Privacy Policy

Data Protection Information for the muenchen app of Stadtwerke München GmbH

Status: 22.03.2022

1. Content of this privacy notice

This privacy policy informs you about the personal data we process when you use our mobile application muenchen app (hereinafter also referred to as "app"). In addition, this privacy policy will inform you as to which rights you have with regard to your data.

The term "personal data" comprises any information relating to an identified or identifiable natural person.

The app is connected to the single sign-on service "M-Login" of Stadtwerke München GmbH, so that registration and login are carried out by way of the "M-Login" (see 4.3) and data stored in M-Login is transmitted to the app if required and if you have approved of this. The following data will be transmitted subject to your approval in "M-Login":

  • Salutation
  • First name
  • Last name
  • Title
  • Date of birth
  • E-mail address
  • Address
  • Mobile number
  • Phone number
  • Information on your means of payment (see Sections 4.5 and 4.6)

2. Responsible person and data protection officer

Stadtwerke München GmbH (hereinafter also referred to as "we" or "SWM") is the responsible party pursuant to Article 4 (7) of the EU General Data Protection Regulation (GDPR).

Emmy-Noether-Str. 2
80992 Munich
E-mail address: muenchen_app_kontakt@swm.de

You can reach the data protection officer of Stadtwerke München GmbH at:

Stadtwerke München GmbH Data Protection Officer
Emmy-Noether-Straße 2
80992 Munich
E-mail address: datenschutz@swm.de

3. Basic information on data collection and scope of use

Insofar as we collect, process or use personal data, we comply with the applicable legal provisions, in particular with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the Telecommunications Telemedia Data Protection Act (TTDSG). When you contact us by e-mail or via a contact form, we will store your e-mail address and, if you have provided them, your name and telephone number in order to answer your questions. We delete the data accruing in this context after the storage is no longer necessary or, in the case of statutory retention obligations, restrict the processing.

In order to operate the app and customer service, we use (technical) service providers by way of order processing. We disclose personal data collected by way of our app to state institutions, authorities and courts if we are instructed to do so by you or are legally obligated to do so or, should this be necessary, for the efficient legal defense or assertion of rights. Unless explicitly explained in this privacy notice, we do not transfer personal data to countries outside the European Union (EU) or the European Economic Area (EEA).

4. Processing of personal data when using our app

4.1 When downloading the app, the required information is transmitted to the respective app store, i.e. in particular the user name, e-mail address and customer number of your app store account, the time of download, payment information and the individual device identification number. We have no influence on this data collection by the respective app store and are not responsible for it.

4.2 If you wish to use our app, we will collect the following data, which is technically necessary for us in order to offer you the functions of our mobile app and to ensure stability and security:

  • IP address
  • The request itself
  • Date and time of the request
  • Data volume transferred in each case

The legal foundation for this is Art. 6 (1) sentence 1 lit. b DSGVO, in order to provide you with our app within the scope of the usage agreement concluded with you and to enable you to place an order via the app, as well as Art. 6 (1) sentence 1 lit. f DSGVO, in order to be able to provide you with the app technically.

4.3 Certain functions of the app require you to log in. The central single sign-on service "M-Login" of Stadtwerke München GmbH is available for this purpose. M-Login is an online portal that registered users can use to centrally manage certain user and user profile data for selected services that are connected to M-Login. For further information on the processing of your data within the framework of M-Login, please refer to the data protection information for "M-Login". If you are already registered with M-Login, you can log in to the app using the email address and password you created there.

If you have approved and provided the following in the M-Login account, we will get access to the following items of your profile data in M-Login:

  • Salutation
  • First name
  • Last name
  • Title
  • Date of birth
  • E-mail address
  • Address (street, number, postal code, city and country)
  • Mobile number
  • Phone number
  • Information on means of payment

Furthermore, we store your consent to our GTC.

We process the above data to fulfill the contract with you on the use of our app. The legal foundation for this is Art. 6 para. 1 sentence 1 lit. b DSGVO.

4.4 The app enables registered and logged-in users to purchase tickets and other services from our partners. For this purpose, we process the necessary data and transmit it to the respective partner, in particular:

  • Your order (e.g. type, place and time of an event)
  • Your agreement with regard to the terms and conditions of the partner
  • The information as to whether your payment was successful
  • If applicable, your agreement with the hygiene concept of the organizer

We process this data for pre-contractual measures and for the fulfillment and execution of the brokerage contract. The legal foundation for this processing is Art. 6 para. 1 lit. b DSGVO.

Please inform yourself about the partner's data processing in the partner's privacy policy.

