Privacy Policy
Data Protection Information for the muenchen app of Stadtwerke München GmbH
Status: 23.10.2024
1. Content of this privacy notice
This privacy policy informs you about the personal data we process when you visit our website (muenchen-app.swm.de) and use our mobile application muenchen app (hereinafter also referred to as "app"). In addition, this privacy policy will inform you as to which rights you have with regard to your data.
The term "personal data" comprises any information relating to an identified or identifiable natural person.
The app is connected to the single sign-on service "M-Login" of Stadtwerke München GmbH, so that registration and login are carried out by way of the "M-Login" (see 5.3) and data stored in M-Login is transmitted to the app if required and if you have approved of this. The following data will be transmitted subject to your approval in "M-Login":
- Salutation
- First name
- Last name
- Title
- Date of birth
- E-mail address
- Address
- Mobile number
- Phone number
- Portrait photo incl. photo upload date
- Child portrait photo incl. photo upload date
- Child profiles
- Student profile
- Information on your means of payment (see Sections 5.6 and 5.7)
2. Responsible person and data protection officer
Stadtwerke München GmbH (hereinafter also referred to as "we" or "SWM") is the responsible party pursuant to Article 4 (7) of the EU General Data Protection Regulation (GDPR).
Emmy-Noether-Str. 2
80992 Munich
E-mail address: datenschutz.stadtwerke@swm.de
You can reach the data protection officer of Stadtwerke München GmbH at:
Stadtwerke München GmbH
Data Protection Officer
Emmy-Noether-Straße 2
80992 Munich
E-mail address: datenschutz@swm.de
3. Basic information on data collection and scope of use
Insofar as we collect, process or use personal data, we comply with the applicable legal provisions, in particular with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the Telecommunications Telemedia Data Protection Act (TTDSG). When you contact us by e-mail or via a contact form, your e-mail address and, if you have provided this, we will store your name and telephone number in order to answer your questions. We delete the data accruing in this context after the storage is no longer necessary or – in the case of statutory retention obligations – restrict the processing.
In order to operate the app and customer service, we use (technical) service providers by way of order processing. We disclose personal data collected by way of our app to state institutions, authorities and courts if we are instructed to do so by you or are legally obligated to do so or, should this be necessary, for the efficient legal defense or assertion of rights. Unless explicitly explained in this privacy notice, we do not transfer personal data to countries outside the European Union (EU) or the European Economic Area (EEA).
4. Processing of personal data when calling up and informative use of our website
4.1 Calling up the website
Each time you access this website, your browser automatically sends the following data to our website server: IP address of your requesting internet-capable device; date and time of your access to the website; website/application from which the access was made (referrer URL); your browser type with version and language; operating system of your internet-capable computer; your internet service provider; the sub-websites you are visiting; files downloaded from our website (e.g. PDF or Word documents); website accessed; website previously visited.
The temporary storage of the IP address for the duration of the use of our website is necessary to provide you with our website.
In addition, further processing of the data mentioned in 4.1. (1st paragraph) is carried out in order to optimize our website, to ensure the permanent functionality, security and stability of our website and connected IT systems, and to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.
The legal basis for this data processing is Art. 6 para. 1 lit. f GDPR. The legitimate interest follows from the above-mentioned purposes of providing the content of the website accessed by the user, the optimization of the website and the system security and stability as well as procedures in case of cyber attacks.
The above data will be deleted as soon as the use of the service (use of the website) ends.
4.2 Cookies
We use cookies on our website. Cookies are small text files and contain a characteristic string that enables identification of the browser when the website is called up again.
You can make detailed cookie settings for this website in our Cookie Banner at https://muenchen-app.swm.de/ and, for example, only allow required cookies.
4.2.1 Use of required cookies
We use technically necessary cookies that ensure smooth use of the website and enable numerous basic functions. You can find more information about these cookies in the privacy settings (cookie icon) at https://muenchen-app.swm.de/.
