
Privacy Policy

Data protection information  

HEAG mobilo GmbH thanks you for visiting our website and for your interest in our company. We take the protection of personal data seriously. Personal data is all data that can be related to you personally, e.g. name, e-mail address, telephone number, etc. 

In the following, we will first provide you with general information about the processing of your personal data and your rights as a data subject. We will then provide specific information about processing for other specified purposes. We update this data protection information on an ongoing basis. Please inform yourself regularly! 

General information on data protection  

§ 1 Responsible body 

§ 2 Company data protection officer, data protection coordinators 

§ 3 Making contact 

§ 4 Your rights as a data subject 

§ 5 Complaints to a supervisory authority 

§ 6 Revocation or objection to the processing of your data 

§ 7 No automated decision-making  

§ 8 No transfer of data to third countries 

A. Data protection information for visiting the website www.heagmobilo.de 

§ 1 Collection of personal data when visiting our website, cookies 

§ 2 Other functions and offers on our website 

§ 3 Tracking – use of Matomo 

§ 4 Newsletter 

§ 5 Google Maps 

§ 6 Google reCAPTCHA 

§ 7 Multilingualism – Polylang  

§ 8 All In One WP Security 

§ 9 Use of social media platforms 

§ 10 Facebook fan page 

§ 11 Integration of YouTube videos 

§ 12 Instagram 

B. Data protection information on the increased transport charge (EBE) 

C. Data protection information on the SEPA mandate 

D. Data protection information on visitor management 

E. Data protection information on video surveillance in the vehicles, stops and operating sites of HEAG mobilo GmbH 

F. Data protection information on data processing for job applications 

G. Data protection information on the use of season tickets as eTicket Rhein-Main (e.g. Deutschlandticket, schoolchildren’s ticket, senior citizens’ ticket) 

H. Data protection information on the mobiSmart project – collection of mobile phone data on buses and trains 

General information on data protection  

§ 1 Responsible body 

Unless otherwise stated, the controller pursuant to Article 4 No. 7 of the EU General Data Protection Regulation (GDPR) is HEAG mobilo GmbH, represented by the management, Klappacher Straße 172, 64285 Darmstadt, info@heagmobilo.de (HEAG mobilo). 

In Section B (increased transport charges), HEAG mobiBus GmbH & Co. KG, represented by the management, Klappacher Straße 172, 64285 Darmstadt, info@heagmobibus.de (HEAG mobiBus) is the responsible body for the bus sector, and in Section G (eTicket Rhein-Main) all transport companies named therein. Stradadi GmbH, represented by the management, Klappacher Straße 172, 64285 Darmstadt, info@stradadi.de (Stradadi) may also be the controller for the activity described in Section F (Applications) if the application is addressed to them. 

§ 2 Company data protection officer, data protection coordinators 

HEAG mobilo, HEAG mobiBus and Stradadi have appointed a joint company data protection officer. This is CTM-COM GmbH, Marienburgstraße 27, 64297 Darmstadt, datenschutz@ctm-com.de or telephone 06151 3942-72. 

If you have any questions about data protection, you are also welcome to contact our internal data protection coordinators at datenschutz@heagmobilo.de.

§ 3 Making contact 

When you contact us, the data you provide (your e-mail address and your request, first and last name if applicable, callback number, etc.) will be stored by us in order to answer your enquiry. We delete any data collected in the process as soon as storage is no longer required. If there are statutory retention obligations, we will restrict the processing until deletion. 

§ 4 Your rights as a data subject 

You always have the following rights vis-à-vis us as the controller with regard to your personal data in the data processing mentioned in the following sections: 

  • Right to information free of charge 
  • Right to rectification or erasure 
  • Right to restriction of processing, 
  • Right to object to processing, 
  • Right to data portability. 

§ 5 Complaint to a supervisory authority 

You can also lodge a complaint with the competent supervisory authority (Article 77 GDPR). The authority responsible for us is 

The Hessian Commissioner for Data Protection and Freedom of Information 

Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany 

Telephone 0611 1408-0 

https://datenschutz.hessen.de/.

Alternatively, you can contact your local supervisory authority. 

