Data privacy

Information and notes on data processing and data protection at VBB Verkehrsverbund Berlin-Brandenburg GmbH.

The VBB takes the protection of your personal data very seriously and informs you below in detail about the handling of your data: When handling personal data, VBB complies with the applicable data protection regulations, in particular the new EU General Data Protection Regulation (DSGVO) and the Federal Data Protection Act (BDSG).

Who is responsible for data processing and whom can you contact?

The VBB collects and processes your data as the responsible party. Should this be deviated from in certain cases, you will be informed at the appropriate place.

If you have any questions or suggestions regarding data processing at the VBB, please contact:

VBB Verkehrsverbund Berlin-Brandenburg GmbH
Stralauer Platz 29
10243 Berlin
Telephone: 0 30 - 25 41 40
Fax: 0 30 - 25 41 41 12
E-mail:

For questions, suggestions and/or criticism you can reach the appointed data protection officer at:

VBB Verkehrsverbund Berlin-Brandenburg GmbH
Data Protection
Stralauer Platz 29
10243 Berlin
E-mail:

Who gets your data?

Within the VBB, access to your data is granted to those offices that need it to fulfil our contractual and legal obligations. For the execution of a contract, it is usually necessary to involve instruction-dependent processors, such as printing or shipping service providers or other parties involved in the fulfilment of the contract. These are carefully selected by us and strictly bound by contract. The service providers named below work according to our instructions, which is ensured by strict contractual regulations, by technical and organisational measures and by supplementary controls.

Responding to enquiries may require forwarding them to the project partners involved. Data is only passed on to third parties within the framework of the regulations of the DSGVO and the BDSG.

How long will your data be stored?

We process and store your personal data as long as it is necessary for the fulfilment of our contractual and legal obligations. If the data is no longer required for these purposes, it will be deleted unless statutory or otherwise stipulated retention periods require it to be kept. Please note that you can determine or carry out the deletion of your data yourself if necessary (e.g. when favouriting stops for your frequent journeys).

What rights do users of the VBB app have?

You have a right to information about the personal data concerning you (Art. 15 DSGVO) as well as to correction (Art. 16 DSGVO) or deletion (Art. 17 DSGVO) or to restriction of processing (Art. 18 DSGVO), a right to object to processing (Art. 21 DSGVO) as well as the right to data portability (Art. 20 DSGVO). Furthermore, you have the right to complain to a data protection supervisory authority (Art. 13 (2) (d) DSGVO).

Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data concerning him or her infringes the GDPR (Art. 77 GDPR). The data subject may exercise this right before a supervisory authority in the Member State of his or her residence, place of work or the place of the alleged infringement.

As a rule, you can contact the supervisory authority of your place of residence for this purpose. A list of the supervisory authorities is available here.

You can exercise your rights using the contact details below:
 

VBB Verkehrsverbund Berlin-Brandenburg GmbH
Data Protection
Stralauer Platz 29
10243 Berlin
E-mail:

What happens with links to external sites?

Links on the VBB website may take you to third-party websites. When setting up these links, we checked the contents of the external websites for illegality and criminal liability. However, subsequent changes to the contents of the external websites cannot be ruled out. The VBB is not obliged to check the links and the external websites continuously. Therefore, we cannot assume any liability for the data protection guidelines of the external websites.

Updating of the data protection information

We adapt our information and notes on data processing and data protection to changed functionalities or changed legal situations. We therefore recommend that you take note of the information at regular intervals.

Overview of our data protection information:

When using the app, the following data is processed:

  • Date and time of your request
  • Start and destination of your request
  • Operating system

It is technically not possible to use this app without processing this data. The legal basis for the processing is Art. 6 (1) lit. f DSGVO.


If you contact us, we process the personal data you provide for the purpose of processing the correspondence. The legal basis for the processing is Art. 6 para. 1 lit. f DSGVO.

Transfer of personal data to third parties

Data that has been logged when accessing our website will only be passed on to third parties if we are obliged to do so by law or by court decision, or if the transfer is necessary for legal or criminal prosecution in the event of attacks on our internet infrastructure. We do not pass on data for other non-commercial or commercial purposes.

