Data privacy statement
It is only possible to use the products offered at hvv-deutschlandticket.de if you make your personal data available to us to the extent that this is necessary to fill out the various forms involved (e.g. mandatory fields if present). As required by law, we would therefore like to inform you here concerning what data we need to collect and process in connection with the use of hvv Plus, how we treat your data and what rights you have as a data subject affected by our processing of your data.
Why are my data being processed (purpose of data processing) and who is responsible for that (the data controller)?
We process your personal data for the following purposes:
- for the fulfilment of contractual obligations under the agreement for participation in hvv Plus and
- the support, information and advertising in connection with hvv Plus
- for tracking and to measure the success and reach of the programme
- to manage your consent
- tag management
- targeted online advertising
Data are collected, processed and used by Hamburger Verkehrsverbund GmbH, Brooktorkai 18, 20457 Hamburg.
What is the legal basis for the processing of my data?
The legal basis for the processing of your personal data according to Regulation (EU) 2016/679 (EU General Data Protection Regulation, in the following GDPR) is:
1. Fulfilment of contractual obligations under the agreement for participation in hvv Plus
For the administration and processing of your participation in hvv Plus, in particular to verify your entitlement to take part in the scheme, we need all the personal data which you provided when you registered for hvv Plus. Our processing of this is based on Art. 6 Par. 1 (b) GDPR (fulfilment of contractual obligations).
2. Support, information and advertising in connection with hvv Plus
We will inform you about the coupons available from third parties via hvv Plus and other special offers by email. Processing in this context will be based on the obtaining of your consent before the beginning of data processing according to Article 6 Par. 1. (a) GDPR (Consent).
3. Email tracking, measuring the success and reach of the programme
When sending out invitations to participate in hvvPlus to eligible clients and when registered users are informed about the various coupons available from third parties via hvv Plus and other special offers, user behaviour will be measured. Processing in this context will be based on the obtaining of your consent before the beginning of data processing according to Article 6 Par. 1. (a) GDPR) and § 25 Par. 1 of the Law on Data Privacy in Telecommunications and Telemedia (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG)) (Consent), provided that such consent was given. If you have not given your consent, success and reach will only be measured in a limited form (tracking of the opening rate). No information will be read out from the memory in the user's end device and no information will be saved onto such devices. We base this limited form of success and reach measurement on Article 6 Par. 1. (f) GDPR (Legitimate interest). Without such data, we have no basis for the ongoing optimization of our website which we pursue in the interests of our customers. Since the data are processed in pseudonymised form, no clearly overriding contrary legitimate interest is discernible.
In addition devices will be used to measure the success and reach of the programme in connection with the use of the website at hvv-deutschlandticket.de, similarly based on the obtaining of your consent before the beginning of data processing according to Article 6 Par. 1. (a) GDPR and § 25 Par. 1 of the Law on Data Privacy in Telecommunications and Telemedia (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG)) (Consent), provided that such consent was given. If you have not given your consent, success and reach will only be measured in a limited form without employing cookies. No information will be read out from the memory in the user's end device and no information will be saved onto such devices. We base this limited form of success and reach measurement on Article 6 Par. 1. (f) GDPR (Legitimate interest). Without such data, we have no basis for the ongoing optimization of our website which we pursue in the interests of our customers. Since the data are processed in pseudonymised form, no clearly overriding contrary legitimate interest is discernible.
4. Managing your consent
Collecting and administrating users' consent according to Article 6 Par. 1. (a) GDPR and § 25 Par. 1 of the Law on Data Privacy in Telecommunications and Telemedia (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG)) (Consent), necessitates the use of a system for consent management. Our use of such a software tool is based on Article 6 Par. 1. (c) GDPR (Compliance with a legal obligation). Without the use of such a tool we would not be able to comply with the legal requirements concerning the administration of users' consent and its revocation.
5. Tag management
The use of a so-called “tag manager” is based on Article 6 Par. 1. (f) GDPR (Legitimate interest). We have a legitimate interest in integrating and administrating various tools on our website quickly and in an uncomplicated way. In our view, no overriding legitimate contrary interest of the users exists since the tool used only serves to integrate various other tools into the website, not for collecting information on the use of the website or the users.
6. Google Ads
We use Google Ads. Google Ads is an online advertising program from Google Ireland Limited („Google“), Gordon House, Barrow Street, Dublin 4, Ireland. Processing in this context will be based on the obtaining of your consent before the beginning of data processing according to Article 6 Par. 1. (a) GDPR and § 25 Par. 1 of the Law on Data Privacy in Telecommunications and Telemedia (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG)) (Consent).
