verkehrsverbund-warnow.de
Telephone: +49 (0)381 - 492 36 96

(hereinafter: "Controller" or "we").

3. Your rights as a data subject

If your personal data are processed, you are a "data subject" within the meaning of the General Data Protection Regulation (GDPR) and you have the following rights regarding your personal data. To exercise your rights, an email to us or a letter by mail to the above address is sufficient.

  1. Withdrawal of your consent: If the data processing is based on your consent, you can withdraw this consent from the Controller at any time with effect for the future, Art. 7 para. 3 GDPR. Revocation is possible in writing or by email to the Controller.
  2. Information: You can request information about your personal data processed by us, Art. 15 GDPR.
  3. Correction or completion: You may request the correction of incorrect data or the completion of your personal data stored with us, Art. 16 GDPR.
  4. Erasure: You may request the erasure of your personal data stored by us in accordance with Art. 17 GDPR.
  5. Restriction of processing: You may request the restriction of the processing of your personal data, Art. 18 GDPR.
  6. Right to data portability: In accordance with Art. 20 GDPR, you may receive personal data you provided to us in a structured, conventional and machine-readable format, or request the transmission of these data to another Controller.
  7. Right to object: You have the right to object to the processing of personal data concerning you at any time for reasons arising from your specific situation, which is carried out in accordance with Art. 6 para.1 lit. e GDPR (data processing in the public interest) or Art. 6 para. 1 lit. f GDPR (data processing on the basis of a balance of interests), Art. 21 GDPR. If you lodge your objection, we will no longer process the personal data that concerns you unless we can prove compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise, or defend legal claims. Objection is possible in writing or by email to the Controller.
  8. Right to complain to a supervisory authority: In addition, you have the right to complain to a data protection supervisory authority about the processing of your personal data by us, Art. 77 GDPR.  

4. Informational use of our websites

When you visit our website, the browser used on your device automatically sends information to our website's server. This information is temporarily stored in a so-called log file. The following information is recorded without your intervention and stored until it is automatically deleted:

  1. IP address of the requesting device,
  2. date and time of access,
  3. name and URL of the downloaded file,
  4. website from which access is made (referrer URL),
  5. the browser used and, if applicable, the operating system of your device as well as the name of your access provider.

We process these data for the following purposes:

  • to ensure a smooth connection setup for web pages, i.e. allowing web pages to be displayed to you,
  • to ensure comfortable use of our websites,
  • to guarantee and evaluate system security and stability and,
  • in anonymised form, for other administrative purposes.

The collection and temporary storage of the IP address is necessary to enable the display of our web pages on your device.

The legal bases for the data processing are Art. 6 para.1 clause 1 lit. b and f, GDPR. Our legitimate interest arises from the purposes listed above for data collection. The personal data are not merged with other data available to us.

5. Contacting us

If you contact us by email or via the contact form on our web pages, the personal data transmitted by you will be stored by us. These include, in particular:

  • Form of address
  • First name
  • Surname
  • Email address
  • Address
  • Phone
  • Your enquiry

Which data is transmitted to us in detail when using the contact form can be found in the entry fields of the contact form. The entry fields marked with an asterisk (*) are mandatory fields. In addition, we collect your IP address and the time of sending. We need this information to be able to process your request and communicate with you. Further information can be provided voluntarily.

The data transmitted by you will be used exclusively for processing your request. The legal bases of this data processing are Art. 6 para.1 clause 1 lit. b GDPR, if it is a precontractual measure, as well as Art. 6 para. 1 lit. a GDPR based on your consent. The personal data collected in this case will be deleted if they are no longer required and deletion does not conflict with statutory retention requirements.

6. Cookies

When you use our websites and the mobile app, cookies are stored on your device. In some cases, instead of using cookies, we use a different authentication method with a similar technique to cookies.

Cookies are small text files that are installed and stored in the memory of your device. Cookies allow certain information to be passed to the site that sets the cookie (e.g. us). Cookies cannot run programmes or transmit viruses to your device.

