Data protection

Our data protection information

We are very pleased about your interest in our enterprise. For the management of the Verkehrsverbund Rhein-Sieg GmbH, data protection is a matter of particular importance.

As a matter of basic principle, the website of the Verkehrsverbund Rhein-Sieg GmbH can be used without providing any personal data at all. However, if a data subject wishes to avail him or herself of any special services of our enterprise via our website, the processing of personal data could become necessary. If the processing of personal data is necessary but there is no legal basis for it, we always obtain the consent of the data subject.

Personal data, e.g. the name, address, e-mail address or telephone number of a data subject, are always processed in harmony with the General Data Protection Regulation (GDPR) and in congruence with the currently applicable country-specific data protection regulations that apply to the Verkehrsverbund Rhein-Sieg GmbH. By means of this data protection information, our enterprise wishes to inform the general public about the type, scope and purpose of the personal data that we gather, use and process. Furthermore, the data protection information informs data subjects about their rights.

As the controller, the Verkehrsverbund Rhein-Sieg GmbH has implemented a number of technical and organisational measures to ensure that the personal data processed via this website are protected as completely as possible. Having said that, Internet-based data transmissions can as a matter of basic principle have security gaps, so that it is not possible to guarantee absolute protection. For that reason, any data subject is free to transmit personal data to us via other routes, for example by telephone.

Definitions

The data protection information of the Verkehrsverbund Rhein-Sieg GmbH is based on the terminology used by the makers of European Directives and Regulations in enacting the GDPR. Our data protection information should be easy to read and easy to understand both for the general public and for our clients and business partners. To make sure that that is the case, we would like to explain the terms used in advance.

The terms we use in this data protection information include the following:

a) Personal data

Personal data are all and any information which relates to an identified or identifiable natural person (hereinafter referred to as the 'data subject'). A natural person is deemed to be identifiable if he or she can be identified directly or indirectly, in particular by being coupled to an identifier such as a name, a code number, location data, an on-line ID or one or more special characteristics which express his or her physical, physiological, genetic, psychological, economic, cultural or social identity.

b) Data subject

A data subject is any identified or identifiable natural person whose personal data are processed by the controller.

c) Processing

Processing is any operation performed with or without the aid of automated procedures or any such series of operations in connection with personal data such as the gathering, recording, organisation, tabulation, storage, adaptation or modification of them, or their reading out, sampling, utilisation, disclosure by transmission, dissemination or any other form of making available, comparison or combination, restriction, erasure or destruction.

d) Restriction of processing

Restriction of processing is the bookmarking of stored personal data with the intention of restricting their future processing.

e) Profiling

Profiling is any kind of automated processing of personal data which consists in the use of them to assess certain personal aspects that relate to a natural person, and in particular to analyse or forecast aspects that relate to the work performance, economic status, health, personal preferences, interests, reliability, behaviour, whereabouts or relocation of said natural person.

f) Pseudonymisation

Pseudonymisation is the processing of personal data in such a way that the data can no longer be assigned to a specific data subject without additional information, provided that said additional information is stored separately and is subject to technical and organisational measures which ensure that the personal data cannot be assigned to any identified or identifiable natural person.

g) Controller

The controller is the natural person or legal entity, authority, insititution or other body who or which, alone or together with others, makes decisions on the purposes and means of processing personal data. If those purposes and means are prescribed by the law of the European Union (EU) or the law of the Member States, the controller, or rather the specific criteria of his or her nomination under EU law or the law of the Member States, may be pre-ordained.

h) Processor

A processor is any natural person or legal entity, authority, insititution or other body who or which processes personal data as commissioned by the controller.

i) Recipient

A recipient is any natural person or legal entity, authority, institution or other body to whom or which personal data are disclosed, regardless of whether he or she is a third party or not. Having said that, authorities which may receive personal data in the context of a given investigation mandate under EU law or the law of the Member States do not count as recipients.

j) Third party

A third party is any natural person or legal entity, authority, institution or other body other than the data subject, the controller, the processor and those persons who are authorised to process the personal data under the direct responsibility of the controller or processor.

k) Consent

Consent is any statement of intent made voluntarily and unambiguously by an informed data subject for a particular case in the form of a declaration or other unambiguous confirmatory act by which the data subject makes it clear that he or she agrees to the processing of the personal data that relate to him or her.