4.5 If you have entered SEPA direct debit as a means of payment in the M-Login and have approved it for us, your approval will give us access to the following personal data:

  • IBAN
  • Account holder
  • BIC if applicable

We will change our payment service provider for SEPA direct debit in February 2023. Therefore, in a transition period between 01.02.2023 and 28.02.2023, all users who use this payment method will be switched to the new payment service provider. You will be affected by the changeover from the time you submit a SEPA direct debit mandate in favor of our new payment service provider, Novalnet AG, upon request.

In order to pay by SEPA direct debit you have given Novalnet AG a direct debit authorization for your account. We pass on your personal data (first and last name, date of birth, address, e-mail address, account details, telephone number if applicable, IP address and the amount to be debited) and any changes to Novalnet AG for the purpose of selling and assigning the claims against you that arise in connection with your chargeable order. This is done on the foundation of Art. 6 para. 1 p. 1 lit. f DSGVO. The legitimate interest on our part is the outsourcing of payment processing and receivables management. The legitimate interest on the part of Novalnet AG consists in the processing of data for the purpose of processing payments, for receivables management, the evaluation of the admissibility of payment methods and the prevention of payment defaults. The offer to conclude a contract with costs (e.g. purchase of a ticket) is only accepted if Novalnet AG acquires the resulting claim from the contract with costs. If Novalnet AG refuses to acquire the claim, your offer to conclude a contract with costs will be rejected. You may object to the transmission of this data to Novalnet AG at any time, but then orders via the electronic sales channel will no longer be possible. The data protection information of Novalnet AG can be found under the respective link.

In addition, we process your personal data, which we receive from Novalnet AG (information about the decision whether or not to acquire the claim).

4.6 If you have deposited a credit card as a means of payment in the M-Login and have approved it for us, we will obtain access to the following personal data based on your approval:

  • Credit card replacement number
  • Card type
  • Four final digits of the credit card number
  • Expiration date

We store this data as long as you have deposited the credit card as a means of payment in the M-Login and approved it for us or until the complete processing of purchases made using this credit card.
As soon as you make use of a chargeable service, we transmit the personal data to First Data GmbH that is required to bill your credit card. These are, in particular, the amount of the claim, the credit card replacement number and a reference text with which a payment by the payment service provider to us can be assigned to the service you have used.

We process the above data in order to fulfill the contract with you on the use of our service. The legal foundation for this is Art. 6 para. 1 sentence 1 lit. b DSGVO.

You can access the data protection information of First Data GmbH under the respective link.

4.7 Our app uses the web analysis tool Matomo in order to statistically analyze usage. The statistics obtained enable us to improve our offer and make it more interesting for you. The processing of the data is carried out exclusively under our responsibility.

We process the following data:

  • the IP address (anonymized by zeroing an octet)
  • the screens called up within the app
  • the user behavior (accessed screens, click paths, bounce rates and time spent on screens)
  • Conversion goals (e.g., whether a purchase was made)
  • Information from your end device (operating systems and end devices with which the app is used)

The legal basis for the web analysis is Art. 6 para. 1 p. 1 lit. f DSGVO. The processing serves the purpose of evaluating the number of visitors and the use of our service and thus to improve our service. We have a legitimate interest in this. You can object to the processing at any time by deactivating the usage analysis in the app settings under "Profile" > "Privacy" > "Send usage statistics".

The legal basis for reading out your above-mentioned device information is your consent according to Art. 6 para. 1 p. 1 lit. a DSGVO, § 25 para. 1 TTDSG.

You can revoke your consent at any time by deactivating the usage analysis in the app settings under "Profile" > "Privacy" > "Send usage statistics".

Further information about the analysis tool Matomo can be found under the respective link.

4.8 Our app uses Firebase Crashlytics, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google", parent company: Google LLC, USA), to analyze errors of the app and to fix problems. When the app crashes, an anonymized crash report is sent to Google in real time. This report contains information related to your use of our app about the device status, device type, operating system, app version, the time of the crash and the device identification number at the time of the crash.

For more information, please see the privacy policy of Google LLC.

The legal foundation for the use of Firebase Crashlytics is your consent according to Art. 6 para. 1 p. 1 lit. a DSGVO. You can revoke your consent at any time with effect for the future by deactivating Firebase Crashlytics in the app settings under "Privacy".

4.9 We also process your personal data in order to fulfill other legal obligations. These may affect us in connection with the processing of your order or business communication, among other things. These obligations include, in particular, retention periods under commercial, trade or tax law.

We process your personal data in order to meet a legal obligation to which we are subject pursuant to Art. 6 para. 1 lit. c DSGVO in connection with commercial, trade or tax law, insofar as we are obliged to record and store your data.

