Data Protection Declaration for the FahrPlaner app

We are delighted that you are using our apps. Below, we would like to inform you of how we handle your data in line with Article 13 of the General Data Protection Regulation (GDPR).

1. Controller

The office named in the address details is the controller with respect to the data collected and processed:

Verkehrsverbund Bremen/Niedersachsen GmbH (VBN)
Am Wall 165-167
28195 Bremen

2. Contact Data for the Data Protection Commissioner

Our company data protection commissioner will be happy to give you information or ideas on the subject of data protection:

Andrea Beu
Verkehrsverbund Bremen/Niedersachsen GmbH
Email: datenschutz(at)vbn.de
Telephone: 04 21 / 59 60-0

3. Data Protection when Using the App

3.1 Saving the IP Address

For a period of seven days, we save the IP address transmitted by your device strictly for the purpose of being able to detect, limit and remedy attacks on our systems. After the end of this period, we will delete or anonymise the IP address. The legal basis is Article 6 para. 1 f) GDPR.

3.2 Usage Data

When you make inquiries in our apps, usage data will be temporarily stored on our web server as a log, for statistical purposes, in order to improve the quality of our applications. This data comprises:

  • the page from which the file was requested,
  • the name of the file,
  • the date and time of the request,
  • the amount of data transmitted,
  • the access status (file transferred, file not found),
  • a description of the type of web browser used,
  • the IP address of the requesting computer.

3.3 Data Security

We undertake technical and organisational measures to protect your data as comprehensively as possible from unwanted attacks. We use an encryption method in our application. Your data is transmitted from your device to our server and vice versa via the internet using SSL/TLS encryption.

3.4 Data Transmission to Third Parties

Within the context of processing an order, we transmit your data in accordance with Article 28 GDPR to service providers who support us in operating our website (for example hosts, internet agencies, web analysis service providers) and the associated processes. Our service providers are strictly bound by our instructions and are bound by a contract accordingly.

3.5 Data Transmission to Third Countries

We sometimes transmit personal data to a third country outside the EU. We must always ensure that there is an adequate level of data protection: 

In the case of Google (USA), an adequate level of data protection is a consequence of participation in the Privacy Shield Agreement (Article 45 para. 1 GDPR). 

In the case of Microsoft (USA), an adequate level of data protection is a consequence of participation in the Privacy Shield Agreement (Article 45 para. 1 GDPR).

3.6 Connecting to Other Websites

Our apps contain links to web offerings from other providers. For example, you can see this when linking from disruption information to a connection and by the fact that a new browser window opens. If these are not web offerings of VBN GmbH, the data protection regulations of those providers apply there. This applies, for example, to links to our partners’ websites.

3.7 FahrPlaner

We incorporate the trip planning services of Hacon Ingenieurgesellschaft mbH, Lister Straße 15, 30163 Hanover in our applications. 

When you use the functions of the app, a connection will be made between your browser (device) and the Hacon servers. In the process, data about you, such as your IP address and the device you are using, as well as your interactions within the FahrPlaner app, will be processed. This includes the following areas of the app: Timetable, Departures, Map, Alarm, service area (News), Settings/Publisher’s Details/Info.

3.7.1 Tracking

To ensure needs-based design of our applications, we create pseudonymous use profiles on the Hacon servers with the help of the Matomo web analysis tool. Matomo uses cookies that are stored on your device and that we can read. This is how we can recognise returning visitors and count them as such. The unabbreviated IP address is not stored. Data processing is on the basis of Article 6 para. 1 f) GDPR or Article 15 para. 3 of the German Telemedia Act and in the interests of learning how often our services are accessed by different users. 

You can object to processing at any time by selecting the option “Usage statistics” in the FahrPlaner app settings and confirming the dialogue with “No”. In this case, Matomo does not collect any session data. When you newly install our application, however, the tracking setting is deleted and may have to be activated again.

3.7.2 Praise and Criticism

In the app area “Praise & Criticism” in our applications, we incorporate the services of a web host.

When you access this area, a connection will be made between your browser (device) and the host’s server. Some of your data, such as your IP address and the device you are using to visit the site and your interactions within the Praise and Criticism app is processed. 

