1. General Information
(1) MVV GmbH offers the function of a CheckIn-CheckOut system (hereinafter referred to as the InOut system or MVVswipe) in the MVV app. This is a smartphone-based sales system with automatic ex-post fare calculation. Using location information (GPS), the smartphone recognizes a check-in actively initiated by the customer, the route travelled on MVV via local public transport and the check-out initiated by the customer. The system then calculates the correct fare for the route traveled in the background based on this location data. If several journeys are made per day, the maximum applicable daily fare (depending on the zone and number of passengers) is charged. Depending on the number of journeys per day, the customer's previously created means of payment will be debited.
(2) MVV GmbH uses the IT service provider Mentz GmbH (hereinafter referred to as MENTZ), Grillparzerstraße 18, 81675 Munich, Germany, and the financial company LOGPAY Financial Services GmbH (hereinafter referred to as LOGPAY), Schwalbacher Straße 72, 65760 Eschborn, Germany, to process the e-payment service (e.g. InOut system). MENTZ is responsible for the technical operation of the software components. The infrastructure is located in certified data centers in Germany. As part of commissioned data processing, the service providers use software instances at the data center operator Amazon Web Services (AWS). These components are operated exclusively in the eu-central-1 region (Frankfurt am Main).
(3) The controller within the meaning of data protection law is MVV GmbH, represented by the management. It can be contacted by e-mail via info@mvv-muenchen.de or by post via MVV GmbH, Management, Thierschstraße 2, 80538 Munich. MVV GmbH has an external data protection officer. This can be contacted by e-mail via datenschutz@mvv-muenchen.de or by post via DSBOK, Data Protection Officer for MVV GmbH, Untergasse 2, 65474 Bischofsheim. If the deletion of the customer's personal data is desired, this must be requested by e-mail to datenloeschung@mvv-muenchen.de.
(4) The German version of the General Terms and Conditions and the Privacy Policy shall apply. In the event of a conflict between the German and English language versions, the German version shall take precedence.
2. Data required for the use of MVVswipe
(1) MVVswipe respectively the MVV app requires access to the following data and services in order to perform the function of the InOut system in accordance with Section 1, paragraph 2:
(2) The above-mentioned data is required by the InOut system in order to be able to correctly identify the public transport journey. No personal movement profiles are created. Recording of the journey only begins once check-in has been successfully completed. The MVV app does not need to be permanently open for recording. Recording ends when the customer successfully checks out. The system services mentioned above under paragraph (1) can be deactivated at any time outside of an active InOut journey via the settings of the mobile device, but must be reactivated before a new journey is started with MVVswipe. The customer will receive a corresponding system message. The customer explicitly consents to the InOut system or the MVV app accessing their personal data (see sections 3, 4 and 5), including the above-mentioned data (see section 2, paragraph 1) - also for the purpose of clarifying customer inquiries. Otherwise it will not be possible to use the InOut function.
The MVV app is made available via the relevant app stores. For data protection within these stores or directly related areas, please refer to their data protection guidelines:
3. Registration for MVVswipe
(1) Registration by the customer is required to use the InOut system. By registering, the customer must agree to the General Terms and Conditions (GTC) and data protection provisions for the InOut function as well as the conditions of carriage and tariff provisions of MVV.
(2) The following data is collected for registration:
(3) Data processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR.
(4) During the registration process, the customer can voluntarily consent to the use of personal data for market research purposes (optional checkbox; see section 7).
4. Use of the InOut system and price determination
(1) The basic system of the InOut system was explained in section 1, paragraph 1. In order to be able to permanently locate the customer's journey and subsequently calculate the correct price, the InOut system must access and process the following data (see also section 2):
(2) With each use, a travel authorization is acquired by the customer, assigned to the corresponding customer account and displayed there. The following data is processed in this context:
(3) The travel distance calculated on the basis of the journey data is made up of the first boarding stop after check-in, the stops and transfer stops passed through, the last disembarkation stop before check-out and the means of transport and lines used. The fare is calculated by assigning the calculated travel distance to the applicable MVV fare conditions. The data provided by the customer during registration and the payment methods used are used to calculate the fare (see sections 3 and 5).
(4) Data processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR.
