The following data protection principles applies when using the MVV-App. They supplement the Conditions of Carriage, the Tariff Conditions and the Ticket Fares, as well as the relevant privacy terms for purchasing Handy and Online Tickets and the data protection declaration for the sale of tickets via MVVswipe, each as amended from time to time.
MVV takes the security of personal data very seriously. This page outlines how your data as well as the data processed in the app is handled. For questions and information request, please use the contact details listed below on this page.
In the MVV-App, apart from the temporary, technically necessary intermediate saving of data due to the IP-based communication requirements, personal data is only processed when using the services explicitly described below (e.g. purchase of MVV mobile tickets, booking of on-demand services).
MVV GmbH takes data protection law very seriously and grants high priority to the principle of data minimisation. Most of the services and functions of the MVV-App do not require any personal data to be collected or processed. The data processing of the MVV-App is explained below, divided into sections and functionalities of the app.
Depending on the operating system and the respective authorization systems, special rights are required by the MVV-App to be able to carry out all of its functions. For each of the authorization, you will be explicitly informed during the installation or during the first use of the respective function. At this point you can decide explicitly whether you would like to authorize certain functions or not.
With the MVV-App you have the possibility to obtain travel information for any desired location as well as for your current location. This app uses location information made available by the smartphone, provided that it is enabled in the user settings. The app uses this data to determine the waypoints of travel routes and identify nearby stops/stations and departure times. The addresses, points of interests and PT stops used for the travel information are recorded (see Data Storage) without it being possible to retrace the person or his location. The explicit location data is also not stored or passed on to third parties.
The app saves the following information on the user-device: history of the last entered origins-destinations, public transport connections and lines, user-selected favorites, user-defined settings, downloads (network plans), status of app (to restore the last status when the app is restarted) and the data received from the server (e.g. map section, timetables). The app has access to the above-mentioned information from the local storage of the user-device. Please be advised that depending on the operating system further authorizations could be required to access the external memory cards (for example in case of Android an access to photos, media and documents is requested). In this case, none of your personal data is accessed.
To ensure a safe operation, the calculations regarding the electronic travel information (departures, timetables etc.) are recorded on our servers. The stored information consists exclusively of the calculations that were carried out and it adheres to the privacy policy of Münchner Verkehrs- und Tarifverbund GmbH, or rather that of the Bayerischen Eisenbahngesellschaft mbH. No personal information is transferred or stored. Therefore, it is not possible to trace back the user or any request patterns of the users.
The MVV-App is made available for download through the respective App stores. For the privacy regulations concerning these App stores or directly related fields we would like to refer you to their respective privacy policies:
The personal information given explicitly for the purpose of purchasing tickets and all the related changes are stored and processed by the respective shops or their service providers in accordance to their general terms and conditions.
The app can be used to save calculated routes and further information to digital calendars or to send them to third parties via text message, e-mail or social media platforms such as WhatsApp, Twitter, Telegram etc. These share options are based on the services installed on the smartphone and are subject to the respective data protection principles of these services. We do not have any influence over the apps installed by you or their respective privacy policies. The app’s access to configured calendars is write-only, meaning that existing entries are not read. Contact information is used solely for the purpose of sending messages; the data is not processed or stored by the app or our server.
For booking on-demand services (MVV-RufTaxi, FLEX) electronically or by telephone, a registration is required stating name, telephone number and e-mail address (may be optional for registration by telephone). This data is used exclusively for the organization, scheduling and execution of the booked rides as well as for contacting you in connection with the booked trips (e.g., change of travel time, queries about seat requirements) and for the same purpose electronically transmitted via encrypted transport systems to the callcenter as well as the transport company concerned. Art. 6 (1) lit b GDPR - the processing is necessary for the performance of a contract or for the implementation of pre-contractual measures - and lit f GDPR. The legitimate interests of MVV GmbH, the transport companies and the public transport authorities are to provide passengers and users of the MVV app with better access to public transport and to facilitate timetable information and the purchase of MVV HandyTickets. Without providing the data, no booking can be executed via the booking tool. The data will be deleted no later than two years after the last use or booking. Otherwise, the data will be deleted within 30 days at the explicit request of the customer by e-mail to kundenbetreuung@mvv-muenchen.de, provided that there are no legal obligations to retain the data.
