Data privacy statement

We, the ÜSTRA Hannoversche Verkehrsbetriebe Aktiengesellschaft (hereinafter "we" or „ÜSTRA“), appreciate your interest in our company.

We take the protection of your personal data and its confidential treatment very seriously. The processing of your personal data occurs exclusively within the scope of the data protection provisions, especially the General Data Protection Regulation (hereinafter „GDPR“ / German: DSGVO) and other applicable regulations.

This privacy policy is to inform you about the processing of your personal data and your rights within the GDPR.

Additionally, our data privacy statement is available in our customer centre, Karmarschstraße 30/32, 30159 Hanover.

Name and contact details of the person in charge and the data protection officer
This data privacy statement applies for the data processing done by the following party responsible:
ÜSTRA Hannoversche Verkehrsbetriebe Aktiengesellschaft
Am Hohen Ufer 6
30159 Hanover
e-Mail: info@uestra.de
Phone: +49 511-16680

The data protection specialist can be reached as follows:
ÜSTRA Hannoversche Verkehrsbetriebe Aktiengesellschaft
Data Protection Officer
Am Hohen Ufer 6
30159 Hanover
e-Mail: datenschutz@uestra.de
Phone: +49 511-16680

The subject matter of data protection
The subject matter of data protection is “personal data”. It includes all information relating to an identified or identifiable individual (so-called data subject). This covers details such as name, postal address, e-mail address or customer number.
Specific information on personal data processed by us can be found consecutively in the listed data processing operations.


Data disclosure 
We will forward your personal data to third parties (receiver) only if we are entitled to do so according to the data protection law provisions. In the following we would like to inform you about possible circumstances. We may pass your personal data to third parties if

•    you grant us permission to do so for one or more purposes (art. 6 para. 1 S. 1 lit. a GDPR);
•    data processing is necessary for the performance of a contract with you or for the implementation of pre-contractual measures upon your request (art. 6 para. 1 S. 1 lit. b GDPR);
•    the processing is necessary for compliance with a legal obligation (art. 6 para. 1 S. 1 lit. c GDPR)
•    it is necessary for the protection of our legitimate interests or of a third party as long as your interests do not outweigh (art. 6 para. 1 S. 1 lit. f GDPR).

Furthermore, we are cooperating with service providers, so-called processors, to whom personal data may be communicated in order to process your data on our behalf and in accordance with our instructions within the framework of art. 28 GDPR. These service providers have been carefully selected and commissioned by us, are bound by our instructions and are supervised and checked regularly.

Collection and storage of personal data
a)    When visiting the website
The following information on privacy protection refers to our website at www.uestra.de (the „website“). When you visit our website, the browser used on your device automatically sends information to our website server. This information is temporarily stored anonymized in a so-called log file.
In the course of this procedure, the following data is collected and stored without any action on your part until the time of automatic deletion:

•    website you were at before you visited us („referrer“) , 
•    any contents accessed, 
•    date and time of the server query (and access), 
•    quantity of data transmitted, 
•    status of access (such as the file was transmitted or the file was not found, etc.) 
•    description of the type of web browser used/ identification data of the browser, operating system type used, 
•    IP address of the requesting computer. 
The IP addresses are being anonymised, meaning that no assignment is possible. The listed data is processed by us for the following purposes:
•    ensuring a smooth website connection,
•    providing a comfortable use of our website,
•    evaluation of the system security and -stability as well as 
•    for further administrative purposes (optimization of our website and the usability).
The legal basis for processing data is art. 6 para. 1 S. 1 lit. f GDPR. Our legitimate interest follows from the purposes listed above. In no case do we use the collected data in order to draw conclusions concerning your personality. Furthermore, we use cookies on our website as well as web analysis services based on them. Further information on this can be found under paragraph 5 of this privacy statement.


b)    Data security
During the website visit, we make use of the popular SSL procedure (Secure Sockets Layer) in connection with the respectively highest encryption level supported by your browser. Generally, this will be 256-bit encryption. If your browser does not support 256-bit encryption, we will use a 128-bit v3 technology instead. You will know whether a particular page of our website is transferred in encrypted form by the key or closed padlock symbol on the bottom toolbar of your browser.
Apart from that, we use appropriate technical and organisational safeguards to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are continually improved as new technology becomes available.


c)    When ordering a newsletter
Via our website you have the possibility to subscribe to newsletters published by ÜSTRA (e.g. „ÜSTRA carpool“, „ÜSTRA traffic control centre“, „ÜSTRA job letter“, „ÜSTRA press subscription“). After you have sent the registration, you will receive an email with a confirmation link. Please confirm your registration by clicking additionally on the indicated link provided in the verification e-mail (so-called double-opt-in process).
Provided you have expressly agreed according to art. 6 para. 1 S. 1 lit. a GDPR, we use your e-mail address for sending you our newsletter. In order to receive the newsletter, a valid e-mail address and a confirmation that you are at least 16 years of age is sufficient. Optionally, you can also enter your first and last name as well as the correct mode of address. 
In order to ensure that you can assign the consent for the reception of our newsletter effectively, we decided to set the mentioned minimum age for the reception of our newsletter. 
You can unsubscribe or revoke your consent at any time via a link at the end of every newsletter.
The data required for the distribution of this newsletter shall be deleted as soon as it is no longer required for the fulfilment of the purpose for which it was submitted and provided no other legal authorisation for further processing applies. Your e-mail address is consequently stored only for the sending of the newsletter until you revoke your permission.
For sending out the newsletters, the ÜSTRA has commissioned the CleverReach GmbH & Co. KG, Mühlenstraße 43, 26180 Rastede as processor.
For the purpose of completeness, we would like to point out that the ÜSTRA observes and evaluates the success of the newsletters sent on the basis of anonymous data, by collecting and storing the following data without any personal reference in order to gear the ÜSTRA services better towards the interests and needs of (potential) customers:
•    number of e-mails opened 
•    location while opening the e-mail 
•    e-mail client used 
•    information on which links were clicked in an opened newsletter


d)    When using our contact form and e-mail contact
In case of any questions, we offer you the possibility to contact us via a contact form on our website. A valid email address is required in order to know who sent the e-mail and in order to answer it. 
Further information is voluntary. Alternatively, you can contact us via the e-mail address provided. In this case, your personal data transmitted with the e-mail is stored.

The data processing for the purpose of contacting is based on art. 6 para. 1 lit. f GDPR. Our legitimate interest is based on the will to answer your request. If your contact request is aimed at the conclusion of a contract, the legal basis includes additionally art. 6 para. 1 lit. b GDPR. The personal data collected by us - with the exception of such data required in compliance with legal obligations - will be deleted after the processing of your inquiry.

