Data-Policy

§ 1 Information on the Collection of Personal Data

The following items provide an explanation of how and for what purpose personal data is collected when you use our website. Personal data includes all data that directly relates to you and can be used to identify you as a person, e.g. your name, address, e-mail addresses and user behavior.

§ 2 Data Controller

The data controller pursuant to Art. 4 Sect. 7 General Data Protection Regulation (GDPR) is HanseCom Public Transport Ticketing Solutions GmbH. The contact details are as follows:

HanseCom Public Transport Ticketing Solutions GmbH
Amsinckstraße 34
20097 Hamburg, Germany

hallo@hansecom.com

§ 3 Data Protection Officer

You can contact our data protection officer as follows:

Ines Krumrei

E-mail: datenschutz@hansecom.com

§ 4 Supervisory Authority

The relevant supervisory authority is:

Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str. 22, 7. OG
20459 Hamburg, Germany

Phone: +49 40 428 544 040
E-mail: mailbox@datenschutz.hamburg.de

§ 5 Your Rights

As regards personal data relating to you, you have the following rights vis-à-vis us:

· Right to information,

· Right to rectification or deletion,

· Right to restrict processing,

· Right of objection to processing,

· Right to data portability.

You also have the right to file a complaint with a data protection supervisory authority regarding the processing of your personal data by us.

§ 6 Collection of Personal Data When You Visit Our Website

When you visit the website for the sole purpose of obtaining information, we only collect the personal data that your browser transmits to our server. When you decide to view our website, we collect the following data to obtain the technical information necessary to display our website to you and to guarantee its stable and secure operation (legal basis is Art. 6 Sec. 1 S. 1 lit. f GDPR):

· IP address,

· Date and time of the request,

· Time zone difference to Greenwich Mean Time (GMT),

· Content of the request (specific page),

· Access status/HTTP status code,

· The amount of data transferred in each case,

· Web page from which the request originated,

· Browser,

· Operating system and interface used,

· Language and version of the browser software.

§ 7 Disclosure of Your Data

Your data will not be disclosed to unauthorized parties. We will only disclose your data where this is necessary to fulfill legal or contractual obligations. Examples of this include the disclosure of data to tax authorities or to public prosecutors in the context of preliminary proceedings. We will also transfer your data to service providers who are necessary for the provision of services (e.g. technical service providers).
If our service providers are based outside the EU, we ensure that an adequate level of data protection as set forth in Art. 45 GDPR is adhered to or that the data importer has provided suitable guarantees pursuant to Art. 46 I GDPR.

§ 8 Objection or Revocation

1. Revocation of consent

If you have given your consent to the processing of your data, you can revoke it at any time.

2. Objection based on balancing interests

Insofar as we base the processing of your personal data on a balancing of interests, you may object to the processing. This is the case if the processing is not necessary in particular for the fulfillment of a contract with you. This is indicated by us in each case in the description of the functions below. In the event of such an objection, we ask you to explain the reasons why we should not process your personal data in the way we have done. In the event of your justified objection, we will examine the facts and either discontinue or adapt the data processing or point out our compelling legitimate grounds on the basis of which we will continue the processing.

3. Objection to use for advertising purposes

You naturally have the right to object to the processing of your personal data for advertising and data analysis purposes at any time.

4. Contact address for revocations or objections

In the event of a revocation or objection, please send an e-mail to hello@hansecom.com.

§ 9 Cookies

1. What are (http) cookies?

In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are text files used by the opened website to store data (e.g. the time of your last visit, etc.).

2. Expiration date, persistent cookies

Cookies have a predefined expiration date. As soon as the date is reached, the cookie or the information stored with it will be deleted from your browser. These are persistent cookies.

3. What are transient cookies?

Transient cookies are automatically deleted when you close your browser. This includes in particular the session cookies. These store a so-called session ID, which is used to assign different requests of your browser to a session.

4. What does ‘local storage’ mean?

‘Local storage’ refers to the temporary storage of your browser. Web pages can use it to store data. The functionality corresponds to that of (http) cookies, which is why this data is treated the same as cookies.

5. How to reject cookies

You can configure your browser settings according to your wishes and, for example, refuse to accept third-party cookies or all cookies. Please note that in this case you may not be able to use all functions of this website.

§ 10 Specific Processing Activity: Analysis of Website Usage via Google Analytics

1. What is Google Analytics?

Google Analytics is a service provided by Google Inc. (“Google”) to analyze website usage.