§ 6 Revocation or objection to the processing of your data  

(1) If you have given us your consent to process your personal data, you can revoke this consent in whole or in part at any time without giving reasons. This does not affect the lawfulness of the processing carried out until your revocation. 

(2) If we base the processing of your personal data on the protection of legitimate interests, you can object to this at any time. In doing so, we ask you to explain the reasons for your objection. These will be used to examine your objection and weigh up your interests. Depending on the result of the examination, we will discontinue or adapt the data processing. Alternatively, we will inform you why we consider the further processing of your personal data to be justified despite your objection. 

§ 7 No automated decision-making  

We do not use any kind of automated decision-making, including profiling (Article 22 GDPR).  

§ 8 No transfer of data to third countries 

Unless explicitly stated otherwise, your personal data will not be transferred to a third country (countries outside the European Economic Area – EEA). 

A. Data protection information for visiting the website www.heagmobilo.de  

§ 1 Collection of personal data when visiting our website, cookies 

(1) You can use our website purely for information purposes (without registering or contacting us). In this case, we only collect the personal data that your browser transmits to our server. The following data is technically required to display our website to you and to ensure stability and security (legal basis is Article 6(1)(f) GDPR): 

  • IP address 
  • Date and time of the enquiry 
  • Time zone difference to Greenwich Mean Time (GMT) 
  • Content of the request (specific page) 
  • Access status/HTTP status code 
  • Amount of data transferred in each case 
  • Website from which the request originates 
  • Browser, language and its version 
  • Operating system and screen resolution  

(2) In addition to the aforementioned data, cookies are stored on your computer when you visit our website. Cookies are small pieces of text information that are stored in the browser on the device you are using. Certain information flows to us through the cookie. Cookies serve to make our website more user-friendly and effective overall. 

(3) Use of cookies: 

a) This website uses the following types of cookies, the scope and function of which are explained below: 

  • Transient cookies (see b) 
  • Persistent cookies (see c). 

b) Transient cookies are automatically deleted when you close the browser. These include session cookies in particular. These store a so-called session ID, with which various requests from your browser can be assigned to the joint session. This allows your computer to be recognised when you return to our website. The session cookies are deleted when you log out or close the browser. 

c) Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. You can delete cookies manually at any time in your browser settings. 

§ 2 Further functions and offers of our website 

(1) If you are interested, you can also use various services on our website. To do so, you must generally provide further personal data that we use to provide the respective service. The main principles of data processing in accordance with Article 5 of the GDPR apply. 

(2) In some cases, we use external service providers to process your data. These have been carefully selected and commissioned by us, are bound by our instructions and are regularly monitored. 

(3) Furthermore, we may pass on your personal data to third parties if we offer participation in promotions, competitions, contracts or similar services. Details on this can be found in the respective offer. 

(4) If our service providers or partners are based in a country outside the European Economic Area (EEA), we will inform you of this in the respective offer. 

§ 3 Tracking – Use of Matomo 

(1) This website uses the web analysis service Matomo. The legal basis for the use of Matomo is Article 6(1)(1)(f) GDPR. Our legitimate interest lies in being able to use the statistics obtained to analyse the use of our website and regularly improve it for you as a user. 

(2) In order to comply with the principle of data minimisation, we do not use cookies. Instead, Matomo uses a so-called Config_ID. Details on the technical process can be found at https://matomo.org/faq/general/how-is-the-visitor-config_id-processed/

(3) This website uses Matomo with the ‘AnonymiseIP’ extension. The IP address is anonymised before it is saved. It is not merged with other data collected by us.  

(4) The controller stores the information collected exclusively on servers in Germany. This involves the following data: 

  • Number and time of visitors 
  • Average length of visit 
  • Visitors who left the website (leaving the website after one page) 
  • Actions per visit (page views, downloads, outgoing links, internal searches) 
  • (Unique) page views 
  • Devices used and software installed by visitors 
  • User behaviour (entry pages, exit pages, origin of visitors e.g. search engine etc.) 

(5) The Matomo programme is an open source project. Information from the third-party provider on data protection can be found at https://matomo.org/privacy-policy/

§ 4 Newsletter 

(1) You have the option of registering for our newsletter (press releases, traffic reports, etc.). All you need to do is enter your e-mail address. You can optionally enter further data. When you click on ‘Subscribe to newsletter’, we will first send a notification to the e-mail address you have provided, asking you to confirm it. Only then will you actually receive our newsletter (double opt-in). 

