Data protection information

Dessauer Verkehrs GmbH (DVG) takes the protection of your personal data very seriously. We would like to inform you about the purposes for which we collect personal data (hereinafter referred to as "data") and how we use it in the context of your use of our services.

We only process your personal data to the extent that this is useful for the provision and convenient use of our app and the associated presentation of information and provision of services.

In this context, "processing" means the collection, use, disclosure and/or storage of personal data. According to the General Data Protection Regulation (hereinafter referred to as "GDPR"), "personal data" generally refers to all data that can be used to identify a natural person. The precise definitions of the terms are set out in Art. 4 GDPR.

The following statements inform you in particular about the type, scope, purpose, duration and legal basis of the processing of personal data in the context of the use of the DVGgo app. DVG decides on the purposes and means of processing either alone or together with others. Separate explanations on this can be found in a suitable place in the data protection information.

Common information on the controller

The controller within the meaning of Art. 4 No. 7 is:

Dessauer Verkehrs GmbH (DVG)
represented by the managing directors Mr. Torsten Ceglarek and Mr. Dino Höll
Albrechtstraße 48
06844 Dessau-Roßlau
Germany

Phone.: +49 (0)340 899-0
Fax: +49 (0)340 899-99

E-mail: dvg-info@dvv-dessau.de
Website: www.dvv-dessau.de/verkehr

We have appointed a data protection officer who you can contact if you have any questions about data protection:

Dessauer Versorgungs- und Verkehrsgesellschaft mbH
z. Hd. Datenschutzbeauftragter
Albrechtstraße 48
06844 Dessau-Roßlau

Phone.: +49 (0) 340 8991113
E-mail: dsb@dvv-dessau.de

Provision of the apps and creation of log files

1. description and scope of data processing

Each time our app is accessed, our system automatically collects data and information from the operating system of the accessing end device.

This data record consists of:

The requests are stored in the log files of our systems for sixty days. No further storage of this data together with other personal data of the user takes place.

2. Purpose of data processing

The temporary storage of your IP address is necessary to enable the delivery of our apps to the user's device. For this purpose, the IP address must remain stored for the duration of the session.

The data is stored in log files to ensure the functionality of our apps. We also use the data to ensure the security of our information technology systems. The data is not analyzed for marketing purposes in this context.

3. Legal basis for data processing

The legal basis for the temporary storage of your IP address and the log files is our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR.

Use of the app

1. description and scope of data processing

In principle, our app can be used without providing any further information about yourself.

Additional functions can be activated through individual authorizations on your part.

Depending on the operating system, maps from Google Maps (Google LLC) for Android and Apple Maps (Apple Inc.) for iOS are integrated for the use of our app and the associated primary services. By using these maps, information about your use (in particular the IP address of your end device) may be transmitted to a server of the respective third-party company in the USA and stored there. We have no influence on the further processing of data by the respective third-party companies. Please also read the terms of use of Google Maps or Apple Maps if you wish to use the service. If you do not agree to the data processing by the respective third-party company, please refrain from using the app.

2. Purposes and legal bases of data processing

Data processing in connection with the use of the map services provided is legitimized for the fulfillment of the contract in accordance with Art. 6 para. 1 lit. b GDPR.

The following app functions are always voluntary and are based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR:

a) The app requires access to your location so that you can find connections from your current location or in your vicinity, e.g. bus stops, car and bike sharing locations, etc.

b) The app needs access to your contacts in order to be able to use the function "Use contact addresses as start or destination".

c) The app requires access to the data services so that it can establish a connection to our server and calculate a travel connection.

d) The app requires access to the calendar so that you can save connections there.

e) If you use the push notifications ("alerts") function, an anonymized device ID will be stored on our servers. This makes it possible to notify you of the current traffic situation of the connections you have subscribed to in the event of a delay or disruption. To provide these push services, a product from Google LLC (USA) "Firebase Cloud Messaging" is used for Android and a product from Apple Inc.(USA) "Apple Push Notification service" is used for iOS to send a message to your device when new traffic reports are available. By using these services, information about your use may be transmitted to a Google or Apple server in the USA and stored there. We have no influence on the further processing of data by third parties. Please also read the terms of use of Google or Apple if you wish to use the service. If you do not agree to this data processing, please refrain from using the push notifications.

