Data privacy statement

We, the ÜSTRA Hannoversche Verkehrsbetriebe Aktiengesellschaft (hereinafter "we" or „ÜSTRA“), appreciate your interest in our company.

We take the protection of your personal data and its confidential treatment very seriously. The processing of your personal data occurs exclusively within the scope of the data protection provisions, especially the General Data Protection Regulation (hereinafter „GDPR“ / German: DSGVO) and other applicable regulations.

This privacy policy is to inform you about the processing of your personal data and your rights within the GDPR.

Additionally our data privacy statement is available in our customer centre, Karmarsch-straße 30/32, 30159 Hanover.

1. Name and contact details of the person in charge and the data protection officer
This data privacy statement applies for the data processing done by the following party responsible:
ÜSTRA Hannoversche Verkehrsbetriebe Aktiengesellschaft
Am Hohen Ufer 6
30159 Hanover
e-Mail: info@uestra.de
Phone: +49 511-16680

The data protection specialist can be reached as follows:
ÜSTRA Hannoversche Verkehrsbetriebe Aktiengesellschaft
Data Protection Officer
Am Hohen Ufer 6
30159 Hanover
e-Mail: datenschutz@uestra.de
Phone: +49 511-16680

2. The subject matter of data protection
The subject matter of data protection is “personal data”. It includes all information, relating to an identified or identifiable individual (co-called data subject). This covers details such as name, postal address, e-mail address or customer number. 
Specific information on personal data processed by us can be found consecutively in the listed data processing operations.


3. Data disclosure 
We will forward your personal data to third parties (receiver) only if we are entitled to do so according to the data protection law pro-visions. In the following we would like to inform you about possible circumstances. We may pass your personal data to third parties if

•    you grant us permission to do so for one or more purposes (art. 6 para. 1 S. 1 lit. a GDPR);
•    data processing is necessary for the performance of a contract with you or for the implementation of pre-contractual measures upon your request (art. 6 para. 1 S. 1 lit. b GDPR);
•    the processing is necessary for compliance with a legal obligation (art. 6 para. 1 S. 1 lit. c GDPR)
•    it is necessary for the protection of our legitimate interests or of a third party as long as your interests do not outweigh (art. 6 para. 1 S. 1 lit. f GDPR).

Furthermore, we are cooperating with service providers, so-called processors, to whom personal data may be communicated in order to process your data on our behalf and in accordance with our instructions within the framework of art. 28 GDPR. These service providers have been carefully selected and commissioned by us, are bound by our instructions and are supervised and checked regularly.

4. Collection and storage of personal data
a)    When visiting the website
The following hints on privacy protection refer to our website at www.uestra.de (the „website“). When visiting our website, the browser used on your device sends automatically information to our website server. This information is temporarily stored anonymized in a so-called log file. 
In the course of this procedure, the following data is collected and stored without any action on your part  until the time of automatic deletion:

•    website you were at before you visited us („referrer“) , 
•    any contents accessed, 
•    date and time of the server query (and access), 
•    quantity of data transmitted, 
•    status of access (such as the file was transmitted or the file was not found, etc.) 
•    description of the type of web browser used/ identification data of the browser, operating system type used, 
•    IP address of the requesting computer. 
The IP addresses are being anonymised, meaning that no assignment is possible. The listed data is processed by us for the following purposes:
•    ensuring a smooth website connection,
•    providing a comfortable use of our website,
•    evaluation of the system security and -stability as well as 
•    for further administrative purposes (optimization of our website and the usability).
The legal basis for processing data is art. 6 para. 1 S. 1 lit. f GDPR. Our legitimate interest follows from the purposes listed above. In no case we use the collected data in order to draw conclusions concerning your personality. Furthermore, we use cookies on our website as well as web analysis services based on them. Further information on this can be found under paragraph 5 of this privacy statement.


b)    Data security
During the website visit, we make use of the popular SSL procedure (Secure Socket Layer) in connection with the respectively highest encryption level supported by your browser. Generally, this will be a 256-bit encryption. If your browser does not support a 256-bit encryption, we will use a 128-bit v3 technology instead. You will know whether a particular page of our website is transferred in encrypted form by the key or closed padlock symbol on the bottom toolbar of your browser.
Apart from that, we use appropriate technical and organisational safeguards to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are continually improved as new technology becomes available.


