MVV takes the security of personal data very seriously. This page outlines how your data as well as the data processed in the app is handled. For questions and information request, please use the contact details listed below on this page.

In the MVV-App, apart from the temporary, technically necessary intermediate saving of data due to the IP-based communication requirements and during the usage of any of the offered ticket shops for the purpose of purchasing tickets through MVV-HandyTickets, no personal data is processed.

While using one of the offered ticket shops for MVV-HandyTickets in the MVV-App, personal data is processed in accordance to the terms and conditions of the respective ticket shops. The relevant rules applicable to the sale of Handy and Online Tickets through the MVV GmbH’s Ticket shop which are stated in the section 12 of General Terms and Conditions have been listed (in extracts) in the lower part of this privacy policy.

Depending on the operating system and the respective authorization systems, special rights are required by the MVV-App to be able to carry out all of its functions. For each of the authorization, you will be explicitly informed during the installation or during the first use of the respective function. At this point you can decide explicitly whether you would like to authorize certain functions or not.

With the MVV-App you have the possibility to obtain travel information for any desired location as well as for your current location. This app uses location information made available by the smartphone, provided that it is enabled in the user settings. The app uses this data to determine the waypoints of travel routes and identify nearby stops/stations and departure times. The addresses, points of interests and PT stops used for the travel information are recorded (see Data Storage) without it being possible to retrace the person or his location. The explicit location data is also not stored or passed on to third parties.

The app saves the following information on the user-device: history of the last entered origins-destinations, public transport connections and lines, user-selected favorites, user-defined settings, downloads (network plans), status of app (to restore the last status when the app is restarted) and the data received from the server (e.g. map section, timetables). The app has access to the above-mentioned information from the local storage of the user-device. Please be advised that depending on the operating system further authorizations could be required to access the external memory cards (for example in case of Android an access to photos, media and documents is requested). In this case, none of your personal data is accessed. 

To ensure a safe operation, the calculations regarding the electronic travel information (departures, timetables etc.) are recorded on our servers. The stored information consists exclusively of the calculations that were carried out and it adheres to the privacy policy of Münchner Verkehrs- und Tarifverbund GmbH, or rather that of the Bayerischen Eisenbahngesellschaft mbH. No personal information is transferred or stored. Therefore, it is not possible to trace back the user or any request patterns of the users.

The MVV-App is made available for download through the respective App stores. For the privacy regulations concerning these App stores or directly related fields we would like to refer you to their respective privacy policies:

• Apple App Store: https://www.apple.com/legal/privacy/de-ww/
• Google Play Store: https://policies.google.com/privacy?hl=de&gl=de
• Amazon Appstore: https://www.amazon.de/gp/help/customer/display.html/ref=footer_privacy?ie=UTF8&nodeId=201909010
• Microsoft Store: https://privacy.microsoft.com/de-de/privacystatement

The personal information given explicitly for the purpose of purchasing tickets and all the related changes are stored and processed by the respective shops or their service providers in accordance to their general terms and conditions.

The app can be used to save calculated routes to digital calendars or to send them to third parties via text message, e-mail or social media platforms such as WhatsApp, Twitter, Telegram etc. These share options are based on the services installed on the smartphone and are subject to the respective data protection principles of these services. We do not have any influence over the apps installed by you or their respective privacy policies. The app’s access to configured calendars is write-only, meaning that existing entries are not read. Contact information is used solely for the purpose of sending messages; the data is not processed or stored by the app or our server.

As a user you can actively report delays. When a user reports a delay, - and the permission is granted by the user - the location information of the smartphone is accessed. Your location is only needed as a plausibility check in order to avoid miss-use of the service (the delays are cross-checked with the delays reported by the actual lines serving the respective routes). Your exact location is neither transferred nor stored on our servers. Submitted delay notifications are anonymised by MVV GmbH and/or IT service providers and subsequently stored on servers, aggregated and temporarily made available to other passengers. The only information used are the affected PT lines, stops and the type of delay report. No personal user data is collected.