Cookies
a)    General

We use cookies on our website. These are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our website. In these cookies information is stored, arising in connection with the specifically used device. This does not imply, however, that we gain knowledge of your identity.
We categorize cookies as follows. Via the cookie banner displayed when visiting our website or via the link to your "privacy settings" you have the possibility to allow or prevent the use of certain, not essential cookies. 
Most browsers accept cookies automatically. However, you can configure your browser in such a way that no cookies can be saved on your computer or so that you are always asked for permission before cookies are saved. However, the deactivation or rejection of cookies may restrict the functionality of our web offer.

b)    Essential website cookies
These cookies are strictly necessary to provide you with basic services available through our websites such as page navigation, access to certain closed parts of the website and storage of your privacy settings. The website cannot function properly without these cookies. Therefore a deselection of essential cookies is not possible in the "privacy settings". 
The processing of personal data by essential cookies takes place initially on the basis of art. 6 para. 1 S. 1 lit. f GDPR for the protection of our legitimate interests regarding the operation of a fully functional website.
The following essential cookies are used and stored for the time and purpose specified:

Cookie name | Duration of storage | Cookie purpose
PHPSESSID | end of the session | PHP data identification, set by the web server, when PHP session () method is used.
fe_typo_user | end of the session | this cookie is a standard session cookie of the used CMS TYPO3. During a user login for restricted sections it stores the entered access data.
cc_necessary | 1 month | stores the settings of the cookie that essential cookies may be set
cc_analytics | 1 month | stores the settings of the cookie banners whether cookies should be used for tracking/statistics/analytical purposes.
cc_socialmedia | 1 month | stores the settings of the cookie banners whether social media cookies should be used.

c)    Cookies for Tracking/statistical purposes

The cookies for tracking/ statistical purposes help us to optimize our website according to your needs. 
In this sense we use tracking measures in order to collect statistical data on the use of our website with the goal of optimizing our offerings. 
We use the Open Source software Matomo. The information generated by the cookie concerning the usage of the website and a trimmed part of your IP address will be transmitted to our server and combined in user profiles with pseudonyms for usage analysis purposes. An assignment of the page requests to an identifiable person is thereby excluded. Only your browser can be recognized as soon as you visit the website again. Information generated by the cookie concerning your use of our website is not handed over to a third party. In no case, the IP address will be associated with any other data concerning the user. 


Via the cookie banner or your "privacy settings" you can decide that cookies for tracking/statistical purposes are being used. You can change the corresponding settings at any time. If you do not make any specific setting, no cookies will be used for tracking/statistical purposes.
The tracking cookies provided below and used by us are carried out based on art. 6 para. 1 S. 1 lit. f GDPR with your agreement. You can revoke this agreement at any time by adapting your "privacy settings".


The following cookies for tracking/statistical purposes are used – only with your consent:

Cookie name | Duration of storage | Cookie purpose
_pk_id | 13 months | A Matomo provided definite identification number to identify recurrent visitors of the website.
_pk_ses | 30 minutes | Cookie set by Matomo. It serves the purpose of recognising whether the user left the page for a longer time.

Use of social media, third-party providers

I. General
We maintain publicly accessible profiles on various social networks. Your visit to these profiles initiates a variety of data processing operations. In the following, we provide you with an overview of which of your personal data is collected, used and stored by us when you visit our profiles. You are not obliged to provide us with your personal data. However, this may be necessary for individual functionalities of our profiles in social networks. These functionalities will not be available to you or only to a limited extent if you do not provide us with your personal data.

a) Social media channels
When you visit our profiles, your personal data is collected, used and stored not only by us, but also by the operators of the respective social network. This happens even if you yourself do not have a profile in the respective social network.
The individual data processing operations and their scope differ depending on the operator of the respective social network. Details about the collection and storage of your personal data as well as the type, scope and purpose of their use by the operator of the respective social network can be found in the privacy statements of the respective operator:

     

  • you can view the privacy policy for the social network Facebook, which is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, at https://www.facebook.com/about/privacy/update;

More information on the rights of the persons affected according to GDPR and the agreement with Meta concerning the existing shared responsibility is available here: https://de-de.facebook.com/legal/terms/page_controller_addendum.

  • you can view the privacy policy for the social network Instagram, which is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, at https://privacycenter.instagram.com/policy;
  • you can view the privacy policy for the social network YouTube, which is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, at https://www.gstatic.com/policies/privacy/pdf/20190122/f3294e95/google_privacy_policy_de_eu.pdf;
  • you can view the privacy policy for the social network Twitter of the service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland, parent company: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; at: https://twitter.com/privacy, (Settings: https://twitter.com/personalization).
  • you can view the privacy policy for Soundcloud of the service provider SoundCloud Global Limited & Co. KG, Rheinsberger Str. 76/77, 10115 Berlin at https://soundcloud.com/pages/privacy. The privacy policy for Spotify of the service provider Spotify AB Regeringsgatan 19, 111 53 Stockholm, Sweden, SE556703748501 at https://www.spotify.com/de/legal/privacy-policy/
  • you can view the privacy policy for Apple Podcast of the service provider Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Republic of Ireland at https://www.apple.com/de/legal/privacy/deww/
  • you can view the privacy policy for Google Podcasts of the service provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland at https://policies.google.com/privacy?hl=de

II. Information on collecting personal data and legal bases
a) Social media channels

When you visit one of our ÜSTRA social media pages, we process your actions and interactions with it, e.g., the content of your messages, posts or comments that you address to us or leave on our social media pages, or when you like or share our posts, as well as your public profile data (e.g., your name and profile picture) when publicly viewable.  We process data on our social media outlets to inform customers about service offers and to interact with visitors.

Legal basis is Art. 6 para. 1 p. 1 lit. f GDPR. If your contact aims at the conclusion of a contract (or is related to an existing contract), the additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR. Furthermore, the respective operators of the social media channel/network provide us with anonymous user statistics (such as user growth, use of the individual functions) of the social media pages operated by us based on actions or interactions of our followers (e.g. likes, shares, comments function), which help to follow the use and reach of our posts. The statistics also help us to evaluate our content and to identify the usage preferences, enabling us to design our social media pages with the target group in mind.

We do not have any access to individual user information (age, gender, professional position of the fan page visitor), collected by Facebook to generate these statistics as well as further data gathering by Facebook (esp. via cookies). In this respect we are not able to look at personal data used for the generation of user statistics.

This is a matter of the operator of the social media channel, who is contractually obliged to take on primary responsibility according to GDPR concerning the processing of these data, to perform GDPR duties regarding these data and to provide affected persons with the essence of this obligation.
Further information on the Meta agreement concerning the existing shared responsibility is available here: https://de-de.facebook.com/legal/terms/page_controller_addendum.

General information relating to the data processing by Facebook Ltd. can be found here: https://de-de.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0. This data processing serves our legitimate interest in improving the user experience when visiting our Facebook fan page. The legal basis for the data processing is thus Article 6 para. 1 lit. f GDPR.

b) Social Hub
Legal basis of the processing is Article 6 para. 1 lit. b) GDPR, provided your request is processed within the scope of the contractual relationships.
If no contractual relationship exists, then the legal basis is formed by point (f) of Art. 6(1) of the GDPR.
Personal data processed by us will be stored for 365 days after the last interaction and deleted immediately afterwards, unless otherwise required by mandatory legal regulations. We store your personal data over this period in order to be able to refer to previous correspondence. In this respect, the storage serves customer relationship management purposes, by sending you our answer in a timely manner. We have concluded a data processing agreement for the service provided by Social Hub. Your personal data will not be transmitted to third parties.

III. Right of objection
Insofar as your personal data are processed based on legitimate interests according to art. 6 I 1 lit. f GDPR you have the right, according to art. 21 GDPR, to object to the processing of your personal data if there are grounds for doing so which arise from your particular situation or if the objection is directed against direct advertising. In the latter case, you have a general right of objection, which is implemented by us without stating a particular situation.