In order to further improve the quality of the app, MVV GmbH and/or IT service providers generate, after the express consent of the user, anonymised statistics regarding the usage of this app (“Opt-in-Procedure"). These usage statistics only serves as a basis for product improvement and does not contain any personal information. It is not possible to draw any conclusions regarding the user’s identity from this data. The function for collecting anonymous usage statistics can be activated by the user when opening the app for the first time and can be deactivated at any time via the app’s settings Menu. For obtaining the user-statistics, we use Google Firebase with an active IP-Anonymiser in our MVV-App for Android and iOS. The collected anonymous statistics information is transferred to Google servers and stored there. Responsible authority for users in the EU is Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Google analyses this data to generate reports regarding the user-activity of the app. More detailed information regarding this can be found under support.google.com/analytics/answer/6004245?hl=de und www.google.de/intl/de/policies/
To improve the stability and reliability of the app, we use Google LLC's Firebase Crashlytics service to collect anonymous crash reports. The responsible body for users in the EU is Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). If the app crashes, information is transmitted to the Google server that contains information about the status of the app at the time of the crash and system information about the end device. Data includes Crashlytics-Installation-UUIDs, crash traces, and Breakpad-minidump formatted data. Further information can be found at firebase.google.com/support/privacy and www.google.de/intl/de/policies/. The collection of crash reports with Google Firebase Crashlytics can be deactivated directly when opening the app for the first time or at any time via the app’s settings menu ("Opt-out procedure").
The MVV-ID is a service provided by MVV GmbH that allows you to use various services and functionalities offered in the MVV-App that require registration with a joint account. If users of the MVV-App register for the MVV-ID, the data required for authentication, such as first name, surname, e-mail address and telephone number, as well as optional data that can be added to the profile for the use of further services (e.g. booking of on-demand transport, participation in MVVswipe, purchase of mobile tickets) are stored in a German computer centre and used only for the use of the services and functionalities offered in the MVV-App. The legal basis for the processing is Art. 6 para. 1 subpara. 1 lit. b) - the processing is necessary for the performance of a contract or for the implementation of pre-contractual measures - and lit. f) GDPR. The legitimate interests of MVV GmbH are to give users of the MVV-App better access to public transport. Services requiring registration cannot be offered without an authentication and personal data.
The data will be deleted no later than two years after the last use (log-in). Otherwise, the data will be deleted within 30 days at the explicit request of the customer by e-mail to kundenbetreuung@mvv-muenchen.de, provided there are no legal obligations to retain the data.
For participation in MVVswipe, the privacy policy for this service applies, which is listed following this privacy policy. It supplements the data protection principles of the MVV-App and the GTC "Sale of tickets via MVVswipe".
During ticket purchase through MVV-App’s HandyTicket, the data protection regulations of the respective ticket shops apply. The regulations governing the sale of Handy and Online tickets via the ticket shop of MVV GmbH in accordance with section 12 of the Handy and Online Ticket terms and conditions are listed below.
In order to make the purchase process from HandyTicket easier, the user can permit the access to the device’s contacts. By doing this, the contact information can be automatically read and does not need to be manually entered during the purchase process. This service is optional and provides a faster way to buy tickets for passengers.
Messages sent via the contact form in the MVV-App or by e-mail are stored and analysed in anonymised form for the purpose of processing the request and for quality improvement. The processing is carried out by employees of MVV GmbH; if the message is forwarded to the relevant transport company or software service provider in order to respond or clarify the facts, the personal data transmitted will also be forwarded. The legal basis is Art. 6 para. 1 subpara. 1 lit. a) GDPR (consent). Without the provision of contact data, in particular the e-mail address, the request cannot be processed in writing.
The data will generally be deleted twelve months after processing.
Processing of data takes place - unless otherwise stated above for specific sections and functionalities of the MVV-App - in accordance with Art. 6 (1) subpar. 1 lit. f) GDPR to safeguard the legitimate interests of MVV GmbH, the transport companies and the authorities, in order to provide you, as a user of our MVV-App, better access to public transport and to facilitate timetable information and the purchase of MVV HandyTickets.
