I. General information
Berliner Verkehrsbetriebe AöR, Holzmarktstraße 15-17, 10179 Berlin (“BVG” or “we”) complies with statutory data protection regulations. User data are treated with confidentiality. They are only disclosed to third parties to the extent permitted by data protection regulations or if the user provides their consent.
Below, we set out the ways in which we process personal data:
- when you use this website
- if you purchase a ticket subscription
- if you take part in our competitions
Personal data are any information relating to an identified or identifiable natural person (Article 4(1) of the EU General Data Protection Regulation (“GDPR”)). This includes information such as your name, your e-mail address, your postal address, and your telephone number. It does not include information which cannot be linked directly to your identity, such as the number of users of a website.
If you have any questions, suggestions, or comments relating to the issue of data privacy and protection, please contact our data protection officer by sending an e-mail to email@example.com.
II. Use of the website
The data we process on our website encompass the personal data required to enable the informational use of our website, to allow you to contact us by e-mail or our contact form, and to use the “My BVG” service and our online shop. We do not carry out any other processing of personal data unless you have given consent to the processing (Article 6(1)(a) of the GDPR). This covers the data you provide voluntarily when contacting us or using the “My BVG” service, and data that may be processed on the basis of the cookie settings you have made. You are under no obligation to provide your personal data. If you do not provide your personal data, however, we will not be able to provide the service for which they are required.
1. Processing of personal data on informational use of our website
If you use our website for purely informational purposes, i.e. not to log in, register, or transmit any other data to us, we do not collect any personal data except for the data that are transmitted by your browser to make it possible for you to visit our website. This includes your IP address, the date and time of the request, the browser used, and the content of the request.
The basis for the data processing is Article 6(1)(f) of the GDPR. We have a legitimate interest in ensuring the stability and security of the website.
These data are saved by us for a duration of 40 days and then erased.
Cookies are saved on your computer when you use our website. Cookies are small text files that are saved on your hard drive and through which the party setting the cookie (i.e. us in this case) receives certain information. Cookies cannot run programs or transmit viruses to your computer. They are used to make our website more user-friendly and effective as a whole.
The legal basis for the use of the following cookies is Article 6(1)(f) of the GDPR. We have a legitimate interest in optimising our website and evaluating user behaviour on our website. You can delete the cookies at any time by using the relevant functions in your browser. Below, you can also find out how to prevent the installation of cookies.
2.1 Functional Cookies
2.2 Google Ads (AdWords)
2.2.1 Use of Google AdWords conversion tracking
2.2.2 Use of the Google AdWords remarketing function
2.2.3 Objection to data collection
You can object to Google AdWords’ collection of your data by clicking the following link. This places an opt-out cookie on your computer that prevents your data from being collected in the future when visiting this website. Deactivate AdWords tracking.
This website uses functions provided by the web analytics service Google Analytics. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics cookies are stored on the basis of Article 6(1)(b) of the GDPR. The website operator has a legitimate interest in analysing user behaviour for the purpose of optimising both its website and its marketing activities.
We have activated the IP anonymisation function on this website. This means that Google will truncate your IP address for Member States of the European Union as well as for other parties to the Agreement on the European Economic Area prior to transmission to the USA. Only in exceptional cases will the full IP address be sent to and shortened by Google servers in the United States. On behalf of the website provider, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website provider. Google will not associate your IP address with any other data held by Google.
You may prevent cookies from being saved by selecting the appropriate settings in your browser. However, please note that if you do this, you may not be able to use the full functionality of this website. You can also prevent Google’s collection and use of the data (including your IP address) generated by the cookie by downloading and installing the browser plugin available at https://tools.google.com/dlpage/gaoptout?hl=de.
Objection to data collection
You can object to Google Analytics’ collection of your data by clicking the following link. This places an opt-out cookie on your computer that prevents your data from being collected in the future when visiting this website. Deactivate Google Analytics tracking.
Contract data processing
We have concluded an agreement on contract data processing with Google and fully implement the strict requirements stipulated by the German data protection authorities when using Google Analytics.
Demographics in Google Analytics
This website uses the “Demographics” function in Google Analytics. This enables the creation of reports containing information on the ages, genders, and interests of website visitors. The data is derived from Google’s interest-based advertising and visitor data from third-party providers. None of this data can be associated with a specific person. You can deactivate this function at any time by going to the display settings in your Google account, or generally prohibit the collection of your data by Google Analytics as set out in the section entitled “Objection to data collection”.
Google Analytics Remarketing
Our websites use the functions of Google Analytics Remarketing combined with the cross-device functions of Google AdWords and Google DoubleClick. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
This function allows marketing audiences created with Google Analytics Remarketing to be associated with the cross-device functions of Google AdWords and Google DoubleClick. This makes it possible to show the interest-based, personalised advertising that has been tailored to your usage and browsing habits on one device (e.g. mobile phone) on one of your other devices (e.g. tablet or PC).