If we commission third parties to process data, this is generally done by concluding a contract processing agreement (CPA) in accordance with Art. 28 DSGVO. This is the case for our website for:

Website analysis

So-called tracking tools are used on our homepage. For this purpose, we use the services of Google Analytics: Google Analytics is a service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

Insofar as you have given your consent, this website uses Google Analytics, a web analytics service provided by Google LLC. Its use involves a specific mode of operation that allows data, sessions and interactions across multiple devices to be assigned to a pseudonymous user ID and thus to analyse a user's activities across devices.

Google Analytics uses special text files that are stored on your computer and enable an analysis of your use of the website.

The information generated by the cookie about your use of this website will be transmitted to and stored by Google on servers in the United States. In the event that IP anonymisation is activated on this website, however, your IP address will be truncated beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area.

Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. We would like to point out that on this website, Google Analytics has been extended to include IP anonymisation in order to ensure that IP addresses are recorded anonymously (so-called IP masking). The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

For more information on the terms of use and data protection, please visit https://www.google.com/analytics/terms/de.html or https://policies.google.com/?hl=de.

Purpose of website analysis by Google Analytics and legal basis

On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator.

The legal basis for the use of Google Analytics is your consent in accordance with Art. 6 Para. 1 S.1 lit. a DSGVO. The recipient of the collected data is Google.

The data sent by us and linked to cookies, user IDs (e.g. user ID) or advertising IDs are automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month.

You may refuse the use of cookies by selecting the appropriate settings in your browser. Please note, however, that if you do this you may not be able to use the full functionality of this website (e.g. journey information).

You can also prevent the collection of data generated by the cookie and related to your use of this website (including your IP address) by Google and the processing of this data by Google by downloading and installing the browser plug-in available under the following link.

You can find more information on Google Analytics and data protection at http://tools.google.com/dlpage/gaoptout?hl=de.

2. Mobile ticket - VBB mobile ticket via Handyticket Deutschland

2.1 Registration, billing and ticket issue

Type and scope of data collection

If you wish to purchase a VBB mobile phone ticket from the provider Handyticket Deutschland, you enter into a contractual relationship with Oberhavel Verkehrsgesellschaft mbH (hereinafter referred to as OVG). OVG distributes electronic mobile phone tickets for the VBB area, under the brand name "VBB-Handyticket", as part of HandyTicket Deutschland and issues these as VDV barcodes via the VBB app "Bus und Bahn".

The person responsible for processing your data for the VBB-Handyticket within the meaning of Art. 4 No. 7 of the General Data Protection Regulation (DS-GVO) is Oberhavel Verkehrsgesellschaft mbH.

The VBB offers access to the Handyticket Deutschland registration portal via the website. The contact person for all data protection issues is OVG (Annahofer Str. 1a, 16515 Oranienburg, e-mail: info@ovg-online.de).

OVG is responsible for the correct storage and updating of your Handyticket data. In connection with the booking of tickets, OVG also collects so-called payment data (bank details) in addition to your personal data.

If you wish to participate in the Handyticket Deutschland procedure, you must register on the Internet on the login page (https://www.handyticket.de/portals/web/nutzer/ovg/login.html) with your personal data. If you want to use a convenient payment method (credit card, direct debit, PayPal), OVG will ask you for your mobile phone number, your valid control medium and also your name, address, date of birth, credit card data or bank details when you register on the login page. OVG requires this data for the contractual relationship. If you use the direct debit payment method, the data you provide will be subjected to an identity and creditworthiness check as part of the online registration process.

By ordering and using a ticket purchased by mobile phone and issued via a VDV barcode (2D barcode), OVG receives information about the type of ticket you purchased, the validity period (start and end of validity) and the tariff area used as well as the ticket's identification number. For single tickets, e.g. connecting tickets, OVG also receives the starting point (stop). This information is necessary for billing purposes. OVG also receives this information from customers who are not registered but use Handyticket Deutschland for transport services in our tariff zone.