Users have the right to information regarding the concerned personal data (Article 15 GDPR) as well as to rectification (Article 16 GDPR) or cancellation (Article 17 GDPR) or to restrict the processing of data (Article 18 GDPR) or a right to object to the processing (Article 21 GDPR) and a right to data portability (Article 20 GDPR) in accordance with the statutory provisions on data protection.
According to Article 77 GDPR, irrespective of any administrative or judicial remedies, you have the right to lodge a complaint with a supervisory authority, in particular in the Federal State of your residence, place of work or place of alleged infringement, if you consider that the processing of your personal data has violated the General Data Protection Regulation.
Responsible supervisory authority for MVV GmbH is the Bavarian State Commissioner for Data Protection, PO Box 22 12 19, 80502 Munich, www.datenschutz-bayern.de.
The responsibility for data protection at MVV lies with the executive managerial board of MVV GmbH. It can be reached by e-mail via info@mvv-muenchen.de or by post via MVV GmbH, Geschäftsführung, Thierschstraße 2, 80538 München.
MVV GmbH has a data protection officer. You can reach them by e-mail via datenschutz@mvv-muenchen.de or by post via MVV GmbH, Datenschutzbeauftragter, Thierschstraße 2, 80538 München.
Excerpt from the General Terms and Conditions and Privacy Policy (GTC) for the sale of MobileTickets via the ticket shop of MVV GmbH (as of August 2024)
(1) In order to process the e-Payment services (e.g. webshop, mobile app) MVV GmbH uses the services of the IT service provider EOS UPTRADE GmbH, Schanzenstraße 70, 20357 Hamburg, as well as the financial service provider LogPay Financial Services GmbH Schwalbacher Straße 72, 65760 Eschborn. The technical operation of the software components is delegated to eos.uptrade GmbH. All infrastructure is installed in certified data centers in Germany. As part of commissioned data processing, the service providers use software instances of Amazon Web Services (AWS). The operation of these components takes place exclusively at servers located at Frankfurt am Main (Germany).
(2) The personal data provided by the customer (first and last name, date of birth, address, email address, if necessary a banking account or credit card data, if applicable mobile number) as well as data regarding the ticket purchases of the customer (order data, if necessary IP address and client, log data) and all changes are passed on to LogPay Financial Services GmbH for the purpose of the sale and assignment of the claims against the customer in connection with the ticket purchase. This is done on the legal basis of art. 6 sect. 1 sentence 1 lit. f GDPR. The legitimate interest of MVV GmbH is the outsourcing of the payment process and the receivables management. The legitimate interest of LogPay Financial Services GmbH is the processing of data for the purposes of handling payments, receivables management, the assessment of permissibility of payment methods and the prevention of payment defaults. The offer to conclude a sales contract for a ticket is only accepted if LogPay Financial Services GmbH acquires the resulting claim from the ticket sale. If LogPay Financial Services GmbH rejects the purchase of the claim, the offer to conclude a sales contract will be rejected. The information regarding data protection of LogPay Financial Services GmbH can be accessed on https://www.logpay.de/EN/datenschutzinformationen/. In addition, MVV GmbH processes your personal data having received from LogPay Financial Services GmbH (information about the decision whether the claim is acquired or not). Without providing the data, the Mobile-/OnlineTicket cannot be used.
(3) LogPay Financial Services GmbH shall conduct a check of the consumer’s data and creditworthiness during the registration for the SEPA direct debit procedure and/or in consequence of the change of the payment method to direct debit procedure. The latter shall be carried out by comparing the customer personal details given with the stored date of SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden.
(4) In order to prevent fraud with the bank account data, the identity of the bank account holder shall be verified as part of the registration process for the SEPA Direct Debit payment and/or in the event of changes to the customer data in connection with the switch to the SEPA Direct Debit payment. As part of this verification (Bank-Ident procedure or Photo-Ident procedure), the first and last name, IBAN and e-mail address are transmitted to Verimi GmbH, Oranienstrasse 91, 10969 Berlin.
(5) LogPay Financial Services GmbH passes the customer’s credit card on to a credit card acquirer in order to check the credit card details and to process all payments via credit card.