c)    When ordering a newsletter
Via our website you have the possibility to subscribe for newsletters published by ÜSTRA (e.g. „ÜSTRA carpool“, „ÜSTRA traffic control centre“, „ÜSTRA job letter“, „ÜSTRA press subscription“). After you have sent the registration, you will receive an email with a confirmation link. Please confirm your regis-tration by clicking additionally on the indicated link provided in the verification e-mail (so-called double-opt-in process).
Provided you have expressly agreed according to art. 6 para. 1 S. 1 lit. a GDPR, we use your e-mail address for sending you our newsletter. In order to receive the newsletter, a valid e-mail address and a confirmation that you are at least 16 years of age is sufficient. Optionally, you can also enter your first and last name as well as the correct mode of address. 
In order to ensure that you can assign the consent for the reception of our newsletter effectively, we decided to set the mentioned minimum age for the reception of our newsletter. 
You can unsubscribe or revoke your consent at any time via a link at the end of every newsletter.
The data required for the distribution of this newsletter shall be deleted as soon as it is no longer required for the fulfilment of the purpose for which it was submitted and provided no other legal authorisation for further processing applies. Your e-mail address is conse-quently stored only for the sending of the newsletter as long as you revoke your permission.
For sending out the newsletters, the ÜSTRA has commissioned the CleverReach GmbH & Co. KG, Mühlenstraße 43, 26180 Rastede as processor.
For the purpose of completeness, we would like to point out that the ÜSTRA observes and evaluates the success of the newsletters sent on the basis of anonymous data, by collecting and storing the following data without any personal reference in order to gear the ÜSTRA services better towards the interests and needs of (potential) customers:
•    number of e-mails opened 
•    location while opening the e-mail 
•    e-mail client used 
•    information which links were clicked in a opened newsletter


d)    When using our contact form and e-mail contact
In case of any questions, we offer you the possibility to contact us via a contact form on our website. A valid email address is required in order to know who sent the e-mail and in order to answer it. 
Further information is voluntary. Alternatively, you can contact us via the e-mail address provided. In this case, your personal data transmitted with the e-mail is stored.

The data processing for the purpose of contacting is based on art. 6 para. 1 lit. f GDPR. Our legitimate interest is based on the will to answer your request. If your contact request is aimed at the conclusion of a contract, the legal basis includes additionally art. 6 para. 1 lit. b GDPR. The personal data collected by us - with the exception of such data required in compliance with legal obligations - will be deleted after the processing of your inquiry.

5. Cookies
a)    General

We use cookies on our website. These are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our website. In these cookies information is stored, arising in connection with the specifically used device. This does not imply, however, that we gain knowledge of your identity.
We categorize cookies as follows. Via the cookie banner displayed when visiting our website or via the link to your "privacy settings" you have the possibility to allow or prevent the use of certain, not essential cookies. 
Most browsers accept cookies automatically. However, you can configure your browser in such a way that no cookies can be saved on your computer or so that you are always asked for permission before cookies are saved. However, the deactivation or rejection of cookies may restrict the functionality of our web offer.

b)    Essential website cookies
These cookies are strictly necessary to provide you with basic services available through our websites such as page navigation, access to certain closed parts of the website and storage of your privacy settings. The website cannot function properly without these cookies. Therefore a deselection of essential cookies is not possible in the "privacy settings". 
The processing of personal data by essential cookies takes place initially on the basis of art. 6 para. 1 S. 1 lit. f GDPR for the protection of our legitimate interests regarding the operation of a fully functional website.
The following essential cookies are used and stored for the time and purpose specified:

Cookie name 

Duration of storage

Cookie purpose

PHPSESSID

end of the session

 PHP data identification, set by the web server, when PHP session () method is used.

fe_typo_user

end of the session

 this cookie is a standard session cookie of the used CMS TYPO3. During a user login for restricted sections it stores the entered access data.

cc_necessary

1 month

stores the settings of the cookie that essential cookies may be set

cc_analytics

1 month

stores the settings of the cookie banners whether cookies should be used for tracking/statistics/ analytical purposes.

cc_socialmedia

1 month

 stores the settings of the cookie banners whether social media cookies should be used.

                      

c)    Cookies for Tracking/statistical purposes

The cookies for tracking/ statistical purposes help us to optimize our website according to your needs. 
In this sense we use tracking measures in order to collect statistical data on the use of our website with the goal of optimizing our offerings. 
We use the Open Source software Matomo. The information generated by the cookie concerning the usage of the website and a trimmed part of your IP address will be transmitted to our server and combined in user profiles with pseudonyms for usage analysis purposes. An assignment of the page requests to an identifiable person is thereby excluded. Only your browser can be recognized as soon as you visit the website again. Information generated by the cookie concerning your use of our website is not handed over to a third party. In no case, the IP address will be associated with any other data concerning the user. 