The following types of cookies are used, the scope and mode of operation of which are explained below:

  • Transient cookies: These are automatically deleted when you close your web browser or our mobile app. These especially include session cookies. They store a so-called session ID, which can be used to assign various requests to your browser or mobile app. This allows your device to be recognised when you use our website or mobile app again. The session cookies are deleted as soon as you log out of the browser or app.
  • Persistent cookies: These cookies are automatically deleted after a specified period, which may differ depending on the cookie in question. You can configure the settings of your browser and the app according to your wishes and reject, for example, the acceptance of third-party cookies or all cookies. Please note that you may then not be able to use all functions of our mobile app.

We use cookies for the following purposes:

  • to make the use of our offerings easier and more user-friendly, e.g. by being recognised when you visit our website again, and you don't have to re-enter any data,
  • to analyse and evaluate the performance and use of our offering (performance monitoring, bug fixes, fraud prevention), to further develop our offering based on the results and to make it more attractive to the user.

The legal basis for such processing is Art. 6 para. 1 lit. a and f, GDPR. Our legitimate interest arises from the purposes listed above for data collection.

Opt-out: Most browsers accept cookies automatically. However, you can configure your browser in such a way that no third-party cookies or no cookies are stored on your device, or a message is always displayed before a new cookie is created. You can also install a cookie blocker as a browser add-on, e.g. Ghostery (https://www.ghostery.com/de/). However, disabling cookies completely may mean that you may not be able to use all the features of our websites and app.

7. Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland ("Google"). Google Analytics uses "cookies", i.e. text files stored on your computer that enable your website use to be analysed. The information generated by the cookie about your use of this website is usually transferred to a Google server in the US and stored there. This website uses Google Analytics with the extension "_anonymizeIp()". As a result, IP addresses are only processed in truncated form in order to prevent Google from identifying specific individuals. Only in exceptional cases will the entire IP address be transmitted to a Google server in the USA and truncated there.

On behalf of the website operator, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide the website operator with other services related to website usage and internet use. Pseudonymous user profiles can be created from the data processed in this way. The IP address provided by your browser as part of Google Analytics will not be combined with other data from Google.

The purpose of using Google Analytics is to analyse the use of our website, regularly improve it and thus operate more economically. The statistics we gain enable us to improve our offering and make it more interesting for you as a user. The legal basis for this data processing is Art. 6 para.1 clause 1 lit. f GDPR, as we have a legitimate interest in the analysis, optimisation and economic operation of our website and the data processing is necessary to safeguard this interest.

For the exceptional cases in which personal information is transferred to the US, Google has submitted to the EU-US Privacy Shield and is committed to complying with European data protection law: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

The personal data of website visitors processed in this context via Google Analytics will be deleted or anonymised at the latest after 14 months.

You may refuse the storage of Google Analytics cookies by selecting the appropriate settings on your browser. However, please be advised that you may then not be able to use all the features of this website. You can also prevent the data generated by cookies concerning your use of the website (incl. your IP address) from being passed to Google, and the processing of these data by Google, by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=EN.

You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set that prevents your data from being collected on future visits to this site: Disable Google Analytics

Third Party Information: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Further information from the third-party provider for data protection can be found on the following websites:

8. Google Tag Manager

On our websites, we use the "Google Tag Manager", a service of Google Ireland Ltd., Google Building Gordon House, Barrow St, Dublin 4, Ireland ("Google"). This service allows us to manage so-called web page tags via an interface. The tool "Google Tag Manager", which implements the tags, is a cookie-free domain and does not collect any personal data. The Google Tag Manager causes other tags to be activated which may, for their part, register data under certain circumstances. The Google Tag Manager does not access these data. If deactivation occurs at domain or cookie level, it remains in use for all tracking tags implemented by Google Tag Manager.

Third-party information: Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland.

Further information of the third-party provider on Google's data protection can be found on the following websites:

9. Akamai Cookie Sync

We use "Akamai Cookie Sync" on our website, a service of Akamai Technologies, Inc., 150 Broadway, Cambridge, MA 02142, United States of America (hereinafter referred to as "Akamai"). Akamai Cookie Sync stores and processes information about your user behaviour on our website. Amongst other things, Akamai Cookie Sync uses cookies, i.e. small text files that are stored locally in the cache of your web browser on your device and that allow an analysis of the use of our website by you.