If you have provided voluntary information when registering for Handyticket Deutschland, this information will be used by the service providers exclusively for this purpose.


Recipient of the data

Your registration data will be processed by HanseCom Public Transport Ticketing Solutions GmbH on the basis of the General Terms and Conditions of Handyticket Deutschland for the purpose of providing and billing electronic mobile phone tickets.

A service provider (https://www.handyticket.de/impressum.html) has been commissioned to process the Handyticket Deutschland procedure.

OVG will pass on your personal data (first and last name, date of birth, address, e-mail address, account details, credit card details, mobile phone number if applicable, as well as data on your respective ticket purchases) and any changes to LogPay Financial Services GmbH for the purpose of selling and assigning our claims against you that arise in connection with your ticket purchase. This is done on the basis of Art. 6 para. 1 p. 1 lit. f DS-GVO. The legitimate interest on our side is the outsourcing of payment processing and receivables management. The legitimate interest on the part of LogPay Financial Services GmbH consists in the collection of data for the purpose of processing payments, for receivables management, the evaluation of the admissibility of payment methods and the prevention of payment defaults. You can object to the transmission of this data to LogPay Financial Services GmbH at any time; however, it will then no longer be possible to place an order via the electronic sales channel. You can access the data protection information of LogPay Financial Services GmbH here.

If, as a registered customer, you use transport services provided by another transport company participating in Handyticket Deutschland, your usage data will be passed on to this transport company for the purpose of processing ticket sales and also as a basis for ticket control. In addition, the data will be passed on to the respective body entitled to receive information, if it is obliged to do so by law or by court order.


Deletion of data

Usage data (ticket data) will be deleted after 12 months. Customer data is completely deleted 12 months after completion of all processes as a result of a termination. The specified deletion periods do not apply to payment processing by LogPay Financial Services GmbH.

2.2 Communication data

Type and scope of data collection

For some communication processes (ticket issue, ticket blocking), which take place in the context of the use of VBB mobile phone tickets, data records are created by the distribution system of OVG on the basis of Handyticket Deutschland and the control terminals of the transport companies in the Verkehrsverbund Berlin-Brandenburg and transmitted to the background systems of the transport companies.

All data records contain the time, place and type of communication process (ticket issue, ticket blocking) as well as the respective identification numbers for the ticket, for the fare product on which the ticket is based and for the issue or control terminal as well as the date and time of the start and end of validity of the ticket.


Recipients of the data

The data collected via the terminals of the transport companies are processed by the sales background systems of the transport companies and transmitted to a central data control system of the VBB (issuing data records) and the central, Germany-wide blocking management system of VDV eTicket-Service GmbH & Co. KG (blocking data records).

The central data control system at the VBB receives the ticket issue data records directly from the systems of the transport companies in order to check them against each other so that system security can be guaranteed and, if necessary, errors in the systems can be detected and rectified.


Deletion of data

All communication data received by the sales background systems of the transport companies and the central data control system at the VBB are stored for the duration of the procedure. A precise specification of the storage period and deletion periods is made in consultation with the data protection officers of VBB GmbH and the transport companies, based on a data protection impact assessment, external requirements and technical possibilities of the systems.

3. Electronic ticketing (eTicket) - VBB-fahrCard

3.1 Storage on the VBB-fahrCard

Type and extent of data collection

With impersonal, transferable tickets the tariff product, the tariff area of validity, the temporal and spatial validity and the card number are stored in the chip of the VBB-fahrCard.

For personal, non-transferable tickets, the tariff product, the tariff area of validity, the temporal and spatial validity and the card number are stored in the chip of the VBB-fahrCard. In addition, your first name and surname in encoded form (only the first and last letters are readable) and, if applicable, your year of birth (product-specific) are stored in your electronic ticket. Your photograph and your first and last name are printed on the card.