(6) In case the customer fails to meet his or her payment obligations, the personal details are passed on to a debt collection agency for the purpose of the collection of the receivables (for example with a payment reminder) and the enforcement of the receivables (for example through legal default actions or the cooperation with a law firm in case of a legal enforcement).
MVV GmbH may use and store the personal data of registered customers for the purpose of customer service and pass them on to their service providers for the clarification of questions; the personal data are not used for advertising or other purposes without the prior explicit consent of the customer. This is done based on 6 sect. 1 sentence 1 lit. b GDPR, for fulfilment of the Mobile-/OnlineTicket contract. Without providing the data, the Mobile-/OnlineTicket cannot be used.
For securing the revenues, the transport companies involved in the transport association may - on request - inspect the ticket data, the information stored in the barcode (masked last name, masked first name and date of birth of the ticket holder) and the control medium (e.g. personal ID) provided by the customer. This is done based on art. 6 sect. 1 sentence 1 lit. f GDPR. The legitimate interest of MVV GmbH and the transport companies is the securing of fares. Personal data are not stored on the control device, but only displayed. In the event of an objection to a ticket inspection, personal data may be forwarded to the transport company that oversees further processing. Without providing the data, the Mobile-/OnlineTicket cannot be used.
(1) The personal data collected by MVV GmbH or by its service providers will be deleted when the purpose of the data collection (sale of Handy- and Online tickets) does no longer exist and no legal retention periods are opposed. The account information of a customer, who has not made any ticket purchases, will be erased, at the latest, after a period of two years. The account information of a customer who has made ticket purchases will be deleted ten years after the last purchase. The order data are treated as a receipt and are stored according to legal retention periods, then they are deleted. Apart from that, a cancellation of personal data can be carried out if a customer explicitly requests it by sending an email to kundendialog@mvv-muenchen.de and given that no legal retention periods are opposed. In this case, the deletion is carried out within a maximum period of 60 days.
(2) As long as the processing of personal data is based on the consent of the customer, there is a right to revoke the consent at any time, without affecting the legality of the processing carried out based on the consent until the revocation, in accordance with the legal regulations on data protection (art. 7 GDPR, § 51 BDSG).
In case of processing of personal data to carry out tasks in the public interest (Art. 6 Sect. 1 Sentence 1 lit. e GDPR) or to safeguard legitimate interests (Art. 6 Sect. 1 Sentence 1 lit. f GDPR), the customer can object to the processing of personal data concerning her or him at any time with effect for the future. In case of an objection, the MVV GmbH refrain from any further processing of the affected data for the aforementioned purposes, unless,
There is a right to information on the personal data concerned (art. 15 GDPR) as well as to rectification (art. 16 GDPR) or cancellation (art. 17 GDPR) or to restriction of processing (art. 18 GDPR) or a right of objection to the processing (art. 21 GDPR) and a right to data portability (Article 20 GDPR) in accordance with the legal regulations on data protection. The customer can assert these rights by sending an e-mail to kundendialog@mvv-muenchen.de.
(3) The responsibility for data protection according to legal regulations is in the hands of MVV GmbH, represented by the management. It can be reached by e-mail via info@mvv-muenchen.de or by post via MVV GmbH, Management, Thierschstraße 2, 80538 Munich. MVV GmbH has a data protection officer that can be reached by e-mail via datenschutz@mvv-muenchen.de or by post via MVV GmbH, Datenschutzbeauftragter, Thierschstraße 2, 80538 Munich. If you would like your personal data to be erased, please send an email to datenloeschung@mvv-muenchen.de.
(4) According to art. 77 GDPR, irrespective of any other administrative or judicial remedies, the customer has the right to lodge a complaint with a supervisory authority, in particular in the Federal State of his or her residence, place of work or place of the suspected violation, if the customer considers that the processing of his or her personal data has violated the General Data Protection Regulation.
Responsible supervisory authority for MVV GmbH is the Bavarian State Commissioner for Data Protection, PO Box 22 12 19, 80502 Munich, www.datenschutz-bayern.de.