If you have provided the relevant consent, Google will associate your web and app browser histories with your Google account for this purpose. This makes it possible to display the same personalised advertising on all devices on which you log in using your Google account.
To support this function, Google Analytics collects the Google-authenticated IDs of users who are temporarily associated with our Google Analytics data to define and create audiences for cross-device advertising.
You can object to cross-device remarketing/targeting by deactivating personalised advertising in your Google account; click on the following link to do so: https://www.google.com/settings/ads/onweb/
The data collected is only associated with your Google account on the basis of your consent, which you can provide to Google or withdraw (Article 6(1)(a) of the GDPR). In the event of data collection that is not associated with your Google account (e.g. because you do not have a Google account or have objected to this association), data collection is based on Article 6(1)(f) of the GDPR. As the operator of this website, our legitimate interest is in the anonymised analysis of website visitors for marketing purposes.
Duration of storage
Data we have saved is erased within 38 months of it last being used.
4. Use of measurement systems
Our website uses the measurement system (“SZMnG”) provided by INFOnline GmbH (https://www.infonline.de) for the purpose of obtaining statistical data on the use of our services. The aim of the usage measurement is to statistically determine, based on a standardised procedure, the number of visits to our website, the number of website visitors, and their browsing habits, and thus to obtain comparable data across the market. It also uses geolocation capabilities, i.e. the ability to associate a visit to a website with the location from which it was visited; this is done exclusively on the basis of anonymised IP addresses and only as far as the level of the German federal states/regions. The geographical information obtained in this process can never be used to identify the specific location of a user. In addition, usage data from different websites is merged and saved in a database for technical assessments of age and gender information. This data is disclosed to the service providers within AGOF for further reach processing.
The following personal data is processed as part of the measurement system: IP address and randomly-generated client identifier. The IP addresses are shortened by 1 byte prior to any processing and only processed further in anonymised form. IP addresses that have not been truncated in this way are not stored or processed further. This identifier is unique to a browser until the cookie or local storage object is erased. Measurement of data and subsequent association with a client identifier is therefore also possible if you visit other websites that similarly use the measurement system (“SZMnG”) provided by INFOnline GmbH. The validity of the cookie is limited to a maximum of one year.
Usage statistics of all online services that are members of the German Audit Bureau of Circulation (IVW – http://www.ivw.eu) or participate in the studies run by the Working Group for Online Media Research (AGOF – http://www.agof.de) are regularly processed by the AGOF and the Working Group for Media Analysis (agma – http://www.agma-mmc.de) to ascertain reach, and published with the performance value “unique user”, and also by the IVW with the performance values “page impression” and “visits”. These reach data and statistics can be viewed on the respective websites.
The legal basis for data processing is Article 6(1)(f) of the GDPR. We have a legitimate interest in evaluating the use of our website and using this information to display interest-based advertising to thereby boost the website’s market value. We also have a legitimate interest in providing the pseudonymised data to INFOnline, AGOF, and IVW for the purposes of market research (AGOF, agma) and for statistical purposes (INFOnline, IVW). We further have a legitimate interest in providing the pseudonymised data to INFOnline for the purpose of developing and providing interest-based advertising materials.
Your full IP address will not be stored by INFOnline GmbH. Truncated IP addresses are stored for a maximum of 60 days. Usage data in combination with the unique identifier is stored for a maximum of six months.
Neither your IP address nor your truncated IP address will be disclosed to third parties. Data with client identifiers is forwarded to the following AGOF service providers to produce the AGOF study:
Kantar Deutschland GmbH (https://www.tns-infratest.com/)
Ankordata GmbH & Co. KG (http://www.ankordata.de/homepage/)
Interrogare GmbH (https://www.interrogare.de/)
5. Use of functions on our website
If you contact us by e-mail or by using our contact form, we will save the reason for your contact, your e-mail address, and your name for the purpose of responding to your questions. We also save all the information you provide on a voluntary basis with your query. The legal basis is Article 6(1)(b) of the GDPR and Article 6(1)(f) of the GDPR. We have a legitimate interest in ensuring a smooth customer service experience. After dealing with your query, the personal data with which it is associated are erased.
5.2 “My BVG” service
If you would like to use our “My BVG” service, you must register to do so, providing your name, your e-mail address, and a password you choose. We use the double opt-in procedure for registrations, i.e. your registration is not completed until you have confirmed that you wish to register by clicking on the link in a confirmation e-mail we send you for this purpose. If your confirmation is not received within 1 day, your registration request is automatically deleted from our database.