(2) You can revoke your consent to receive our newsletter at any time without giving reasons. You will find an option to do so at the end of each newsletter. You can also object by post (HEAG mobilo GmbH, Klappacher Straße 172, 64285 Darmstadt) or by e-mail (kommunikation@heagmobilo.de). 

(3) We use the newsletter tool Brevo from Sendinblue GmbH in Berlin to send our newsletter. We have concluded an order processing contract with this company. The data collected from you when you register for the newsletter is processed by Brevo. It will be deleted as soon as you unsubscribe from the newsletter. 

§ 5 Google Maps 

(1) This website uses the map service Google Maps. The provider is Google Ireland Limited (‘Google’), Gordon House, Barrow Street, Dublin 4, Ireland. With the help of this service, we can integrate map material on our website. 

(2) To use the functions of Google Maps, it is necessary to save your IP address. This information is usually transmitted to a Google server in the USA and stored there. We have no influence on this data transfer. If Google Maps is activated, Google may use Google Fonts for the purpose of standardising the display of fonts. When you call up Google Maps, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly. 

(3) Due to data transmission, the Google Maps service is deactivated by default. If you wish to use it, you must give us your consent to do so. Your personal data will then be processed on the basis of Article 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG. Your consent can be revoked at any time (see above). 

(4) Google also processes your personal data in the USA. The data transfer takes place on the basis of certification in accordance with the ‘EU-US Data Privacy Framework’ (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA.  

(5) Details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.

You can find more information on the handling of user data in Google’s privacy policy: https://policies.google.com/privacy?hl=de

§ 6 Google reCAPTCHA 

(1) We use ‘Google reCAPTCHA’ (hereinafter referred to as ‘reCAPTCHA’) on this website. The provider is Google Ireland Limited (‘Google’), Gordon House, Barrow Street, Dublin 4, Ireland. The purpose of reCAPTCHA is to check whether data is entered on this website (e.g. in a contact form) by a human or by an automated programme. For this purpose, reCAPTCHA analyses the behaviour of the website visitor based on various characteristics.  

(2) To analyse this, reCAPTCHA evaluates various information and forwards it to Google (e.g. page that integrates reCAPTCHA, page from which the user comes, IP address of the user, settings of the end device such as language, browser, location, length of stay, mouse movements and keyboard strokes, screen and window resolution, time zone and installation of browser plugins).  

(3) The reCAPTCHA analyses run completely in the background if you have given us your consent to do so. The processing is then carried out on the basis of Article 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as the consent authorises the storage of cookies or access to information in the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG. Your consent can be revoked at any time (see above).  

(4) For more information about Google reCAPTCHA, please refer to the Google Privacy Policy and the Google Terms of Use at https://policies.google.com/terms?hl=de.  

(5) Google also processes your data in the USA. For details, please refer to section A § 5 paragraphs 4 and 5 (see above). 

§ 7 Multilingualism – Polylang 

(1) We would like to offer you our website in multiple languages. For this purpose, we use the WordPress plugin Polylang. The provider is WP SYNTEX, 8, rue Joseph Cugnot 38307 Bourgoin Jallieu, France. Further information can be found at https://polylang.pro/doc/is-polylang-compatible-with-the-eu-cookie-law/ and https://polylang.pro/doc/is-polylang-gdpr-compliant/.  

(2) The Polylang cookie (‘pll_language’) only stores your language selection. It remains stored for one year and is then deleted. No data is sent to the provider. 

(3) The legal basis for use is Article 6(1)(f) GDPR. Our legitimate interest lies in being able to offer you our website in multiple languages. You have the option to object to this use (see General information on data protection, section 6). 

§ 8 All In One WP Security 

(1) We use the plugin ‘All-In-One Security (AIOS) – Security and Firewall’ for the security of our website. The provider is Team Updraft or Updraft WP Software Ltd. Details can be found at https://de.wordpress.org/plugins/all-in-one-wp-security-and-firewall/.    

(2) This plugin can set cookies and thereby collect and store IP addresses. These are stored exclusively on our servers. Recipients of the data may be technical service providers who act as processors for the operation and maintenance of our website. 