1. General Information
(1) MVV GmbH offers the function of a CheckIn-CheckOut system (hereinafter referred to as the InOut system or MVVswipe) in the MVV app. This is a smartphone-based sales system with automatic ex-post fare calculation. Using location information (GPS), the smartphone recognizes a check-in actively initiated by the customer, the route travelled on MVV via local public transport and the check-out initiated by the customer. The system then calculates the correct fare for the route traveled in the background based on this location data. If several journeys are made per day, the maximum applicable daily fare (depending on the zone and number of passengers) is charged. Depending on the number of journeys per day, the customer's previously created means of payment will be debited.
(2) MVV GmbH uses the IT service provider Mentz GmbH (hereinafter referred to as MENTZ), Grillparzerstraße 18, 81675 Munich, Germany, and the financial company LOGPAY Financial Services GmbH (hereinafter referred to as LOGPAY), Schwalbacher Straße 72, 65760 Eschborn, Germany, to process the e-payment service (e.g. InOut system). MENTZ is responsible for the technical operation of the software components. The infrastructure is located in certified data centers in Germany. As part of commissioned data processing, the service providers use software instances at the data center operator Amazon Web Services (AWS). These components are operated exclusively in the eu-central-1 region (Frankfurt am Main).
(3) The controller within the meaning of data protection law is MVV GmbH, represented by the management. It can be contacted by e-mail via info@mvv-muenchen.de or by post via MVV GmbH, Management, Thierschstraße 2, 80538 Munich. MVV GmbH has an external data protection officer. This can be contacted by e-mail via datenschutz@mvv-muenchen.de or by post via DSBOK, Data Protection Officer for MVV GmbH, Untergasse 2, 65474 Bischofsheim. If the deletion of the customer's personal data is desired, this must be requested by e-mail to datenloeschung@mvv-muenchen.de.
(4) The German version of the General Terms and Conditions and the Privacy Policy shall apply. In the event of a conflict between the German and English language versions, the German version shall take precedence.
2. Data required for the use of MVVswipe
(1) MVVswipe respectively the MVV app requires access to the following data and services in order to perform the function of the InOut system in accordance with Section 1, paragraph 2:
(2) The above-mentioned data is required by the InOut system in order to be able to correctly identify the public transport journey. No personal movement profiles are created. Recording of the journey only begins once check-in has been successfully completed. The MVV app does not need to be permanently open for recording. Recording ends when the customer successfully checks out. The system services mentioned above under paragraph (1) can be deactivated at any time outside of an active InOut journey via the settings of the mobile device, but must be reactivated before a new journey is started with MVVswipe. The customer will receive a corresponding system message. The customer explicitly consents to the InOut system or the MVV app accessing their personal data (see sections 3, 4 and 5), including the above-mentioned data (see section 2, paragraph 1) - also for the purpose of clarifying customer inquiries. Otherwise it will not be possible to use the InOut function.
The MVV app is made available via the relevant app stores. For data protection within these stores or directly related areas, please refer to their data protection guidelines:
3. Registration for MVVswipe
(1) Registration by the customer is required to use the InOut system. By registering, the customer must agree to the General Terms and Conditions (GTC) and data protection provisions for the InOut function as well as the conditions of carriage and tariff provisions of MVV.
(2) The following data is collected for registration:
(3) Data processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR.
(4) During the registration process, the customer can voluntarily consent to the use of personal data for market research purposes (optional checkbox; see section 7).
4. Use of the InOut system and price determination
(1) The basic system of the InOut system was explained in section 1, paragraph 1. In order to be able to permanently locate the customer's journey and subsequently calculate the correct price, the InOut system must access and process the following data (see also section 2):
(2) With each use, a travel authorization is acquired by the customer, assigned to the corresponding customer account and displayed there. The following data is processed in this context:
(3) The travel distance calculated on the basis of the journey data is made up of the first boarding stop after check-in, the stops and transfer stops passed through, the last disembarkation stop before check-out and the means of transport and lines used. The fare is calculated by assigning the calculated travel distance to the applicable MVV fare conditions. The data provided by the customer during registration and the payment methods used are used to calculate the fare (see sections 3 and 5).
(4) Data processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR.