IV. Up-to-dateness and modification of this data protection declaration
This privacy policy is currently valid and dated September 2022. Due to the further development of our website and offers regarding it or due to changed legal or official requirements, it may become necessary to change this data protection declaration. The current data protection declaration can be called up and printed out at any time on the website under the following address: https://www.uestra.de/datenschutz/

Blog logbook

This privacy statement (on the basis of the above mentioned) also applies to the Blog logbook at fahrtenbuch.uestra.de.

Competition
We offer competitions at irregular intervals. Detailed information on privacy can be found at: www.uestra.de/teilnahmebedingungen-gewinnspiele/.

Mobility shop (online shop)
With respect to the processing of your personal data within the Mobility shop accessible via the website please refer to the appropriate privacy statement at https://www.uestra.de/en/data-privacy-protection/ .

Monthly pass subscription

The ÜSTRA operates, as part of the cooperation between the transport companies running within the Großraum-Verkehr Hannover GmbH (hereinafter referred to as GVH) area, the subscription centre. The subscription centre processes GVH subscription orders and serves the subscribers. The ÜSTRA is customer contract partner. The website gvh.de provides the online portal „My subscription“, where subscriptions can be ordered and where the data stored during an order can be edited afterwards.

a.  Purposes and legal basis of data processing
We process data, resulting exclusively from contractual and business relationship with you. In concrete terms, we process the following data:
 
•    Master data regarding your contract (e.g. first and last name, address, date of birth, gender, contact details (phone number, e-mail, mobile phone, etc.) of the contract partner and, where available, of a different user or account holder)
•    Bank details (BIC / IBAN)
•    Product data of subscription
•    Data relating to the implementation and processing of the contractual relationships (powers of attorney)
•    Where applicable, information on your status as a pupil, trainee, student, pensioner etc.

Legal basis is Art. 6 Para. 1 S.1 lit. b GDPR.
However, in certain cases we do process your data, in order to preserve our legitimate interest or of other parties (e.g. authorities). In particular, this applies in case of offences (legal basis Art. 6 Para. 1 S.1 lit. f GDPR in conjunction with § 24 Federal Data Protection Act) or the intracompany data exchange for administrative purposes (legal basis Art. 6 Para. 1 S.1 lit. f GDPR).
If you have given us consent to process your personal data, the corresponding consent is the legal basis (Art. 6 Para. 1 S.1 lit. a GDPR) for the described processing. You may retract consent at any time. The retraction only takes effect for the future. Without the data we will normally reject the conclusion of the contract or the execution of the order or will no longer be able to implement an existing contract.

b. Storage duration or criteria for duration determination
We process your personal data for the duration of our business relation, including the preparation and completion of a contract. Your personal data will be deleted as soon as it is no longer required to fulfil the contract relation.
Furthermore, we are subject to different safekeeping and documentation obligations (e. g. Tax Code, Commercial Code, Civil Code, etc.). The related periods for storage resp. documentation amount up to ten years but in certain cases they may amount up to thirty years.

Documents, proving the authorisation to use the Senior pass subscription or the Monthly pass education subscription, will be destroyed after viewing (upon dispatch of passes) resp. returned immediately upon presentation in the customer centre.  

c. Recipients or categories of recipients of the data
Within our company, only persons and bodies receive your personal data that require it to fulfil our contractual and legal obligations.

Processors commissioned by us, particularly in IT, credit assessment, logistics and print services, can process your data for us.

In the case of payment defaults, we share your personal data with collection service and legal service providers. By submitting the data, we pursue our legitimate interest in an effective enforcement of our claims. Legal basis for data transfer results from Art. 6 Para.1 S.1 lit. b and f GDPR. 

Your personal data will not be transferred to states outside the European Economic Area (EEA; German: EWR).

d. Cookies (when using the portal at gvh.de)
The required cookies help to make our website and the various functional features available, by enabling basic functions such as page navigation, access to non-public areas of the website and saving of your privacy settings. The website cannot work properly without these required cookies. Declining the required cookies is therefore not possible. The processing of personal data by the required cookies is carried out based on Art. 6 Para. 1 p. 1 lit. f GDPR to safeguard our legitimate interests concerning the operation of the portal. The following required cookies are used:

Cookie name | Storage duration | Purpose of cookie
ASP.NET_SessionId | End of the session | It ensures that during the whole session you are always communicating with the same webserver
.ASPXAUTH | End of the session | Authentication cookie
cookieconsent_dismissed | One year | Is generated by cookie banner for saving cookie settings

e. Further notes on mandatory information
The ÜSTRA notes that providing your personal data is neither statutory nor contractually prescribed. As far as provision is required for the conclusion of a contract, this is revealed by mandatory fields. You are not obliged to provide personal data to ÜSTRA. No negative impact on you will result from failure to provide data, except that your desired contract cannot be executed and the subscription contract can therefore not be concluded. 

Marketing / Direct marketing

We use your data listed under section 1, according to your consent given to ÜSTRA regarding the subscription order for recent offers and information, self-promotion of products and services as well as for market research and survey purposes of the GVH, the Regiobus and ÜSTRA.

In so far as you gain access from our Internet pages via so-called links to contents of other providers, this will be noticeable. Either this provider is explicitly identified or indicated via a hyperlink. The use of these offers is subject to the conditions of the particular operators.

1. Kinds of data processed

If you have joined our email list we may also process the following information we collect:

  • Title
  • First name
  • Last name
  • Address (for postal deliveries)
  • E-mail address (for e-mail newsletters)
  • Type and duration of subscription

2. Categories of persons concerned

  • Direct marketing subscribers

3. Purpose and legal basis

This processing is carried out on the basis of your consent, in accordance with Art. 6 Para. 1 lit. f GDPR. You may withdraw/modify your consent at any time with effect for the future without this affecting the lawfulness of the processing based on consent before its withdrawal. After receipt of your revocation, we will stop the processing of your personal data, unless mandatory legal provisions exist that may impose an obligation upon us to process your data.

For statistical purposes we use anonymised tracking in our e-mailings. In this process, recipient reactions (opening a mailing, clicking on text and image links, downloading images with an email program) are recorded and stored anonymously for statistical purposes. It is not possible to draw conclusions about individual users from the stored data. The data will not be used to create unique personal profiles. If due to direct marketing a redirection to our website takes place, further data may be collected by order of the web analysis service concerning the website use. These data will not be merged with direct marketing data. The section concerning the website provides information concerning data incurring when using our website.

Right of withdrawal
You can withdraw your consent with immediate effect for the future, without stating reasons, at: widerruf@gvh.de or by post at: GVH, - Widerruf Marketing -, Karmarschstr. 30/32, 30159 Hannover.

Recipients
Your personal data will not be passed on to external third parties. A transfer of the personal data you have provided to a third country does not take place either.

Storage duration
The personal data stored for direct marketing purposes will be deleted if you revoke your consent to the storage.