We will not use your access permissions for purposes other than those specified here.

3. duration of storage and revocation of consent given

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. Storage beyond this is possible if statutory retention periods make this necessary.
Data processing that is subject to your consent can be prevented at any time with your revocation. You can revoke your consent in the settings of the apps or the operating system of your device.

Purchase of cell phone tickets (valid for DVGgo app)

DVG operates a cell phone ticket system for the sale of cell phone tickets in the state of Saxony-Anhalt. For this reason, the following parties have jointly decided on the means and purposes of processing personal data within the DVGgo app. The parties have entered into a joint controllership agreement in accordance with Art. 26 GDPR, which regulates the existing data protection obligations between them.

When booking a mobile ticket via the app, we also refer to the validity of our General Terms and Conditions. You can access these under the following link: https://www.dvv-dessau.de/verkehr/tickets-und-tarife-bus-und-strassenbahn/

1. description and scope of data processing

The following applies to the registration and purchase of a mobile ticket:

To register as a user, it is initially only necessary to enter your e-mail address and assign a password.

To protect your customer account against third parties, we recommend that you assign a secure password. This means that your password should have a minimum length of 8 characters and contain upper and lower case letters, numbers and special characters.

In principle, registration is not mandatory for the purchase of cell phone tickets. If you do not wish to create a customer account for the purchase of mobile tickets, please use the guest order function.

The following information is required from both registered users and guest purchasers in order to purchase tickets:

The following applies to payment processing:

In addition to your personal master data, the following additional data must be entered for payment processing, depending on the payment method selected:

The following applies to ensure security:

2. purpose of data processing

The following applies to registration:

Your personal master data is processed for the purpose of generating a user account. This user account can be used to perform services such as canceling or refunding cell phone tickets. Furthermore, registration allows you to view purchase receipts online after the journey. In addition, your cell phone tickets (both those that have not yet been used and those that have already expired) are retained after a change of device or after the app cache has been emptied. If you do not register, your data will be irretrievably deleted if you uninstall the app or empty the app cache.

The following applies to the purchase of a mobile ticket:

Your personal master data is processed for the purpose of carrying out the ticket purchase. This includes the booking, payment processing, any refunds, the sending or retrieval of the purchase receipt and the personalization of your cell phone ticket for checking by the control staff in the vehicles.

The following applies to payment processing:

Your personal master data and information regarding account details or credit card details will be passed on to LogPay Financial Services GmbH for the purpose of payment processing and the assignment of claims against you that arise in connection with your purchase of a cell phone ticket. Furthermore, our legitimate interest lies in the outsourcing of payment processing and receivables management. LogPay Financial Services GmbH has a legitimate interest in collecting your data for the purpose of processing payments, managing receivables, assessing the admissibility of payment methods and avoiding payment defaults.

The following applies to ensure security:

The log files created in the event of errors help us to understand and rectify the errors that have occurred. Furthermore, the collection and processing of your personal data serves to prevent so-called brute force attacks. These are attempts by unauthorized persons or algorithms to gain access to a user's account by randomly entering email addresses and passwords. If this is the case, the IP address of the suspected external attacker is processed in the event of multiple failed log-in attempts and temporarily blocked to prevent further attempted attacks.

3. legal basis for data processing

The following applies to registration:

The legal basis for this is a contractual relationship (Art. 6 para. 1 lit. b GDPR) or your consent (Art. 6 para. 1 lit. a GDPR) when entering optional data.There is no legal or contractual obligation to provide optional data or to create a user account.