In order to further improve the quality of the app, MVV GmbH and/or IT service providers generate, after the express consent of the user, anonymised statistics regarding the usage of this app. This data only serves as a basis for product improvement and does not consist of any personal information. It is not possible to draw any conclusions regarding the user’s identity from this data. These usage statistics are used solely for the purpose of improving the product and do not contain any personal information. Users can deactivate this feature at any time in the app’s settings menu. For obtaining the user-statistics, we use Google Analytics with an active IP-Anonymiser in our MVV-App for Android and iOS. The collected anonymous statistics information is transferred to Google servers and stored there. Google analyses this data to generate reports regarding the user-activity of the app. More detailed information regarding this can be found under www.google.com/analytics/terms/de.html and www.google.de/intl/de/policies/.

During ticket purchase through MVV-App’s HandyTicket, the data protection regulations of the respective ticket shops apply. The regulations governing the sale of Handy and Online tickets via the ticket shop of MVV GmbH in accordance with section 12 of the Handy and Online Ticket terms and conditions are listed below.

The terms and conditions of the MVG and S-Bahn ticket shop can be found in the respective ticket shops.

In order to make the purchase process from HandyTicket easier, the user can permit the access to the device’s contacts. By doing this, the contact information can be automatically read and does not need to be manually entered during the purchase process. This service is optional and provides a faster way to buy tickets for passengers.

Processing of data takes place in accordance with Art. 6 (1) subpar. 1 lit. f) GDPR to safeguard the legitimate interests of MVV GmbH, the transport companies and the authorities, in order to provide you, as a user of our MVV-App, better access to public transport and to facilitate timetable information and the purchase of MVV HandyTickets.

Users have the right to information regarding the concerned personal data (Article 15 GDPR) as well as to rectification (Article 16 GDPR) or cancellation (Article 17 GDPR) or to restrict the processing of data (Article 18 GDPR) or a right to object to the processing (Article 21 GDPR) and a right to data portability (Article 20 GDPR) in accordance with the statutory provisions on data protection.

According to Article 77 GDPR, irrespective of any administrative or judicial remedies, you have the right to lodge a complaint with a supervisory authority, in particular in the Federal State of your residence, place of work or place of alleged infringement, if you consider that the processing of your personal data has violated the General Data Protection Regulation.

Responsible supervisory authority for MVV GmbH is the Bavarian State Commissioner for Data Protection, PO Box 22 12 19, 80502 Munich, www.datenschutz-bayern.de.

The responsibility for data protection at MVV lies with the executive managerial board of MVV GmbH. It can be reached by e-mail via info@mvv-muenchen.de or by post via MVV GmbH, Geschäftsführung, Thierschstraße 2, 80538 München.

MVV GmbH has a data protection officer. You can reach them by e-mail via datenschutz@mvv-muenchen.de or by post via MVV GmbH, Datenschutzbeauftragter, Thierschstraße 2, 80538 München.

Excerpt from the General Terms and Conditions and Privacy Policy (GTC) for the sale of MobileTickets via the ticket shop of MVV GmbH (as of May 2018)

(1) In order to process the e-Payment services (e.g. webshop, mobile app) MVV GmbH uses the services of the IT service provider eos.uptrade GmbH, Schanzenstraße 70, 20357 Hamburg, and the financial services provider LogPay Financial Services GmbH, Schwalbacher Straße 72, 65760 Eschborn. The technical operation of the software components is delegated to eos.uptrade GmbH; all infrastructure is installed in certified data centers in Germany.

(2) The personal data provided by the customer (first and last name, date of birth, address, email address, if necessary a banking account or credit card data, if applicable mobile number) as well as data regarding the ticket purchases of the customer (order data, if necessary IP address and client, log data) and all changes are passed on to LogPay Financial Services GmbH for the purpose of the sale and assignment of the claims against the customer in connection with the ticket purchase. This is done on the legal basis of art. 6 sect. 1 sentence 1 lit. f GDPR. The legitimate interest of MVV GmbH is the outsourcing of the payment process and the receivables management. The legitimate interest of LogPay Financial Services GmbH is the collection of data for the purposes of handling payments, receivables management, the assessment of permissibility of payment methods and the prevention of payment defaults. The information regarding data protection of LogPay Financial Services GmbH can be accessed on https://landingpage.logpay.de/mobility_dsgvo_2018/. Without providing the data, the Mobile-/OnlineTicket cannot be used.

(3) LogPay Financial Services GmbH shall conduct a check of the consumer’s data and creditworthiness during the registration for the SEPA direct debit procedure and/or in consequence of the change of the payment method to direct debit procedure. The latter shall be carried out by comparing the customer personal details given with the stored date of SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden. 