In the memory of each eTicket a logbook is created, which records all writing processes that take place on the chip of the VBB-fahrCard in a transparent and comprehensible way for the customer. This includes the issuing of tickets as well as the blocking of eTickets or the complete VBB-fahrCard (application blocking). The logbook contains a maximum of ten entries. The following data is recorded:

  • Type and description of the transaction: Issue / Blocking
  • Terminal ID
    • Terminal ID: identifies the type of terminal and terminal number
    • Organisation identification number of the transport company to which the terminal belongs
  • Transaction time: date and time of issuance / blocking
  • Transaction location ID
    • Location type code: identifies the type of issuing / blocking location (e.g. bus stop, railway station)
    • Location number: unique identification number per issuing / blocking location
    • Organisation identification number of the transport company to which the issuing / blocked location is assigned
  • Authorisation ID
    • Authorisation number of the issued / blocked ticket
    • Organisation identification number of the transport company that issued the ticket
  • Product ID
    • Product number of the fare product issued as an entitlement
    • Organisation ID number of the fare manager (usually VBB)
  • Line ID
    • Line number on which the ticket was issued / blocked
    • Line variant number, if several routes are operated for the line
  • Journey ID
    • Trip number on which the issue/blocking took place
    • Trip variant number, if several trips are possible for the trip.

Control procedures are not logged in this logbook.

You have the possibility at any time to have the data from the logbook of your VBB-fahrCard displayed by your customer advisor in a customer centre of your transport company. In addition, you can read out this data yourself at a customer information terminal, in short info terminal, of your choice.

Info terminals are usually installed in the customer centres of the transport companies, but can also be found in partner agencies. Access to the info terminals is possible during the business hours of the customer centres or the agencies.

The VBB-fahrCard can also be read via commercial smartphone apps, provided the smartphone has an NFC interface.

The eTicket can be read or written contactlessly if the reader/writer is no more than one centimetre away from the card. This means that cards in jacket pockets or purses cannot usually be read. In addition, you have the option of providing your eTicket with an appropriate protective cover that prevents electronic contact with the card.

Please note that the protective cover must be removed for independent control procedures at the bus terminals and for mobile controls by control staff of the transport companies.


Recipients of the data

The data on the VBB-fahrCard are only accessible to the holder and the control staff of the transport companies. When reading out the VBB-fahrCard at customer information terminals or via mobile phone apps, the data of the eTickets and the logbook are shown on the display of the reading device. No data records are generated.

During issuing and control processes by the transport companies, the data of the VBB-fahrCard (app) and the eTickets are shown on the displays of the stationary or mobile terminals. Ticket issuing processes are stored in the logbook of the VBB-fahrCard. If a control process leads to the blocking of an eTicket or a VBB-fahrCard (application blocking), a corresponding data record is also written into the logbook of the card.


Deletion of data from the VBB-fahrCard

With every contact with an eTicket terminal that triggers a ticket issuing or, if applicable, blocking process, an entry is written into the logbook on the eTicket. After ten entries, each additional entry overwrites the oldest existing entry (ring buffer).

You can also delete all entries from the logbook of your eTicket at any info terminal. Info terminals are usually installed in the customer centres of the transport companies, but can also be found in partner agencies. Access to the info terminals is possible during the business hours of the customer centres or the agencies.

3.2 Communication data

Type and scope of data collection

For all communication processes (ticket issuing and, if applicable, ticket blocking) that take place with the VBB-fahrCard, data records are created by the issuing and control terminals of the transport companies in the Verkehrsverbund Berlin-Brandenburg and transmitted to the background systems of the transport companies.

In the case of personal tickets, the data records for ticket issuance contain your first name and surname in encoded form (only the first and last letters are readable in each case) and, if applicable, your year of birth.

All data records contain the time, place and type of communication process (ticket issue or ticket blocking) as well as the respective identification numbers for the ticket, for the fare product on which the ticket is based and for the issue or control terminal as well as the date and time of the start and end of validity of the ticket.

In the case of blocking operations, the identification number of the line and the journey on which the communication operation took place is also written to the corresponding data record.


Recipients of the data

The data collected via the terminals of the transport companies are processed by the sales background systems (issuing/control systems) of the transport companies and sent to a central data control system of the VBB (issuing data records) and the central, Germany-wide blocking management system of VDV eTicket-Service GmbH & Co. KG (blocking data records).