2. Purpose of processing

We use Google Analytics to analyze the use of our website. The statistics gained through this service allow us to improve our offering and make it more attractive to you as a user.

3. How does Google Analytics work?

Google Analytics stores the website usage behavior, e.g. the duration of the visit, in “cookies” (see above).

4. Where is the data processed?

The information about your use of this website is stored on servers located in both the EU and the USA. EU standard contractual clauses pursuant to Art. 46 I in conjunction with Art. 46 II lit. c) GDPR have been concluded with Google.

5. Prevention of processing by Google

You can prevent cookies from being stored on your computer by making the corresponding settings in your browser. Furthermore, you can prevent Google from collecting, transferring and processing the data generated by these cookies about your website utilization (incl. your IP address) by downloading and installing the browser plugin available at this link: http://tools.google.com/dlpage/gaoptout?hl=de.

6. Legal basis

The legal basis for the use of Google Analytics is your implied consent pursuant to Art. 6 Sec. 1 S. 1 lit. a GDPR and our legitimate interest pursuant to Art. 6 Sec. 1 S. 1 lit. f GDPR.

7. Further information

Third-party information: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.

Terms of use: http://www.google.com/analytics/terms/de.html

Overview of data privacy: http://www.google.com/intl/de/analytics/learn/priv...

Privacy policy: http://www.google.de/intl/de/policies/privacy

§ 11 Facebook

You can share the content of our website on Facebook. We do not use any plugins for this purpose. You can share our website by clicking Internet links. Once you select the share website feature, you will be using Facebook’s website services. You will leave our website, and Facebook will likely process the personal data that is usually collected when you visit websites.

§ 12 Google Web Fonts

1. What are Google Web Fonts?

Google Web Fonts are free character sets provided by Google that can be used on client computers to display web pages.

2. Purpose of processing

We use Google Web Fonts for the uniform presentation of our website.

3. Is personal data processed in this case?

When the website is displayed, the visitor’s computer downloads the character sets from Google. Google registers this process and can identify which website was opened by the user.

4. Where is the data processed?

The information about your use of this website generated by the retrieval of the character sets is stored on servers located both in the EU and in the USA. EU standard contractual clauses pursuant to Art. 46 I in conjunction with Art. 46 II lit. c) GDPR have been concluded with Google.

5. Legal basis

The legal basis for the use of Google Web Fonts is Art. 6 Sec. 1 S. 1 lit. f GDPR.

6. Further information

Third-party information: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.

Information about Google Web Fonts: https://developers.google.com/fonts/faq

Privacy statement: http://www.google.de/intl/de/policies/privacy

§ 13 Embedded YouTube Videos

1. What Are YouTube Videos?

These are videos embedded in our website. The technology for playing the videos is provided by Google.

2. Purpose of processing

We process the data in order to provide you with videos on our website.

3. What data is processed by YouTube?

YouTube videos are provided in ‘Advanced Privacy Mode’. This means that no personal data is processed by YouTube when you access the website on which the YouTube video was integrated. Only when you play videos will YouTube process the personal data that is usually required for the rendering of web services (IP address, time, etc.). For more information on these data categories, please consult § 6 of this declaration. The processing will take place regardless of whether you are logged in with your Google Account.

If you are logged in at Google, your data will be directly associated with your account. If you do not want this action to be associated with your Google profile, you must log out before activating the button. YouTube stores your data in user profiles and uses it for the purposes of advertising, market research and/or the need-based design of its website. This evaluation is carried out in particular (even for users who are not logged in) to provide demand-oriented advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, but you must contact YouTube to exercise this right.

4. Legal basis

The legal basis is Art. 6 Sec. 1 S. 1 lit. f GDPR.

5. Further information

YouTube is a service offered by Google. The information generated by the retrieval of the videos is stored on servers located both in the EU and in the USA. EU standard contractual clauses pursuant to Art. 46 I in conjunction with Art. 46 II lit. c) GDPR have been concluded with Google. Further information on the purpose and scope of data collection and processing can be found in the privacy statement. It also provides you with more information on your rights and setting options to protect your privacy: https://www.google.de/intl/de/policies/privacy.

Third-party information: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.

Information about Google Web Fonts: https://developers.google.com/fonts/faq

Privacy statement: http://www.google.de/intl/de/policies/privacy

§ 14 Advertising and Information on Products, Services and More (Newsletter)

1. Purpose and legal basis

Data is processed to inform you about products, services and further marketing measures via e-mail. The basis for this is the digitally granted consent in accordance with Art. 6 I S. 1 lit. a GDPR. Furthermore, we process your data in our own interest in accordance with Art. 6 I S. 1 lit. f GDPR.