You can also visit our website without cookies. If you do not want to use cookies, you can completely disable or restrict them in your browser. However, this may lead to functional restrictions of our website. If you want to log in, cookies are required. The legal basis for data processing is Art. 6 para. 1 lit. f GDPR, § 25 para. 2 TTDSG. The legitimate interest for data collection follows from the purpose of providing the informational function of the website called by the user and the simplification of the website.
The following list provides more information on how to disable or manage your cookie settings in the browser you use:
4.2.2 Use of cookies for web analysis
Our website uses the web analysis tool Matomo to statistically analyze usage. The statistics obtained allow us to improve our offer and make it more interesting for you.
We process the following data:
- The IP address (anonymized by zeros of an octet);
- The web pages accessed, time and duration of stay;
- The source from which the user accessed the website (e.g. search engine, social media, website or campaign);
- Website usage (which target pages are accessed and how often, click paths, view of and interaction with page elements such as links, buttons, navigation elements, videos, downloads, bounce rates and time spent on individual pages, search inputs, scroll depth, return);
- Conversion goals (e.g., number of newsletter subscriptions);
- Information from the end device: operating systems, browsers and end devices (incl. resolution) with which the website is accessed.
The processing of the data is carried out exclusively under our responsibility.
For more information about the analysis tool Matomo (Piwik), see the link.
The legal basis for the web analysis is Art. 6 para. 1 p. 1 lit. f GDPR. The processing serves the purpose of evaluating the number of visitors and the use of our service and thus to improve our service. We have a legitimate interest in this. If you wish to object to the processing, you can do so in the privacy settings (cookie icon at the edge of the browser).
We place a web analysis cookie in your browser. The legal basis is your consent according to Art. 6 para. 1 p. 1 lit. a GDPR, § 25 para. 1 TTDSG.
In the privacy settings (cookie icon at the edge of the browser) you can get more information about the cookies set and how long they are stored.
The legal basis for reading out your above-mentioned device information is your consent pursuant to Art. 6 (1) p. 1 lit. a GDPR, § 25 (1) TTDSG.
If you wish to revoke your consent, you can do so in the privacy settings (cookie icon at the edge of the browser).
5. Processing of personal data when using our app
5.1 When downloading the app, the required information is transmitted to the respective app store, i.e. in particular the user name, e-mail address and customer number of your app store account, the time of download, payment information and the individual device identification number. We have no influence on this data collection by the respective app store and are not responsible for it.
5.2 If you wish to use our app, we will collect the following data, which is technically necessary for us in order to offer you the functions of our mobile app and to ensure stability and security:
- IP address
- The request itself
- Date and time of the request
- Data volume transferred in each case
The legal foundation for this is Art. 6 (1) sentence 1 lit. b GDPR, in order to provide you with our app within the scope of the usage agreement concluded with you and to enable you to place an order via the app, as well as Art. 6 (1) sentence 1 lit. f GDPR, in order to be able to provide you with the app technically.
5.3 Certain functions of the app require you to log in. The central single sign-on service "M-Login" of Stadtwerke München GmbH is available for this purpose. M-Login is an online portal that registered users can use to centrally manage certain user and user profile data for selected services that are connected to M-Login. For further information on the processing of your data within the framework of M-Login, please refer to the data protection information for "M-Login". If you are already registered with M-Login, you can log in to the app using the email address and password you created there.
If you have approved and provided the following in the M-Login account, we will get access to the following items of your profile data in M-Login:
- Salutation
- First name
- Last name
- Title
- Date of birth
- E-mail address
- Address (street, number, postal code, city and country)
- Mobile number
- Phone number
- Portrait photo incl. photo upload date
- Child portrait photo incl. photo upload date
- Child profiles
- Student profile
- Information on means of payment
Furthermore, we store your consent to our GTC.
We process the above data to fulfill the contract with you on the use of our app. The legal foundation for this is Art. 6 para. 1 sentence 1 lit. b GDPR.