The central data control system at the VBB receives the ticket issue data records (first and last name and, if applicable, year of birth are deleted before being entered into the system) directly from the systems of the transport companies as well as the ticket/card blocking data records collected by the control systems of the transport companies via the blocking management system of VDV eTicket-Service GmbH & Co. KG in order to check them against each other so that system security can be guaranteed and, if necessary, errors in the systems can be detected and rectified.


Deletion of data

All communication data received by the sales background systems of the transport companies and the central data control system at the VBB are stored for the duration of the procedure. A precise specification of the storage duration and deletion periods is made in coordination with the data protection officers of VBB GmbH and the transport companies, based on a data protection impact assessment, external requirements and technical possibilities of the systems.

4. Mobile applications (apps) - "Handyticket Deutschland", "Bus & Bahn" and "jump"

For the use of our apps on your mobile devices, data is automatically collected, e.g.

  • Name and version of the app you are using,
  • unique device identifier (UDID) and the
  • local time and date stamp of the server.

This is used to ensure the proper functioning of the app, i.e. registration, for the purpose of customer service and, if you accidentally remove the app from your device, to restore the app to your device. The legal basis for the processing is Art. 6 para. 1 p. 1 lit. b (processing of the contract for the provision of the mobile ticket or provision of the app "jump") and lit. c DS-GVO (implementation of payment processing of the mobile ticket).

The VBB app "Bus&Bahn" asks the user for access rights for the location and contacts when first used. Both requests can be refused, but this leads to minor restrictions in the use of the app. We collect the physical location of your device only with your consent in order to provide you with location-based services, e.g. navigation and traffic information. The collection and sharing of this location information can be suspended at any time by not using the location-based services within the app or by turning off your mobile device. For billing purposes, we may need to collect your location (start/destination). We may also collect location information ("traffic measurement data") to improve content. However, this information is collected anonymously. In principle, you can prohibit our apps from accessing the GPS location data of your mobile device. The only effect is reduced usability, as you then have to enter the information yourself.

To simplify usability, you can also allow or prohibit our apps from accessing your contacts. If you grant permission, the address books are not read out completely and are not transferred to our servers. Only the address data (street and city) will be used to calculate journey times and stops. In principle, you can prohibit our apps from accessing your contacts. The only effect is reduced usability, as you then have to enter the information yourself. For further information, the data protection declaration is linked under the menu item "Info & Help" (Android) or "Help" (iOS). You will find all information on data processing in connection with Handyticket Deutschland under item "2. Mobile ticket - VBB mobile ticket via Handyticket Deutschland".

None of our apps uses authorisations that could restrict the privacy of the user. If permissions are required, these are explained in the respective app description and the required functions of the app, about which you will be informed in accordance with § 13 para. 1 TMG before the start of the usage process.

5. Contact

For communication and contact in the context of enquiries or complaints, we process your data, e.g.

  • Name, first name,
  • address
  • e-mail address
  • telephone number and
  • Reason for contact (information, complaint).

If you contact us, we process the personal data you provide for the purpose of processing the correspondence. The legal basis for the processing is Art. 6 para. 1 lit. f DSGVO.

6. Social media

We maintain our own presence on various social media platforms. The social media activities operated by us and detailed below are carried out on the basis of Art. 6 (1) lit. f DSGVO. With these activities, we would like to provide you with a broad, multimedia offer and exchange information with you on topics that are important to you.

For the respective data processing purposes and data categories, please refer to the respective offer listed in more detail below.


Facebook

If you visit our fan pages on Facebook, Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA, as operator, stores and processes personal data to the extent described in the privacy policy. The privacy policy can be found here: http://de-de.facebook.com/policy.php.