Sprinti Mobile Application Privacy Policy 

The ÜSTRA Hannoversche Verkehrsbetriebe Aktiengesellschaft (“ÜSTRA”) sprinti mobile application (“sprinti App”) is available to download on your mobile end user device. We’d like to take this opportunity to introduce you to our privacy policy and explain how it pertains to your personal information being processed when you use the sprinti App or any of the services the application puts at your disposal. 
Personal data is defined as any personal information related to an identifiable natural person (Article 4(1) General Data Protection Regulation; “GDPR”). This includes your identity (first and last name), contact information (email address and mobile phone number), and your connection information (IP address and location). We consider protecting your privacy with the utmost care to be a fundamental responsibility and proceed accordingly. That is why we are glad to comply with any applicable statutory regulations, such as the GDPR or Lower Saxon data protection laws. We also believe that it’s important for you to know when we process and store your data and what our purpose is for doing so. 
ÜSTRA recognises its obligation to comply with all of the relevant data protection statutes and has designated a data protection officer to help coordinate our data protection efforts as well as address any concerns you may have. If you have any questions, suggestions, or comments related to data protection our data protection officer would love to hear from you. Don’t hesitate to get in touch on datenschutz@uestra.de. 
1)    Downloading the sprinti App 
The sprinti mobile application is available for download in Apple and Android app stores. When you download a mobile application, certain information about you is transmitted to the corresponding app store, particularly data related to user name and email, time of download, and device ID. The data controller responsible for any of the information collected when downloading and installing the application is the respective app store provider. ÜSTRA only processes this information insofar as it pertains to downloading the sprinti App. The lawfulness of processing is established by Article 6(1)(a) GDPR. In order to use the App, some of your data needs to be processed.
2)    Creating a User Account and Accessing the sprinti App and its Services
a)    Creating a User Account 
If you want to be able to take advantage of the products and services available on the sprinti App, you will first need to create a user account. You do not have any statutory or contractual obligation to make your personal information available (Article 13(2)(e) GDPR). That notwithstanding, a user account is necessary to gain access to the sprinti App’s full suite of services. During registration you will be asked for the personal information required to use the App. This includes your name, email address, and mobile phone number. The lawfulness of processing is established by Article 6(1)(b) GDPR because users must each have corresponding accounts in order for ÜSTRA to be able to ensure performance of transport-service provision contracts or take requisite steps prior to entering into a contract. 
b)    Using the sprinti App 
When you use the sprinti App to book services or when you use the App within the scope of the service you have contracted, the manner in which we process your personal information is described below. When you use the sprinti App to book a service we collect the following data: IP Address, model and manufacturer IDs of connecting end user devices, and device operating system. Information collected and processed while making an order include date and time of request, place and time of departure, destination, and estimated time of arrival (even when users cancel pending orders). Informing customers of upcoming pick-ups via the application and notifying them that their sprinti has arrived at the pick-up location is an essential part of the demand-responsive transport service we provide. Our drivers carry a booking list containing customer names and will record when riders come on board as well as when they get off the sprinti. The processing of this data is justified by Article 6(1)(b) GDPR (performance of contract). In case of communication problems or disconnections between the App and the underlying ÜSTRA system, we will store the information related to this error (request/error) to your account. We will only ever record the geolocation of your device after receiving your express consent (Article 6(1)(a) GDPR) and will use it exclusively to provide location-based services. Some of the services that you contract using the sprinti App require us to record your geolocation. When you book a ride, for example, we process your location in order to determine the nearest stop for pick-up. The lawfulness of processing this kind of information is established by Article 6(1)(b) GDPR (performance of contract). 
c)    Analysing Usage Data 
We analyse information related to user behaviour in order to determine vehicle occupancy rates, user profiles, route usage profiles, as well as to conduct market research. Any results are used to promote our services to you; but only upon receiving your permission to do so. 
The lawfulness of analysing usage data is established by Article 6(1)(f) GDPR. We have a legitimate interest in processing data for this purpose because it enables us to gauge, refine, improve, and market (with permission) our products and services. The lawfulness of using your personal information in order to provide consent-based targeted marketing of our services is established by Article 6(1)(a) GDPR. 
d)    Transfer of Personal Data 
(1) Google Maps: The sprinti App connects to Google Maps via embedded API. This web mapping service is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. We use Google Maps in the interest of presenting our online services in an attractive manner and to make it easy for users to find locations mentioned in the App. This represents a legitimate business interest within the scope of Article 6(1)(f) GDPR. When you use the Google Maps service, your browser communicates directly with Google. The related information is transmitted to servers generally located in the United States and stored there. ÜSTRA has no influence over this data transmission. For more information on how user data is handled by Google, please see the Google Privacy Policy on www.google.de/intl/de/policies/privacy/. For the Google Maps Terms of Service, please see policies.google.com/terms. For detailed information regarding transparency, privacy options, and data protection rules, please visit the Google Safety Center on safety.google. The Google Safety Center also gives you the option of changing your data administration and protection settings. 
(2) ÜSTRA relies on additional processors to provide IT services, technical and cloud services (including application hosting), data storage, and for customer service (replying to your contact or request). The lawfulness of processing is established by Article 6(1)(f) GDPR. We have a legitimate interest in processing your personal information for this purpose because it’s required to secure proper function of the App in cooperation with third party IT service providers and to be able to contract customer enquiry reply services out to external partners. 
(3) We work with the following data processors for marketing purposes: 

  • Facebook (Marketing), 1601 Willow Road, Menlo Park, California 94025, USA 
  • LeanPlum (digital marketing), 1550 Bryant Street, Suite 525, San Francisco, California 94103, USA 

As user of the sprinti App, you can choose whether or not you want to be shown relevant personalised ads or provide us with information we can use to improve our products and services. The lawful bases for processing are established by Article 6(1)(a) GDPR. 
3)    No Automated Individual Decision-Making
We use neither automated individual decision-making nor profiling in relation to data privacy. 
4)    Your Rights as a Data Subject 
Depending on the circumstances, which are considered on a case-by-case basis, you have the following rights as a data subject: 

  • You have a right to be informed about the personal information we have processed; the right to access your personal data; and the right to demand copies of any personal data about you that we hold. Your right to access includes information related to the purpose of processing; categories of data being processed; identity of potential third-party recipients of the information or service providers with access to it; and envisaged storage period (in case a fixed period cannot be named, the criteria used to determine the storage period must be provided). 
  • You have the right to request for your personal data to be rectified, erased, or restricted from further processing insofar as our use of this data is incompatible with our data protection obligations – particularly because (i) the information is incomplete or incorrect; (ii) the information is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (iii) you revoked the consent which formed the lawful basis for processing your personal data; or (iv) you exercised your right to object to processing of your personal data. In cases where your data has been processed by external providers, we will forward any rectification, erasure, or restriction request to each recipient to whom the personal information has been disclosed, unless this proves impossible or involves disproportionate effort. 
  • You have the right to deny giving your consent to processing of your personal data and are allowed to revoke your previously-given consent at any time (without effect on the lawfulness of data processing carried out before consent was revoked). 
  • You are entitled to object to the processing of any personal data on grounds relating to your particular situation. 
  • You have a right to know the potential consequences and intended impact of any automated individual decision-making process we employ. Furthermore, you have the right not to be subject to a decision based solely on automated means if the decision produces legal effects concerning you or significantly affects you in a similar way. As a consequence, you have the right to obtain human intervention, to be given an opportunity to express your point of view, and to have your point of view taken into consideration in an otherwise automated individual decision-making process. 
  • You have the right to request any personal data that you have provided us with; to receive it in a structured, commonly-used, and machine-readable format; and to have it transmitted directly to another without hindrance, where technically feasible. 
  • You have the right to lodge a complaint with a competent supervisory authority – e.g. because you believe that we did not comply with data protection regulations when processing your personal information and therefore infringed your rights as a data subject. 