You can also fill in this form without stating your personal data. A response is not possible then. When you send off the form with personal data, the information in 3.9. Praise and Criticism applies.

3.7.3 Further Authorisations and Data Collection

Please note that if you use some app functions, additional authorisations will be asked for and then data will be collected and processed.

If you want to be able to take an address from your device’s contacts as the starting point or destination when planning a trip, you must grant the app access to your contacts. Only the selected address (no names of contacts) is transmitted to our servers and used to calculate the timetable information to/from the address selected.

Depending on the operating system, maps from Google Maps (Google Incorporated, USA) for Android and Apple Maps (Apple Incorporated) for iOS are incorporated in our apps. By using these maps, information about your use (in particular the IP address of your device) is transmitted to a server belonging to the relevant third company in the USA and stored there. The processing of personal data using technically necessary cookies and your IP address is based on the legal basis of Article 6 para. 1 sentence 1 f) GDPR and the interest of optimising our offering for you. We have no influence on the further processing of data by the third companies concerned. Please read the Terms of Use of Google Maps or Apple Maps if you want to use the service. If you do not agree to data processing by the company concerned, please do not use the map functions.

The authorisation for the “Camera” is needed to personalise the icons in “My addresses” with your own/transferred pictures. Favourites created in this way are then visible in all parts of the app and can be used quickly and easily for planning a trip. Furthermore, the authorisation is needed for the option to be able to send your own pictures/photos in the Praise & Criticism form. In this way, you can better explain your feedback to us with a picture.

Based on your location, the app can display stops, possible trips near you and service messages (News). To do this, after your consent, the GPS coordinates identified by your device will be transmitted to our servers. For example, you can ask for connections to/from your current location and have stops near you displayed.

If you use the Push Notification service, an anonymised device code will be stored on the Hacon servers so that information can be sent to your device. This enables you to be notified of the current traffic situation on your subscribed trips in the event of delays or disruptions.

To provide the Push Notification service, a product from Google Incorporated (USA), “Google Cloud Messaging” or “Firebase Cloud Messaging”, is used on Android, and a product from Apple Incorporated (USA), “Apple Push Notification service”, is used on iOS, so that notifications can be sent to your device if new traffic reports are available. The use of these services may result in information about your use (in particular the IP address of your device) being transmitted to a server belonging to Google Incorporated or Apple Incorporated in the USA and stored there. We have no influence on further processing of data by Google Incorporated or Apple Incorporated. Please read the Terms of Use of Google or Apple if you want to use the service. If you do not agree to data processing by Google Incorporated or Apple Incorporated, please do not use the Push Notification functions.

The authorisations are not used for any other purposes. You can change your consent in the app settings of your device operating system at any time.

3.8 MobileTicket

We incorporate the services of EOS UPTRADE GmbH, Schanzenstraße 70, 20357 Hamburg in our applications. 

If you use the relevant functions of the app, a connection will be made between your browser (device) and the EOS UPTRADE servers. In the process, some of your data, such as your IP address and the device you use to visit the site and your interactions are processed and saved. This includes the following area of the app: Tickets.

By sending off the registration form and then using the MobileTicket more information about you will be processed by EOS UPTRADE GmbH. The General Terms and Conditions (https://shop.vbn.de/index.php/cms/terms_conditions/1) and the following data protection regulations of the MobileTicket apply.

3.8.1 Purpose and Legal Basis of Processing

We process the customer’s data, i.e. their name, title, address, their date of birth, their email address, chosen payment method, bank details with IBAN and/or credit card data, response to security questions and the order details with the following information: IP address, first name and surname for ticket personalisation and ticket data in accordance with Article 6 para. 1 b) GDPR for the purposes of fulfilling the contract. The User-Agent/device information is collected in accordance with Article 6 para. 1 f) GDPR with a legitimate interest. The legitimate interest is system optimisation, quality assurance and fraud prevention. 

This also comprises associated customer support. 

