Data protection policy: Ticket app
Personal data are any information relating to an identified or identifiable natural person (Article 4(1) of the EU General Data Protection Regulation (“GDPR”)). This includes information such as your name, your e-mail address, your postal address, your telephone number, and other information such as your IP address.
In all circumstances, your right to privacy is our highest priority. We therefore treat all the data you provide in accordance with relevant statutory provisions in force, such as the General Data Protection Regulation (GDPR) and the Berlin Data Protection Act (BlnDSG). It is also important that you are aware at any time of what data we collect, when we save them, and how we use them. The BVG undertakes to comply with all statutory data protection provisions. This is monitored by the BVG’s data protection officer. If you have any questions, suggestions, or comments relating to the issue of data privacy and protection, please contact our data protection officer by sending an e-mail to firstname.lastname@example.org.
1. Downloading the Ticket app
You can download our Ticket app from your respective App Store for your operating system. This will transmit data required for the download to the App Store, in particular the user data associated with your account (user name, e-mail address), the time of download, payment information, and your personal device identifier. The data are collected by the provider of the App Store, acting as the controller. We only process these data to the extent required to download the Ticket app.
The legal basis is Article 6(1)(b) of the GDPR.
2. Use of the Ticket app
We only process your personal data to the extent required to provide the service you request (Article 6(1)(b) of the GDPR).
If you wish to purchase products available in the Ticket app, you must first register in the Ticket app or at www.BVG.de (My BVG). You are under no obligation to provide your personal data (Article 13(2)(e) of the GDPR). If you do not register, however, we will not be able to provide the service. You can alternatively purchase our range of tickets at all BVG sales outlets, private sales outlets, and at our ticket machines.
During the registration process, you will be asked to provide personal data that are required to use the Ticket app. This data comprises your name, your e-mail address, whether you are an adult or a minor, and – if using the “SEPA direct debit” payment method or if you request an invoice to be sent to you – your residential/billing address. You must also enter information relevant to the payment method you choose (e.g. IBAN, credit card number, PayPal account information, mobile phone number etc.).
We only use and process this information in the manner specified. We do not use automated decision-making, including profiling.
b) Use of the Ticket app
When you use our Ticket app, we only collect personal data during the ordering process and save them in a log file. The following data are recorded: model and manufacturer of the terminal device used, version information, data processed/collected during the ordering process (even if aborted). This data processing is justified under Articles 6(1)(b) and 6(1)(f) of the GDPR. Our legitimate interest here is to ensure an optimum Ticket app experience.
If there is a problem with the connection between the app and the background system or if the connection is lost, we will also save the data associated with the error (request, error) in your Ticket app account.
The geographical location of the device is only recorded for the purpose of providing location-based services with your consent (Article 6(1)(a) of the GDPR). When purchasing certain fares, we will record your location to determine your starting stop or station. In these cases, the legal basis is Article 6(1)(b) of the GDPR.
c) Disclosure of personal data
(1) Payment by credit card, SEPA direct debit mandate
When using any payment method other than PayPal (e.g. SEPA direct debit, credit card), your personal data (first and last name, date of birth, address, e-mail address, account details, credit card details, mobile number as necessary, and information on your ticket purchases) will be transmitted to our external financial services provider (currently LogPay Financial Services GmbH, Schwalbacher Straße 72, 65760 Eschborn, Germany) for the purpose of completing the sale and assigning our claims against you that arise in connection with your ticket purchase. Your payment details are transmitted in a secure and encrypted form. The legal basis is Article 6(1)(f) of the GDPR. We have a legitimate interest in outsourcing the handling of payments and the management of claims.
You can object to the transmission of the data to LogPay at any time. In this case, we will not process your data for this purpose any more unless
- there are compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or
- the processing is required for the establishment, exercise, or defence of legal claims.
In the event of an effective objection, it will not be possible to submit any orders that use a credit card or the SEPA direct debit mandate as their payment method.
More information on how LogPay processes data can be found at https://www.logpay.de/DE/datenschutzinformationen/.
For security reasons, credit card information is not saved in the Ticket app or the background system of the Ticket app.
(2) Payment by “Google Pay”
You may pay using Google Pay in the Ticket app. The provider of this payment service is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If you select Google Pay as your payment method, Google Pay will transmit your credit card details to LogPay in encrypted form using a virtual card number. No other personal data is transmitted to LogPay. LogPay’s handling of your payment is in accordance with principles set out in (1). The legal basis for processing when using Google Pay is Article 6(1)(f) of the GDPR. We have a legitimate interest in offering you a broad range of payment methods and in outsourcing payment handling.
More information on how Google Pay operates and processes data can be found at https://pay.google.com/intl/de_de/about/ and https://payments.google.com/files/privacy/new_privacy/privacynotice_ZZ_de.html.
(3) Payment by “Apple Pay”
You may pay using Apple Pay in the Ticket app. The provider of this payment service is Apple Inc., 1 Apple Park Way, Cupertino, CA 95014, USA. If you select Apple Pay as your payment method, Apple Pay will transmit your credit card details to LogPay in encrypted form using a device account number. No other personal data is transmitted to LogPay. LogPay’s handling of your payment is in accordance with principles set out in (1). The legal basis for processing when using Apple Pay is Article 6(1)(f) of the GDPR. We have a legitimate interest in offering you a broad range of payment methods and in outsourcing payment handling.
