Processing of your employees’ personal data for all tickets on chip cards

Information according to Article 13 of the General Data Protection Regulation (GDPR)


Below we provide you with information regarding the processing of your employees’ personal data for all tickets on chip cards.

Personal data is all data that can be personally attributed to you, e.g. name, address, email addresses, user history.

The responsible body according to Art. 4 Section 7 GDPR is:
Rheinbahn AG
represented by the Executive Board
Lierenfelder Straße 42
40231 Düsseldorf

Telephone: 0211.582-01
Email: rheinbahn@rheinbahn.de

Company Data Protection Officer:
c/o Rheinbahn AG
Lierenfelder Straße 42
40231 Düsseldorf

Telephone: 0211.582-01
Fax: 0211.582-4466
E-Mail: datenschutzbeauftragter@rheinbahn.de

1. Data and data categories that are processed

The following data is processed for the contractual partner (customer), ticket user and payer:

  • Personal data (surname, first name, title, form of address, gender, date of birth)
  • Address data
  • Contact data (telephone, email, address)
  • Personnel and department number, if required
  • Data relating to payment processing and payment history (bank details, payment method)
  • Proof of eligibility (e.g. confirmation of school attendance)
  • Correspondence data (written communication)

2. Purposes and legal bases

  1. For all tickets and chip cards, the collection and processing of your customer data is required for the purpose of initiating and executing your contract, and billing in connection with your contract for using ÖPNV transport services and for monitoring travel eligibility. The data you have entered is, therefore, processed for the purpose of fulfilling the contract or for implementing pre-contractual measures according to Art. 6, Section 1(b) GDPR and for fulfilling legal obligations according to Art. 6, Section 1(c) GDPR.
  2. Moreover, the data is used to carry out market research, to improve our offerings and service performance based on our legitimate interest. Your data is processed based on Art. 6, Section 1 (f) GDPR.
  3. Data is also used – if desired – for the purpose of sending information (direct advertising). Your data is then processed based on your consent to direct advertising according to Art. 6, Section 1(a) GDPR.
  4. A credit check may also be carried out based on Art. 31 BDSG [Federal Data Protection Act] (new). For this check, the services of credit agencies or other third parties are used and for this purpose, your data will be transferred to them or requested from them. Your data is then collected, processed and used for this purpose based on legitimate interests according to Art. 6, Section 1 (f) GDPR. Legitimate interests exist in the collection of data for the purposes of processing payments, assessing the admissibility of payment methods and preventing payment defaults.

3. Categories of recipients to whom the data may be disclosed

Within the company, the following departments have access to personal data required to fulfil the above-mentioned purposes. This also applies to service providers and vicarious agents used. Recipients of personal data are service providers for handling printing, IT services or market data analysis, call centres and collection agencies. We have concluded relevant contract processing agreements with these service providers according to Art. 28 GDPR. Moreover, credit agencies receive personal data. If legal requirements are met, recipients of personal data may also include investigative authorities.

4. Duration of data storage

Personal data is deleted when the contractual relationship is terminated, all mutual claims have been fulfilled and there are no other legal retention obligations or legal justifications for storage. These include obligations under the German Commercial Code (HGB) and the German Fiscal Code (AO). This means that these will be deleted, at the latest, after the expiry of the statutory retention obligations, generally 10 years after the end of the contract.

5. Your rights as data subject

  1. Right to information:
    You have the right to receive information from us, on request, regarding the personal data processed by us relating to you according to Art. 15 GDPR. You may request this information by post or by email to the above-specified addresses.
  2. Right to correction of inaccurate data:
    You have the right to request prompt correction of personal data relating to you in so far as this is inaccurate. To do this, please apply to the above-specified contact addresses.
  3. Right to deletion:
    You have the right, according to the requirements of Art. 17 GDPR, to request deletion of personal data relating to you. These requirements provide, in particular, for a right of deletion, if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, and also in cases of unlawful processing, the existence of an objection, or the existence of an obligation for deletion under Union law or under the law of the member state to which we are subject. For the period of data storage, see Section 4 of this privacy statement. To exercise your right to deletion, please apply to the above-specified contact addresses.
  4. Right to restriction of processing:
    You have the right to request that processing be restricted according to Art. 18 GDPR. This right exists in particular, if the accuracy of personal data between us and the user is disputed, for the duration required to verify the accuracy, and also in the event that the user, in the case of an existing right to deletion, requests restricted processing instead of deletion; moreover, in the event that the data is no longer required for our purposes, however, the user needs it to assert, exercise or defend legal claims, if the successful exercise of an objection between us and the user is still disputed. To exercise your right to restrict processing, please apply to the above-specified contact addresses.
  5. Right to data portability:
    You have the right to receive the personal data relating to you which has been provided for us in a structured, accessible, machine-readable format according to Art. 20 GDPR. To exercise your right to data portability, please apply to the above-specified contact addresses.

6. Right of objection

You have the right, for reasons arising from your particular situation, to object to the processing of your personal data, based on Art. 6, Section 1 (e) or (f) GDPR, in accordance with Art. 21 GDPR. This also includes the right to object to the processing for the purposes of advertising and marketing research. We will cease processing your personal data unless we can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.

7. Right of appeal

You also have the right to appeal to the competent supervisory authority (in North Rhine-Westphalia, this is the State Commissioner for Data Protection and Information Security).

8. Contact

If you have questions or comments on the way in which we handle your personal data, or if you would like to exercise the rights mentioned in Sections 6 and 7 as a data subject, please use the above-mentioned contact addresses.