Via the cookie banner or your "privacy settings" you can decide that cookies for track-ing/statistical purposes are being used. You can change the corresponding setups anytime. If you do not make any specific setting, no cookies will be used for tracking/statistical purposes. 
The tracking cookies provided below and used by us are carried out based on art. 6 para. 1 S. 1 lit. f GDPR. with your agreement. You can revoke this agreement at any time by adapting your "privacy settings".


The following cookies for tracking/statistical purposes are used – only with your consent:

Cookie name        

Duration of storage

Cookie purpose

_pk_id

13 months 

 A Matomo provided definite identification number to identify recurrent visitors of the website.

_pk_ses 

30 minutes

Cookie set by Matomo. It serves the purpose of recognising whether the user left the page for a longer time.

 

6. Use of social media, third-party providers
a)    Facebook
On our pages are links integrated to offers of the social network Facebook for which in terms of data protection law Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) is responsible. The Facebook privacy policy can be found at www.facebook.com/about/privacy/.

b)    Instagram
On our pages are links integrated to offers of the social network Instagram for which in terms of data protection law Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) is responsible. We have included Instagram videos in our online services. When you play the videos, a direct connection between your browser and the Instagram server is generated. Instagram receives the information that you have accessed our website with your IP address and it may be the case that you are being linked with your Instagram account, provided that you have one and you are logged in during the visit of our website. The Instagram privacy policy can be found at instagram.com/about/legal/privacy/.

c)    Twitter
On our pages are links integrated to offers of Twitter for which in terms of data protection law Twitter International Company (One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland) is responsible. The Twitter privacy policy can be found at twitter.com/de/privacy.

d)    Xing
On our pages are links integrated to offers of Xing for which in terms of data protection law XING SE (Dammtorstraße 29-32, 20354 Hamburg) is responsible. The Xing privacy policy can be found at privacy.xing.com/de/datenschutzerklaerung.

e)    YouTube
On our pages are links integrated to offers of YouTube for which in terms of data protection law Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland) is responsible. This website embeds videos from YouTube channel. When you play the videos a direct connection between your browser and the YouTube server is being generated. YouTube receives the information that you have accessed our website with your IP address and it may be the case that you are being linked with your YouTube account, provided that you have one and you are logged in during the visit of our website. The YouTube privacy policy can be found at policies.google.com/privacy. 

7. Blog logbook
This privacy statement (on the basis of the above mentioned) also applies to the Blog logbook at fahrtenbuch.uestra.de.

8. Competition
We offer competitions at irregular intervals. Detailed information on privacy can be found at: www.uestra.de/teilnahmebedingungen-gewinnspiele/.

9. Mobility shop (online shop)
With respect to the processing of your personal data within the Mobility shop accessible via the website please refer to the appropriate privacy statement at https://www.uestra.de/en/data-privacy-protection/ .

10. Data collected and use during registration for MS Teams 
The following personal data can be processed: 
a. Registration

During the registration the following personal data will be collected:

     

  • username (first name and surname) 
  •  

  • office e-mail address
  •  

The registration for the use of MS Teams is performed centrally by the responsible administrators  from the TI division. 

b. Use 

When using MS Teams, further personal data will or can be collected, such as: 

     

  • your profile picture and your business telephone number
  •  

  • your division with abbreviated form 
  •  

  • sound and image data
  •  

  • content in text form e.g. as chat, shared files and other data, stored in your account
  •  

  • file information (file name, change date, document title and author) 
  •  

  • duration of calls without content
  •  

  • data on call quality
  •  

  • diagnostic data (in order to make the software safer and/or to find and eliminate errors, see section (c) 
  •  

  • in case of external users’ full name, e-mail and / or telephone number
  •  

  • IP address
  •  

Any other personal data or information can be added and modified by yourself. Adding information is voluntarily and cannot be demanded by ÜSTRA. 
Examples include: 

     

  • the profile picture, 
  •  

  • the status display, 
  •  

  • status messages, 
  •  

  • language settings, design, read confirmation. 
  •  

  • allows also to mute the microphone, to share the screen, to turn off the camera or to share the video or background image. 
  •  