If you would like to exercise your rights as a data subject, please inform us via email at datenschutz@uestra.de. 
5)    Personal Information Storage Period 
ÜSTRA will automatically delete your personal data once it is no longer required to achieve the indicated purpose, provided that erasure is permitted by statutory regulations. ÜSTRA anonymizes data before using it to carry out statistical analyses. 
6)    Updating our Privacy Policy 
ÜSTRA has updated its Privacy Policy. The new policy will come into effect starting 1 October 2023. You can find the updated Privacy Policy at www.uestra.de/datenschutz. We reserve the right to update or amend this Privacy Policy to reflect any potential changes in technology or statutory law.

Data collected and used during registration for MS Teams 
The following personal data can be processed: 
a. Registration

During the registration the following personal data will be collected:

  • username (first name and surname) 
  • office e-mail address

The registration for the use of MS Teams is performed centrally by the responsible administrators from the TI division. 

b. Use 

When using MS Teams, further personal data will or can be collected, such as: 

  • your profile picture and your business telephone number
  • your division with abbreviated form 
  • sound and image data
  • content in text form, e.g. as chat, shared files and other data, stored in your account
  • file information (file name, change date, document title and author) 
  • duration of calls without content
  • data on call quality
  • diagnostic data (in order to make the software safer and/or to find and eliminate errors, see section (c)) 
  • in the case of external users: full name, e-mail and/or telephone number
  • IP address

Any other personal data or information can be added and modified by yourself. Adding information is voluntary and cannot be demanded by ÜSTRA. 
Examples include: 

  • the profile picture, 
  • the status display, 
  • status messages, 
  • language settings, design, read confirmation, 
  • the option to mute the microphone, to share the screen, to turn off the camera or to share the video or background image. 

The business use of MS Teams on your personal device is voluntary as well. 

c. Diagnosis and metadata
In addition to this, all user activities, such as e.g. time of access, date, kind of access, details of the data, files or documents accessed and all activities in the context of usage, such as creating, changing or deleting a document, setting up a team and channels in Teams, creating notes in the notebook, starting a chat and answering in a chat are processed. 
In this context, we expressly point out that video or telephone conferences via MS Teams are not recorded and that we have deactivated this function in the system. 
In this context, please refer to the detailed documentation of Microsoft. 
docs.microsoft.com/de-de/microsoftteams/teams-privacy 

d. Cookies 
When using MS Teams as a browser-based application, so-called cookies are collected. Only the operator of the website and Microsoft are responsible for the collection and processing of these cookies. 
When using Microsoft Teams, you accept the usage and data protection policies of Microsoft Corporation. The privacy statement of Microsoft and other information on the collection and use of cookies and the control functions – like e.g. turning on and off cookies for advertising purposes – by the user can be found in the corresponding section under
privacy.microsoft.com/de-DE/privacystatement 

Purpose of data processing

The use of MS Teams primarily serves electronic exchange. MS Teams can also be used for sharing your own screen. 
For participation in online events with Microsoft Teams, a link to the corresponding event is generated and shared with the internal or external participants. The e-mail address of the participant or the username will be forwarded to Microsoft Teams in order to send an e-mail invitation. Microsoft Teams places a phone number or a link (incl. meeting ID, password) into the invitation, which you can use to access the service. Your personal data are processed in order to enable the above-mentioned functions of communication and cooperation. 

Legal basis for the processing of your personal data 

a. The legal basis for data processing is Art. 6 para. 1 f) GDPR. The legitimate interest of ÜSTRA according to Art. 6 para. 1 f) GDPR is based on the usage of device-independent Office documents for smooth and efficient cooperation within the company and within one's own team. ÜSTRA therefore has a legitimate interest in the efficient performance of internal and external communication. Through Microsoft Teams, and particularly the digital, quick and easy contact it provides, ÜSTRA additionally offers flexible home office solutions. 

b. The legal basis for data processing for external users is consent according to Art. 6 para. 1 a). Consent is given implicitly by participating in an MS Teams call. 

Recipients of the data
Microsoft, as provider of MS Teams, necessarily obtains information on the above-mentioned data (cf. chap. 2, c), in so far as this is intended within the context of our order processing contract with Microsoft. 
Recipients of this data can also be IT service providers (processors). We assign these external providers the execution of tasks and services such as maintenance and service of the administrative data, data hosting and hotline services. These service providers act on our instructions, which is ensured by strict contractual rules, by technical and organisational measures and by complementary checks. We have carefully selected these service providers and regularly monitor their services, particularly the sensitive handling of the data stored there. All service providers engaged by us are obliged to maintain confidentiality and to comply with the statutory regulations. 
Further recipients of your data are the MS Teams users you chat with, participants in video chats or conference calls, and chat partners you share files with. 

Data processing within the European Union
MS Teams is a US Microsoft service. The processing of personal data takes place on servers within the EU and thereby within the scope of the GDPR. We concluded an order processing contract with the Teams provider which conforms to the requirements of Art. 28 GDPR. An adequate level of data privacy protection is guaranteed by the so-called EU standard contractual clauses. 

Storage location and storage period
Your personal data are stored on servers in German data centres which are certified by the Federal Office for Information Security (BSI) according to Germany's C5 Cloud Security Standard. 
We will delete your personal data as soon as it is no longer required for the aforementioned purposes. 
Provided there are statutory regulations, such as e.g. legal storage obligations according to commercial and tax law, these data are stored for 6 or 10 years. 
Please note that you and / or an administrator can delete your data where appropriate - e.g. the profile picture. 
More information on this may be found at support.microsoft.com/de-de/office/l%C3%B6schen-eines-teams-c386f91b-f7e6-400b-aac7-8025f74f8b41 

When you leave the company, your member account will become inactive. Your data can be reactivated within 30 days. Afterwards your account will be deleted.

Your data protection rights
Regarding your personal data you have the following rights: 

  • Right of access: according to Art. 15 GDPR you have a right of access.
  • Rectification: according to Art. 16 GDPR you have the right to obtain from the controller without undue delay the rectification of inaccurate personal data.
  • Right to erasure: according to Art. 17 GDPR you have the right to obtain the erasure of personal data if deletion is legally acceptable. 
  • Right to restriction of processing: according to Art. 18 GDPR you have the right to obtain restriction of processing of your personal data. 
  • Right to data portability: according to Art. 20 GDPR you have the right to receive your personal data which you have provided to us and the right to transmit those data to another controller.
  • Right to object: according to Art. 21 GDPR you have the right to object at any time to processing of personal data. 
  • You also have the right to lodge a complaint with the appropriate data protection authority about the processing of your personal data, should you believe the data processing was unlawful.