Name and address of controller

The controller within the meaning of the GDPR, the meaning of other data protection laws currently applicable in the Member States of the EU and the meaning of other provisions designed to protect data is:

Verkehrsverbund Rhein-Sieg GmbH
Kompetenzcenter Marketing NRW
Deutzer Allee 4
50679 Cologne
Germany

Tel.: 0221 208080
E-mail: kcm-nrw@vrs.de
Website: www.kcm-nrw.de

Name and address of data protection officer

The controller's data protection officer is:

Verkehrsverbund Rhein-Sieg GmbH
Data protection officer
Deutzer Allee 4
50679 Cologne
Germany

Tel.: 0221 208080
E-mail: datenschutz@vrs.de
Website: www.kcm-nrw.de

If a data subject has any queries or suggestions relating to data protection, he or she can apply directly to our data protection officer at any time.

Recording of general data and information

The website of the Verkehrsverbund Rhein-Sieg GmbH records a series of general data and information each time the website is accessed by a data subject or an automated system. These general data and information are saved in the log files of the server. The data recorded include (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system finds its way to our website (so-called referrer), (4) the subpages navigated to via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet protocol (IP) address, (7) the Internet service provider (ISP) of the accessing system and (8) other similar data and information which serve to ward off dangers in cases of attack on our IT systems.

In using these general data and information, the Verkehrsverbund Rhein-Sieg GmbH does not draw any conclusions about the data subject. It is far rather the case that the information is required (1) to deliver the content of our website correctly, (2) to optimise the content of our website and the advertising for it, (3) to guarantee the continuous functionality of our IT systems and the technology of our website and (4) to provide necessary information to the prosecution authorities in the case of a cyber-attack. The anonymously gathered data and information are thus evaluated by the Verkehrsverbund Rhein-Sieg GmbH for statistical purposes, and also with the aim of improving the data protection and data security in our enterprise, in order, finally, to ensure an optimum level of protection for the personal data we process. The anonymous data in the server log files will be stored separately from all personal data provided by the data subject him or herself.

Analysis tools: Plausible Analytics

We use Plausible Analytics on our website. The provider is Plausible Insights OÜ, Västriku tn 2, 50403, Tartu, Estonia.

Plausible Analytics allows us to analyze the behavior of our website visitors. For this purpose, the following data is collected: Page URL, HTTP request, HTTP referrer, browser, operating system, device type and IP address. The HTTP request and IP address are stored in a hash for 24 hours; within this period, a user can be recognized if he or she returns to the website. An identification of the person is not possible.

If consent has been obtained, the service is used exclusively on the basis of Art. 6(1)(a) GDPR and § 25 TDDDG. The consent can be revoked at any time. If no consent has been obtained, the use of this service is based on Art. 6(1)(f) GDPR; the website operator has a legitimate interest in analyzing the user behavior of our website visitors as effectively as possible.

Contact facility via the website

On the basis of statutory regulations, the website of the Verkehrsverbund Rhein-Sieg GmbH contains information which enables fast electronic contact to be made to our enterprise and direct communication with us, and that also includes a general address for so-called electronic post (e-mail address). If a data subject makes contact with the controller by e-mail, the personal data transmitted by the data subject are stored automatically. Such personal data, voluntarily transmitted to the controller by a data subject, are stored for the purposes of processing or making contact with the data subject. The data will remain with us until you request us to erase them, until you revoke your consent to the storage, or until the purpose of the data storage ceases to apply (for example when your enquiry has been dealt with). Mandatory legal requirements – in particular statutory archiving periods – are not prejudiced by this.

Routine erasure and disablement of personal data

The controller only processes and stores personal data of the data subject for as long as it takes to achieve the purpose of said storage or for as long as this was provided for by the makers of European Directives and Regulations or other legislators in laws or regulations to which the controller is subject.