4.10 We process your personal data in order to assert our rights and enforce our legal claims. We also process your personal data in order to be able to defend ourselves against legal claims. Moreover, we process your personal data to the extent necessary to prevent or prosecute criminal offences. In doing so, we process your personal data to protect our legitimate interests pursuant to Art. 6 (1) lit. f DSGVO, insofar as we assert legal claims or defend ourselves in legal disputes or we prevent or investigate criminal acts.

5. Required provision of personal data

The provision of the aforementioned data is – unless expressly communicated otherwise – already necessary for the conclusion or execution of the contract, as this cannot be carried out without this personal data. Insofar as we are subject to a legal obligation to process your personal data (for example, for the prevention of money laundering), you are legally obligated to provide us with this data. Otherwise, we may not be permitted to enter into a contractual relationship with you.

6. Categories of data recipients

Within SWM, access to your data is granted to those offices that need this information for the purposes described. To the extent permitted by law (for example, as part of commissioned processing), we may disclose personal data to third parties in the following categories:

  • (IT) service providers
  • Customer service providers
  • Logistics
  • Print service providers
  • Sales partners
  • Payment service providers
  • Collection service providers and lawyers
  • Public bodies and institutions (e.g. social insurance providers, financial authorities, police, public prosecutor's office, supervisory authorities) if there is a corresponding obligation / authorization

7. Data transfer to a third country or to an international organization

Within the context of the use of Firebase Crashlytics, there is the possibility that Google also stores or processes your data outside the European Union / the European Economic Area in a so-called third country (e.g. in the USA). This data transfer is based on so-called EU standard contractual clauses.

Apart from this, no data transfer to a third country or to an international organization currently takes place with regard to the app. Should we use (IT) service providers for certain tasks in the future, who may also use (IT) service providers that have their company headquarters, parent company or data center headquarters in a third country (outside the European Union and the European Economic Area), the following conditions must be met: the transfer is permissible on a legal basis or because you have expressly consented to the transfer, and the special requirements for a transfer to a third country are met. In particular, this means that the European Commission has decided that an adequate level of data protection exists in the third country (Art. 45 GDPR) or that appropriate safeguards (e.g., through so-called EU standard contractual clauses specified by the European Commission or the supervisory authority) and enforceable rights and effective remedies are provided and in place.

8. Security

We secure our app and other systems through technical and organizational measures against loss, destruction, access, modification or distribution of your data by unauthorized persons. In particular, we encrypt our data for transmission in order to ensure that your data is not read by unauthorized persons during transmission. In doing so, we use a modern, reliable Internet security standard.

9. Storage period

We delete your personal data after the storage is no longer necessary (e.g. after final response to your request, for the duration of the contractual relationship with you until its final termination), or – in the case of legal retention obligations – restrict the processing. Please note that further processing is necessary in particular to ensure the:

  • Fulfillment of statutory retention obligations, which may arise from the German Commercial Code (HGB) and the German Fiscal Code (AO), for example. The periods specified therein are up to ten years.
  • Preservation of evidence within the framework of statutory limitation provisions. According to Sections 195 et seq. of the German Civil Code (BGB), these limitation periods can extend up to 30 years, with the regular limitation period being three years.

10. Your rights

According to Art. 15 DSGVO, you have the right to request information from us at any time about the personal data we have stored concerning you. This also pertains to the recipients or categories of recipients to whom this data is passed on and the purpose of the storage. At any time, you may, under the conditions of Art. 16 DSGVO, demand the correction and / or, under the conditions of Art. 17 DSGVO, demand the deletion and / or, under the conditions of Art. 18 DSGVO, demand the restriction of processing. Furthermore, you may request data transfer at any time in accordance with Art. 20 DSGVO.

You have the right to object to the processing of your personal data if the conditions specified in Art. 21 DSGVO apply.

You can exercise your data protection rights vis-à-vis:

Stadtwerke München GmbH
Emmy-Noether-Straße 2
80992 Munich, Germany
datenschutz.stadtwerke@swm.de

In addition, according to Art. 77 DSGVO, you have the possibility to lodge a complaint with a data protection supervisory authority.

Right to revoke consent: If we process data on the basis of consent, you can revoke your consent to the processing of your data at any time for the future. Please address your revocation to:

Stadtwerke München GmbH
Emmy-Noether-Straße 2
80992 Munich, Germany
muenchen_app_kontakt@swm.de

11. Automated decision making

In principle, we do not use automated decision-making pursuant to Art. 22 DSGVO. Should we use these procedures in individual cases, we will inform you about this separately within the framework of the legal provisions.

12. Modification clause

As our data processing is subject to change, we will also adjust our privacy notice from time to time. Amended privacy notices will be published in the app. Unless otherwise specified, such changes shall take effect immediately. Therefore, please check this privacy notice regularly to view the most current version.