We use Akamai Cookie Sync for marketing and optimisation purposes, in particular to analyse the use of our internet presence and to be able to continuously improve individual functions and offerings as well as the user experience. By statistically evaluating user behaviour, we can improve our offering and make it more interesting for you as a user. This is also our legitimate interest in the processing of the above data by the third-party provider. The legal basis is Art. 6 para. 1 clause 1 lit. f, GDPR.

You can prevent the installation of cookies by deleting existing cookies and deactivating the storage of cookies in the settings of your browser. Please note that in this case you may not be able to use all functions of our website to their full extent. You can also prevent the collection of the aforementioned information by Akamai by setting an opt-out cookie on one of the following linked websites:

Please note that this setting will be deleted if you delete your cookies. You can object to the collection and forwarding of personal data or prevent the processing of this data by deactivating the execution of JavaScript in your browser. You can also prevent the execution of JavaScript code as a whole by installing a JavaScript blocker (e.g. https://noscript.net/ or https://www.ghostery.com). Please note that in this case you may not be able to use all functions of our website to their full extent.

Akamai is subject to and certified under the Privacy Shield Agreement between the European Union and the USA. Akamai therefore undertakes to comply with the standards and regulations of European data protection law. Further information can be found in the following linked entry:
https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

Third party information: Akamai Technologies, Inc., 150 Broadway, Cambridge, MA 02142, United States.

For more information about the third party's privacy policy, please refer to the following website: https://www.akamai.com/us/en/privacy-policies/.

10. MediaMath

We use the "MediaMath" service on our website, provided by MediaMath UK Ltd., 230 Blackfriars Road, London, SE1 8NW, United Kingdom. MediaMath stores and processes information about your user behaviour on our websites. Among other things, MediaMath uses cookies for this purpose, i.e. small text files that are stored locally in the cache of your browser on your device and allow an analysis of the use of our websites by you.

We use MediaMath for marketing and optimisation purposes, in particular to analyse the use of our internet presence and to be able to continuously improve individual functions and offerings as well as the user experience. By statistically evaluating user behaviour, we can improve our offering and make it more interesting for you as a user. The legal basis for processing the above data by the third-party provider is Art. 6 para. 1 clause 1 lit. f, GDPR. Our legitimate interest results from the aforementioned processing purpose.

You can prevent the installation of cookies by deleting existing cookies and deactivating the storage of cookies in the settings of your browser. We would like to point out that in this case you may not be able to use all the functions of our website. You can also prevent the collection of the aforementioned information by MediaMath by setting an opt-out cookie on one of the following linked websites:

Please note that this setting will be deleted if you delete your cookies.

You can object to the collection and forwarding of personal data or prevent the processing of this data by deactivating the execution of JavaScript in your browser.

You can also prevent the execution of JavaScript code as a whole by installing a JavaScript blocker (e.g. https://noscript.net/ or https://www.ghostery.com/de). However, disabling cookies completely may mean that you may not be able to use all the features of our websites or app.

For the exceptional cases in which personal information is transferred to the US, MediaMath has submitted to the EU-US Privacy Shield and is committed to complying with European data protection law: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.

Further information on the third party's privacy policy can be found on the following website: http://www.mediamath.com/de/datenschutzrichtlinie/

11. Downloading the VVW app and access permissions

11.1 When downloading the mobile app, the required information is transferred to the respective app store (Apple Store or Google Play Store), in particular your username, email address and customer account number, time of download, payment information and the individual device identification. We have no influence on this data collection through the app store and are not responsible for it. We process the data only to the extent necessary for downloading the mobile app to your mobile device. For more information, see the privacy policy of the app store operators:

11.2 For certain services, the app requires access rights to your device. These access rights are displayed when the app is installed and can be individually confirmed or rejected by you. The legal basis for these processing operations is your consent, Art. 6 para. 1 lit. a, GDPR.