5.4 The app enables registered and logged-in users to purchase tickets and other services from our partners. For this purpose, we process the necessary data and transmit it to the respective partner, in particular:
- Your order (e.g. type, place and time of an event)
- Your agreement with regard to the terms and conditions of the partner
- The information as to whether your payment was successful
- If applicable, your agreement with the hygiene concept of the organizer
We process this data for pre-contractual measures and for the fulfillment and execution of the brokerage contract. The legal foundation for this processing is Art. 6 para. 1 lit. b GDPR.
Please inform yourself about the partner's data processing in the partner's privacy policy.
5.5 Personalized content
You can select areas of interest in the muenchen app. If you use this function, the muenchen app selects content based on your specified interests and displays it in labeled sections in the feed. For example, you will be shown content about concerts if you indicate that you are interested in music. You can change or remove the areas of interest at any time; they will then be deleted and no longer used for personalization. The legal basis for this data processing is Art. 6 para. 1 sentence 1 lit. f GDPR ("legitimate interests"). Our legitimate interest is to show you personalized content in the muenchen app at your request. You can object to this processing at any time by removing the areas of interest.
We also offer you the option of utilizing the items in your watch list and your purchase history (purchases made via the app) for personalization. To be able to use this function, you must first activate it. You can also change or adjust the setting at any time under Profile. The legal basis for this data processing is Art. 6 para. 1 sentence 1 lit. f GDPR ("legitimate interests"). Our legitimate interest is to show you personalized content in the muenchen app at your request. You can object to this processing at any time by deactivating the corresponding personalization function in the settings. The respective data will then no longer be used for personalization.
5.6 Location data processing
The app offers you the possibility to determine offers and information in the radius of your current location ("radius search"). In order for you to use this, it is necessary that your current location is transmitted from the operating system to the app and processed for this purpose.
The app processes your location only when you have activated the corresponding function in the app as well as approved your location for the app in the corresponding device settings.
The data is only used to determine the requested information and is deleted afterwards. You can deactivate access to the location data in the device settings at any time.
The legal basis for this data processing is Art. 6 (1) p. 1 lit. b and lit. f GDPR. Our legitimate interest is to enable you to search for offers based on your location if desired, as well as to provide an optimal user experience of the app.
You can also use the app without this function.
5.7 If you have entered SEPA direct debit as a means of payment in the M-Login and have approved it for us, your approval will give us access to the following personal data:
- IBAN
- Account holder
- BIC if applicable
In order to pay by SEPA direct debit you have given Novalnet AG a direct debit authorization for your account. We pass on your personal data (first and last name, date of birth, address, e-mail address, account details, telephone number if applicable, IP-address and the amount to be debited) and any changes to Novalnet AG for the purpose of selling and assigning the claims against you that arise in connection with your chargeable order. This is done on the foundation of Art. 6 para. 1 p. 1 lit. f GDPR. The legitimate interest on our part is the outsourcing of payment processing and receivables management. The legitimate interest on the part of Novalnet AG consists in the processing of data for the purpose of processing payments, for receivables management, the evaluation of the admissibility of payment methods and the prevention of payment defaults. The offer to conclude a contract with costs (e.g. purchase of a ticket) is only accepted if Novalnet AG acquires the resulting claim from the contract with costs. If Novalnet AG refuses to acquire the claim, your offer to conclude a contract with costs will be rejected. You may object to the transmission of this data to Novalnet AG at any time, but then orders via the electronic sales channel will no longer be possible. The data protection information of the Novalnet AG can be found under the respective link.
In addition, we process your personal data, which we receive from Novalnet AG (information about the decision whether or not to acquire the claim).
5.8 If you have deposited a credit card as a means of payment in the M-Login and have approved it for us, we will obtain access to the following personal data based on your approval:
- Credit card replacement number
- Card type
- Four final digits of the credit card number
- Expiration date
We store this data as long as you have deposited the credit card as a means of payment in the M-Login and approved it for us or until the complete processing of purchases made using this credit card.