2. Data categories

We process your e-mail address in order to be able to send you e-mails. We also process your first name and surname to address you personally.

3. Transmission of your data to our service provider

The data is transmitted to the operators of our IT infrastructure. It is also possible that external IT service providers may have access to this data during troubleshooting activities.

We use the services of the following providers to send out e-mails:

- Orange Marketing (Christian Harms, Schumannstr. 49, 60325 Frankfurt am Main, Germany)

The service provider integrates a so-called ‘tracking pixel’ into the dispatched newsletters. This tracking pixel enables the provider to analyze user behavior, such as whether the newsletter has been read by the recipient.

4. Access authorization

Your data can only be accessed by employees who are authorized to do so.

5. Voluntary nature and revocation of consent

Your consent is voluntary. The use of our services and offers is not affected by this consent. You can revoke your consent at any time. To do so, use the corresponding link in the e-mail or send an e-mail to hallo@hansecom.com.

6. Retention period

If no obligations of retention exist, we will delete your data after you withdraw your consent.

§ 15 E-Mail Server

1. Purpose and legal basis

Data processing is carried out in order to be able to communicate with you via electronic mail. We perform this processing in order to fulfill our agreed obligations defined in Art. 6 I S. 1 lit. b GDPR. Furthermore, the operation of the e-mail server and the communication made possible by it are also in our own interest in accordance with Art. 6 I S. 1 lit. f GDPR.

2. Data categories

When operating the e-mail system, all data that you send us via electronic mail is captured. This includes, for example, e-mail addresses, your name, your address and other communication data.

3. Recipient of your data

The data is transmitted to the responsible persons named under § 1 and the operators of our IT infrastructure. It is also possible that external IT service providers may have access to this data during troubleshooting activities. We draw on a service from Microsoft to send out e-mails. Your data can only be accessed by employees who are authorized to do so.

4. Access authorization

Your data can only be accessed by employees who are authorized to do so.

5. Retention period

If no obligations of retention exist, we will delete your data after you withdraw your consent.

An obligation of retention can result, for example, from Section 147 of the German Fiscal Code. If a separate contract has been concluded or a contract has been initiated with you, we are obliged under this provision to store the data for 10 years.

6. Disclosure of data

The e-mail server is operated and maintained by Microsoft. For this reason, e-mails are also stored in Microsoft’s infrastructure. Although Microsoft is a company based outside the EU (USA), it has subjected itself to the Privacy Shield framework and thus guarantees a data protection standard that corresponds to that of the European Union. For more information on this, please use the following link: http://www.microsoftvolumelicensing.com/Downloader...

7. Encryption

In order to prevent unauthorized access to your personal data by third parties, our e-mail servers support transport-encrypted transmissions. All synchronizations are carried out in encrypted form. Furthermore, our contact form is provided on an encrypted website.

§ 16 deleted


§ 17 Payments and Accounting

1. Purpose and Legal Basis
We process your data to making payments, receive payments and to record incoming and outgoing payments for accounting purposes.
Since the payments are made within the framework of contractual service agreements, the legal basis for this is provided in Art. 6 I lit. b GDPR. 

2. Data Categories
We process your name, the payment amount and the type of ticket purchased.

3. Recipient of Your Data
Incoming payments are processed by our banking institution and are therefore also disclosed to it.

4. Access Authority
Your data can only be accessed by employees who are authorized to do so. 

5. Retention Period
The data must be retained for 10 years due to statutory retention obligations.

§ 18 LogPay and Credit Check

1. Purpose and Legal Basis
We do not perform credit checks. Purchase price claims are assigned to the LogPay payment service provider by our clients. Further details as well as the contact data of the respective responsible persons can be found in Section 19 of this data privacy declaration. For more information on data processing at LogPay, click the following link: https://www.logpay.de/DE/datenschutzinformationen/
The legal basis for the assignment of claims is Art. 6 I lit. f GDPR. The outsourcing of payment processing and receivables management constitute the legitimate interest.
LogPay, as the responsible party, performs credit checks at its discretion during initial registration. Our own legitimate interest pursuant to Art. 6 I lit. f GDPR is the avoidance of payment defaults.

2. Data Categories
The name, date of birth, address, e-mail address, bank account details, credit card information as well as information about the data and the services received are processed.