(3) The legal basis for use is Article 6(1)(f) GDPR. Our legitimate interest lies in securing our website against malicious software, brute force attacks, spam and other malicious activities. You have the option to object to this use (see General information on data protection, section 6). 

§ 9 Use of social media platforms 

(1) We currently use the following social media platforms for information and marketing purposes: YouTube, Facebook and Instagram. The legal basis for this is Article 6 paragraph 1 sentence 1 lit. f GDPR. Technically, our respective websites are integrated via a simple link. Personal data is only transferred to a platform operator when you click on the respective link. The links to the platforms can be found in the header of our website. Please note that the platforms mentioned are based in the USA. When you visit their websites, your personal data may therefore be transferred and stored there. We have no influence on the data processing procedures; the full scope of data collection, the purposes of processing, the storage periods and details on deletion are not known to us. Data is collected regardless of whether you have an account with the platform operator and are logged in there. If you are logged in to the platform, your data collected by us will be assigned directly to your existing account. If you do not wish this to happen, you should log out after using the respective platform. 

 
(2) The platforms store the personal data collected about you as user profiles and use these for the purposes of advertising, market research and/or the customised design of their website. You have the right to object to the creation of user profiles. For details, please refer to the respective data protection information of the platform. 

§ 10 Facebook fan page 

(1) Links to the social network Facebook are integrated on our website. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. However, according to Facebook, the data collected is also transferred to the USA and other third countries. An overview of the Facebook social media elements can be found here: 

https://developers.facebook.com/docs/plugins/?locale=de_DE.

(2) When you click on the link, a direct connection is established between your device and the Facebook server. Facebook thereby receives the information that you have visited our website with your IP address. If you click on the Facebook ‘Like’ button while you are logged into your Facebook account, you can link the content of this website to your Facebook profile. This allows Facebook to associate your visit to this website with your user account. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data or its use by Facebook. Further information on this can be found in the privacy policy of Facebook at: https://de-de.facebook.com/privacy/explanation

(3) The use of this service is based on your consent in accordance with Article 6(1)(a) GDPR and Section 25(1) TDDDG. Consent can be revoked at any time.  

(4) Insofar as personal data is collected on our website and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its transfer to Facebook. The processing that takes place after forwarding is carried out solely by Facebook. The obligations incumbent on us jointly have been set out in an agreement on joint processing. You can find the wording of the agreement at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing data protection information when using Facebook and for the secure implementation on our website in accordance with data protection law. Facebook is responsible for the data security of Facebook products. 

(5) You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you assert the data subject rights with us, we are obliged to forward them to Facebook. 

(6) Facebook / Meta also processes your personal data in the USA. The data transfer takes place on the basis of certification in accordance with the ‘EU-US Data Privacy Framework’ (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. 

§ 11 Integration of YouTube videos 

(1) We have integrated the video service YouTube.com into our online offering. YouTube is a platform on which users can post videos and make them publicly accessible. The platform is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. The contact for customers in Europe is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. 

(2) The videos can be played directly on our website and are all integrated in ‘extended data protection mode’, i.e. no data about you as a user is transferred to YouTube if you do not play the videos. Only when you play the videos will the data mentioned in paragraph 3 be transmitted. We have no influence on this data transfer. 

(3) By playing a video, YouTube receives the information that you have accessed the corresponding subpage of our website. This occurs regardless of whether YouTube provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data will be assigned directly to your account. If you do not wish your data to be associated with your YouTube profile, you must log out before activating the button. YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research and/or customising its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide customised advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact YouTube to exercise this right. 

(4) Further information on the purpose and scope of data collection and its processing by YouTube can be found in the privacy policy. There you will also find further information on your rights and setting options to protect your privacy: https://policies.google.com/privacy?hl=de&gl=de.  

(5) Google also processes your personal data in the USA. The data transfer takes place on the basis of certification in accordance with the ‘EU-US Data Privacy Framework’ (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. 

§ 12 Instagram 

(1) Functions of the Instagram service are integrated on this website. These functions are offered by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Further information on this can be found in Instagram’s privacy policy: https://privacycenter.instagram.com/policy/.  

