Moovit-Intercity-privacy-policy

Distribusion Technologies GmbH

Privacy Policy

I. Introduction

Distribusion Technologies GmbH (hereinafter referred to as ‘Distribusion’ or the ‘Controller’) provides a global distribution system for ground transportation tickets. Distribusion strictly complies with the legal provisions of the General Data Protection Regulation and the Digital Services Act of the European Union when collecting, processing and using personal data.

This Privacy Policy is aimed at providing appropriate information on the personal data processing performed by Distribusion Technologies GmbH regarding the sale of tickets to end customers via Distribusion's booking engine via the Moovit Application (hereinafter referred to as the ‘Moovit App’). The up-to-date version of this policy is constantly available and retrievable

at https://moovit.com/legal/intercity-privacy-policy.

II. Information about the Data Controller. Contact Details

The corporate details of Distribusion are:

Distribusion Technologies GmbH
Wattstraße 10
13355 Berlin

Registration Court: Amtsgericht Berlin-Charlottenburg
Commercial Registry Number: HRB 176406 B

III. Our Data Protection Officer

We have designated a data protection officer who can be reached via:

Distribusion Technologies GmbH
Attn. DPO
Wattstraße 10
13355 Berlin

Or via email under: dpo@distribusion.com.

IV. What kind of Personal Data do we process if you use our ticketing system through the Moovit

1. If you only browse in the booking system within the Moovit App, the following data is collected for technical reasons to enable the booking system’s functionality:

IP address of the request;
Name of retrieved files;
Device data (e.g. operating system).

2. To handle a ticket booking, we need to process the following categories of data, depending on:

Your name;
Your contact details (e.g. mobile number);
Your email address;
The date and time of a purchase;
Payment data depending on the payment method you choose;
Travel data (e.g. origin and destination);
Identification data (e.g. national ID card details).

V. For what purposes do we process your Personal Data?

According to the applicable data protection laws, we may only process personal data if there is a legal basis for doing so. In the following, we describe the purposes for which we process the data mentioned in section IV:

1. Data processing for the performance of a contract (Art. 6(1)(b) GDPR)

If you wish to purchase a ticket, we – as a retailer – and the carrier issuing the ticket need the personal data described under section IV. 2. to process your booking and to create an individualized ticket for your selected journey.

Please note that the exact data may vary from case to case, depending on the carrier involved and the type of ticket you purchase.

2. Data processing due to legal obligation (Art. 6(1)(c) GDPR)

In order to settle our accounts with involved carriers and the provider of the Moovit App, we must keep certain books and accounts. Under the country-specific tax laws we must process such data to fulfil our obligations arising from such laws.

3. Data processing based on legitimate interests (Art. 6(1)(f) GDPR)

The provision of our ticketing system to search connections (i.e. the pre-booking phase) is a free service that we provide to each visitor utilizing these services via the Moovit App.

This processing is necessary to safeguard our legitimate interests, as we have an interest in presenting our services to an interested audience. The fundamental rights and freedoms of visitors through the Moovit App as data subjects do not prevail here, as the personal data processed are those that are inevitably collected for technical reasons when any web-based mobile app is accessed. It would only be necessary to draw conclusions about specific persons with additional knowledge that is not readily available (e.g. to draw conclusions about a possible user from a specific IP address via an Internet service provider).

VI. With whom will your Personal Data be shared?

We will share your personal data with the following categories of recipients:

1. Hosting providers

We do not host our ticketing system on our own servers but use a web hosting service provider. This is Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Irland (‘Google’). This is a data processor with whom we have entered into a data processing agreement in accordance with Art. 28 GDPR. If you have questions on how Google processes personal data, please refer to the Google Clould Privacy Notice, which can be found here: https://cloud.google.com/terms/cloud-privacy-notice.

2. Carrier

As we act as a retailer and the tickets are ultimately issued by the carrier, we also share your personal data with them.

3. Moovit

Since we are cooperating with Moovit App Global Ltd., 2 Ilan Ramon St., Nes-Zionna, Israel (“Moovit”), which offers the Moovit App, your personal data will also be shared with Moovit App Global Ltd., who will process your personal data to provide your ticket information in the Moovit App and set forth in Moovit’s Privacy Notice. If you have questions on how Moovit App Global Ltd. processes personal data, please refer to the Moovit Privacy Notice, which can be found here: https://moovit.com/legal/privacy-policy-en/.

4. Payment Service Provider (PSP)

We work together with various PSPs to process payments initiated through our ticketing system. To process such payments, the payment data (e.g. credit card number, name, security credentials) will be forwarded to and shared with the involved PSP. Distribusion will not retain your payment data.

VII. How long will we retain your personal data?

Data that is processed to perform a contract will be retained for three years from the end of the year in which the contract was fulfilled or completed due to the exchange of services.

Data that is necessarily collected when visiting the website is deleted 30 days after the log file is created.

We delete data that is retained to fulfil legal obligations as soon as the legal retention periods have expired. According to the German Commercial Code (HGB) and the German Tax Code (AO), this is six to ten years for business and commercial letters. We must adhere to these retention period as Distribusion is a company incorporated under German laws.

Data that we process on the basis of our legitimate interest is generally processed for as long as the legitimate interest exists. This depends on the specific individual case. If you would like more information on this, you are welcome to contact us. As it is unreasonable to check every day for each stored date whether the purpose for storage still exists, we may check this at regular intervals. Therefore, data may be retained for a limited period of time (deletion period), even if the legitimate interest has already ceased to exist. The data will not be processed for other purposes within the deletion period.