7. Microsoft Ads
We use Microsoft Ads, an online advertising program from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (“Microsoft”). Processing in this context will be based on the obtaining of your consent before the beginning of data processing according to Article 6 Par. 1. (a) GDPR and § 25 Par. 1 of the Law on Data Privacy in Telecommunications and Telemedia (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG)) (Consent).
8. Meta Ads (formerly Facebook Ads)
We use the service Meta Pixel (formerly Facebook Pixel) from Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Parent company: Meta Platforms, Inc., 1601 Willow Road Menlo Park, CA 94025, USA. Our processing in this context is based on your consent obtained before the beginning of data processing according to Article 6 Par. 1. (a) GDPR and § 25 Par. 1 of the Law on Data Privacy in Telecommunications and Telemedia (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG)) (Consent).
9. Outbrain Ads
We use Outbrain, an online advertising platform from Outbrain Inc., 39 West 13th Street, 3rd Floor, New York, NY 10011, USA ("Outbrain"). Our processing in this context is based on your consent obtained before the beginning of data processing according to Article 6 Par. 1. (a) GDPR and § 25 Par. 1 of the Law on Data Privacy in Telecommunications and Telemedia (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG)) (Consent).
10. Taboola Ads
We use Taboola, an online advertising platform from Taboola Europe Limited (2nd Floor, Aldgate House, 33 Aldgate High St, London EC3N, UK). Our processing in this context is based on your consent obtained before the beginning of data processing according to Article 6 Par. 1. (a) GDPR and § 25 Par. 1 of the Law on Data Privacy in Telecommunications and Telemedia (Telekommunikation-Telemedien- Datenschutz-Gesetz (TTDSG) (Consent).
Further information on tracking, measurement of success and reach, consent management, tag management and the use of Google Ads, Microsoft Ads, Meta Ads and Outbrain Ads
1. Email tracking
When emails with an invitation to participate in hvvPlus and/or informing clients about the various coupons available from third parties via hvv Plus and other special offers are sent to you, we record whether an email sent to you is opened and the links contained in it followed. Tracking pixels and tracking links are used here as elements of the email tracking. Such tracking is employed for each email sent. Third parties will not be given access to the tracking results. We use a software from Inxmail GmbH, Wentzigerstr. 17, 79106 Freiburg for tracking. You can revoke the consent you have given to this at any time.
2. Measurement of success and reach
For the purposes of monitoring, analysis and optimization we use the tool etracker from etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg. In this respect, the pseudonyms which are employed when using the internet, e.g. abbreviated IP addresses, are processed when collecting and evaluating data. Cookies are only used if you have given the necessary consent required under data protection laws and have not revoked your consent. You can at any time revoke your consent and actively object to the collection of your user behaviour.
3. Consent management
The tool consentmanager from Consentmanager GmbH, Eppendorfer Weg 183, 20253 Hamburg is used for consent management.
We use consentmanager to document your consent to the storing of certain cookies on your end device or to obtain your consent to the use of certain technologies in compliance with data protection requirements. Consentmanager saves a cookie in your browser in order to be able to correctly assign your consent or its revocation to you. The data collected in this way are stored until such time as you delete the cookie concerned yourself and/or revoke the consent previously given. This revocation can be given at any time using the tool consentmanager. When consent is revoked, as well as in the case that you do not give it in the first place, this information that there is no consent is stored via a cookie so that no (further) cookies or applications may be placed, for instance for success and reach measurement (a so-called “do not track cookie”).
Cookies are small files that do not damage your end device. They are either stored temporarily for the duration of your visit to the website (session cookies) or permanently (permanent cookies) on your end device. Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your end device until you delete them or your browser automatically deletes them.
In some cases, cookies from third party companies may be stored on your end device when you enter our website (third party cookies). These enable us or you to use certain services offered by these third party companies.
Cookies have different functions. Many cookies are technically necessary since certain website functions will not work without them (e.g. displaying videos). Other cookies are used to evaluate user behaviour or to show advertising material.
Consentmanager gives you the option of seeing an overview of the cookies being used and thus of the consent you have given at any time and also of revoking such consent.
You can choose your browser settings so that you are informed about the placing of cookies and allow cookies only in individual cases, as well as exclude the acceptance of cookies for specific cases or in general, and activate the automatic deletion of cookies whenever you close your browser. If you deactivate cookies, the functionality of this website may be restricted.
4. Tag Manager
We use the Google Tag Manager. The provider for this is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The Google Tag Manager is a tool with which we can integrate tracking or statistical tools and other technologies on our website. The Google Tag Manager does not itself create user profiles, save cookies or make any independent analyses. It only serves to administrate and run the tools it integrates. The Google Tag Manager does however record your IP address, which may be transmitted to the Google parent company in the USA.