The business use of MS Teams on your personal device is voluntary as well. 

c. Diagnosis and metadata
In addition to this, all user activities, such as e.g. time of access, date, kind of access, details of the data, files or documents accessed and all activities in the context of usage, such as creating, changing or deleting a document, setting up a team and channels in Teams, creating notes in the notebook, starting a chat and answering in a chat are processed. 
In this context, we expressly point out that video or telephone conferences via MS Teams are not recorded and we deactivated this function by the system. 
In this context, please refer to the detailed documentation of Microsoft. 
docs.microsoft.com/de-de/microsoftteams/teams-privacy 

d. Cookies 
When using MS Team as browser-based application, so-called cookies are collected. Only the operator of the website and Microsoft are respondible for the collection and processing of these cookies. 
When using Microsoft Teams, you accept the usage and data protection policies of Microsoft Corporation. The privacy statement of Microsoft and other information on the collection and use of cookies and the control functions – like e.g. turning on and off cookies for advertising purposes – by the user can be found in the corresponding section under
privacy.microsoft.com/de-DE/privacystatement 

Purpose of data processing

The use of MS Teams primarily serves as electronic exchange. MS Teams can as well be used for sharing the own screen. 
For participation in online events with Microsoft Teams, a link is generated to the corresponding event and is shared with the internal or external participants. The e-mail address of the participant or the username will be forwarded to Microsoft Teams, in order to send an e-mail invitation. Microsoft Teams places a phone number or a link into the invitation (incl. meeting ID, password) you can work with in order to use the service. Your personal data are being processed in order to enable these mentioned above functions of communication and cooperation. 

Legal basis for the processing of your personal data 

a. The legal basis for data processing forms Art. 6 para. 1 f) GDPR. The legitimate interest of ÜSTRA according to Art. 6 para. 1 f) GDPR is based on the usage of device-independent Office documents for the smooth and efficient cooperation within the company and the own team. ÜSTRA therefore has a legitimate interest in an efficient performance of internal and external communication. Due to Microsoft Teams, particularly the digital, quick and easy contact, ÜSTRA offers additionally flexible home office solutions. 

b. The legal basis for data processing for external users is according to Art. 6 para. 1 a) the agreement. This is issued implied by participating in a MS Teams call. 

Recipients of the data
Microsoft as provider of MS Teams necessarily obtains information on the above-mentioned data (comparison chap. 2, c), in so far as this is intended within the context of our order processing contract with Microsoft. 
Recipients of this data can be as well IT service providers (processors). We herewith assign these external providers with the execution of tasks and services such as maintenance and service of the administrative data, data hosting and hotline services. These service providers act on our instructions what is ensured by strict contractual rules, by technical and organisational measures and by complementary checks. We have carefully selected these service providers and regularly monitor the services, particularly the sensitive handling of the stored data there. All service providers engaged by us are obliged to maintain confidentiality and to comply with the statutory regulations. 
Further recipients of your data are MS Teams users, you chat with, video chat or conference call participants or chat partners you share files with. 

Data processing within the European Union
MS Teams is a US Microsoft service. The processing of personal data takes places on servers within the EU and thereby within the scope of the GDPR. We concluded an order processing contract with the Teams provider which conforms to the requirements of Art. 28 GDPR. An adequate level of data privacy protection is guaranteed by the so-called EU standard contractual clauses. 

Saving place and saving time
Your personal data are stored on servers in German data centres which are certified by the Federal Office for Information Security (BSI) according to Germany's C5 Cloud Security Standard. 
We will delete your personal data as soon as it is no longer required for the purposes afore mentioned. 
Provided there are statutory regulations, such as e.g. legal storage obligations according to commercial and tax law, these data are stored for 6 or 10 years. 
Please note that you and / or an administrator can delete your data where appropriate - e.g. the profile picture. 
More information on this may be found at support.microsoft.com/de-de/office/l%C3%B6schen-eines-teams-c386f91b-f7e6-400b-aac7-8025f74f8b41 

When you leave the company, your member account will become inactive. Your data can be reactivated within 30 days. Afterwards your account will be deleted.