We will also save the data you provide on a voluntary basis for the duration of your use of the service, unless you delete them yourself. You can manage and change any of the data you provide in your password-protected customer account.
If you use the service, your data may be accessible to other users of the service in connection with performance of the contract. Non-registered users cannot obtain any information about you.
Your personal data are processed solely for the purpose of using the service. These personal data are saved by us until you delete them in your profile or delete your profile entirely.
The legal basis for the data processing is Article 6(1)(b) of the GDPR.
5.3 Online shop
Registration is required if you want to purchase products available in the BVG online shop. The tickets sold in the BVG online shop can also be purchased without registration at all BVG sales outlets, private sales outlets, and at our ticket machines. We only collect, process, and use the personal data you provide as part of the registration process for the purpose of contract performance in accordance with Article 6(1)(b) of the GDPR.
The registration process requires you to enter your name, your e-mail address, your postal address, and, as applicable, a delivery address. We only use and process this information in the manner specified.
When you register in the BVG online shop, your user name will be created from the e-mail address you provide. When you make your first purchase in our shop, you will receive a password at the e-mail address you specified. The next time you make a purchase in the BVG online shop, you need only enter your user name and password; the shop system will then automatically retrieve all related data it has stored. You may amend these details whenever you log in, for example if your address has changed. You may also change your password or set a new one at any time.
Your access data will be saved by us until you delete your user account in the online shop. Personal data you provide when making an order are processed only for the purpose of handling the order and then erased, unless we are required by law to retain them.
When using any payment method other than PayPal (e.g. SEPA direct debit, credit card), your personal data (first and last name, date of birth, address, e-mail address, account details, credit card details, mobile number as necessary, and information on your ticket purchases) will be transmitted to our external financial services provider (currently LogPay Financial Services GmbH, Schwalbacher Straße 72, 65760 Eschborn, Germany) for the purpose of completing the sale and assigning our claims against you that arise in connection with your ticket purchase. Your payment details are transmitted in a secure and encrypted form. The legal basis is Article 6(1)(f) of the GDPR. We have a legitimate interest in outsourcing the handling of payments and the management of claims.
You can object to the transmission of the data to LogPay at any time. In this case, we will not process your data for this purpose any more unless
- there are compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or
- the processing is required for the establishment, exercise, or defence of legal claims.
In the event of an effective objection, it will not be possible to submit any orders that use a credit card or the SEPA direct debit mandate as their payment method.
More information on how LogPay processes data can be found at https://www.logpay.de/DE/datenschutzinformationen/.
For security reasons, credit card information is not stored in the BVG online shop and must be re-entered every time you place an order for the purpose of payment processing with our payment service provider.
If paying using the payment service provider PayPal, you will be redirected to the website of this payment service provider, PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. The personal data you enter are encrypted before being transmitted to PayPal. They typically include your name, your address, your telephone number, your IP address, your e-mail address, and other information required for order handling and your specific order. The legal basis for the data forwarding is Article 6(1)(b) of the GDPR. PayPal is the controller responsible for processing your personal data. If required for the purpose of completing the order, PayPal may also disclose data to third parties. PayPal will also transmit personal data to credit agencies, e.g. SCHUFA, in order to establish your identity and creditworthiness. More information on how PayPal processes data can be found at https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE.
6. Google Web Fonts
To ensure that fonts used on this website are uniform, this website uses so-called Web Fonts provided by Google. When you access a page on our website, your browser will load the required web fonts into your browser cache to correctly display text and fonts.
To do this, the browser you use will have to establish a connection with Google’s servers. As a result, Google will learn that your IP address was used to access our website. The use of Google Web Fonts is based on our interest in presenting our online content in a uniform and appealing way. According to Art. 6 Sect. 1 lit. f GDPR, this is a legitimate interest.
If your browser does not support Web Fonts, a standard font installed on your computer will be used.
For more information on Google Web Fonts, please follow this link: https://developers.google.com/fonts/faq and consult Google’s Data Privacy Declaration under: https://policies.google.com/privacy?hl=en.
We process personal data as part of the contract process, provided they are required for performance of the contract (e.g. name, address, account information, payment information). The legal basis for the data processing is Article 6(1)(b) of the GDPR.
IV. Participation in competitions
We organise competitions. Anyone is eligible to take part, unless the rules stipulate otherwise: for example, employees of the BVG or its wholly-owned subsidiaries (hereafter referred to as “BVG”) may not be eligible to participate in certain competitions. Information on any eligibility restrictions will be provided.
What personal data do we collect?