(2) When you click on the link, a direct connection is established between your device and the Instagram server. Instagram thereby receives information about your visit to this website. If you are logged into your Instagram account, you can link the content of this website to your Instagram profile by clicking on the Instagram button. This allows Instagram to associate your visit to our website with your user account. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data or its use by Instagram.  

(3) The use of this service is based on your consent in accordance with Article 6(1)(a) GDPR and Section 25(1) TDDDG. Consent can be revoked at any time.  

(4) Insofar as personal data is collected on our website and forwarded to Meta or Instagram, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Article 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its transfer to Meta or Instagram. The processing that takes place after forwarding is carried out solely by Instagram. The obligations incumbent on us jointly have been set out in a joint processing agreement. The text of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the data protection information when using Instagram and for the secure implementation on our website in accordance with data protection law. Meta is solely responsible for the data security of the Instagram products.  

(5) You can assert data subject rights (e.g. requests for information) regarding the data processed by Instagram directly with Meta. If you assert your data subject rights with us, we are obliged to forward them to Meta.
 
(6) Facebook / Meta also processes your personal data in the USA. The data transfer takes place on the basis of certification in accordance with the ‘EU-US Data Privacy Framework’ (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. 

B. Data protection information on the increased transport charge (EBE) 

Collection and processing of personal data 

(1) We collect the following personal data to process your increased fare: 

  • First name and surname 
  • Gender 
  • Date of birth 
  • Address (street, house number, postcode, place of residence) 
  • Nationality 
  • Incident data (EBE incident no., date, time, passenger position in the vehicle, complaint, direction, control stop, boarding stop, destination stop, type of ID, ticket number, ticket type, remark, passenger comment, passenger behaviour, inspector number, vehicle number, line) 
  • Payment made 
  • For minors, data of legal guardians (first name, surname, gender, address), if applicable  

(2) The legal basis for the processing of your personal data is Article 6 (1) sentence 1 lit. b and f GDPR. The common RMV conditions of carriage allow the responsible transport companies to charge and collect an increased fare from passengers who are found travelling without a valid ticket. The data is also stored to record repeat offences. In such cases, we reserve the right to initiate criminal proceedings. 

Deletion of data 

We delete your personal data as soon as it is no longer required. In addition, we are subject to various retention and documentation obligations (e.g. HGB, BGB, etc.). The retention and documentation periods specified there are up to ten years. 

Data transfer to third parties 

(1) In principle, we do not pass on your personal data to third parties. External service providers who process data on our behalf are contractually obliged to comply with data protection in accordance with Article 28 GDPR and are therefore not considered third parties.  

(2) BHS Bad Homburger Servicegesellschaft mbH and Bad Homburger Inkasso GmbH (address in each case: Konrad-Adenauer-Allee 1-11, 61118 Bad Vilbel) are commissioned to collect outstanding EBE receivables.  

(3) If the personal details of the person concerned have to be established or if there is a repeated EBE case, we reserve the right to pass on the data to the competent authority for criminal prosecution. 

C. Data protection information on the SEPA mandate 

Collection and processing of personal data 

(1) We collect and process the following data when a SEPA mandate is issued: 

  • Surname, first name 
  • Date of birth 
  • Address (place of residence, postcode, street, house number) 
  • Telephone number 
  • E-mail address 
  • IBAN and BIC if applicable 

(2) The data is processed on the contractual basis of a SEPA direct debit mandate issued in accordance with Article 6(1)(a) GDPR. 

Data transfer to third parties 

(1) In principle, we do not pass on your personal data to third parties. External service providers who process data on our behalf are contractually obliged to comply with data protection in accordance with Article 28 GDPR and are therefore not categorised as third parties.  

(2) The data is transmitted to the credit institutions involved so that direct debits can be made. 

Deletion of data 

We delete your personal data as soon as it is no longer required for the fulfilment of our contractual relationship. In addition, we are subject to various retention and documentation obligations (e.g. HGB, BGB, etc.). The retention and documentation periods specified there are up to ten years.

D. Data protection information on visitor management   

With the following information, we would like to inform you as a visitor to our company about the processing of your personal data. 