Your data protection rights
Regarding your personal data you have the following rights: 

     

  • Right of access: according to Art. 15 GDPR you have a right of access
  •  

  • Rectification: according to Art. 16 GDPR You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data.
  •  

  • Right to erasure: according to Art. 17 GDPR you have the right to obtain the erasure of personal data if deletion is legally acceptable. 
  •  

  • Right to restriction of processing: according to Art. 18 GDPR you have the right to obtain restriction of processing your personal data. 
  •  

  • Right to data portability: according to Art. 20 GDPR you have the right to receive your personal data, which you have provided to us and the right to transmit those data to another controller.
  •  

  • Right to object: according to Art. 21 GDPR you have the right to object at any time to processing of personal data. 
  •  

  • You have also the right to complain at the appropriate data protection authority about the processing of your personal data, should you believe the data processing was unlawful.
  •  

Profiling 
As a responsible company, we renounce personal evaluations for the use of MS Teams. 
2 Please see recital 71 of GDPR

Information on your right to object according to Art. 21 GDPR
a. Individual-case right to object

You have the right, due to your special circumstances, at any time to object against the processing of your personal data, if such processing is otherwise lawful under Art. 6 Sec. 1 e GDPR (data processing in the public interest) and Art. 6 Sec. 1 f GDPR (data processing due to overriding interest of data controller); this also includes profiling. 
If you object, we shall not process your personal data anymore, except, if we can show compelling reasons to further processing that override your interests, rights and freedoms, or if the processing is done to protect and defend us against legal claims.

b. Recipient of an objection
There are no specific requirements for the format of your objection. It can be sent with the subject header “Objection,” stating your name, address and date of birth, to: 

ÜSTRA Hannoversche Verkehrsbetriebe Aktiengesellschaft 
Der externe Beauftragte für den Datenschutz (externa data protection officer)
Am Hohen Ufer 6 
30159 Hannover 
e-mail: datenschutz@uestra.de 
phone: +49511-16680
 

11. Use of video equipment
a)    Purposes and legal basis of data processing
We use video equipment in our buses, city trams, stations, stops and properties (accessible to the public). 
Pictures and video recordings are generated which allow the identification of persons. The personal data processed includes as well movement and time data in vehicles and on properties (entry/exit/ stay).  
Video surveillance conduces to prevent, investigate and detect material damage and per-sonal injury caused by vandalism as well as other crime and disorder, to protect lives, health and liberty of passengers, to secure evidence in order to satisfy legal claims, to guarantee security needs of the passengers and employees and to exercise property rights.

The legal basis for the use of video recordings is § 4 para.1 no. 2 and 3, para. 3 Federal Data Protection Act and art. 6 para. 1 S.1, lit. f GDPR.

b)    Storage duration or criteria for the identification of the duration
The video recordings will be deleted at the latest within 48 hours after recording (after 24 hours in vehicles and after 48 hours in subway stations and stops as well as on properties). A longer storage takes place only in case the use of the recording is required for the evaluation of an actual incident and/or as evidence to satisfy legal claims.

c)    Recipients or categories of recipients of data
In the event of a possible criminal prosecution the data may be transmitted to the law enforcement authorities (police, public prosecutors) and judiciary. Your personal data shall not be transferred outside the EU.

d)    Your obligation to provide the data
To ensure the purposes specified above, the recordings are strictly necessary. Without these data we will in general refuse your transportation or will no longer be able to execute an existing subscription contract.

12. Privacy notices for subscription clients
a)    Purposes and legal basis of the data processing
We process data that comes exclusively within the scope of the business and contract connection. In detail we process the following data:

•    basic data concerning your contract (e. g. first name, family name, address, date of birth, gender, contact details (phone, e-mail, mobile phone, etc.))
•    bank details (BIC / IBAN)
•    data relating to implementing and processing contractual relationships (power of authority) 

Your data is processed for the implemen-tation of our subscription contracts with you. The purposes for data processing are based in detail on the basis of contract. These include, for example, subscription orders, payment transactions, in cases of postal dispatch the delivery address.
The legal basis of this processing activity is art. 6 para. 1 S. 1 lit. b GDPR.
In individual cases we process your data in order to protect a legitimate interest by us or a third party (e.g. public authorities). This applies in particular in case of crime detection (legal basis art. 6 para. 1 S.1 lit. f GDPR in conjunction with § 24 Federal Data Protection Act) or the intercompany data exchange for administrative purposes (legal basis art. 6 para. 1 S.1 lit. f GDPR).
If you have consented to collecting, processing or using your data, the corresponding consent forms the legal basis (art. 6 para. 1 S.1 lit. a GDPR) for the processing named there. You can revoke any declarations of consent with respect to the future at any time. Without these data we will in general refuse the conclusion of the contract or the execution of the order or we will be no longer able to implement an existing contract.