As soon as you make use of a chargeable service, we transmit the personal data to First Data GmbH that is required to bill your credit card. These are, in particular, the amount of the claim, the credit card replacement number and a reference text with which a payment by the payment service provider to us can be assigned to the service you have used.
We process the above data in order to fulfill the contract with you on the use of our service. The legal foundation for this is Art. 6 para. 1 sentence 1 lit. b GDPR.
You can access the data protection information of First Data GmbH under the respective link.
5.9 Our app uses the web analysis tool Matomo in order to statistically analyze usage. The statistics obtained enable us to improve our offer and make it more interesting for you. The processing of the data is carried out exclusively under our responsibility.
We process the following data:
- the IP address (anonymized by zeros of an octet)
- the screens called up within the app
- the user behavior (accessed screens, click paths bounce rates and time spent on screens)
- Conversion goals (e.g., whether a purchase was made)
- Information from your end device (operating systems and end devices with which the app is used)
The legal basis for the web analysis is Art. 6 para. 1 p. 1 lit. f GDPR. The processing serves the purpose of evaluating the number of visitors and the use of our service and thus to improve our service. We have a legitimate interest in this. You can object to the processing at any time by deactivating the usage analysis in the app settings under "Profile" > "Privacy" > "Send usage statistics".
The legal basis for reading out your above-mentioned device information is your consent according to Art. 6 para. 1 p. 1 lit. a GDPR, § 25 para. 1 TTDSG.
You can revoke your consent at any time by deactivating the usage analysis in the app settings under "Profile" > "Privacy" > "Send usage statistics".
Further information about the analysis tool Matomo can be found under the respective link.
5.10 If you want to receive push notifications from the app, you can activate this in the settings. You can change or cancel this setting at any time in the app under “Profile” or in the settings of your device.
5.11 Our App uses Firebase Crashlytics, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google", parent company: Google LLC, USA), to analyze errors of the app and to fix problems. When the app crashes, an anonymized crash report is sent to Google in real time. This report contains information related to your use of our app about the device status, device type, operating system, app version, the time of the crash and the device identification number at the time of the crash.
For more information, please see the privacy policy of Google LLC.
The legal foundation for the use of Firebase Crashlytics is your consent according to Art. 6 para. 1 p. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by deactivating Firebase Crashlytics in the app settings under "Privacy".
5.12 We also process your personal data in order to fulfill other legal obligations. These may affect us in connection with the processing of your order or business communication, among other things. These obligations include, in particular, retention periods under commercial, trade or tax law.
We process your personal data in order to meet a legal obligation to which we are subject pursuant to Art. 6 para. 1 lit. c GDPR in connection with commercial, trade or tax law, insofar as we are obliged to record and store your data.
5.13 We process your personal data in order to assert our rights and enforce our legal claims. We also process your personal data in order to be able to defend ourselves against legal claims. Moreover, we process your personal data to the extent necessary to prevent or prosecute criminal offences. In doing so, we process your personal data to protect our legitimate interests pursuant to Art. 6 (1) lit. f GDPR, insofar as we assert legal claims or defend ourselves in legal disputes or we prevent or investigate criminal acts.
6. Required provision of personal data
The provision of the aforementioned data is – unless expressly communicated otherwise – already necessary for the conclusion or execution of the contract, as this cannot be carried out without this personal data. Insofar as we are subject to a legal obligation to process your personal data (for example, for the prevention of money laundering), you are legally obligated to provide us with this data. Otherwise, we may not be permitted to enter into a contractual relationship with you.
7. Categories of data recipients
Within SWM, access to your data is granted to those offices that need this information for the purposes described. To the extent permitted by law (for example, as part of commissioned processing), we may disclose personal data to third parties in the following categories:
- (IT) service providers
- Customer service providers
- Logistics
- Print service providers
- Sales partners
- Payment service providers
- Collection service providers and lawyers
- Public bodies and institutions (e.g. social insurance providers, financial authorities, police, public prosecutor's office, supervisory authorities) if there is a corresponding obligation / authorization
8. Data transfer to a third country or to an international organization
Within the context of the use of Firebase Crashlytics, there is the possibility that Google also stores or processes your data outside the European Union / the European Economic Area in a so-called third country (e.g. in the USA). This data transfer is based on so-called EU standard contractual clauses.