(4) LogPay Financial Services GmbH passes the customer’s credit card on to a credit card acquirer in order to check the credit card details and to process all payments via credit card. 

(5) In case the customer fails to meet his or her payment obligations, the personal details are passed on to a debt collection agency for the purpose of the collection of the receivables (for example with a payment reminder) and the enforcement of the receivables (for example through legal default actions or the cooperation with a law firm in case of a legal enforcement).

MVV GmbH may use and store the personal data of registered customers for the purpose of customer service and also pass them on to their service providers for the clarification of questions; the personal data are not used for advertising or other purposes without the prior explicit consent of the customer. This is done on the basis of 6 sect. 1 sentence 1 lit. b GDPR, for fulfilment of the Mobile-/OnlineTicket contract. Without providing the data, the Mobile-/OnlineTicket cannot be used.

For securing the revenues, the transport companies involved in the transport association may - on request - inspect the ticket data, the information stored in the barcode (masked last name, masked first name and date of birth of the ticket holder) and the control medium (e.g. personal ID) provided by the customer. This is done on the basis of of art. 6 sect. 1 sentence 1 lit. f GDPR. The legitimate interest of MVV GmbH and the transport companies is the securing of fares. Personal data are not stored on the control device, but only displayed. In the event of an objection to a ticket inspection, personal data may be forwarded to the transport company that is in charge of further processing. Without providing the data, the Mobile-/OnlineTicket cannot be used.

(1) The personal data collected by MVV GmbH or by its service providers will be deleted when the purpose of the data collection (sale of Handy- and Online tickets) does no more exist and no legal retention periods are opposed. The account information of a customer, who has not made any ticket purchases, will be erased, at the latest, after a period of two years. The account information of a customer who has made ticket purchases will be deleted ten years after the last purchase. The order data are treated as a receipt and are stored according to legal retention periods, then they are deleted. Apart from that, a cancellation of personal data can be carried out if a customer explicitly requests it by sending an email to kundenbetreuung@mvv-muenchen.de and given that no legal retention periods are opposed.

(2) As long as the processing of personal data is based on the consent of the customer, there is a right to revoke the consent at any time, without affecting the legality of the processing carried out on the basis of the consent until the revocation, in accordance with the legal regulations on data protection (art. 7 GDPR, § 51 BDSG). There is a right to information on the personal data concerned (art. 15 GDPR) as well as to rectification (art. 16 GDPR) or cancellation (art. 17 GDPR) or to restriction of processing (art. 18 GDPR) or a right of objection to the processing (art. 21 GDPR) and a right to data portability (Article 20 GDPR) in accordance with the legal regulations on data protection. The customer can assert these rights by sending an e-mail to kundenbetreuung@mvv-muenchen.de.

(3) The website of MVV GmbH and the webshop for the sale of OnlineTickets uses etracker technology to collect visitor behavior data. These data are collected anonymously to be used for optimization purposes. All visitor data is saved using an anonymous user ID and can be aggregated to a usage profile. Cookies may be used to collect and save this data, but the data remains strictly anonymous. Cookies are small text files that are stored in the visitor’s local browser cache. Using such cookies it is possible to recognize the visitor’s browser. The data will not be used to determine the personal identity of the website visitor or compiled with personal data pertaining to the user of the pseudonym unless agreed to separately by the person concerned. The collection and storage of data may be revoked at any time with respect to subsequent services.

(4) The responsibility for data protection according to legal regulations is in the hands of MVV GmbH, represented by the management. It can be reached by e-mail via info@mvv-muenchen.de or by post via MVV GmbH, Management, Thierschstraße 2, 80538 Munich. MVV GmbH has a data protection officer that can be reached by e-mail via datenschutz@mvv-muenchen.de or by post via MVV GmbH, Datenschutzbeauftragter, Thierschstraße 2, 80538 Munich.

(5) According to art. 77 GDPR, irrespective of any other administrative or judicial remedies, the customer has the right to lodge a complaint with a supervisory authority, in particular in the Federal State of his or her residence, place of work or place of the suspected violation, if the customer considers that the processing of his or her personal data has violated the General Data Protection Regulation.

Responsible supervisory authority for MVV GmbH is the Bavarian State Commissioner for Data Protection, PO Box 22 12 19, 80502 Munich, www.datenschutz-bayern.de.