5. Google Ads
Google Ads allows us to publish ads in the Google search engine or on third party websites when the user enters certain search keywords in Google (keyword targeting). Targeted advertising can also be published on the basis of the user data available to Google (e.g. location and interests) (target group selection). As the website operator, we can evaluate such data quantitatively, for instance by analysing what search keywords have triggered the publishing of our ads and how many ads have generated how many clicks. You can revoke the consent you have given to this at any time.
Transfer of data to the USA is based on the Standard Contractual Clauses of the EU Commission pursuant to Art. 46 Par. 2 (c) GDPR. You can find details here: https://policies.google.com/privacy/frameworks and https://privacy.google.com/businesses/controllerterms/mccs/
6. Microsoft Ads
Microsoft Ads allows us to publish ads in the Microsoft search engine Bing or on third party websites when the user enters certain search keywords in Bing keyword targeting). Targeted advertising can also be published on the basis of the user data available to Microsoft (e.g. location and interests) (target group selection). As the website operator, we can evaluate such data quantitatively, for instance by analysing what search keywords have triggered the publishing of our ads and how many ads have generated how many clicks. You can revoke the consent you have given to this at any time.
Transfer of data to the USA is based on the Standard Contractual Clauses of the EU Commission pursuant to Art. 46 Par. 2 (c) GDPR. You can find further information about the Standard Contractual Clauses and the Microsoft practice in processing personal data in the Data Privacy Policy of Microsoft at https://privacy.microsoft.com/de-de/privacystatement.
7. Meta Ads (formerly Facebook Ads)
By using Meta Pixel, your browser establishes a connection to servers of Meta which enables the authenticity of user data such as IP addresses or user IDs to be checked and places a cookie with the information that you have accessed our website or clicked on an ad from us as soon as you have given your consent to the use of cookies for which this is required. If you are registered with Facebook, Meta can allocate the visit to your account. By using the “Custom Audience” function we can return to you or other visitors of the website later with advertising offers on Facebook or third party websites based on your interests. With Meta Pixel’s “Conversion” function we can also measure actions by visitors to our website (e.g. purchase of a product). The data collected do not allow us to draw any conclusions as to the identity of visitors to the website. Meta can however customize the placing of advertising offers both on Facebook and outside it accordingly. In addition, Meta Pixel collects meta-communication data (e.g. IP addresses, device and browser properties).
You can revoke your consent with effect for the future at any time. If you are registered with Facebook you can administrate your advertising preferences, including the placing of ads customized for your interests, under https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.
If you do not have a Facebook account, you can deactivate the placing of ads customized for your interests at the website of the European Interactive Digital Advertising Alliance:
http://www.youronlinechoices.com/de/praferenzmanagement/.
In using the service, data are transferred to the USA. Transfer of data to the USA is based on the Standard Contractual Clauses of the EU Commission. You can find further details here:
https://www.facebook.com/legal/terms/dataprocessing, https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.
You can find further details about how Meta processes personal data, including the legal basis on which Meta does this as well as your options for pursuing your rights as a data subject towards Meta, in Meta’s Data Privacy Policy under https://www.facebook.com/privacy/policy
You can also find specific information and details of Meta-Pixel and how it works in the Help section of Facebook.
8. Outbrain Ads
Outbrain enables us to place sponsored content on various online media to provide relevant content customized for your interests and user behaviour. This may involve the processing of your personal data in order to display targeted ads to you.
Transmission of your data to Outbrain may involve its transfer to countries outside the European Union (EU) or the European Economic Area (EEA) in which a lower level of data privacy protection may apply. Such transfer is based on appropriate guarantees such as the Standard Contractual Clauses of the EU Commission pursuant to Art. 46 Par. 2 (c) GDPR.
You can find further details of the Standard Contractual Clauses and the Privacy Policy of Outbrain at https://www.outbrain.com/privacy/de/
9. Taboola Ads
Taboola enables us to place sponsored content on various online media to provide relevant content customized for your interests and user behaviour. This may involve the processing of your personal data in order to display targeted ads to you.
Transmission of your data to Taboola may involve its transfer to countries outside the European Union (EU) or the European Economic Area (EEA) in which a lower level of data privacy protection may apply. Such transfer is based on appropriate guarantees such as the Standard Contractual Clauses of the EU Commission pursuant to Art. 46 Par. 2 (c) GDPR.
You can find further details of the Standard Contractual Clauses and the Privacy Policy of Taboola at https://www.taboola.com/policies/privacy-policy.
Who will my data be passed on to during processing and for what purpose?
Hamburger Verkehrsverbund GmbH works together with various data processing contractors. This is done in compliance with all applicable provisions of European data protection regulations.