b)    Storage duration or criteria for determining the duration
We process your personal data for the duration of our business relationship what includes as well the negotiation and performance of a contract. Your personal data will be deleted as soon as these are no longer required for the fulfilment of the contractual obligation. 
In addition, we are subject to different safekeeping and documentation obligations  (such as German fiscal code, German Commercial Code, German Civil Code, etc.). The periods set out for the storage / documentation amount up to ten years, in certain cases they may amount up to thirty years.

c)    Recipients or categories of recipients of data
Within our company only persons and organisations obtain your personal data that require these for the proper performance of certain contractual and legal duties. 
In addition, the following offices may receive your data: contract processors used by us especially in the area of e.g. IT services, solvency check, logistics and printing services. 
In the case of payment defaults we share your personal data with collection and legal service providers. With the transmission of data we follow our justified interest in an efficient mechanism to enforce uncontested claims. The legal basis for the transfer of data results from art. 6 para.1 S.1 lit. b and f GDPR.
Your personal data will not be transferred to a third country (states outside the European Economic Area - EEA).

d)    Your obligation to provide the data
For the developing and implementation of business relations and for the performance of related contractual duties you are bound to provide your data.

12. Increased fare
a)    Purposes and legal basis of the data processing
Due to our tariff terms and conditions and the terms and conditions of carriage we are entitled to request an increased fare in case of travelling without a valid ticket. 
We process your details, such as
•    first and last name
•    address data, (in case of children also the data of parent or legal guardians) 
•    date and place of birth, type and number of identification card 
•    gender
•    incident data
•    station where you got on
•    line and time 
•    dunning- and/or payment data
for the handling of the increased fare (accounting) and implementation of the civil or criminal liability. 
The data processing takes place based on art. 6 para. 1 S.1 lit. c (as well as art. 6 para. 1 S.1 lit. b) and f)) GDPR. The legal duty results from § 9 Regulation on the General Conditions of Carriage for the tramway and trolleybus traffic as well as line traffic by regular service vehicles. Our legitimate interest results from our tariff provisions and Conditions of Carriage as well as the prosecution of criminal offences according to §§ 263, 265a, 267 StGB (German penal or criminal code).

b)    Storage duration or criteria for the determination of duration 
The storage duration results from the legal regulations of the tax code as well as the safekeeping and documentation obligations according to tax law and commercial law and amounts to 10 years from the end of the year when the data was collected.

c)    Recipients or categories of recipients of data
In the framework of a possible criminal prosecution the data may be transferred to the police or the public prosecutor's office according to §§ 263, 265a, 267 StGB, if you repeatedly cannot present a valid ticket. 
For address inquiry a data transfer to the residents' registration office may take place.
In addition, personal data will be shared with collection and legal services providers for the purposes of claims recovery. This is carried out only if you do not pay the increased fare within a certain period of time. 
The legal basis is art. 6 para. 1 S. 1 lit. b and f GDPR. 
With the transmission of data we follow our justified interest in an efficient mechanism to enforce uncontested claims.

d)    Your obligation to provide the data
You are under a contractual obligation to provide the data.

14. Customer complaints (ticket vending machines)
a)    Purposes and legal basis of the data processing
Within the scope of complaints relating to ticket purchases at our ticket vending machines we collect data such as
•    first and last name
•    gender
•    address data 
•    phone
•    bank details
•    detailed information about the purchased tickets (such as place, type, quanti-ty)
in order to follow this matter and to be able to resolve it and to implement a proper pro-cessing. 
The legal basis for the data processing is art. 6 para. 1 S.1 lit. b and f GDPR.

b)    Storage duration or criteria for the determination of duration 
Personal data will remain stored beyond the time of the actual complaints processing for fraud protection. The deletion of your complaint data will not take place before the end of the storage periods under commercial and tax law. The time periods provided for therein amount up to 10 years.

c)    Recipients or categories of recipients of data
Your personal data will not be passed on to third parties and will not be transmitted to a third country.

d)    Your obligation to provide the data
Within the scope of complaints you have to provide personal data that is required for the fulfilment of your order (complaint). Without the data it may be the case that we will reject the order execution.