3.8.2 Recipients of the Personal Data

The data provided by you that is necessary for fulfilling the contract will be processed and stored on our behalf by EOS UPTRADE GmbH, Schanzenstraße 70, 20357 Hamburg in accordance with Article 6 para. 1 f). The legitimate interest on our part lies in outsourcing the back-office system, ticket creation and hosting to a service provider. 

We transmit your personal data (first name and surname, date of birth, address, email address, bank account details, credit card data, where applicable mobile telephone number and data on your ticket purchases) and all changes to LogPay Financial Services GmbH, Schwalbacher Straße 72, 65760 Eschborn for the purposes of sales and assigning our claims against you that arise in association with your ticket purchase. This is done on the basis of Article 6 para. 1 f) GDPR. The legitimate interest on our part lies in outsourcing the payment processing and claims management. The legitimate interest on the part of LogPay Financial Services GmbH lies in collecting the data for the purposes of processing payments, claims management, evaluating the permissibility of payment types and avoiding defaults.

You can object to the transmission of data to EOS UPTRADE GmbH and LogPay Financial Services GmbH at any time; however, orders using the electronic sales channel will then no longer be possible.

The data protection legal information of LogPay Financial Services GmbH can be accessed at https://www.logpay.de/datenschutz.html

3.8.3 Duration of Data Storage

Personal data will be stored only for as long as prescribed by law and for as long as necessary to fulfil the relevant purpose.

3.9 Issuing the Deutschland-Ticket from third-party subscription contracts

To issue the Deutschland-Ticket in the VBN FahrPlaner, we process your customer data with our partners. We receive the customer information surname, first name, date of birth, email address, contract number and ticket information (ticket ID, validity) from the various companies that have concluded a subscription contract with you. The valid Deutschland-Ticket is then displayed in the VBN FahrPlaner app and can be checked anywhere in Germany.

3.9.1 Purposes and legal basis of processing

Your customer data with respect to issuing the Deutschland-Ticket in the VBN FahrPlaner app is transmitted in accordance with Art. 6 Para. 1 lit. b GDPR for the purposes of processing the contract. The data controllers within the meaning of the General Data Protection Regulation (GDPR) when issuing the Deutschland-Ticket as a mobile phone ticket are in each case the subscription companies together with Verkehrsverbund Bremen/Niedersachsen GmbH (VBN) and in some cases Niedersachsentarif GmbH (NITAG) as the clients of the subscription companies and Verkehrsverbund Bremen/Niedersachsen GmbH.
We have concluded an agreement with the subscription companies and with Niedersachsentarif GmbH on joint responsibility under data protection law in accordance with Art. 26 GDPR.

List of partners:

  • Bentheimer Eisenbahn
    Otto-Hahn-Straße 1
    48529 Nordhorn
  • Bremer Straßenbahn AG
    Flughafendamm 12
    28199 Bremen
  • Bremerhavener Versorgungs- und Verkehrsgesellschaft mbH
    Zur Hexenbrücke 11
    27570 Bremerhaven
  • KVG Stade GmbH & Co. KG
    Harburger Straße 96
    21680 Stade
  • Lüchow-Schmarsauer Eisenbahn GmbH
    Königsberger Str. 10
    29439 Lüchow
  • Niedersachsentarif GmbH
    Schillerstr. 31
    30159 Hannover
  • Transdev Service GmbH
    Passage 3-5
    17034 Neubrandenburg
  • Verkehr und Wasser GmbH
    Felix-Wankel-Straße 9
    26125 Oldenburg
  • Verkehrsgesellschaft Hameln-Pyrmont mbH
    Bahnhofsplatz 19
    31785 Hameln
  • Verkehrsverbund Region Braunschweig GmbH
    Frankfurter Straße 2
    38122 Braunschweig
  • Verkehrsverbund Süd-Niedersachsen GmbH
    Güterbahnhofstraße 10
    37073 Göttingen

The respective partners and Verkehrsverbund Bremen/Niedersachsen GmbH are equally responsible for providing information on the collection of data and on the essential contents of the agreement, as well as for processing enquiries from those affected.
Data subjects may assert the rights to which they are entitled under Articles 15 to 22 of the GDPR against the subscription companies and Verkehrsverbund Bremen/Niedersachsen GmbH. In principle, you will receive your information from the contracting party with whom you have concluded your subscription contract.