Collection and processing of personal data 

(1) Your personal data will be processed insofar as this is necessary in the context of your visit. The data is collected and stored for the purpose of documenting current visitors to HEAG mobilo GmbH. The data is stored in writing so that the visitor’s request can be assigned internally and to ensure that nobody gains unauthorised access to our company premises. 

(2) The legal basis for the collection and processing of your personal data in the context of the visit may result from Article 6 (1) sentence 1 lit. a, b and/or f GDPR. Our legitimate interests arise from always knowing which external persons are where on our company premises for reasons of your personal safety and our business operations. 

(3) Personal data for the documentation of your visit are your contact details, name, date and time of visit, telephone number and email address, if applicable, vehicle licence plate number if you drive on the company premises.  

(4) Our company premises are partially under video surveillance. These areas are recognisable by signage. If you enter or drive through these areas, we will also process video data about you (see section F below). 

Recipients or categories of recipients of the data 

(1) Within our company, those departments that require your data to fulfil our contractual obligations and legitimate interests will have access to it. Processors engaged by us (Article 28 GDPR) may also receive data for these purposes. These processors are companies in the categories of IT services, security companies and telecommunications. 

(2) We only disclose your data to third parties for their own use if and insofar as consent has been given or contractual and/or legal regulations provide for this. Third parties in the above sense are public bodies/authorities and private companies. In addition, we may transfer your personal data to authorities (law enforcement authorities) and courts in Germany and abroad in the interests of the company. 


Duration of data storage 

The personal data collected by us during your visit will be stored for the duration of your visit and for 1 year thereafter and then deleted, unless 

  • we are obliged to store the data for a longer period in accordance with Article 6(1)(c) GDPR due to retention and documentation obligations (e.g. from the German Commercial Code (HGB), German Criminal Code (StGB) or German Tax Code (AO)) 
  • or if there is a legitimate interest in storage in accordance with Article 6(1)(f) GDPR, e.g. during the current limitation period, which is usually three years, but can also be up to 30 years in certain cases, 
  • or you have consented to further storage in accordance with Article 6(1)(a) GDPR. 

As soon as the storage of the data is no longer required for the aforementioned storage purposes or if you withdraw your consent, your data will be deleted immediately. 

Reason for providing your data and possible consequences of not providing it 

If you do not provide your personal data, you will unfortunately not be permitted to enter our company premises. 

E. Data protection information on video surveillance in the vehicles, stops and operating sites of HEAG mobilo GmbH 

Purpose and legal basis of data processing 

We process your personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the new German Federal Data Protection Act (BDSG-neu). 

Video surveillance in the vehicles, at the stops and in the operating facilities of HEAG mobilo GmbH is carried out on the basis of Article 6 (1) sentence 1 f) GDPR to protect our and other legitimate interests. Video surveillance ensures the protection of our customers, employees and other third parties, serves to exercise and enforce our domiciliary rights and to investigate civil and criminal offences (in particular theft, burglary, damage to property, vandalism and illegal waste disposal). When used at bus stops, video surveillance is also used to monitor connections and analyse current operations (buses and trains) in order to be able to take further action in the event of disruptions or accidents. 

Duration of data storage 

The video recordings are stored in the vehicles for a maximum of 48 hours and then automatically overwritten and deleted. When monitoring our operating sites, the storage period is up to 72 hours. The images from the video cameras at our stops are not stored, but only transmitted live to our traffic control centre at Böllenfalltor. Camera recording areas that are not required for monitoring purposes are technically rendered unrecognisable (blackening). If data is analysed in the context of an incident (e.g. criminal complaint or accident), it is subject to the statutory retention and documentation periods. 

Data transfer 

Within HEAG mobilo GmbH, access to stored personal data is only granted to those offices and departments that require this data to fulfil their tasks. Access is only granted to the extent absolutely necessary. 

In principle, we do not pass on your personal data to third parties. However, it is theoretically possible that external service providers could gain access to the data as part of the maintenance of our IT systems. These service providers are contractually obliged to comply with data protection as processors (Article 28 GDPR). 

Personal data about data subjects may also be passed on in individual cases if this is required by law, consent has been given or we are authorised or obliged to provide information. In this context, personal data may also be passed on to law enforcement authorities (police and public prosecutor’s office). 

F. Data protection information on data processing for applications 

Collection of data 

By entering your data, you provide the above-mentioned companies with your personal data about a specific application for the purpose of the job search itself. 