15. House ban

a)    Purposes and legal basis of the data processing:
If our house rules are being violated, we have the right to exercise our property rights and to issue house bans. The data you provide to us, such as

•    salutation
•    first and last name
•    address 
•    date of birth
•    possibly nationality 
•    date and time 
•    place
•    reason for the house ban

we process order to declare bans on entry, to lodge a trespass complaint (in case proper-ties were entered despite the existence of a house ban) and in order to assert possible claims.

The data processing is based on art. 6 para. 1 S.1 lit. f GDPR. 
Our legitimate interest initially is to assert our property rights effectively and furthermore pursuing a claim relating to infringed property rights. Where required we will report an offense.

b)    Storage duration or criteria for the determination of duration
As far as necessary we process your personal data until the house ban is lifted,
at the latest after two years, unless they are still required for an additional purpose (e.g. law enforcement) due to a given occasion. 

c)    Recipients or categories of recipients of data
A data transmission to third parties (such as the police, courts, public prosecution service) takes place only in case it is required for the investigation and prosecution of criminal of-fences.

d)    Your obligation to provide the data
You are under obligation to provide the data.


16. Complaint management
a)    Purposes and legal basis of the data pro-cessing
We would be very pleased to receive your questions, wishes, suggestions and criticism in order to improve our service for you. 
In this case we process your data such as
•    first and last name
•    address data 
•    phone
•    e-mail 
for the treatment of your inquiry. 
Legal basis for the data processing described above is art. 6 para. 1 S.1 lit. f GDPR.

b)    Storage duration or criteria for the determination of duration
Your personal data will be deleted if they may not be processed further to safeguard justified interests or fulfil commercial or tax law related retention periods. The time periods provided for therein amount up to 10 years.

c)    Data receiver / data transfer
A passing to third parties does not take place.

d)    Your obligation to provide your data
Within the scope of your inquiry or complaint you have to provide the personal data required for the fulfilment of your order. Without the data it may be the case that we will reject the order execution.

17. Lost property
I.    Data of the finder
a)    Purposes and legal basis of the data processing of the finder
When you hand in a lost property at our place, we process your personal data provided on a voluntary basis. It includes
•    first and last name
•    address data 
•    object found, date and place of recovery
in order of being able to share the data of the owner with you in case he will collect his lost property. It allows you to assert your claims to a reward as finder. 
The data processing takes place on basis of art. 6 para. 1 S 1 lit. c GDPR. 
The legal obligation results from § 971 BGB (German Civil Code).

b)    Storage duration or criteria for the determination of duration
The data is basically deleted after 3 years. The legal deletion period is based on the period of limitation specified in the BGB (in this case: the regular limitation period according to §§ 195, 199 BGB).

c)    Recipients or categories of recipients of data
A data transfer does basically not take place.

d)    Your obligation to provide your data
If you raise a reward claim we need your data (name, address) in order to share with you the data of the owner. The claim is targeted against the owner.

II.    Data of the owner  
a)    Purposes and legal basis of the data processing of the owner/ collector
If you collect a lost object we will process data such as
•    first and last name
•    address data 
•    object found
•    where required the identity number / number of the driving licence
•    bank details (IBAN) – in case of issue of amounts of money above 10 € resp. in case of payment of return fees
Legal basis for the personal data processing described above is art. 6 para. 1 S. 1 lit. b, c and f GDPR.

b)    Storage duration or criteria for the determination of duration
If the data is no longer required for the fulfilment of contractual or legal obligations, it will be deleted unless a continued storage is required according to commercial law or tax-based retention periods. Worth mentioning here in particular are HGB (German Commercial Code) and AO (German fiscal code). The time periods provided for therein amount up to 10 years.

c)    Recipients or categories of recipients of data
We will share your data with the finder if the person can assert a claim and/or reimburse-ment of any expenses incurred.

d)    Your obligation to provide your data
Without provision of your personal data, we will not hand out the lost object.

18. Application management
a)    Purposes and legal basis of the data processing
If you send your application to us, we collect only personal data that is required for the application. Information such as gender, phone number, pictures and e-mail address is voluntary. 
We process your data, such as
•    first and last name
•    address data 
•    your application papers
and voluntary information such as
•    phone number
•    e-mail address
•    photo included in job application
for selection purposes. 
The data processing takes place based on art. 6 para. 1 S.1 lit. a (consent) and § 26 para. 1 BDSG (Federal Data Protection Act).

b)    Storage duration or criteria for the determination of duration
After completion of the application process - at the latest though after a period of 6 months - your personal data will automatically be deleted provided your application can not be considered - provided your prior agreement (agreement to store data for the future).

c)    Recipients or categories of recipients of data
Data will not be transferred.

d)    Your obligation to provide your data 
Without your data you cannot participate in the application process.