If the purpose of storage ceases to apply or if a storage period as prescribed by the makers of European Directives and Regulations or other competent legislators expires, the personal data in question will be disabled or erased routinely and in accordance with the statutory provisions.

Rights of the data subject

a) Right to confirmation

Every data subject has the right, granted by the makers of European Directives and Regulations, to request confirmation from the controller as to whether personal data relating to him or her are being processed. If a data subject wishes to assert such right to confirmation, he or she can apply to an employee of the controller at any time.

b) Right of access

Any person affected by the processing of personal data has the right, granted by the makers of European Directives and Regulations, to receive from the controller – at any time and free of charge – information about the personal data stored relating to him or her and a copy of that information. Moreover, the makers of European Directives and Regulations have granted the data subject the right to receive the following information:

the purposes of the processing
the categories of personal data processed
the recipient or categories of recipients to whom the personal data have been or are still being disclosed, in particular recipients in third countries or international organisations
if possible the planned period over which the personal data will be stored, or, if that is not possible, the criteria for determining such period
the existence of a right to rectification or erasure of the personal data relating to him or her, or to restriction of the processing by the controller, or the existence of a right to object to said processing
the existence of a right to complain to a supervisory authority
if the personal data are not actually gathered from the data subject: all available information about the origin of the data
the presence of an automated decision-making facility including profiling pursuant to Art. 22 1. and 4. of the GDPR and – in those cases at least – meaningful information about the logic involved, the consequences and the intended impacts of that kind of processing on the data subject

Furthermore, the data subject has the right to receive information about whether personal data have been sent to a third country or an international organisation. If they have, he or she also has the right to receive information about the appropriate guarantees in connection with said transmission.

If a data subject wishes to assert this right of access, he or she can apply to an employee of the controller at any time.

c) Right to rectification

Any person affected by the processing of personal data has the right, granted by the makers of European Directives and Regulations, to request that inaccurate personal data relating to him or her be rectified without delay. The data subject also has the right, giving consideration to the purposes of the processing, to request the completion of incomplete personal data – also by means of a complementary declaration.

If a data subject wishes to assert this right to rectification, he or she can apply to an employee of the controller at any time.

d) Right to erasure (right to be forgotten)

Any person affected by the processing of personal data has the right, granted by the makers of European Directives and Regulations, to request the controller to erase personal data relating to him or her without delay if any of the following grounds apply and if the processing is not necessary:

the personal data were gathered for purposes for which they are no longer required or in a way that is no longer required
the data subject revokes the consent on which the processing pursuant to Art. 6 1. (a) or Art. 9 2. (a) of the GDPR was based, and there is no other legal basis for the processing
the data subject lodges an objection to the processing pursuant to Art. 21 1. of the GDPR, and there are no compelling legitimate grounds for it, or the data subject objects to the processing pursuant to Art. 21 2. of the GDPR
the personal data have been processed unlawfully
the erasure of the personal data is necessary in respect of a legal obligation under EU law or the law of the Member States to which the controller is subject
the personal data were gathered in relation to information society services pursuant to Art. 8 1. of the GDPR.

If one of the above-mentioned grounds applies and a data subject wishes to initiate the erasure of personal data stored with the Verkehrsverbund Rhein-Sieg GmbH, he or she can apply to an employee of the controller at any time. The employee of the Verkehrsverbund Rhein-Sieg GmbH will initiate compliance with the request for erasure without delay.