5. Billing via LOGPAY
(1) The personal data provided by the customer (first name and surname, date of birth, address, e-mail address, telephone number if applicable and data on their respective purchases) and any changes will be forwarded to LOGPAY Financial Services GmbH for the purpose of selling and assigning MVV GmbH's claims against the customer arising in connection with their purchase, rental or booking. This is done on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR. The legitimate interest on the part of MVV GmbH lies in the outsourcing of payment processing and receivables management. The legitimate interest on the part of LOGPAY Financial Services GmbH is the processing of data for the purpose of processing payments, managing receivables, assessing the admissibility of payment methods and avoiding payment defaults.
(2) The offer to conclude a purchase contract for a ticket is only accepted if LOGPAY Financial Services GmbH acquires the resulting claim from the ticket sale. If LOGPAY Financial Services GmbH refuses to acquire the claim, the customer's offer to conclude a purchase contract is rejected.
(3) The customer may object to the transmission of this data to LOGPAY Financial Services GmbH at any time, but it will then no longer be possible to place an order via the electronic sales channel.
(4) The customer can access LOGPAY Financial Services' data protection information at documents.logpay.de/de/datenschutzinformationen.pdf.
(5) In addition, MVV GmbH processes the customer's personal data that MVV GmbH receives from LOGPAY Financial Services GmbH (information on the decision whether or not to purchase the receivable).
(6) In the event that personal data is processed for the performance of tasks carried out in the public interest (Art. 6 para. 1 sentence 1 lit. e GDPR) or to safeguard legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR), the customer may object to the processing of personal data concerning him/her at any time with effect for the future. In the event of an objection, MVV GmbH must refrain from any further processing of the customer's data for the aforementioned purposes, unless
(7) As part of the registration process for the SEPA Direct Debit payment method and/or in the event of changes to customer data in connection with the switch to the SEPA Direct Debit payment method, the financial company LOGPAY Financial Services GmbH may carry out a check of the customer's details and creditworthiness. This is done by comparing the customer's personal data with the database of SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden.
(8) In order to check the credit card data provided by the customer and to process payments using the credit card procedure, the finance company LOGPAY Financial Services GmbH will forward the credit card and payment data to a credit card acquirer.
(9) In the event that the customer does not meet his payment obligations, his personal data will be passed on to a debt collection agency for the purpose of collecting the receivables (e.g. by means of payment reminders/reminders) and enforcing the receivables (e.g. in the context of legal dunning proceedings or cooperation with a law firm in the event of legal enforcement).
6. Customer support
(1) Any queries or complaints on the part of the customer regarding the correctness of the journey recording of a trip shall be taken over and processed by the customer support of the technical service provider MENTZ on behalf of MVV GmbH. All other inquiries (e.g. about the tariff or registration) are handled and processed by MVV GmbH's customer support. Customer inquiries sent directly from the MVV app are sent directly to MENTZ (journey and stop recording) or to MVV GmbH, depending on the subject specified. General inquiries sent by email will first be reviewed by MVV GmbH and forwarded to MENTZ if necessary.
(2) MVV GmbH may use and store the personal data of customers registered with it for the purpose of customer care and may also pass it on to its service providers to clarify questions; it will not be used for advertising or other purposes without the customer's prior express consent.
(3) The processing of this personal data is based on the legal basis of Art. 6 para. 1 lit. b GDPR, provided that the communication takes place in connection with the execution of the ticket purchase. The processing for other communication is based on the legitimate interest (on the part of MVV GmbH) pursuant to Art. 6 para. 1 lit. f GDPR, namely for the needs-based processing of the customer's contact request. No InOut ticket can be used without providing the data.
7. Market Research
(1) The InOut system implements a new technology for recording travel data for ex-post fare calculation. MVV GmbH can carry out market analyses (market research) in order to continuously improve and further develop the system and its user-friendliness. For this purpose, the customer can be sent a request to participate in market research in the app or via the e-mail address voluntarily released for market research purposes during registration. Participation in this is voluntary. By participating in market research, the following information is transmitted to the market research institute
Consent can be revoked at any time in text form and is valid for the future. The processing of this personal data is based on the legal basis of Art. 6 para. 1 lit. a GDPR, consent of the customer.
8. Journey history
(1) The journey history is created in the background system. Some of the personal data is stored locally in the app in order to display the history of journeys made by the customer in the MVV app. This includes History of journeys made and the resulting tickets, user settings and certain states of the MVV app.