  • Location data: The app allows you, for example, to display the nearest stop or the use of your current position for travel planning. This requires the transfer of your current location.
  • Contacts: The app allows you to use addresses from your address book for the start/finish search. The contact details are not completely read, only the place and the street. This requires access to your "contacts" stored in the device.
  • Calendar: The app allows you to save travel connections in your calendar. This requires access to your calendar.

The processed data are used exclusively to provide the aforementioned functionalities.

You can also change the granted access rights in the device settings at any later time, thereby revoking your consent for the future. If the access rights are not granted, certain services cannot be provided.

12. Purchasing mobile tickets

12.1 A uniform mobile ticketing system is used, which you can access both via the web shop and via the app. With this mobile ticketing system, we use the services of the company EOS UPTRADE GmbH, Schanzenstraße 70, 20357 Hamburg, which is contractually obligated for us as a processor.

12.2 When the mobile ticketing system is called up in the web shop or in the app, the browser on your device automatically sends information to the server of EOS UPTRADE GmbH. This information is temporarily stored in a log file, so-called access data/server log files. These data are technically required to provide you with the capabilities of our mobile ticketing system and to ensure stability and security of use:

  • the IP address of the requesting device,
  • the date and time of the request,
  • the name of the requesting mobile device,
  • if necessary, the MAC address for WLAN use,
  • the website that receives the request (Referrer URL),
  • the operating system,
  • the language and browser version of the requesting device,
  • the mobile number of the requesting device (MSISDN),
  • the device identification, unique number of the requesting device (IMEI = International Mobile Equipment Identity),
  • the unique network subscriber number (IMSI = International Mobile Subscriber Identity).

If you have activated the appropriate access rights, we will process your current location data, the specifically requested address data of your contacts and, if you have requested it, access your calendar.

We process these data for the following purposes:

  • to ensure a smooth connection setup and provision of mobile ticketing,
  • to ensure a comfortable use of mobile ticketing,
  • to fulfil our contract with the customer (preparation of tickets, billing, provision of services by the transport company),
  • to guarantee and evaluate system security and stability and,
  • in anonymised form, for other administrative purposes.

The legal bases for the data processing are Art. 6 para.1 clause 1 lit. b and f, GDPR. The purposes indicated above constitute our legitimate interest in collecting such data.

12.3 VVW mobile tickets can be purchased either with or without registration.

(1) Acquisition with registration: As part of the registration, we collect the following additional personal data that we need for the execution of the contract, depending on the selected payment method:

  • salutation, surname, first name, address, date of birth, email address, your desired payment method and, additionally
  • in the case of SEPA direct debit: your bank details, including BIC (Business Identifier Code) and IBAN (International Bank Account Number), 
  • for credit card payments via Visa and Master Card: credit card type, credit card number, credit card expiry date (CVC check number), 
  • in the case of mobile operator payments (MNO billing): your mobile number, mobile network operator, TAN,
  • contract data, such as date and subject matter of the contract and the payment amount and,
  • if enabled, the location data.

Compulsory information required for registration is marked as such.

Since this is a uniform sales system, you can register both in the web shop and in the app. Your created customer account can then be used via both channels. The data collected when creating the customer account are stored with us, which facilitates the subsequent ticket purchase for you considerably. You can delete your customer account at any time after login.

(2) Purchase without registration

Purchasing mobile tickets without registration is only possible with the selection of the payment methods "mobile phone bill" and "credit card". In order to be able to check the mobile ticket, further personal data must be provided:

  • title, surname, first name, date of birth, email address as well as, 
  • for credit card payments via Visa and Master Card: credit card type, credit card number, credit card expiry date (CVC check number), 
  • in the case of mobile operator payments (MNO billing): your mobile number, mobile network operator, TAN,
  • contract data, such as date and subject matter of the contract and the payment amount and,
  • if enabled, the location data.

(3) The purpose of the data processing is the conclusion of a contract for the purchase of tickets. To achieve this purpose, the compulsory information marked as such is required. The legal basis for such processing is Art. 6 para.1 clause 1 lit. b GDPR.