In general, we collect personal data in the form you use to provide it for the purpose of entering the competition. This means that we retain your postcard or save your email address with the personal data they contain, in particular, depending on the specifics of the competition, your name, contact details, address, and telephone number. For employees, we also save their organisation unit and company ID number. Any and all data you provide is on a purely voluntary basis. If you do not provide your data, however, you cannot take part in the competition.
On competitions accessed via the “Profil” app (only for use by BVG employees), an email address must generally be provided. We also process the following personal data: data you enter when logging in (email address, first name, last name), a login time stamp, and your solution. The general information on data processing for use of the PROFIL app www.profil-app.de/legal/datenschutzerklaerung further applies.
How do we process personal data?
We process personal data by storing it in analogue form (i.e. correspondence received by post) in a location that is only accessible to authorised personnel, or by storing emails, to which again only authorised BVG personnel have access. The data is processed exclusively for the purpose of running the competition, in particular to determine a winner. If you are a winner, we will contact you at the postal or email address you provided.
The legal basis is Article 6(1)(b) of the GDPR.
Your personal data is not used for any purpose other than the competition. In particular, your data will not be used for marketing purposes or disclosed to third parties.
We do, however, reserve the right to publish the first and last name of winners, as well as their place of residence and prize. This is a condition of participation in the competition. The legal basis is Article 6(1)(f) of the GDPR. The BVG’s legitimate interest is in making it transparent that the competition has taken place and a winner has been selected.
How long do we store personal data?
In general, we only store personal data until the competition has ended and a winner has been selected. Following this, the postcards are destroyed (shredded) and emails are deleted.
The only exception is if the winner is a BVG employee, in which case the following personal data must be processed further for tax-related reasons: last name, first name, value of prize. We only store this data for as long as is required by the relevant taxation law.
V. Disclosure to third parties
Your personal data are transmitted to the following third parties for the purposes set out above:
- Marketing, financial, and payment service providers for ticket sales handling
- Service providers for printing tickets/chip cards
- Debt collection agencies for enforcing claims
- IT providers for the purpose of data retention and maintenance
- Service providers for running competitions
The disclosure of personal data to our marketing, financial, and payment service providers, our service providers for printing tickets/chip cards and running competitions, and our Cloud hosting providers is based on Article 28 of the GDPR, in each case in conjunction with a processing contract that ensures that your personal data is only processed in accordance with the BVG’s instructions and is not disclosed to any other parties or processed for other purposes. If we disclose personal data to debt collection agencies, such disclosure is based on Article 6(1)(f) of the GDPR. In this case, the BVG has a legitimate interest in establishing, exercising, and defending its legal claims.
When ordering subscription tickets, the BVG will carry out a credit check during the customer’s direct debit registration process. This check is only carried out
- the first time the customer wishes to use the direct debit payment method
- the first time the customer wishes to use the direct debit payment method following changes to his or her information, such as name, address, and/or bank details (SEPA direct debit mandate)
The check involves a comparison of the personal and bank account details (information on the person, residential address, bank account and sort code) of the customer with the data held by
Creditreform Berlin Wolfram KG
VI. Automated decision-making
We do not use automated decision-making, including profiling.
VII. Your data protection rights
Depending on the circumstances in your specific case, you have the right
- to obtain access to the personal data processed by us and/or request copies of these data. This includes information concerning the purpose of usage, the category of data used, their recipients and authorised users, and, where possible, the planned period for which the data will be stored or, if that is not possible, the criteria used to determine that period;
- to request the rectification, erasure, or restriction of processing of your personal data, provided that their use is impermissible under data protection law, in particular because (i) the data are incomplete or incorrect, (ii) the data are no longer required for the purposes for which they were collected, (iii) the consent on which processing is based was withdrawn, or (iv) you have made use of your right to object to processing of your personal data; in cases in which the data are processed by third parties, we will forward your request for rectification, erasure, or restriction of processing to these third parties, unless this proves to be impossible or would involve disproportionate effort;
- to refuse consent or – without affecting the lawfulness of data processing carried out prior to withdrawal – to withdraw your consent to the processing of your personal data at any time;
- to request the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and to transmit these data to another controller without hindrance from us; you also have the right to have the personal data transmitted directly from us to another controller, where technically feasible;
- to take legal action or appeal to the data protection supervisory authorities, if you are of the opinion that your rights have been infringed due to processing of your personal data that is not in compliance with data protection regulations.
- You also have the right to object to processing of your personal data at any time:
- where we process your personal data for direct marketing purposes
- where we process your personal data in pursuance of our legitimate interests and on grounds relating to your particular situation
VIII. Other Information
If you have any questions, suggestions, or comments on the topic of data protection, please feel free to contact our data protection officer. Contact information:
Data protection officer
Berliner Verkehrsbetriebe (BVG) – statutory public body
10179 Berlin, Germany
Last updated: 19.12.2018, 17:18