Legal basis for the processing of personal data 

The legal basis for data processing is Article 6(1)(b) GDPR in conjunction with Section 26 BDSG-neu. This also applies to processing operations that are necessary for the implementation of pre-contractual measures. 

Data protection and confidentiality 

Data protection is an important concern for us. The HEAG companies have taken the necessary organisational and technical measures to ensure the confidentiality of your application. All employees in the HR department are obliged to maintain confidentiality regarding personal data as part of their contractual employment relationship. When processing data, the general standards for data security in accordance with the current state of the art are taken into account. 

Types of data and their use 

We process data in connection with your application. During the application process, the usual correspondence data such as postal address, e-mail address and telephone numbers are stored in the applicant database for the purpose of your application, in addition to your title, surname and first name. In addition, application documents such as cover letter, CV, professional, training and further education qualifications and references are stored. These are the data, documents and information that you send us in connection with your application. 


Rights of data subjects 

You can exercise your rights as a data subject at any time. In this regard, please contact our HR department (personal@heagmobilo.de) or our data protection officer. 

Right to withdraw consent 

You have the right to withdraw your consent in accordance with Article 7 (3) GDPR with effect for the future. In this regard, please contact our HR department (personal@heagmobilo.de). Upon receipt of your revocation, we will no longer process your data for the purposes specified in the consent. 

Data erasure and storage period 

Your personal data will be deleted or blocked as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or erased if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract. 
 
If you apply for a job at HEAG, your data (profile, application and any test results from a recruitment test) will be placed in your personnel file. Your personal application data will generally be deleted automatically six months after completion of the application process. The background to this is the need for comprehensive documentation of the application process in the event of the assertion and/or defence of labour law claims by former applicants. The legal basis for this data processing is our overriding legitimate interest in a comprehensive legal defence in accordance with Article 6(1)(f) GDPR. We will not inform you about the deletion of the data. 

A longer retention period or subsequent renewed contact by HEAG for new job options requires the consent of the applicant. This must be expressly declared to HEAG in writing or by means of the corresponding consent on HEAG’s online application form.  

G. Data protection information on the use of season tickets as eTicket RheinMain (e.g. Deutschlandticket, schoolchildren’s ticket, senior citizens’ ticket) 

Name and contact details of the responsible body and the company data protection officer: 

Joint responsibility for data processing 

As part of the eTicket RheinMain, HEAG mobilo and HEAG mobiBus operate a database, the ‘network-wide background system’ (vHGS), for the administration and processing of the eTicket RheinMain in joint responsibility with all participating transport companies and sales service providers used by transport companies (= customer contract partners) and the Rhein-Main-Verkehrsverbund GmbH (= RMV). 
 
The respective customer contract partners collect and process customer data on their own responsibility within the scope of their area of responsibility. RMV is responsible for the technical and functional operation of the vHGS and is authorised to use other companies (processors) to support it in the functional and technical operation of the database, for example also for the creation and dispatch of eTickets and paper tickets. 

The joint responsibility for data processing, in particular the competences and responsibilities of the parties involved, has been agreed in writing in accordance with Article 26 GDPR (joint controllership). The main contents of this agreement and a current list of the customer contract partners involved in the vHGS are available at www.rmv.de/vhgs-joint-controllership.  

Purpose of data processing 

The data is processed for the purpose of managing, maintaining and distributing electronic tickets on chip cards (eTicket RheinMain) and paper tickets via the network-wide background system (vHGS). 

This includes: 

  • the creation and provision of a data record for issuing the ticket or for issuing a proof of authorisation on a chip card via a read/write device (acceptance terminal) 
  • the creation and provision of a data record for printing the ticket in paper form 
  • issuing and sending the ticket and other contractual information 
  • the correction of previously transmitted personal data due to changes in contact details or similar reasons 
  • processing customer and prospective customer enquiries 
  • processing the payment of the ticket 
  • checking the ticket 
  • checking for misuse, such as manipulation, duplicates or double registrations with a chip card 

The last 10 transactions are also stored on the chip card. A transaction is the process of data exchange between the chip card, the acceptance terminal and the background system that occurs, for example, when the ticket is checked. This involves the time, location and type of transaction as well as the terminal number and the ticket/product number. 