The following applies to the purchase of a mobile ticket:

The legal basis for this is the concluded purchase contract between you and the customer contract partner (Art. 6 para. 1 lit. b GDPR) by consenting to the General Terms and Conditions (GTC).A further legal basis is our interest in fraud prevention (Art. 6 para. 1 lit. f GDPR).You are obliged to provide your personal data truthfully, otherwise you would not be able to purchase the desired cell phone ticket.

The following applies to payment processing:

The transfer of your personal data to the payment service provider is carried out for the purpose of executing the contract on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR.

The following applies to ensuring security:

The IP address of your end device contained in the error logs is processed for the purpose of error analysis and troubleshooting. Our legitimate interest lies in the error-free functioning of the mobile ticket system and the provision of all functions without problems with regard to your use (Art. 6 para. 1 lit. f GDPR). It is also in our and your interest to prevent misuse and the penetration of security measures (Art. 6 para. 1 lit. f GDPR).

4. recipient of the personal data

The following applies to registration:

The user account is stored by the contracted service provider for the ticket store (eos.uptrade GmbH). This service provider is contractually bound by an order processing agreement in accordance with Art. 28 GDPR.

The following applies to the purchase of a cell phone ticket:

The following recipients process your personal data when you purchase a cell phone ticket:

The following applies to payment processing:

Your personal details about the selected payment method will be forwarded directly to LogPay Financial Services GmbH. You can view and access the data protection information of LogPay Financial Services GmbH at the link https://documents.logpay.de/datenschutzinformationen.pdfLogPay Financial Services GmbH is responsible for the processing of your personal data for the purpose of payment processing from the time the claim is assigned to LogPay Financial Services GmbH.

The following applies to ensure security:

Your personal data will be passed on to our developers of the cell phone ticket system and processors, Hacon Ingenieurgesellschaft mbH and eos.uptrade GmbH.

5. duration of storage

The following applies to registration:

Your personal master data will be stored for as long as your user account exists. You can delete your user account in your profile settings. Your deletion request will then be automatically forwarded to our processors for enforcement. If statutory retention periods (Art. 6 para. 1 lit. c GDPR) exist, these will be taken into account.

The following applies to the purchase of a cell phone ticket:

Your data will be stored until the purpose has been fulfilled and beyond that due to possible statutory retention obligations. If your personal data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted, i.e. the data will be blocked and not processed for other purposes. This applies, for example, to user data that must be retained for commercial or tax law reasons. According to legal requirements, data is stored for 6 years in accordance with Section 257 (1) HGB (commercial books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting vouchers, etc.) and for 10 years in accordance with Section 147 (1) AO (books, records, management reports, accounting vouchers, commercial and business letters, documents relevant for taxation, etc.). If the statutory retention obligations have expired or cease to apply for other reasons, your data will be deleted immediately.

The following applies to payment processing:

LogPay Financial Services GmbH is responsible for the duration of the storage of your personal data.

The following applies to ensuring security:

The IP addresses collected in the event of incorrect login entries are stored to detect attack patterns.

6. right of objection and removal

The following applies to payment processing:

You can object to the transfer of your personal data to LogPay Financial Services GmbH at any time. As a result, you will no longer be able to place orders via the mobile ticket system.

The following applies to the guarantee of security:

Your personal data will be deleted as soon as the retention of the error logs is no longer required for the analysis and resolution of error causes and error effects as well as stability problems in the cell phone ticket system.

Recipients of your data

1. group of recipients

In principle, we only use your personal data within our organization. If and insofar as we involve third parties in the fulfillment of contracts, they will only receive the personal data to the extent that the transfer is necessary for the corresponding service. In the event that we outsource certain parts of data processing ("order processing"), we contractually oblige processors in accordance with Art. 28 GDPR to use personal data only in accordance with the requirements of the applicable data protection laws and to ensure the protection of your data protection rights.

We would like to point out that some data processing may also take place in so-called insecure third countries, such as the USA, in particular through the integrated services of your operating system. US providers are legally obliged to disclose personal data to security authorities without the consent of the data subject. We would like to point out that it therefore cannot be ruled out that your data located on US servers may be processed, analyzed and permanently stored for monitoring purposes. We have no influence on this data processing.