(2) The processing of locally stored data is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to provide the customer with a functional and user-friendly app.
9. Control of InOut journeys
(1) In order to secure revenue, the transport companies involved in the network may, if necessary, view the ticket data, the information stored in the barcode (first name and surname (masked display, if necessary, depending on the control device) as well as the date of birth and, if applicable, the title, first name and surname of the ticket holder) and the control medium presented by the customer during the control. This is done on the basis of Art. 6 para. 1 subpara. 1 lit. f) GDPR. The legitimate interest of MVV GmbH and the inspecting transport companies is to secure fare revenue. Personal data is not stored in the recording equipment, but only displayed. In the event of a complaint, personal data may be forwarded to the transport company that carried out the inspection for further processing. No InOut ticket can be used without providing the data.
10. Storage period and retention periods
(1) The personal data stored by MVV GmbH or by the service providers shall be deleted when they are no longer required for the fulfillment of the purpose for which they were collected (distribution of InOut tickets) and the statutory retention obligations (maximum ten years according to § 147 para. 3 AO) no longer conflict with this. The data of a registered customer account that has not been active for two years will be deleted from the corresponding directory after two years at the latest. Data of active customer accounts will be deleted from the corresponding directory ten years after the booking date. Order data is to be treated as a booking document and is stored in accordance with the statutory retention periods, after which it is deleted. Otherwise, deletion will take place at the express request of the customer by e-mail to kundendialog-swipe@mvv-muenchen.de, provided there are no statutory retention obligations to the contrary. In this case, deletion will take place after 30 days at the latest.
(2) Information that is relevant for technical testing and analysis, i.e. operating software (version), model of the end device and app version, is temporarily stored and automatically deleted again after six months.
11. Forwarding of data
(1) In the course of using the functions and processing the contract, it is usually necessary to involve processors. These include:
All processors and external service providers have been or will be carefully selected and are subject to strict data protection agreements. They are safeguarded by contractual regulations, technical and organizational measures and supplementary controls.
Insofar as this is necessary for the aforementioned purposes, MVV GmbH also transfers customer data to recipients outside the European Economic Area (EEA), provided that
In addition, MVV GmbH transfers the customer's personal data to the technical service providers used by MVV GmbH, which support MVV GmbH in operation and maintenance and are based in the USA. The customer's personal data is stored exclusively on servers within the EU/EEA. However, it cannot be completely ruled out that the customer's personal data may be transferred to the USA (e.g. in the case of support inquiries). To this end, MVV GmbH and the technical service providers it uses have taken suitable measures to ensure an adequate level of protection for the customer's personal data. In addition to the conclusion of the EU Commission's standard contractual clauses, this also includes the implementation of additional technical, organizational and contractual protective measures. The customer's other personal data is not transferred to countries outside the EEA.
12. Other information on data protection
(1) Insofar as the processing of personal data is based on the customer's consent, there is a right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal, in accordance with the statutory provisions on data protection (Art. 7 GDPR, Section 51 BDSG).
If personal data is processed for the performance of tasks carried out in the public interest (Art. 6 para. 1 sentence 1 lit. e GDPR) or for the purposes of legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR), the customer may object to the processing of their personal data concerned at any time with effect for the future. In the event of an objection, MVV GmbH must refrain from any further processing of the data concerned for the aforementioned purposes, unless
There is a right to information about the personal data concerned (Art. 15 GDPR) as well as to rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR) or to restriction of processing (Art. 18 GDPR) or a right to object to processing (Art. 21 GDPR) as well as a right to data portability (Art. 20 GDPR) in accordance with the statutory provisions on data protection. The customer can assert these rights by sending an email to kundendialog-swipe@mvv-muenchen.de.
(2) In addition to the aforementioned processing purposes, the customer's personal data will also be processed for the following purposes:
(3) In accordance with Art. 77 GDPR, without prejudice to any other administrative or judicial remedy, the customer shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the customer considers that the processing of personal data relating to him or her infringes the General Data Protection Regulation.
(4) The competent supervisory authority for MVV GmbH is the
Bayerische Landesbeauftragte für den Datenschutz (Bavarian State Commissioner for Data Protection), Postfach 22 12 19, 80502 Munich, www.datenschutz-bayern.de.