3.9.2 Recipients of personal data

The data provided by you, which is necessary for the issue of the Deutschland-Ticket, is processed and stored on our behalf by EOS UPTRADE GmbH, Schanzenstraße 70, 20357 Hamburg in accordance with Article 6 para. 1 f). The legitimate interest on our side is the outsourcing of the background system, ticketing and hosting to a service provider.
You can object to the transmission of data to EOS UPTRADE GmbH at any time; however, it will then no longer be possible to issue the Deutschland-Ticket via the electronic sales channel.

3.9.3 Duration of data storage

Personal data is only stored as long as it is required by legal retention obligations and as long as it is necessary to achieve the respective purpose.

3.10 Praise and Criticism

3.10.1 Purpose and Legal Basis of Processing

We process the customer’s data, i.e. their name, address, email address, telephone number and their concern (Praise and Criticism) in accordance with Article 6 para. 1 f) GDPR. Our legitimate interest lies in dealing with your concern quickly and effectively and passing it on to the relevant office.

3.10.2 Recipients of Personal Data

The specific concern will be passed to the relevant office that is responsible for answering your concern. This may be an individual transport company or the commissioning authority, such as Zweckverband Bremen/Niedersachsen and/or the districts and municipalities in the network area. 

We have commissioned external service providers for hosting and further development of the database. Hosting is carried out by Bremer Straßenbahn AG (BSAG), Flughafendamm 12, 28199 Bremen; we have commissioned SIGNON Deutschland GmbH, Schützenstraße 15-17, 10117 Berlin for further development, which works strictly according to instructions.

You are entitled to object to processing. For example, you can do this at datenschutz(at)vbn.de or by sending a notification to Verkehrsverbund Bremen/Niedersachsen, Am Wall 165-167, 28195 Bremen. Your personal data will then be deleted if it cannot be further processed to ensure legitimate interest.

3.10.3 Duration of Data Storage

The data required for the answer will be deleted 18 months after the last contact. The concern will be anonymised.

4. User’s Rights

When personal data is being processed, the GDPR gives you as an internet user certain rights:

4.1 Right of Access (Article 15 GDPR): 

You have the right to demand confirmation as to whether or not personal data concerning you has been processed; where that is the case you have the right of access to the personal data and the information listed in detail in Article 15 GDPR. 

4.2 Right to Correction and Erasure (Articles 16 and 17 GDPR): 

You have the right to demand immediate correction of incorrect personal data concerning you and, where applicable, to the completion of incomplete personal data. 

You also have the right to demand that personal data concerning you be erased immediately if one of the reasons listed in detail in Article 17 GDPR applies, for example if the data is no longer needed for the original purposes. 

4.3 Right to Restriction of Processing (Article 18 GDPR): 

You have the right to demand restriction of processing if one of the conditions listed in Article 18 GDPR applies, for example if you have objected to processing, for the duration of any investigation. 

4.4 Right to Data Portability (Article 20 GDPR): 

In certain cases, which are listed in detail in Article 20 GDPR, you have the right to demand receipt of the personal data concerning you in a structured, commonly used and machine-readable format or transmission of this data to a third party.

4.5 Right to Object (Article 21 GDPR): 

If data is collected on the basis of Article 6 para. 1 f) (Data Processing to Pursue Legitimate Interests), you are entitled to object to processing at any time for reasons arising from your particular situation. We will then no longer process the personal data unless there are demonstrably compelling legitimate grounds for processing which override the interest, rights and freedoms of the person concerned, or for the establishment, exercise or defence of legal claims.

4.6 Right to Lodge a Complaint with a Supervisory Authority

According to Article 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR. The complaint may be lodged with a supervisory authority in particular in the member state of your habitual residence, place of work or place of the alleged infringement.

In the Free Hanseatic City of Bremen, the competent supervisory authority is the Commissioner for Data Protection and Freedom of Information of the Free Hanseatic City of Bremen, Arndtstraße 1, 27570 Bremerhaven.

5. Automated Decision-Making

We do not use automated decision-making or profiling.