Profiling 
As a responsible company, we renounce personal evaluations for the use of MS Teams. 
2 Please see recital 71 of GDPR

Information on your right to object according to Art. 21 GDPR
a. Individual-case right to object

You have the right, on grounds relating to your special circumstances, to object at any time to the processing of your personal data, if such processing is otherwise lawful under Art. 6 Sec. 1 e GDPR (data processing in the public interest) and Art. 6 Sec. 1 f GDPR (data processing due to overriding interest of data controller); this also includes profiling. 
If you object, we shall not process your personal data anymore, except, if we can show compelling reasons to further processing that override your interests, rights and freedoms, or if the processing is done to protect and defend us against legal claims.

b. Recipient of an objection
There are no specific requirements for the format of your objection. It can be sent with the subject header “Objection,” stating your name, address and date of birth, to: 

ÜSTRA Hannoversche Verkehrsbetriebe Aktiengesellschaft 
Der externe Beauftragte für den Datenschutz (external data protection officer)
Am Hohen Ufer 6 
30159 Hannover 
e-mail: datenschutz@uestra.de 
phone: +49511-16680
 

11. Use of video equipment
a)    Purposes and legal basis of data processing
We use video equipment in our buses, city trams, stations, stops and properties (accessible to the public). 
Pictures and video recordings are generated which allow the identification of persons. The personal data processed also includes movement and time data in vehicles and on properties (entry/exit/stay). 
Video surveillance serves to prevent, investigate and detect material damage and personal injury caused by vandalism as well as other crime and disorder, to protect lives, health and liberty of passengers, to secure evidence in order to satisfy legal claims, to guarantee security needs of the passengers and employees and to exercise property rights.

The legal basis for the use of video recordings is § 4 para.1 no. 2 and 3, para. 3 Federal Data Protection Act and art. 6 para. 1 S.1, lit. f GDPR.

b)    Storage duration or criteria for the identification of the duration
The video recordings will be deleted at the latest within 48 hours after recording (after 24 hours in vehicles and after 48 hours in subway stations and stops as well as on properties). A longer storage takes place only in case the use of the recording is required for the evaluation of an actual incident and/or as evidence to satisfy legal claims.

c)    Recipients or categories of recipients of data
In the event of a possible criminal prosecution the data may be transmitted to the law enforcement authorities (police, public prosecutors) and judiciary. Your personal data shall not be transferred outside the EU.

d)    Your obligation to provide the data
To ensure the purposes specified above, the recordings are strictly necessary. Without these data we will in general refuse your transportation or will no longer be able to execute an existing subscription contract.

12. Privacy notices for subscription clients
a)    Purposes and legal basis of the data processing
We process data that comes exclusively within the scope of the business and contract connection. In detail we process the following data:

•    basic data concerning your contract (e. g. first name, family name, address, date of birth, gender, contact details (phone, e-mail, mobile phone, etc.))
•    bank details (BIC / IBAN)
•    data relating to implementing and processing contractual relationships (power of authority) 

Your data is processed for the implementation of our subscription contracts with you. The purposes of data processing depend in detail on the contract. These include, for example, subscription orders, payment transactions and, in cases of postal dispatch, the delivery address.
The legal basis of this processing activity is art. 6 para. 1 S. 1 lit. b GDPR.
In individual cases we process your data in order to protect a legitimate interest by us or a third party (e.g. public authorities). This applies in particular in case of crime detection (legal basis art. 6 para. 1 S.1 lit. f GDPR in conjunction with § 24 Federal Data Protection Act) or the intercompany data exchange for administrative purposes (legal basis art. 6 para. 1 S.1 lit. f GDPR).
If you have consented to collecting, processing or using your data, the corresponding consent forms the legal basis (art. 6 para. 1 S.1 lit. a GDPR) for the processing named there. You can revoke any declarations of consent with respect to the future at any time. Without these data we will in general refuse the conclusion of the contract or the execution of the order or we will be no longer able to implement an existing contract.

b)    Storage duration or criteria for determining the duration
We process your personal data for the duration of our business relationship, which also includes the negotiation and performance of a contract. Your personal data will be deleted as soon as it is no longer required for the fulfilment of the contractual obligation. 
In addition, we are subject to different safekeeping and documentation obligations (such as German fiscal code, German Commercial Code, German Civil Code, etc.). The periods set out for the storage / documentation amount to up to ten years; in certain cases they may amount to up to thirty years.

c)    Recipients or categories of recipients of data
Within our company, your personal data is made available only to persons and organisations that require it for the proper performance of certain contractual and legal duties. 
In addition, the following offices may receive your data: contract processors used by us especially in the area of e.g. IT services, solvency check, logistics and printing services. 
In the case of payment defaults we share your personal data with collection and legal service providers. With the transmission of data we follow our justified interest in an efficient mechanism to enforce uncontested claims. The legal basis for the transfer of data results from art. 6 para.1 S.1 lit. b and f GDPR.
Your personal data will not be transferred to a third country (states outside the European Economic Area - EEA).

d)    Your obligation to provide the data
For the development and implementation of business relations and for the performance of related contractual duties you are required to provide your data.

13. Increased fare
a)    Purposes and legal basis of the data processing
Due to our tariff terms and conditions and the terms and conditions of carriage we are entitled to request an increased fare in case of travelling without a valid ticket. 
We process your details, such as
•    first and last name
•    address data, (in case of children also the data of parent or legal guardians) 
•    date and place of birth, type and number of identification card 
•    gender
•    incident data
•    station where you got on
•    line and time 
•    dunning- and/or payment data
for the handling of the increased fare (accounting) and implementation of the civil or criminal liability. 
The data processing takes place based on art. 6 para. 1 S.1 lit. c (as well as art. 6 para. 1 S.1 lit. b) and f)) GDPR. The legal duty results from § 9 Regulation on the General Conditions of Carriage for the tramway and trolleybus traffic as well as line traffic by regular service vehicles. Our legitimate interest results from our tariff provisions and Conditions of Carriage as well as the prosecution of criminal offences according to §§ 263, 265a, 267 StGB (German penal or criminal code).

b)    Storage duration or criteria for the determination of duration 
The storage duration results from the legal regulations of the tax code as well as the safekeeping and documentation obligations according to tax law and commercial law and amounts to 10 years from the end of the year when the data was collected.

c)    Recipients or categories of recipients of data
In the framework of a possible criminal prosecution the data may be transferred to the police or the public prosecutor's office according to §§ 263, 265a, 267 StGB, if you repeatedly cannot present a valid ticket. 
For address inquiry a data transfer to the residents' registration office may take place.
In addition, personal data will be shared with collection and legal services providers for the purposes of claims recovery. This is carried out only if you do not pay the increased fare within a certain period of time. 
The legal basis is art. 6 para. 1 S. 1 lit. b and f GDPR. 
With the transmission of data we follow our justified interest in an efficient mechanism to enforce uncontested claims.

d)    Your obligation to provide the data
You are under a contractual obligation to provide the data.

14. Customer complaints (ticket vending machines)
a)    Purposes and legal basis of the data processing
Within the scope of complaints relating to ticket purchases at our ticket vending machines we collect data such as
•    first and last name
•    gender
•    address data 
•    phone
•    bank details
•    detailed information about the purchased tickets (such as place, type, quantity)
in order to follow up on this matter, to be able to resolve it and to ensure proper processing. 
The legal basis for the data processing is art. 6 para. 1 S.1 lit. b and f GDPR.

b)    Storage duration or criteria for the determination of duration 
Personal data will remain stored beyond the time of the actual complaints processing for fraud protection. The deletion of your complaint data will not take place before the end of the storage periods under commercial and tax law. The time periods provided for therein amount up to 10 years.

c)    Recipients or categories of recipients of data
Your personal data will not be passed on to third parties and will not be transmitted to a third country.

d)    Your obligation to provide the data
Within the scope of complaints you have to provide personal data that is required for the fulfilment of your order (complaint). Without the data it may be the case that we will reject the order execution.

