Data protection principles

For us, guaranteeing data protection and privacy is a mark of quality for our customers.

To display our website for you, all we need is your IP address and other technical data. If you wish to use certain special services that we offer via our website, however, it may be necessary for us to process your personal data. If processing personal data is required and there is no legal basis for such processing, we must ask for your consent.

This notice tells you which data we collect from you, how we use it and how you can withdraw consent to the use of your data.


Who is responsible for collecting and processing my data?

DB Systel GmbH, Jürgen-Ponto-Platz 1, 60329 Frankfurt am Main collects and processes your data as the data controller.

The appointed data protection officer is Mr. Gerald Freitag.

If you have any questions or suggestions about privacy at www.dbsystel.de, please contact:

DB Systel GmbH

Jürgen-Ponto-Platz 1

60329 Frankfurt am Main, Germany


E-mail: db.systel.datenschutz@deutschebahn.com

What data do we collect and how and why do we process your data?

We collect and process your data only for specific purposes. These purposes may result from technical requirements, contractual obligations or express wishes of the user.

For technical reasons, however, we must collect and store specific data when you visit www.dbsystel.de. This data includes, for example, the date and duration of your visit, the web pages you used, the identification data of the browser and operating system type in use and the website from which you came to visit us.

Newsletter

If you subscribe to one of our newsletters, the following mandatory information is required:

  • E-mail address

In this case, you are allowing us to use your e-mail address for advertising purposes.

When you subscribe to our newsletter, we store the IP address of the computer system you were using at the time of subscribing. This is provided by the internet service provider (ISP). We also store the date and time at which you subscribed. The collection of this data is mandatory to detect (potential) misuse of the e-mail address of a data subject at a later point in time and therefore provides us with a legal safeguard.

You can unsubscribe from the newsletter at any time by clicking the unsubscribe link at the bottom of your newsletter.

If you object to the use of your data for advertising purposes, your data will be anonymised for use in statistical evaluations only.

When are cookies used?

It is generally possible to use www.dbsystel.de without cookies that are not for technical purposes. This means that you can prevent browser tracking by cookies (do-not-track, tracking protection list) or block storage of third-party cookies. In addition, we advise you to check the saved cookies regularly, unless they are expressly desired.

Please note that, if you delete all cookies, you are also deleting any opt-out cookies, meaning that you must opt out again.

We use session cookies to enable smooth navigation. This is necessary because we provide the website across multiple servers (clusters) for load balancing and increased availability. These cookies are automatically deleted when you close your browser.

Use of Matomo (formerly Piwik)

We use the analysis service Matomo (formerly Piwik) on our website to analyse how our website is used and to improve it regularly. The statistics we gain from this allow us to improve our services and make them more interesting for you as the user. With the help of small text files (cookies), we collect data on how you use our website, which includes your IP address. This data is anonymised and stored on our servers.

Please note that, if you delete all your cookies, you will also delete the deactivation cookie. This means that you will need to opt out of the analysis of your usage behaviour again.

Our website www.dbsystel.de contains integrated YouTube videos. The legal basis for this is point (f) of Article 6(1) of the GDPR.

When you visit www.dbsystel.de, you will find a link that ensures that we submit no data to Google, the operator of YouTube. Google only requests the information from our web server regarding how often the video was clicked.

When you click the link to play the video, you are leaving our website and are forwarded to YouTube. When you do this, Google, the operator of YouTube, sets cookies and pixel tags to personalise the adverts and search results. Google is solely responsible for this data processing as the operator of YouTube. We do not know nor can we influence which data is processed when this happens. Further information can be found here:

https://www.google.de/intl/de/policies/privacy (German only)

Our website, www.skydeck.deutschebahn.com, includes Twitter widgets to allow tweets from our Twitter account to be displayed. For this purpose, a connection to Twitter is established. Log data is transmitted to Twitter and a cookie is stored on your computer. According to the company's own statements, Twitter starts to delete, de-identify or aggregate this data after a maximum of ten days; this is usually instantaneous, but in some cases may take up to a week. For more information, see the Twitter privacy policy: https://twitter.com/privacy?lang=de

Legal basis of data processing:

If we ask for and receive your consent to perform processing operations on your personal data, your consent is considered, in accordance with point (a) of Article 6(1) of the GDPR, to give us the legal basis to perform such processing operations.

If we process personal data that is required in order to perform a contract that we have concluded with you, then the contract is the legal basis in accordance with point (b) of Article 6(1) of the GDPR. Point (b) of Article 6(1) of the GDPR also applies to processing operations that are required in order for us to take steps before a contract is entered into; for example, in the event of enquiries relating to our products or services.

If our company is subject to a legal obligation that requires us to process personal data – such as a tax obligation – then the legal basis for processing is point (c) of Article 6(1) of the GDPR.