If the personal data have been made public by the Verkehrsverbund Rhein-Sieg GmbH and if our enterprise – as the controller pursuant to Art. 17 1. of the GDPR – is under obligation to erase them, the Verkehrsverbund Rhein-Sieg GmbH, taking account of the available technology and the costs of implementation, will take appropriate steps – also technical – to inform other controllers who or which process the personal data thus made public that the data subject has requested them to delete all links to the data and erase copies or replications thereof if the processing is not necessary. The employee of Verkehrsverbund Rhein-Sieg GmbH will organise what needs to be done in a given individual case.

e) Right to restriction of processing

Any person affected by the processing of personal data has the right, granted by the makers of European Directives and Regulations, to request the controller to restrict the processing if any of the following conditions are fulfilled:

the accuracy of the personal data is disputed by the data subject, and said disputation continues long enough to give the controller time to verify their accuracy
the processing is unlawful, but the data subject refuses to have the personal data erased and instead requests that their use be restricted
the controller no longer requires the personal data for purposes of processing, but the data subject needs them to assert, exercise or defend legal claims
the data subject has objected to the processing pursuant to Art. 21 1. of the GDPR and it is not yet clear whether or not the controller's legitimate grounds override those of the data subject.

If any of the above-mentioned conditions are fulfilled and a data subject wishes to request the restriction of the processing of personal data stored at the Verkehrsverbund Rhein-Sieg GmbH, he or she can apply to an employee of the controller at any time. The employee of the Verkehrsverbund Rhein-Sieg GmbH will initiate the restriction of the processing.

f) Right to data portability

Any person affected by the processing of personal data has the right, granted by the makers of European Directives and Regulations, to receive the personal data relating to him or her, which he or she has made available to a controller, in a structured, commonly used, machine-readable format. He or she also has the right to transmit those data to another controller without being impeded in any way by the controller to whom the personal data were made available, if the processing is based on consent pursuant to Art. 6 1. (a) or Art. 9 2. (a) of the GDPR or on a contract pursuant to Art. 6 1. (b) of the GDPR and is carried out with the aid of automated procedures, provided that the processing is not necessary to the fulfilment of a task which is in the public interest or carried out in the exercising of public authority devolved on the controller.

When exercising his or her right to data portability pursuant to Art. 20 1. of the GDPR, the data subject also has the right to obtain the transmission of personal data directly from one controller to another, if such is technically feasible and provided that it does not impair the rights and freedoms of other individuals.

To assert such right to data portability, the data subject can apply to an employee of the Verkehrsverbund Rhein-Sieg GmbH at any time.

g) Right to object

Any person affected by the processing of personal data has the right, granted by the makers of European Directives and Regulations, for reasons derived from his or her particular situation, to object at any time to the processing of personal data relating to him or her which is carried out on the basis of Art. 6 1. (e) or (f) of the GDPR. The same applies to any profiling based on these provisions.

The Verkehrsverbund Rhein-Sieg GmbH will stop processing the personal data if there is an objection, unless we can produce evidence of mandatory, legitimate reasons for it such as override the interests, rights and freedoms of the data subject, or the processing serves in the assertion, exercising or defence of legal claims.

If the Verkehrsverbund Rhein-Sieg GmbH processes personal data in order to practise direct advertising, the data subject has the right to object to the processing of the data for that kind of advertising at any time. This also applies to profiling if it is directly connected to that kind of direct advertising. If the data subject lodges an objection to said processing for the purposes of direct advertising with the Verkehrsverbund Rhein-Sieg GmbH, the latter will cease processing the personal data for those purposes.

The data subject also has the right, for reasons derived from his or her particular situation, to object to the processing of personal data relating to him or her such as is carried on at the Verkehrsverbund Rhein-Sieg GmbH for scientific or historical research purposes, or statistical purposes pursuant to Art. 89 1. of the GDPR, unless such processing is necessary to the fulfilment of a task which is in the public interest.

To exercise such right to object, the data subject can apply directly to any employee of the Verkehrsverbund Rhein-Sieg GmbH or any other employee. The data subject is also free, in connection with the use of services of the information society, and notwithstanding Directive 2002/58/EC, to exercise his or her right to object by means of automated procedures in which technical specifications are used.

h) Automated decision-making in individual cases including profiling

Any person affected by the processing of personal data has the right, granted by the makers of European Directives and Regulations, not to be subjected to a decision that is based purely on automated processing – including profiling – if it develops a legal effect on him or her or compromises him or her substantially in any similar way, provided that the decision (1) is not necessary to the conclusion or performance of a contract between the data subject and the controller, or (2) is permitted on the basis of legal requirements of the Union or the Member States to which the controller is subject, and said legal requirements entail appropriate measures for the safeguarding of the rights, freedoms and legitimate interests of the data subject or (3) is made with the latter's express consent.