5. Billing via LOGPAY
(1) The personal data provided by the customer (first name and surname, date of birth, address, e-mail address, telephone number if applicable and data on their respective purchases) and any changes will be forwarded to LOGPAY Financial Services GmbH for the purpose of selling and assigning MVV GmbH's claims against the customer arising in connection with their purchase, rental or booking. This is done on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR. The legitimate interest on the part of MVV GmbH lies in the outsourcing of payment processing and receivables management. The legitimate interest on the part of LOGPAY Financial Services GmbH is the processing of data for the purpose of processing payments, managing receivables, assessing the admissibility of payment methods and avoiding payment defaults.
(2) The offer to conclude a purchase contract for a ticket is only accepted if LOGPAY Financial Services GmbH acquires the resulting claim from the ticket sale. If LOGPAY Financial Services GmbH refuses to acquire the claim, the customer's offer to conclude a purchase contract is rejected.
(3) The customer may object to the transmission of this data to LOGPAY Financial Services GmbH at any time, but it will then no longer be possible to place an order via the electronic sales channel.
(4) The customer can access LOGPAY Financial Services' data protection information at documents.logpay.de/de/datenschutzinformationen.pdf.
(5) In addition, MVV GmbH processes the customer's personal data that MVV GmbH receives from LOGPAY Financial Services GmbH (information on the decision whether or not to purchase the receivable).
(6) In the event that personal data is processed for the performance of tasks carried out in the public interest (Art. 6 para. 1 sentence 1 lit. e GDPR) or to safeguard legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR), the customer may object to the processing of personal data concerning him/her at any time with effect for the future. In the event of an objection, MVV GmbH must refrain from any further processing of the customer's data for the aforementioned purposes, unless
(7) As part of the registration process for the SEPA Direct Debit payment method and/or in the event of changes to customer data in connection with the switch to the SEPA Direct Debit payment method, the financial company LOGPAY Financial Services GmbH may carry out a check of the customer's details and creditworthiness. This is done by comparing the customer's personal data with the database of SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden.
(8) In order to check the credit card data provided by the customer and to process payments using the credit card procedure, the finance company LOGPAY Financial Services GmbH will forward the credit card and payment data to a credit card acquirer.
(9) In the event that the customer does not meet his payment obligations, his personal data will be passed on to a debt collection agency for the purpose of collecting the receivables (e.g. by means of payment reminders/reminders) and enforcing the receivables (e.g. in the context of legal dunning proceedings or cooperation with a law firm in the event of legal enforcement).
6. Customer support
(1) Any queries or complaints on the part of the customer regarding the correctness of the journey recording of a trip shall be taken over and processed by the customer support of the technical service provider MENTZ on behalf of MVV GmbH. All other inquiries (e.g. about the tariff or registration) are handled and processed by MVV GmbH's customer support. Customer inquiries sent directly from the MVV app are sent directly to MENTZ (journey and stop recording) or to MVV GmbH, depending on the subject specified. General inquiries sent by email will first be reviewed by MVV GmbH and forwarded to MENTZ if necessary.
(2) MVV GmbH may use and store the personal data of customers registered with it for the purpose of customer care and may also pass it on to its service providers to clarify questions; it will not be used for advertising or other purposes without the customer's prior express consent.
(3) The processing of this personal data is based on the legal basis of Art. 6 para. 1 lit. b GDPR, provided that the communication takes place in connection with the execution of the ticket purchase. The processing for other communication is based on the legitimate interest (on the part of MVV GmbH) pursuant to Art. 6 para. 1 lit. f GDPR, namely for the needs-based processing of the customer's contact request. No InOut ticket can be used without providing the data.
7. Market Research
(1) The InOut system implements a new technology for recording travel data for ex-post fare calculation. MVV GmbH can carry out market analyses (market research) in order to continuously improve and further develop the system and its user-friendliness. For this purpose, the customer can be sent a request to participate in market research in the app or via the e-mail address voluntarily released for market research purposes during registration. Participation in this is voluntary. By participating in market research, the following information is transmitted to the market research institute
Consent can be revoked at any time in text form and is valid for the future. The processing of this personal data is based on the legal basis of Art. 6 para. 1 lit. a GDPR, consent of the customer.
8. Journey history
(1) The journey history is created in the background system. Some of the personal data is stored locally in the app in order to display the history of journeys made by the customer in the MVV app. This includes History of journeys made and the resulting tickets, user settings and certain states of the MVV app.