2. timetables

We integrate the services of HaCon Ingenieurgesellschaft mbH, Lister Straße 15, 30163 Hanover, Germany, into our applications.

When you use the functions of the app, a connection is established between your browser (end device) and the HaCon servers. Your data, such as your IP address and the device you are using, as well as your interactions within the applications are processed. This includes the following app areas: Start, Timetable, Departures, Map, Alarms, Settings, Tutorial and About the app.

3. forwarding to other telemedia providers

Our app may contain links to offers from other telemedia providers. If you access these links and thereby enable third parties to process your personal data (e.g. your IP address), we have no influence on this processing and can therefore accept no responsibility for it.

We indicate the forwarding to other telemedia providers in accordance with §19 para. 3 TTDSG at the appropriate places symbolically or by textual design.

Your rights as a user of our app

The GDPR grants you certain rights with regard to the processing of your personal data. If you would like to assert these rights, please send your request by e-mail - clearly identifying yourself - to the data protection officer named under II. or by post to our business address.

1. right to revoke the declaration of consent (Art. 7 para. 3 GDPR)

You have the right to withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.

2. right to confirmation and information (Art. 15 GDPR)

You have the right to request confirmation as to whether personal data concerning you is being processed; if this is the case, you have a right to information about this personal data and to the information listed in detail in Art. 15 GDPR.

3. right to rectification (Art. 16 GDPR)

You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you and, where applicable, to have incomplete personal data completed.

4. right to erasure (Art. 17 GDPR)

You have the right to demand that personal data concerning you be deleted immediately if one of the reasons listed in Art. 17 GDPR applies.

5. right to restriction of processing (Art. 18 GDPR)

You have the right to request the restriction of processing if one of the conditions listed in Art. 18 GDPR is met.

6. right to information (Art. 19 GDPR)

If you have asserted the right to rectification or erasure of your data or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this process, unless this proves impossible or involves a disproportionate effort. You have the right vis-à-vis the controller to be informed about these recipients on request.

7. right to data portability (Art. 20 GDPR)

In certain cases, which are listed in detail in Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, common and machine-readable format or to request the transfer of this data to a third party.

8. right to object (Art. 21 GDPR)

If data is collected on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR (data processing to protect the legitimate interests of the controller or a third party), you have the right to object to the processing at any time for reasons arising from your particular situation.We will then no longer process the personal data unless there are demonstrably compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or the processing serves the establishment, exercise or defense of legal claims.

9. right to lodge a complaint with a supervisory authority (Art. 77/78 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

In the state of Saxony-Anhalt, the competent supervisory authority is the State Commissioner for Data Protection of Saxony-Anhalt, Leiterstraße 9, 39104 Magdeburg.

10. Automated decision-making

We do not use automated decision-making or profiling.

External links

Our app may contain links to third-party websites under data protection law. If you access these links and thereby enable third parties to process your personal data (e.g. your IP address), we have no influence on this processing and can therefore accept no responsibility for it. We indicate the forwarding to other telemedia providers at the appropriate places in color, symbolically or by textual design.

Data security

We guarantee data security through state-of-the-art security standards. In order to protect your data from unauthorized access as comprehensively as possible, we take technical and organizational measures in accordance with the current state of the art. We use an encryption process in our app. Communication between the app and our server is transmitted over the internet using SSL/TLS encryption.

Objection to advertising emails

We hereby object to the use of contact data published as part of our duty to provide a legal notice for the purpose of sending unsolicited advertising and information material. The operators of the website expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam e-mails.

Changes to the data protection information

In recognition of the fact that transparency is an ongoing obligation, we review this data protection information at regular intervals.

We reserve the right to adapt this information to changes in the functionality of the app or to changes in legal requirements in the event of changes to the service.

We therefore recommend that you take note of this data protection information at regular intervals to keep yourself informed of its content.

Status of the data protection information

Status: March 2025

Dessau-Roßlau, 1st March 2025

Dessauer Verkehrs GmbH