19. Claims management
a)    Purposes and legal basis of the data processing
We process your personal data in case of claims in order to evaluate our liability of com-pensation and the level. This includes:
•    basic data from your claim letter (such as name, address, date of birth, health insurance, pension insurance institute, insurance data)
•    bank details
•    address data of witness 
•    transaction numbers and reference numbers of authorities
•    health-related data in case of personal injury (severity of injury, intensity and dura-tion of the pain, duration of the incapacity for work, permanent damages, disfigurements, length of time spent in hospital etc.)
Legal basis for the processing of personal data for claims settlement is art. 6 para. 1 S 1 lit. c GDPR.  
If in the scope of claims management special categories of personal data are required such as your health data, we shall request your consent according to art. 9 para. 2 a in conjunction with art. 7 GDPR. This consent can be revoked at any time for the future. 
In the case of withdrawal the further processing of the claim is not possible without your personal data.
Your data (except particular categories of personal data) we process as well in order to preserve our legitimate interests or legitimate interests of third parties. This may e.g. be required for the prevention and investigation of crime. Legal basis is art. 6 para 1 S 1 lit. f GDPR.
Furthermore, we process your personal data for the fulfilment of commercial and tax law obligations of data retention. Legal basis is art. 6 para 1 S 1 lit. c GDPR. 

b)    Storage duration or criteria for the determination of duration
Your personal data will be deleted as soon as it is no longer required for the above men-tioned purposes. It may be the case that we keep your personal data for the period of time, in which claims can be made against us. The legal statute of limitations can amount up to 30 years. Furthermore we store your personal data insofar as we are legally obliged to do so. The legal retention requirement results from the German Commercial Code and the German fiscal code. The conservation period is up to ten years (10). 

c)    Recipients or categories of recipients of data
In order to fulfil our contractual and legal obligations we share your personal (claims) data with our reinsurer. In addition we can share your data with further recipients, such as authorities (social insurance agency, law enforcement authorities) or medical experts, technical expert, residual value calculators, financial institutions. 
Your personal data will not be transferred to a third country (states outside the European Economic Area - EEA).

20. Data subject rights
You have the right:
•    according to art. 15 GDPR on information about your personal data stored by us. In particular you can demand information on the processing purposes, the category of the personal data, the categories of recipients with whom we shared or share your data, the planned storage duration, on the existence of a right of rectification, deletion, limiting the processing or withdrawal, on the existence of a right to appeal, the origin of personal data, provided that the data was not collected by us as well as on the existence of an automated decision making incl. profiling and if necessary significant information on the details;
•    according to art. 16 GDPR to demand immediately the rectification of incomplete or inaccurate personal data stored by us;
•    according to art. 17 GDPR demand the deletion of your personal data stored by us, provided the processing is not required for the exercise of freedom of expression and information, for the compliance with a legal obligation, for reasons of public interest or to enforce, implement or defend legal claims;
•    according to art. 18 GDPR to demand process limiting of your personal data if you deny the correctness of the data, the processing is unlawful but you refuse the deletion and we no longer need the data but you need it for the establishment, exercise or defence of legal claims or you objected to the processing of the data according to art. 21 GDPR;
•    according to art. 20 GDPR to receive your personal data, you have provided us with, in a clearly structured, common and machine readable format or to demand the transmission to another person responsible;
•    according to art. 7 para. 3 GDPR to withdraw your once given consent at any time. This has the consequence that we are no longer allowed to continue the data pro-cessing, based on your consent, in the future; and
•    according to art. 77 GDPR to complain at a supervisory authority. Generally you can address yourself to the supervisory authority of your current usual residence or workplace or our office.

21. Right of objection
Provided your personal data is processed based on legitimate interests according to art. 6 para. 1 S. 1 lit. f GDPR, you have according to art. 21 GDPR the right to enter an objection against the processing of your personal data, if there are valid reasons relating to your particular situation or if the objection is directed against direct mail. In the latter case you have a general right of objection, which will be implemented by us without giving any reason.

22. Topicality and amendment of this privacy statement
This privacy statement is actually valid and dated from October 2019.
Due to further development of our website and involved offers or due to changed statutory or official provisions it can be necessary to change this privacy statement. The most current version of our data privacy statement can be accessed and printed on this website at www.uestra.de/datenschutz/.