13. Timetable information

13.1 Both on our website www.verkehrsverbund-warnow.de and in the mobile ticketing app we include "Timetable Information", a service of the company HaCon Ingenieurgesellschaft mbH, Lister Strasse 15, 30163 Hanover, Germany. If you call up the menu item "Timetable Information" or "Timetable Enquiry", a connection is made between the browser of your device and the server of HaCon.

When using the timetable information, the following personal data will be transmitted to HaCon: your IP address, date, time of the request, the device you are using and your respective page input on your start and destination and the time.

In addition, the application may require your current location information for certain features. You will be notified when the feature is selected and asked to agree to the use of your location information. If you agree, your location will be processed to search the connection. If you do not agree, the function in question cannot be used.

13.2 These data are used for the following purposes:

  • answering the user's timetable request,
  • to handle the ticket purchase and,
  • in anonymised form, for statistical purposes, such as the determination of the frequency and type of use and the number of users.

The legal basis for these processing operations is Art. 6 para. 1 lit. b GDPR, insofar as it concerns the initiation and execution of a contract, or Art. 6 para. 1 lit. f GDPR, our legitimate interest in evaluating the use of the app to improve our offering.

13.3 The personal data collected as part of the timetable information service will be deleted if these are no longer required to fulfil the request or to process the ticket purchase, or if the agreed purpose of use is waived and no legal storage requirements are in conflict.

14. Credit check

When selecting the "SEPA Direct Debit" payment method, the payment service provider commissioned by us may transfer personal data to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, for credit check purposes. The credit check is carried out by comparing the personal data against the data of SCHUFA Holding AG. Further information on data protection as well as the assertion of your rights of objection, information and other data subject rights can be found at: https://www.schufa.de/de/datenschutz/.

The legal basis of this data processing is our legitimate interest in the settlement of our legitimate claims, Art. 6 para. 1 lit. f, GDPR.

15. Disclosure of personal data

15.1 We generally do not disclose personal data to third parties unless

  • you have expressly consented pursuant to Art. 6 para.1 clause 1 lit. a, GDPR,
  • this is legally permissible and necessary pursuant to Art. 6 para.1 clause 1 lit. b GDPR for the execution of the contractual relationship with you,
  • there is a legitimate interest in disclosure according to Art. 6 para.1 clause 1 lit. f GDPR, and there is no reason to assume that you have an overriding interest in not disclosing your data, and if
  • there is a legal obligation to disclose pursuant to Art. 6 para.1 clause 1 lit. c, GDPR.

15.2 For the purpose of processing ticket sales, we transfer or disclose personal data to, among others, the following external service providers. In the links provided, you will find the respective privacy policy of our contractual partners, in which you will find further information on data protection and on the assertion of your right of information, objection and other data subject rights:

Payment default.

The external service providers are carefully selected by us and contractually strictly committed. The service providers work according to our instructions, which is ensured by strict contractual arrangements, by technical and organisational measures and by supplementary controls. Insofar as required by law, the data are transmitted on the basis of a contract for processing orders in accordance with Art. 28 GDPR.

Where appropriate, the payment service providers carry out identity or credit checks. For further information, please refer to the terms and conditions and privacy statements of the respective payment service providers.

15.3 No personal data are transmitted to third countries, and this is not planned.

16. Retention and erasure of data

The personal data collected by us will be deleted if no longer required for the fulfilment of the contract or the agreed purpose no longer applies, and no legal storage requirements are in conflict. The retention period for commercial letters is 6 years and for all tax-relevant documents 10 years.

17. Data security

For security reasons and to protect the transmission of personal data and other confidential content (e.g. enquiries via the contact form), we use SSL or TLS encryption. The encrypted connection can be recognised by the "s" in the string "https://" and the lock symbol in your browser line.

18. Protection of minors

Children and persons under the age of 18 should not send any personal data to us without the approval of their parent(s) or guardian(s). We do not request personal data from children and young people, nor do we collect such information or pass it on to third parties.

19. Right of modification

Due to the further development of our website or due to changed legal requirements, it may become necessary to modify this privacy policy. The Controller will inform users about changes to the privacy policy in an appropriate manner. You can access and print out the current privacy policy at any time on our website.

As of 2019