Moreover, a data transfer to a third country or to an international organization does not currently take place with regard to the app. Should we use (IT) service providers for certain tasks in the future, who may also use (IT) service providers that have their company headquarters, parent company or data center headquarters in a third country (outside the European Union and the European Economic Area), the following must be given: The transfer is permissible based on a legal foundation for permission or due to you having expressly consented to the transfer and the special requirements for a transfer to a third country are met. In particular this means that the European Commission has decided that an adequate level of data protection exists in the third country (Art. 45 GDPR) or that appropriate safeguards (e.g., through so-called EU standard contractual clauses specified by the European Commission or the supervisory authority) and enforceable rights and effective remedies are provided and in place.
9. Security
We secure our app and other systems through technical and organizational measures against loss, destruction, access, modification or distribution of your data by unauthorized persons. In particular, we encrypt our data for transmission in order to ensure that your data is not read by unauthorized persons during transmission. In doing so, we use a modern, reliable Internet security standard.
10. Storage period
We delete your personal data after the storage is no longer necessary (e.g. after final response to your request, for the duration of the contractual relationship with you until its final termination), or – in the case of legal retention obligations – restrict the processing. Please note that further processing is necessary in particular to ensure the:
- Fulfillment of statutory retention obligations, which may arise from the German Commercial Code (HGB) and the German Fiscal Code (AO), for example. The periods specified therein are up to ten years.
- Preservation of evidence within the framework of statutory limitation provisions. According to Sections 195 et seq. of the German Civil Code (BGB), these limitation periods can extend up to 30 years, with the regular limitation period being three years.
11. Your rights
According to Art. 15 GDPR, you have the right to request information from us at any time about the personal data we have stored concerning yourself. This also pertains to the recipients or categories of recipients to whom this data is passed on and the purpose of the storage. At any time, you may, under the conditions of Art. 16 GDPR demand the correction and / or under the conditions of Art. 17 GDPR demand the deletion and / or under the conditions of Art. 18 GDPR demand the restriction of processing. Furthermore, you may request data transfer at any time in accordance with Art. 20 GDPR.
You have the right to object to the processing of your personal data if the conditions specified in Art. 21 GDPR apply.
You can exercise your data protection rights vis-à-vis:
Stadtwerke München GmbH
Emmy-Noether-Straße 2
80992 Munich, Germany
datenschutz.stadtwerke@swm.de
In addition, according to Art. 77 GDPR, you have the possibility to lodge a complaint with a data protection supervisory authority.
Right to revoke consent: If we process data on the basis of consent, you can revoke your consent to the processing of your data at any time for the future. Please address your revocation to:
Stadtwerke München GmbH
Emmy-Noether-Straße 2
80992 Munich, Germany
datenschutz.stadtwerke@swm.de
12. Automated decision making
In principle, we do not use automated decision-making pursuant to Art. 22 GDPR. Should we use these procedures in individual cases, we will inform you about this separately within the framework of the legal provisions.
13. Modification clause
As our data processing is subject to change, we will also adjust our privacy notice from time to time. Amended privacy notices will be published in the app. Unless otherwise specified, such changes shall take effect immediately. Therefore, please check this privacy notice regularly to view the most current version.
14. Digital Services Act (“DSA”)
Central Contact Point for matters related to the Digital Services Act ("DSA")
Stadtwerke München GmbH Emmy-Noether-Straße 2 80992 Munich
Email: dsa-kontakt@swm.de
The aforementioned entity is the central contact point for direct communication with the European Commission, the authorities of the member states, and the European Digital Services Board regarding the application of the DSA. Communication with this contact point can be conducted in English and German.