VIII. Your Rights as a Data Subject and your withdrawal of Consent?

At any time while the Controller owns or processes their personal data, data subjects have the following rights:

1. Right to information

Data subjects have the right to be informed about the collection and use of their personal data which this Privacy Policy is aimed at.

2. Right of access

At the request of a data subject, the Controller will provide information as to whether personal data concerning them are being processed by it or by data processors according to its instructions, what categories of data are processed, what is their source, what are the purpose, legal basis and duration of processing, details of the processor and its activities related to processing, the circumstances and impacts of any personal data breach, the measures taken in order to eliminate them, and, where data are transferred - the legal basis of such transfer and the recipient of the data. Information will be provided free of charge, provided that the party’s request is not manifestly unfounded or excessive. Otherwise, a fee may be charged.

3. Right to rectification

The data subject has the right to request the updating (rectification) of incomplete, inaccurate, inappropriate or obsolete data about them. The Controller must notify of the rectification the data subject and any parties to whom the data were transferred for processing. The notification may be omitted if proved impossible or if it involves disproportionate effort.

4. Right to erasure

Personal data must be erased if they have been processed unlawfully; are no longer necessary in relation to the purposes for which they were processed; the data subject withdraws their consent when the processing was based on such and there is no other legal ground for the processing; if, on grounds relating to their particular situation, the data subject objects to the processing of their data which is performed on the basis of the legitimate interest of the Controller, and there are no overriding legitimate grounds for the processing; the period of data retention prescribed by the applicable legislation has expired; the erasure of personal data has been instructed by court or by the competent supervisory authority.

The Controller may be allowed to retain the data even in the cases listed above if the processing is necessary to ensure compliance with a statutory obligation or for the establishment, exercise or defence of legal claims.

The Controller must notify of the rectification of the data subject and any parties to whom the data were transferred for processing. The notification may be omitted if proved impossible or if it involves disproportionate effort.

5. Right to restriction

Instead of erasing personal data, the Controller may restrict their processing if: the data subject requests so or when the accuracy of the personal data is contested by the data subject - for a period enabling the Controller to verify the accuracy; the processing of the personal data is unlawful and the data subject opposes their erasure and requests the restriction of their processing instead; the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; the data subject has objected to processing of their personal data for direct marketing purposes; pending the verification whether the legitimate interests of the Controller override those of the data subject.

In cases of such restriction, the personal data may only be processed as long as the reason that prevented their erasure continues to exist.

The Controller must notify the data subject and any parties to whom the data were transferred for processing of the restriction of processing. The notification may be omitted if proved impossible or if it involves disproportionate effort.

6. Right to object

On grounds relating to their particular situation, data subjects have the right to object to the processing of personal data performed on the basis of the legitimate interest of the Controller or to the processing for direct marketing purposes. In the latter case, the Controller should suspend such processing immediately upon receiving the objection, without undue delay.

7. Right to object to automatic decision-making, including profiling

Data subjects have the right to object to a decision-making that is based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. If the Controller starts performing such decision-making, the Controller will notify the data subjects thereof.

8. Right to data portability

Data subjects have the right to request the Controller to provide them with the personal data held about them by the Controller in a structured, commonly used and machine-readable format, provided that the Controller processes data based on their consent or contract and the processing is carried out by automated means.

9. Right to withdraw consent for processing

When the Controller processes personal data on the basis of a data subject’s consent, the data subject has the right to withdraw their consent at any time and without paying any fees, bearing in mind that such withdrawal will not affect in any way the lawfulness of the processing performed based on their consent before the withdrawal.

10. Remedies in case of violations of data subject rights

If data subjects consider that their privacy and data protection rights have been violated, they may:

lodge a formal complaint with the respective supervisory authority, which in the case of Distribusion is the Berlin Commissionaire for Data Protection and Information Security (Berliner Beauftragte für Datenschutz und Informationssicherheit - BBDI). The contact details of the BBDI are, as follows:
- Name: Berliner Beauftragte für Datenschutz und Informationssicherheit
- Address: Alt-Moabit 59-61, 10555 Berlin
- E-Mail: mailbox@datenschutz-berlin.de
- Web-site: https://www.datenschutz-berlin.de/
- Phone No.: +49 30 13889-0

2. take legal action before a court to appeal the actions/decisions of the BBDI (after having previously lodged a complaint with the BBDI);

3. bring a legal action in court against the Controller and claim compensation for any damages incurred as a result of the processing of personal data carried out by the Controller.

IX. Am I obliged to provide my Personal Data?

In principle, you are not obliged to provide us with your personal data. However, without the personal data (especially as needed to fulfil our contract with you), we will not be able to provide our services or contact you.

If you view our ticketing system via the Moovit App, you cannot avoid providing the data mentioned under secion IV. 1., as the operation of the Moovit App, especially the implementation of our ticketing system, would otherwise not be technically possible. If you take technical precautions to prevent the transmission of this data, you may not be able to access our ticketing system via the Moovit App. However, you are free to disguise this data (e.g. by using a VPN service or masking) so that we cannot draw any conclusions from this technically necessary data.

X. Automated decision-making and profiling

We do not use automated decision-making or profiling.

XI. Data Security

We have implemented technical and organizational measures to ensure a high standard of data security, data availability and data integrity. All employees are subject to contractual confidentiality obligations and have been informed and instructed accordingly about the confidential handling of personal data.

Moovit, part of Mobileye, is a leading Mobility as a Service (MaaS) solutions provider and creator of the #1 urban mobility app.