(2) The processing of locally stored data is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to provide the customer with a functional and user-friendly app.
9. Control of InOut journeys
(1) In order to secure revenue, the transport companies involved in the network may, if necessary, view the ticket data, the information stored in the barcode (first name and surname (masked display, if necessary, depending on the control device) as well as the date of birth and, if applicable, the title, first name and surname of the ticket holder) and the control medium presented by the customer during the control. This is done on the basis of Art. 6 para. 1 subpara. 1 lit. f) GDPR. The legitimate interest of MVV GmbH and the inspecting transport companies is to secure fare revenue. Personal data is not stored in the recording equipment, but only displayed. In the event of a complaint, personal data may be forwarded to the transport company that carried out the inspection for further processing. No InOut ticket can be used without providing the data.
10. Storage period and retention periods
(1) The personal data stored by MVV GmbH or by the service providers shall be deleted when they are no longer required for the fulfillment of the purpose for which they were collected (distribution of InOut tickets) and the statutory retention obligations (maximum ten years according to § 147 para. 3 AO) no longer conflict with this. The data of a registered customer account that has not been active for two years will be deleted from the corresponding directory after two years at the latest. Data of active customer accounts will be deleted from the corresponding directory ten years after the booking date. Order data is to be treated as a booking document and is stored in accordance with the statutory retention periods, after which it is deleted. Otherwise, deletion will take place at the express request of the customer by e-mail to kundendialog-swipe@mvv-muenchen.de, provided there are no statutory retention obligations to the contrary. In this case, deletion will take place after 30 days at the latest.
(2) Information that is relevant for technical testing and analysis, i.e. operating software (version), model of the end device and app version, is temporarily stored and automatically deleted again after six months.
11. Forwarding of data
(1) In the course of using the functions and processing the contract, it is usually necessary to involve processors. These include:
All processors and external service providers have been or will be carefully selected and are subject to strict data protection agreements. They are safeguarded by contractual regulations, technical and organizational measures and supplementary controls.
Insofar as this is necessary for the aforementioned purposes, MVV GmbH also transfers customer data to recipients outside the European Economic Area (EEA), provided that
In addition, MVV GmbH transfers the customer's personal data to the technical service providers used by MVV GmbH, which support MVV GmbH in operation and maintenance and are based in the USA. The customer's personal data is stored exclusively on servers within the EU/EEA. However, it cannot be completely ruled out that the customer's personal data may be transferred to the USA (e.g. in the case of support inquiries). To this end, MVV GmbH and the technical service providers it uses have taken suitable measures to ensure an adequate level of protection for the customer's personal data. In addition to the conclusion of the EU Commission's standard contractual clauses, this also includes the implementation of additional technical, organizational and contractual protective measures. The customer's other personal data is not transferred to countries outside the EEA.
12. Other information on data protection
(1) Insofar as the processing of personal data is based on the customer's consent, there is a right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal, in accordance with the statutory provisions on data protection (Art. 7 GDPR, Section 51 BDSG).
If personal data is processed for the performance of tasks carried out in the public interest (Art. 6 para. 1 sentence 1 lit. e GDPR) or for the purposes of legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR), the customer may object to the processing of their personal data concerned at any time with effect for the future. In the event of an objection, MVV GmbH must refrain from any further processing of the data concerned for the aforementioned purposes, unless
There is a right to information about the personal data concerned (Art. 15 GDPR) as well as to rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR) or to restriction of processing (Art. 18 GDPR) or a right to object to processing (Art. 21 GDPR) as well as a right to data portability (Art. 20 GDPR) in accordance with the statutory provisions on data protection. The customer can assert these rights by sending an email to kundendialog-swipe@mvv-muenchen.de.
(2) In addition to the aforementioned processing purposes, the customer's personal data will also be processed for the following purposes:
(3) In accordance with Art. 77 GDPR, without prejudice to any other administrative or judicial remedy, the customer shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the customer considers that the processing of personal data relating to him or her infringes the General Data Protection Regulation.
(4) The competent supervisory authority for MVV GmbH is the
Bayerische Landesbeauftragte für den Datenschutz (Bavarian State Commissioner for Data Protection), Postfach 22 12 19, 80502 Munich, www.datenschutz-bayern.de.