3. Further Details
Since the principals listed under Section 17 Item 10 are responsible for this data processing, you can obtain further details from the relevant contacts listed there.
Information on data processing and credit assessment by LogPay (LogPay Financial Services GmbH, Schwalbacher Strasse 72, 65760 Eschborn, Germany) is provided via the following link: https://www.logpay.de/DE/datenschutz/

§ 19 Virtual Events, Video Conferences

1. Purpose and Legal Basis
We offer virtual rooms and events that enable the exchange of experiences as well as networking with other participants. The exchange of experiences is in our legitimate interest. Consequently, the legal basis is Art. 6 I lit. f) GDPR. By participating voluntarily, participants express that their interest does not supersede ours.
We also use voice and video conferencing systems to conduct face-to-face meetings with you in the context of maintaining customer relations. The legal basis for this is the fulfillment of contractual obligations in accordance with Art. 6 I lit. b) GDPR.

2. Data Categories
Virtual events are carried out with the help of video conferencing systems. To use these, it is necessary to process the following categories of data: Your public IP, the time of use and your login name. The following categories of data are also processed: your name, company name, e-mail address as well as voice and video communication data.

3. Recipients of Your Data
We draw on the services of Microsoft (Teams) and Lionheartt Squared Ltd (Zoom) to provide video conferencing functions. EU standard contractual clauses have been agreed with both suppliers. For more information, please consult the privacy statements of the providers:
Zoom (Lionheart Squared Ltd): https://zoom.us/docs/de-de/privacy-and-legal.html

4. Access Authorization
Your data can only be accessed by employees who are authorized to do so.

5. Retention Period
Video and voice conferences are not recorded as a general rule.

§ 20 Dispatch of Postal and Merchandise Consignments

1. Purpose and Legal Basis
The processing of your data is necessary for the dispatch of postal and merchandise consignments. If these are consignments made within the framework of contractual agreements, the legal basis for this is provided in Art. 6 I lit. b) GDPR. If we send you mailings in order to advertise our products and services, the legal basis is Art. 6 I lit. f) GDPR. In this case, the marketing of our offers constitutes our legitimate interest.

2. Data Categories
The following information is required to complete the shipping process: your name and address.

3. Recipients of Your Data
Your data will be transferred to various European transport service providers.

4. Access Authorization
Your data can only be accessed by employees who are authorized to do so.

5. Retention Period
The data will be deleted after the purpose ceases to exist.

§ 21 Event Organization

1. Purpose and Legal Basis
Data is processed for the purpose of organizing and implementing face-to-face events. Your data is processed as a result of your registration and thus on the basis of Art. 6 I lit. b) GDPR.

2. Data Categories
We process the following data categories: your name, your company’s name, your company’s address, your position in your company, your phone number, your e-mail address, and your meal preferences.

3. Recipients of Your Data
Your data will be provided to the service providers who need this information for the event. This includes postal service providers for sending invitations and catering service providers for providing food. The data of presenters is transmitted to the hotels, driving service providers and travel service providers.

4. Access Authorization
Your data can only be accessed by employees who are authorized to do so.

5. Retention Period
The data will be deleted after the purpose ceases to exist.

§ 22 Photos and Videos

1. Purpose and Legal Basis
We take photos and videos at our events and publish them on the Internet and in print media. The processing of data serves the purpose of public relations activities, which is also the legitimate interest pursuant to Art. 6 I lit. f) GDPR of the controller (see recital 47). It is questionable whether the interest of the data subjects in protecting their privacy outweighs this interest. The photographs and videos taken predominantly depict a professional environment. Moreover, these are publicly advertised events, and the fact that photographs and videos will be taken is pointed out in advance.
Furthermore, care is taken during production and publication to ensure that the legitimate interests of the persons depicted are taken into consideration. Therefore, the interest of the data subject does not prevail. The legal basis for processing is Art. 6 I lit. f) GDPR.
Any recordings and publications by the press or other media are carried out by the respective responsible press or media company based on the media privilege pursuant to Art. 85 II GDPR.

2. Data Categories
Image, sound and video recordings are processed.

3. Recipients of Your Data
We publish the recordings on our website, in print media and on the following social media platforms:

Facebook
The provider is Facebook Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland). For more information on privacy, please visit https://www.facebook.com/policy.php.

XING
The provider is New Work SE (Dammtorstr. 30, 20354 Hamburg, Germany). For more information on privacy, please consult the XING privacy policy at https://privacy.xing.com/en/privacy-policy.