Minors with restricted legal capacity may only select the “prepaid” method to purchase tickets in the Ticket app. This requires legal representatives of minors to transfer credit to the minor’s prepaid account in their BVG user account prior to making an order. Minors may only submit orders if they have sufficient credit in their prepaid accounts.
When using the “prepaid” payment method, information regarding the credit available in the prepaid account and account information relating to the bank transfer will be processed. Processing is carried out solely for the purpose of enabling payment from prepaid credit. The legal basis is Article 6(1)(b) of the GDPR.
You can pay for purchases in the Ticket app using the online payment service provider PayPal. The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereafter “PayPal”). If you select PayPal as your payment method, you will be redirected to the PayPal website and the personal data you have entered will be transmitted to PayPal in encrypted form. This typically includes your name, your address, your telephone number, your IP address, your e-mail address, and other information required for order handling and your specific order.
PayPal is the controller responsible for processing your personal data. If required for the purpose of completing the order, PayPal may also disclose data to third parties. PayPal will also transmit personal data to credit agencies, e.g. SCHUFA, in order to establish your identity and creditworthiness. The legal basis is Article 6(1)(f) of the GDPR. Our legitimate interest here is to ensure our customers’ ability to pay.
More information on how PayPal processes data can be found at https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE.
If you do not fulfil your payment obligations, your personal data will be passed to the debt collection agency diagonal inkasso GmbH, Bremer Straße 11, 21244 Buchholz in der Nordheide for the purpose of recovering the debt (e.g. sending payment reminders) and enforcing claims (e.g. court collection proceedings or cooperation with a solicitor’s office in the event of legal action being taken). In this case, the transmission of your personal data is based on Article 6(1)(f) of the GDPR, as the ability to enforce our claims represents a legitimate interest in data processing.
(7) Google Maps
The Ticket app uses the Google Maps service via an API. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. We use Google Maps in the interest of increasing the attractiveness of our online services and making it easier to find the locations indicated by us in the app. This represents a legitimate interest as set out in Article 6(1)(f) of the GDPR.
When using the service, your browser communicates directly with Google Inc. This information is normally transmitted to and stored on a Google server in the USA. We have no influence over this data transmission.
You can also change your settings there, allowing you to manage and protect your data.
3. App analysis
Our app uses Google Analytics for Firebase, a function for evaluating user behaviour in the app and for marketing analyses. The analysis tool automatically collects the following data on app usage:
- Number of users and sessions
- Session duration
- Operating systems
- Device models
- First-time starts
- App starts
- App updates
- In-app purchases
This data is provided to Google Analytics and Google Analytics for Firebase, and evaluated by Google in anonymised form. Google uses a device identifier (device ID, cookie, or similar technology) on users’ devices, on the basis of which it is possible to determine how long users interact with the Ticket app, how often they make in-app purchases, and how many of them were active within a specific period of time. The legal basis for data processing is Article 6(1)(f) of the GDPR. We have a legitimate interest in analysing use of the app and working to continuously improve it. Data transfer to Google is based on Article 28 of the GDPR in conjunction with the processing contract.
You can prevent the analysis by changing your device settings (iOS: Settings > Privacy > Analysis/Advertising; Android: Account > Google > Display). You can also object to this usage information being transmitted in the Ticket app by going to “My BVG”, “About this app”, “Data protection”.
The data is stored for a period of 14 months and then erased.
4. Rights of data subjects
Depending on the circumstances in your specific case, you have the right
- to obtain access to the personal data processed by us and/or request copies of these data. This includes information concerning the purpose of usage, the category of data used, their recipients and authorised users, and, where possible, the planned period for which the data will be stored or, if that is not possible, the criteria used to determine that period.
- to request the rectification, erasure, or restriction of processing of your personal data, provided that their use is impermissible under data protection law, in particular because (i) the data are incomplete or incorrect, (ii) the data are no longer required for the purposes for which they were collected, (iii) the consent on which processing is based was withdrawn, or (iv) you have made use of your right to object to processing of your personal data; in cases in which the data are processed by third parties, we will forward your request for rectification, erasure, or restriction of processing to these third parties, unless this proves to be impossible or would involve disproportionate effort;
- to refuse consent or – without affecting the lawfulness of data processing carried out prior to withdrawal – to withdraw your consent to the processing of your personal data at any time;
- to object to processing on grounds relating to your particular situation;
- to obtain information on the logic involved, as well as the significance and the envisaged consequences of our automated decision-making. You also have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you. If automated decision-making is used, you also have the right to express your point of view, which will be taken into account in the decision-making process;
- to request the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and to transmit these data to another controller without hindrance from us; you also have the right to have the personal data transmitted directly from us to another controller, where technically feasible;
- to lodge a complaint with the competent supervisory authorities, e.g. if you are of the opinion that your rights have been infringed due to processing of your personal data that is not in compliance with data protection regulations.
5. How long we retain personal data
The BVG will delete your personal information when the purpose for which it was stored no longer exists and there are no statutory regulations which require its continued storage. Your personal information is only used for statistical analysis in anonymised form.