If the decision (1) is necessary to the conclusion or performance of a contract between the data subject and the controller or (2) is made with the express consent of the latter, the Verkehrsverbund Rhein-Sieg GmbH will take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject. At the least, these include the right to obtain intervention by a person on the part of the controller, the right to explain one's own point of view and the right to challenge the decision.

If the data subject wishes to assert rights relating to automated decision-making, he or she can apply to an employee of the controller at any time.

i) Right to revoke consent given under data protection law

Any person affected by the processing of personal data has the right, granted by the makers of European Directives and Regulations, to revoke his or her consent to the processing of personal data at any time.

If the data subject wishes to assert such right to revoke consent, he or she can apply to an employee of the controller at any time.

Legal basis for processing

Art. 6 I. (a) of the GDPR serves our enterprise as a legal basis for operations in which we obtain consent for a certain processing purpose. If the processing of personal data is necessary to the performance of a contract to which the data subject is a party, as is for example the case with operations necessary to the supply of goods or the rendering of some other service or service in return, the processing is based on Art. 6 I. (b) of the GDPR. The same applies to operations which are necessary to the implementation of pre-contractual measures, for example in cases where enquiries are made about our products or services. If our enterprise is under a legal obligation because of which the processing of personal data becomes necessary, for example to fulfil fiscal obligations, the processing is based on Art. 6 1. (c) of the GDPR. In rare cases the processing of personal data could become necessary for the protection of the vital interests of the data subject or some other natural person. This would be the case, for example, if a visitor to our business premises were to suffer injury, as a consequence of which his or her name, age, health insurance details and/or other vital information had to be given to a doctor, a hospital or other third party or parties. Then the processing would be based on Art. 6 I. (d) of the GDPR. And finally, processing operations could be based on Art. 6 I. (f) of the GDPR. These are operations which are not covered by any of the above-mentioned legal bases, if the processing is necessary to the safeguarding of a legitimate interest of our enterprise or of a third party, provided that the interests, basic rights and basic freedoms of the data subject do not override them. We are allowed to carry out operations of this kind, in particular because they were given special mention by the European legislators. They expressed the opinion that a legitimate interest could exist if the data subject is a client of the controller (Recital 47 Sentence 2 of the GDPR).

Legitimate interests in processing pursued by the controller or a third party

If the processing of personal data is based on Art. 6 I. (f) of the GDPR, our legitimate interest is the pursuit of our business activities in favour of the wellbeing of all our employees and shareholders.

Storage period for personal data

The criterion for the storage period of personal data is the respective statutory archiving period. On expiry of that period, the data will be erased routinely, provided that they are no longer necessary to the performance or negotiation of a contract.

Statutory / contractual provisions for the making available of personal data; necessity to conclusion of a contract; obligation of the data subject to make personal data available; possible consequences of failure to do so

We would like to inform you that in some situations the provision of personal data is prescribed by law (e.g. fiscal laws) or can be derived from contractual provisions (e.g. information that needs to be conveyed to a contractual partner). In some cases it may be necessary to the conclusion of a contract for a data subject to make personal data available to us, and those data may need to be processed by us further down the line. The data subject is for example under obligation to make personal data available to us if our enterprise concludes a contract with him or her. Failure to make such personal data available would mean that the contract with the data subject could not be concluded. Before personal data are supplied by the data subject, the latter must apply to one of our staff. In individual cases, our staff will explain to the data subject whether provision of the data is prescribed by law or by contract, or necessary to the conclusion of a contract, or whether there is an obligation to make the personal data available, and what consequences failure to do so would have.

Automated decision-making

As a responsible-minded enterprise, we refrain from automatic decision-making and profiling.