LinkedIn
The provider is LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland). For more information on privacy, please see LinkedIn’s privacy policy at https://www.linkedin.com/legal/privacy-policy and cookie policy at https://www.linkedin.com/legal/cookie-policy.

4. Right of Objection
You can object to the processing at any time. Please address your objection to the responsible body listed in Section 2.

5. Retention Period
If you object to the processing, we will delete the recordings made of you.

§ 23 Postal Marketing

1. Purpose and Legal Basis
Data is processed for the purpose of providing information about our products, services and other offers by post. Marketing measures by letter are carried out on the basis of Art. 6(1) lit. f) GDPR. Our own legitimate interest is the advertising of our own offers (cf. recital no. 47). A possible interest of the data subject is protection against harassment by mail advertising. According to Sec. 7 UWG, unreasonable harassment is always to be assumed in the case of contact by telephone according to Sec. 7 II No. 2 UWG or contact by electronic means (e-mail, fax) according to Sec. 7 II No. 3 UWG. Postal advertising is excluded from this. The legislator is therefore of the opinion that unreasonable harassment is not to be assumed in the case of postal advertising. In the absence of unreasonable harassment, the interest of the data subject in being protected against harassment does not outweigh the interest of the data controller.

2. Data Categories
Your name and address data will be processed.

3. Recipients of Your Data
We use postal service providers for mailing, who receive your address data as part of the delivery order.

4. Right of Objection
You can object to the processing at any time. Please address your objection to the responsible body listed in Section 2.

§ 24 E-Mail Marketing

1. Purpose and Legal Basis
Data is processed for the purpose of providing information about our offers and services via electronic mail (e-mail). This purpose also constitutes our legitimate interest pursuant to Art. 6 I lit. f) GDPR (cf. recital no. 47). A possible interest of the data subject is protection against harassment by advertising. According to Sec. 7 UWG, unreasonable harassment is always to be assumed in the case of contact by telephone according to Sec. 7 II No. 2 UWG or contact by electronic means (e-mail, fax) according to Sec. 7 II No. 3 UWG.
This does not apply to marketing measures directed at our customers who have already received similar goods or services from us pursuant to Section 7 III No. 2 UWG. According to the legislator, it must therefore be assumed that the interest of the data subjects does not outweigh our interest.
If the data subjects have consented to receiving electronic mail, the legal basis is Art. 6 I lit. a) GDPR.

2. Data Categories
Your name and e-mail address will be processed.

3. Recipients of Your Data
The data is transmitted to the responsible persons named in Section 1 and the operators of our IT infrastructure. It is also possible that external IT service providers may have access to this data during troubleshooting activities. We draw on a service from Microsoft to dispatch e-mails.
Your data can only be accessed by employees who are authorized to do so.

4. Right of Objection
You can object to the processing at any time. Please address your objection to the responsible body listed in Section 2.

§ 25 LinkedIn Insight Tag

1. Purpose and Legal Basis
Data is processed for the purpose of analyzing website usage and advertising activities. For this purpose, we use the “LinkedIn Insight Tag” conversion tracking tool of service provider LinkedIn Corporation (1000 W. Maude Avenue, Sunnyvale, CA 94085, USA).
This tool creates a cookie in your terminal device that stores the following data: web page views (URL), device and browser properties, and the IP address.

LinkedIn anonymizes the data before we, the site operator, receive it in the form of reports and statistics on advertisement performance.

The data is processed based on your consent according to Art. 6(1) lit. a) GDPR.

2. Where Is Your Data Processed?
In the course of using LinkedIn Insight-Tag, personal data may also be transmitted to the servers of LinkedIn Corporation in the USA. We have entered into an order processing agreement with LinkedIn for the use of LinkedIn Insight-Tag (https://de.linkedin.com/legal/l/dpa), which obliges LinkedIn to protect the data of our site visitors. EU standard contractual clauses pursuant to Art. 46 I in conjunction with Art. 46 II lit. c) GDPR were concluded to legitimize the data transfer. Further information on the purpose and scope of data processing can be found in the privacy policy of LinkedIn Corporation at https://de.linkedin.com/legal/privacy-policy.

3. Retention Time
The personal data collected by LinkedIn is automatically deleted within 90 days.

4. Revocation
You can revoke your consent at any time with effect for the future. To exercise your revocation, you can revoke your consent in the section above (“How to Disable or Remove Cookies”).

Date: 17 August 2022