The transactions currently stored on the chip card are only stored there and can be viewed at the RMV mobility centres and deleted on request. In addition, when the ticket is checked, the control device sends a control data record to RMV’s eTicket background system. This is used to check for misuse. 

Legal basis for data processing 

The data processing is necessary for the fulfilment of a subscription contract with the customer and, if different, with the account holder and the subsequent use of the ticket by the customer or user as proof of a valid travel authorisation when using the public transport network (fulfilment of contract pursuant to Article 6(1)(b) GDPR). 

Recipients or categories of recipients of the personal data 

The following recipients are involved in operational processing: 

  • Rhein-Main-Verkehrsverbund GmbH – technical operator of the vHGS as an integral part of the eTicket RheinMain and its processor for the functional and technical operation of the vHGS, Rhein-Main-Verkehrsverbund Servicegesellschaft (rms GmbH) and its processor for the hosting and technical operation of the vHGS, Cubic Transportation Systems (Deutschland) GmbH 
  • Customer contract partners involved in the vHGS who sell tickets via the vHGS and provide certain services to the respective customers (e.g. changes of address or geographical validity). A current list can be viewed at www.rmv.de/vhgs-joint-controllership  
  • Credit agencies that can be used by the customer contract partner to check the customer’s creditworthiness 
  • Debt collection companies that can be called in if the customer defaults on payment. 

Data processing agreements have been concluded with all processors in accordance with Article 28 GDPR. 

Data is not transferred to third countries in accordance with Articles 45 – 49 GDPR. 

Duration of data storage 

Personal data is routinely deleted when it is no longer required to fulfil the contract and is no longer subject to the statutory (in particular tax law) retention periods (Article 17(1)(a) and (e) GDPR). 

The usage data generated in connection with the eTicket RheinMain will be deleted six months after successful receipt of payment for the transactions in the vHGS, but may be analysed by RMV for transport purposes (e.g. to assess the development of demand on certain connections) after prior pseudonymisation. Control data records transmitted to the background system for the purpose of checking misuse are deleted from the background system no later than 14 days after collection. 

Analyses and misuse checks are carried out on the basis of legitimate interest in accordance with Article 6(f) GDPR. 

Necessity of the provision of data 

The provision of data is necessary for the conclusion and processing of personalised tickets and the use of eTickets or paper-based tickets. It is not possible to conclude contracts for personalised tickets without providing the data. 

Alternatively, it is possible to purchase a non-personalised, transferable and anonymously usable ticket by paying cash in advance. 

H. Data protection information on the mobiSmart project – collection of mobile phone data in buses and trains  

Purpose of data processing 

Your personal data is collected and processed to measure the flow of traffic on our route network and to determine the capacity utilisation of our buses and trains. 

Legal basis and necessity of data processing 

The legal basis is our legitimate interest pursuant to Article 6 (1) sentence 1 lit. f GDPR. The legitimate interests of HEAG mobilo arise from the purpose described. HEAG mobilo requires the information collected on the actual demand of its passengers for transport in order to offer an attractive mobility service. Conversely, no overriding interests of passengers that would argue against collecting the data are apparent. 

Recipients or categories of recipients / data transfer 

Within our company, only data that has previously been anonymised is processed. This also applies to our technical service provider. No data is transferred to countries outside the EU (so-called third countries). 

Duration of data storage 

We collect one or more MAC addresses (unique number for identifying mobile devices) of the mobile devices carried by our passengers. These MAC addresses are anonymised within milliseconds in the working memory of the recording devices installed in buses and trains. The MAC addresses are not stored beyond this. This does not apply when an objection is raised (see below). 

Right to object to the processing 

You can object to the processing at any time without giving reasons. We will then permanently exclude your MAC address(es) from further processing. To do so, please contact datenschutz@heagmobilo.de, stating your e-mail and MAC address(es) and your name (optional). 

You can also prevent your MAC address(es) from being recorded by switching on flight mode on your mobile devices. Please note that your devices will be recorded again if you manually reactivate the WLAN while in flight mode. If you do not provide your personal data or if you object to its processing, you will not suffer any disadvantages.  

(as at 25 February 2025)