Plug-ins of the social network Facebook, provider Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA, are integrated on our website. You can recognise the Facebook plug-ins by the Facebook logo or the "Like" button on our website. You can find an overview of the Facebook plug-ins here: http://developers.facebook.com/docs/plugins/. When you visit our website, a direct connection is established between your browser and the Facebook server via the plug-in. Facebook thereby receives the information that you have visited our website with your IP address. If you click the Facebook "Like" button while you are logged into your Facebook account, you can link the content of our website to your Facebook profile. This allows Facebook to associate your visit to our website with your user account. We would like to point out that we, as the provider of the website, have no knowledge of the content of the transmitted data or its use by Facebook.

If you do not wish Facebook to be able to associate your visit to our website with your Facebook user account, please log out of your Facebook user account.


Twitter

If you visit our Twitter channels, Twitter Inc., 795 Folsom Street, Suite 600, San Francisco, CA 94107, USA, as operator, stores and processes personal data to the extent described in the privacy policy. The privacy policy can be found here: https://twitter.com/de/privacy.

When you use Twitter and in particular the "Re-Tweet" function, Twitter links your Twitter account to the websites you frequent. This is made known to other users on Twitter, in particular your followers. A data transfer to Twitter also takes place in this way.

Please note, however, that you have the option of changing your privacy settings on Twitter in your account settings there at http://twitter.com/account/settings.


Instagram

If you visit us on Instagram, Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA, as operator, stores and processes personal data to the extent described in the privacy policy. The privacy policy can be found here: http://instagram.com/about/legal/privacy.

If you are logged into your Instagram account, you can link the content of our pages to your Instagram profile by clicking on the Instagram button. This allows Instagram to associate the visit to our pages with your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by Instagram.


YouTube

Our website uses plug-ins from the YouTube site operated by Google. The operator of the pages is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. When you visit one of our pages equipped with a YouTube plug-in, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited.

If you are logged into your YouTube account, you enable YouTube to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account.

For more information on the handling of user data, please refer to YouTube's privacy policy at: https://www.google.de/intl/de/policies/privacy.

7. Processing of personal data by the VBB Bus & Bahn-Begleitservice

The VBB processes personal data of the customers of the VBB Bus & Bahn-Begleitservice (hereinafter referred to as VBB Begleitservice) for the preparation, organisation and implementation of escort orders. The processing of personal data is only carried out with your explicit consent according to Art. 6 para. 1 letter a) DSGVO and an agreement on commissioned data processing according to Art. 28 para. 3 DSGVO.

The purpose of the data processing is the planning and implementation of the use of the VBB Bus & Bahn escort service intended by you in each case and thus forms a prerequisite for the provision of this service. The personal data is collected by telephone when the order is accepted or by filling out a contact form by the VBB escort service team, documented for processing and processed using the VBB-Fahrinfo for the creation of the escort orders and their documentation. Name, first name, home address, telephone number, type of physical limitation and date of the escort are stored. The indication of your type of physical limitation is a special category of personal data according to Art. 9 (1) DSGVO. In order to be able to process this data, we need your consent in accordance with Art. 9 (2) (a) in conjunction with Art. 7 DSGVO.

We have commissioned our cooperation partner D&B Dienstleistung und Bildung Gemeinnützige GmbH, Frankfurter Allee 202, 10365 Berlin, with the storage and processing of your personal data within the framework of commissioned data processing.

If you have any questions or complaints, you can contact the company data protection officer at D&B Dienstleistung und Bildung Gemeinnützige GmbH. He can be reached at the following contact details: Frank Lohmann ().

D&B Dienstleistung und Bildung Gemeinnützige GmbH undertakes to maintain confidentiality when processing personal data in accordance with the order. This obligation shall continue to exist even after termination of the accompanying order. D&B Dienstleistung und Bildung Gemeinnützige GmbH assures that it will familiarise those employed in the performance of the work with the provisions of data protection applicable to them prior to commencement of the activity and that it will oblige them to maintain confidentiality in an appropriate manner for the duration of their activity as well as after termination of the employment relationship.


Security

The protection objectives of confidentiality, integrity and availability of the systems and services as well as their resilience in relation to the type, scope and purpose of the processing operations shall be taken into account in such a way that the risk is permanently contained by means of appropriate technical and organisational measures.