15. House ban

a)    Purposes and legal basis of the data processing:
If our house rules are being violated, we have the right to exercise our property rights and to issue house bans. The data you provide to us, such as

•    salutation
•    first and last name
•    address 
•    date of birth
•    possibly nationality 
•    date and time 
•    place
•    reason for the house ban

we process in order to declare bans on entry, to lodge a trespass complaint (in case properties were entered despite the existence of a house ban) and in order to assert possible claims.

The data processing is based on art. 6 para. 1 S.1 lit. f GDPR. 
Our legitimate interest initially is to assert our property rights effectively and furthermore pursuing a claim relating to infringed property rights. Where required we will report an offense.

b)    Storage duration or criteria for the determination of duration
As far as necessary we process your personal data until the house ban is lifted, at the latest after two years, unless they are still required for an additional purpose (e.g. law enforcement) due to a given occasion. 

c)    Recipients or categories of recipients of data
A data transmission to third parties (such as the police, courts, public prosecution service) takes place only in case it is required for the investigation and prosecution of criminal offences.

d)    Your obligation to provide the data
You are under obligation to provide the data.


16. Complaint management
a)    Purposes and legal basis of the data processing
We would be very pleased to receive your questions, wishes, suggestions and criticism in order to improve our service for you. 
In this case we process your data such as
•    first and last name
•    address data 
•    phone
•    e-mail 
for the treatment of your inquiry. 
Legal basis for the data processing described above is art. 6 para. 1 S.1 lit. f GDPR.

b)    Storage duration or criteria for the determination of duration
Your personal data will be deleted if they may not be processed further to safeguard justified interests or fulfil commercial or tax law related retention periods. The time periods provided for therein amount up to 10 years.

c)    Data receiver / data transfer
Data is not passed on to third parties.

d)    Your obligation to provide your data
Within the scope of your inquiry or complaint you have to provide the personal data required for the fulfilment of your order. Without the data it may be the case that we will reject the order execution.

17. Lost property
I.    Data of the finder
a)    Purposes and legal basis of the data processing of the finder
When you hand in lost property to us, we process the personal data you provide on a voluntary basis. It includes
•    first and last name
•    address data 
•    object found, date and place of recovery
in order to be able to share the data of the owner with you in case he collects his lost property. This allows you to assert your claim to a reward as finder. 
The data processing takes place on basis of art. 6 para. 1 S 1 lit. c GDPR. 
The legal obligation results from § 971 BGB (German Civil Code).

b)    Storage duration or criteria for the determination of duration
As a rule, the data is deleted after 3 years. The legal deletion period is based on the period of limitation specified in the BGB (in this case: the regular limitation period according to §§ 195, 199 BGB).

c)    Recipients or categories of recipients of data
As a rule, no data transfer takes place.

d)    Your obligation to provide your data
If you raise a reward claim we need your data (name, address) in order to share with you the data of the owner. The claim is targeted against the owner.

II.    Data of the owner  
a)    Purposes and legal basis of the data processing of the owner/ collector
If you collect a lost object we will process data such as
•    first and last name
•    address data 
•    object found
•    where required the identity number / number of the driving licence
•    bank details (IBAN) – in case of issue of amounts of money above 10 € resp. in case of payment of return fees
Legal basis for the personal data processing described above is art. 6 para. 1 S. 1 lit. b, c and f GDPR.

b)    Storage duration or criteria for the determination of duration
If the data is no longer required for the fulfilment of contractual or legal obligations, it will be deleted unless a continued storage is required according to commercial law or tax-based retention periods. Worth mentioning here in particular are HGB (German Commercial Code) and AO (German fiscal code). The time periods provided for therein amount up to 10 years.

c)    Recipients or categories of recipients of data
We will share your data with the finder if the person can assert a claim and/or reimbursement of any expenses incurred.

d)    Your obligation to provide your data
Without provision of your personal data, we will not hand out the lost object.

18. Application management
a)    Purposes and legal basis of the data processing
If you send your application to us, we collect only personal data that is required for the application. Information such as gender, phone number, pictures and e-mail address is voluntary. 
We process your data, such as
•    first and last name
•    address data 
•    your application papers
and voluntary information such as
•    phone number
•    e-mail address
•    photo included in job application
for selection purposes. 
The data processing takes place based on art. 6 para. 1 S.1 lit. a (consent) and § 26 para. 1 BDSG (Federal Data Protection Act).

b)    Storage duration or criteria for the determination of duration
After completion of the application process - at the latest though after a period of 6 months - your personal data will automatically be deleted provided your application can not be considered - provided your prior agreement (agreement to store data for the future).

c)    Recipients or categories of recipients of data
Data will not be transferred.

d)    Your obligation to provide your data 
Without your data you cannot participate in the application process.

19. Claims management
a)    Purposes and legal basis of the data processing
We process your personal data in case of claims in order to evaluate our liability for compensation and its level. This includes:
•    basic data from your claim letter (such as name, address, date of birth, health insurance, pension insurance institute, insurance data)
•    bank details
•    address data of witness 
•    transaction numbers and reference numbers of authorities
•    health-related data in case of personal injury (severity of injury, intensity and duration of the pain, duration of the incapacity for work, permanent damages, disfigurements, length of time spent in hospital etc.)
Legal basis for the processing of personal data for claims settlement is art. 6 para. 1 S 1 lit. c GDPR.  
If in the scope of claims management special categories of personal data are required such as your health data, we shall request your consent according to art. 9 para. 2 a in conjunction with art. 7 GDPR. This consent can be revoked at any time for the future. 
In the case of withdrawal the further processing of the claim is not possible without your personal data.
We also process your data (except particular categories of personal data) in order to preserve our legitimate interests or the legitimate interests of third parties. This may e.g. be required for the prevention and investigation of crime. Legal basis is art. 6 para 1 S 1 lit. f GDPR.
Furthermore, we process your personal data for the fulfilment of commercial and tax law obligations of data retention. Legal basis is art. 6 para 1 S 1 lit. c GDPR. 

b)    Storage duration or criteria for the determination of duration
Your personal data will be deleted as soon as it is no longer required for the above mentioned purposes. It may be the case that we keep your personal data for the period of time in which claims can be made against us. The legal statute of limitations can amount to up to 30 years. Furthermore we store your personal data insofar as we are legally obliged to do so. The legal retention requirement results from the German Commercial Code and the German fiscal code. The conservation period is up to ten years (10).

c)    Recipients or categories of recipients of data
In order to fulfil our contractual and legal obligations we share your personal (claims) data with our reinsurer. In addition we can share your data with further recipients, such as authorities (social insurance agency, law enforcement authorities) or medical experts, technical experts, residual value calculators, financial institutions.
Your personal data will not be transferred to a third country (states outside the European Economic Area - EEA).