Compliance with these regulations is ensured in addition by means of separate agreements with our data processing contractors.
Contract data processing includes support of the necessary hardware and software, providing data storage space as well as evaluation of data for the purpose of success and reach management.
Data processing contractors may also be used for advertising and marketing purposes.
How long will my data be stored for?
Hamburger Verkehrsverbund GmbH as your contract partner only processes and stores your personal data for the period of time necessary to fulfil contractual and legal obligations.
We distinguish here between different categories of data.
Your participation in hvv Plus creates a continuing obligation, so that we also need to retain certain basic data such as your name, address and email address (master data) permanently.
Pseudonymized data collected for the purpose of success and reach measurement, monitoring, analysis and optimization are regularly used to create analyses and stored in that form.
After analyses have been completed, the relevant input data is no longer needed and is deleted. Data gleaned from the email tracking of the reception of emails will be stored for 180 days,
the other results of the email tracking for 548 days (1.5 years).
Cookies stored on your end device remain there until you delete them.
If data stored to directly fulfil contractual and legal obligations or to protect our own legitimate interests are no longer needed,
they will be regularly deleted, unless it is necessary to prolong their storage (for a limited time) for the following purposes:
- Fulfilment of commercial or tax retention periods, e.g. under the German Commercial Code (“Handelsgesetzbuch”) and German Tax Code (“Abgabeordnung”).
The retention and documentation periods stipulated in these regulations are up to ten years.
- Preservation of evidence within the scope of the statute of limitations: According to §§ 195 ff. of the German Civil Code (BGB), these periods of limitation are generally three years,
but can also be up to 30 years in individual cases.
What data protection rights do I have concerning my personal data?
We will be happy to inform you on request whether and, if so, which personal data concerning you are stored by Hamburger Verkehrsverbund GmbH (Right to be Informed/Right of Access).
In addition to this you can notify us of incorrect data to have it corrected (Right to Rectification) or have data whose storage is inadmissible or no longer needed deleted (Right to Erasure).
In addition, under certain circumstances you are entitled to require of us that the processing of your personal data be restricted (Right to Restriction of Processing) as well as to object to
the processing of your data if and when such processing takes place
- on the legal basis of Overriding Legitimate Interest (Article 6 Par 1 (f) GDPR)
- for the performance of a task carried out in the public interest (Article 6 Par 1 (e) GDPR) or
- to revoke your Consent (Article 6 Par 1 (a) GDPR) (Right to Object).
In particular, you can object at any time to your personal data being used for advertising purposes or for market research or opinion polling (Right to Object to Data being used for Advertising).
You can further require in principle that personal data applying to you are made available to you by us in a structured, conventional and machine-readable format in order to be able to transmit
them to another data controller without us putting obstacles in your way. (Right of Data Portability).
The rights described above are guaranteed to you under Articles 15 – 21 of the GDPR, but are only presented here in very abridged form for reasons of space. If you have questions regarding the exact scope of the rights described and how to exercise them, you can get in touch with the Data Protection Officer given below and/or the Hamburg Representative for Data Protection and Freedom of Information.
Exercising your right of revocation
You have the right to object at any time to the collection of your user behaviour and any other processing which based on you giving your consent. You similarly have the right at any time to object to being sent advertising material.
If you wish to revoke the consent you have given to email tracking, we recommend that you declare this via the unsubscribe link contained in every email we send to you. Alternatively, you can send your revocation declaration to the contact data of our company Data Protection Officer, which you will find below.
In addition you can exercise this right of revocation at any time via the tool consentmanager.
In any case you can exercise your right of revocation of all and any consent given in the context of hvv Plus by making a declaration to that effect to Hamburger Verkehrsverbund GmbH.
Who can I turn to if I have questions about my data protection rights?
If you have questions concerning the processing of your personal data and/or how to exercise your rights as a user (data subject), you can get in touch directly with the responsible company Data Protection Officer. Please only use the following contact data for questions and enquiries dealing with the subject of data protection:
Kai H. Terschüren
Data Protection Officer of HVV GmbH
Brooktorkai 18
20457 Hamburg
Telephone: 040/32 57 75-0
E-Mail
What supervisory authority can I make a complaint to?
You have the right, without prejudice to any other administrative or judicial legal remedy, to lodge a complaint with the competent supervisory authority if you are of the opinion that the processing of the personal data concerning you infringes the GDPR. The competent authority for data processing in connection with the Value-Added programme hvv+ is
The Hamburg Representative for Data Protection and Freedom of Information
Ludwig-Erhard-Str. 22
20459 Hamburg
Telephone: 040 / 428 54 - 4040
Fax: 040 / 428 54 - 4000
E-Mail