20. Data subject rights
You have the right:
•    according to art. 15 GDPR to obtain information about your personal data stored by us. In particular you can demand information on the processing purposes, the category of the personal data, the categories of recipients with whom we shared or share your data, the planned storage duration, on the existence of a right of rectification, deletion, limiting the processing or withdrawal, on the existence of a right to appeal, the origin of personal data, provided that the data was not collected by us as well as on the existence of an automated decision making incl. profiling and if necessary significant information on the details;
•    according to art. 16 GDPR to demand immediately the rectification of incomplete or inaccurate personal data stored by us;
•    according to art. 17 GDPR to demand the deletion of your personal data stored by us, provided the processing is not required for the exercise of freedom of expression and information, for the compliance with a legal obligation, for reasons of public interest or to enforce, implement or defend legal claims;
•    according to art. 18 GDPR to demand process limiting of your personal data if you deny the correctness of the data, the processing is unlawful but you refuse the deletion and we no longer need the data but you need it for the establishment, exercise or defence of legal claims or you objected to the processing of the data according to art. 21 GDPR;
•    according to art. 20 GDPR to receive your personal data, you have provided us with, in a clearly structured, common and machine readable format or to demand the transmission to another person responsible;
•    according to art. 7 para. 3 GDPR to withdraw your once given consent at any time. This has the consequence that we are no longer allowed to continue the data processing, based on your consent, in the future; and
•    according to art. 77 GDPR to complain at a supervisory authority. Generally you can address yourself to the supervisory authority of your current usual residence or workplace or our office.

21. Right of objection
Provided your personal data is processed based on legitimate interests according to art. 6 para. 1 S. 1 lit. f GDPR, you have according to art. 21 GDPR the right to enter an objection against the processing of your personal data, if there are valid reasons relating to your particular situation or if the objection is directed against direct mail. In the latter case you have a general right of objection, which will be implemented by us without giving any reason.

22. Topicality and amendment of this privacy statement
This privacy statement is currently valid and dated October 2019.
Due to further development of our website and involved offers or due to changed statutory or official provisions it can be necessary to change this privacy statement. The most current version of our data privacy statement can be accessed and printed on this website at https://www.uestra.de/datenschutz/.

Data protection information in the course of construction measures

The ÜSTRA Hannoversche Verkehrsbetriebe Aktiengesellschaft (ÜSTRA) is planning the new construction of the Glocksee depot (parallel to Wilhelmshavener Straße). In this context, the ÜSTRA informs the direct residents and owners about the new construction and potential participation possibilities. In this respect, the ÜSTRA will enter into an active dialog. For this purpose, information events will take place. The direct residents will be informed with a flyer (circular) about the construction project, the information event and the possibility of registration for the information event. In the further course, construction-related information will follow (circulars).
This general information concerning the implementation of the data protection requirements of Articles 12 to 14 of the General Data Protection Regulation will give you an overview of the processing of your personal data and your rights, resulting from the data protection regulations.

1. Name and contact details of person responsible and data security officer

ÜSTRA Hannoversche Verkehrsbetriebe Aktiengesellschaft
Am Hohen Ufer 6
30159 Hannover
e-mail: info@uestra.de
Phone: +49 511 1668 0

Contact details of the data security officer:

ÜSTRA Hannoversche Verkehrsbetriebe Aktiengesellschaft
External data security officer
Am Hohen Ufer 6
30159 Hannover
e-mail: datenschutz@uestra.de
Phone: +49 511 1668 0

2. Rights of persons affected

•    When we process your personal data, you have the right to receive information concerning the personal data stored about you (Art. 15 GDPR).

•    If personal data are incorrect or incomplete, the data subject may request for them to be corrected (Art. 16 GDPR).

•    If the requirements are met, you can demand the deletion or limitation of processing and you have the right to object to processing (Art. 17, 18, 21 GDPR).

•    You also have the right to lodge a complaint with the data protection authority of the state of Lower Saxony.

•    If you gave your consent to the use and processing of your data, this consent may be withdrawn at any time, effective in the future without this affecting the lawfulness of the processing based on consent before its withdrawal.

If you make use of the legal right of revocation, please send an e-mail to: NeubauBhfGlocksee@uestra.de or by post to: ÜSTRA Hannoversche Verkehrsbetriebe Aktiengesellschaft, Neubau Bhf. Glocksee, Am Hohen Ufer 6, 30159 Hannover.

3. Disclosure of data

We shall forward your personal data to third parties (receiver) only if we are entitled to do so according to the data protection law provisions. Recipients of your data can be service providers. These service providers act on our instructions, which is ensured by strict contractual rules, by technical and organisational measures and by complementary checks.

4. The subject matter of data protection
The subject matter of data protection is “personal data”. This includes all information relating to an identified or identifiable individual (so-called data subject). This includes details such as name, postal address, e-mail address or customer number. Specific information on personal data processed by us can be found consecutively in the listed data processing operations:

I. Proprietor information

(1) Data subjects

Owners of property not used by themselves near Bhf. Glocksee 

(2) Personal data 

•    name 
•    address
•    details on the property
•    where required phone number
•    where required e-mail address

(3) Legal basis for the processing

The legal basis for data processing is the legitimate interest according to Art. 6 Para. 1 lit. f GDPR. The legitimate interest of ÜSTRA is based on the early proprietor information concerning long-term construction projects and the mutual ensuring of the legal rights administration within the scope of the legal provisions of construction measures.

(4) Origin of the data

If you are property owner of the properties near Bhf. Glocksee and you accordingly received a personal letter, we obtained your contact details from the surveying and cadastral administration, Lower Saxony („land registry office“), resp. the corresponding parcel- and proof of ownership („cadastre“). The cadastre is subject to the principle of public character. 

The recall of your data took place according to the provisions of the land registry office, with proof of entitled interest in accessing the cadastre. The legitimate interest is based on the early information of residents concerning long-term construction projects.

(5) Storage period

We will delete your personal data as soon as it is no longer required for the aforementioned purposes. In this respect, the data is processed for the further communication within the construction process (particularly construction progress and restrictions). The construction phase is currently planned for the period from approx. 2023 to approx. 2028. Here, it may occur that your data is stored for the period over which claims can be made against us. The statutory period of limitation may be up to thirty years. Furthermore, we store your personal data if we are under a statutory obligation or require the data due to current reason, for a permissible purpose (e.g. defending legal claims). The processing is carried out only in connection with the permissible purpose.

II. Online event for owner- and resident information purposes 

Due to the pandemic, physical presence is currently not possible during events. The residents and owners register on a voluntary basis for the events and receive a link with information concerning the implementation resp. usage of the program. A recording of the event will not take place. The participation is possible via a guest link. In this respect, a separate registration is not required. The indication of your name or picture is not required.

(1) Personal data 
•    email address
•    where appropriate pseudonym
•    where appropriate name 

(2) Persons affected by the processing: 

•    residents of the Bhf. Glocksee 
•    owners of properties near Bhf. Glocksee  
•    owners of properties not used by themselves near the Bhf. Glocksee 

(3) Legal basis of the processing

The processing takes place based on your consent, given by telephone or in written form, according to Art. 6 Para. 1 lit. a, Art. 7 GDPR.

(4) Storage period

We will delete your personal data as soon as it is no longer required for the aforementioned purposes. Concerning the online event, the data is used for this purpose only. Registration is to be carried out by email. The scheduling is planned for the 23.03 and 25.03.2021. Afterwards, the data is no longer required, unless there are questions to the postbox.

(5) Obligation to provide personal data

Within the scope of your online participation, you have to provide the personal data required for the participation, at least name or pseudonym and e-mail address. Without this data, the participation can be partly restricted or totally impossible.

III. Microsoft 365 applications

You received an invitation for the use of a Microsoft Office application, namely Microsoft Teams.
This is a non-personalised guest link that will enable you to participate in the online information event. Establishing a user account is not required.

When using Teams, Microsoft processes your personal data. Further information on data processing by Microsoft can be found in the MS Trust Center and the MS data privacy statement.

A processing of personal data in the framework of the use of Teams does not take place.