In order to ensure the continuous improvement of our content, we store and analyse pseudonymised usage data from online activities. The legal basis for this is point (f) of Article 6(1) of the GDPR.

We are also interested in maintaining the customer relationship with you and sending you information and offers that we believe match your wishes and interests. For this reason, we process your data on the basis of point (f) of Article 6(1) of the GDPR (also with the help of service providers) to send you information and offers. We use your contact data (last name, first name, postal address) to send advertising by post and for market research if you do not opt out of this kind of use of your data. We may also use the e-mail address that we have obtained from our business relationship with you for commercial purposes.

You can opt out of the use of your data for targeted advertising at any time, taking effect for the future. You can send your objection to:

DB Systel GmbH

Jürgen-Ponto-Platz 1

60329 Frankfurt, Germany

Alternatively, you can send us an e-mail at db.systel@deutschebahn.com (advertising opt-out).

Do you share my data with other parties?

Processing contracts generally requires the involvement of order processing specialists working under orders, e.g. computer centre operators, printing service providers, delivery service providers or other parties involved in contract processing.

The external service providers that we hire to process data are carefully selected and subject to strict contractual obligations. The service providers follow our instructions, and this is guaranteed by contractual regulations, technical and organisational measures, as well as supplementary checks and controls.

Furthermore, transmission of your data only takes place where you have given your express consent or on the basis of a statutory requirement.

Data will not be transferred to third countries outside the EU/EEA or to an international organisation unless appropriate guarantees have been provided. These include the EU standard contractual clauses and an adequacy decision from the European Commission.

How long do you store my data?

We store your data only for as long as is necessary to fulfil the purpose for which the data was collected (for example in the context of a contractual relationship), or to comply with statutory requirements. Thus, in the context of a contractual relationship, we will store your data at least until full and final completion of the contract. The data will then be retained for the duration of the legal retention periods.

What rights do users of www.dbsystel.de have?
  • You can request information as to what personal data pertaining to you is stored.
  • You can request us to correct, delete or restrict the processing (block) of your personal data, provided these actions are permitted by law and in compliance with existing contractual conditions.
  • You have the right to file complaints with a supervisory authority. The supervisory authority responsible for DB Systel GmbH is: Der Hessische Datenschutzbeauftragte, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Poststelle@datenschutz.hessen.de
  • You have the right to the portability of data you have made available to us on the basis of consent or a contract (data portability).
  • If you have given us your consent to process your data, you can withdraw this consent at any time, using the same methods that you used to give your consent. Any processing of your personal data that took place from the time at which you granted your consent to the time at which you withdrew it will still be considered to have been lawful.
  • You have the right to object, on grounds arising from your particular situation, to the processing of your personal data based on our overriding legitimate interest or where it is necessary for the performance of a task carried out in the public interest.
  • You can opt out of targeted advertising at any time. This takes effect for the future (advertising opt-out).

To exercise this right, simply send a letter to the above-named controller or an e-mail to db.systel.datenschutz@deutschebahn.com.

Data protection notice for our social media channels

What data do we collect, and why and how do we process it?

We have our own presence on various social media platforms. Our objective is to provide you with a broad, multimedia offering and to interact with you on issues that are important to you. In addition to the respective provider of a given social network platform, we collect and process personal user data on our fan pages. In this notice, we will inform you about what data we collect from you on each social media platform, how we use it and how you can raise an objection to the use of the data. Please see each offering, detailed in the following, for the respective purposes of data processing and data categories. The activities that we operate, detailed in the following, on social media platforms are carried out on the basis of interests considered according to Art. 6 (1) (f) of the GDPR.

Instagram

https://www.instagram.com/db_skydeck/

If you visit our fan page, personal data is saved and processed by Facebook Ltd., 4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland, the operator of Instagram, in accordance with the Data Privacy Policy of Instagram. You can find the Data Privacy Policy here.

We additionally process your data within a very limited scope:


For the purpose of appropriate design and continuous optimisation of our webpages, we utilise Instagram Insights, a statistics service. This service records your activities on our webpage and provides this data to us in the form of anonymous statistics. This service provides us with insights into, among other things, the interactions of the fans who visit us, calls of our pages, the coverage of posts, information about the activity of our subscribers and information about the countries and cities where our users are from and information about gender ratios of our users. It is not possible for the administrator to derive indications about individual users or to access user profiles.

In addition, we can save user names and comments that are deleted due to a breach of netiquette. These are retained only within the statutory period of limitation for the purpose of providing any required evidence in the case of legal disputes.

Having contacted users publicly and with no obligation, we ask them publicly for permission to repost their images on the Instagram channel DB_Skydeck. We store a screenshot of the declaration of consent and the image as a file along with the user's name. The photos and declaration of consent are stored for as long as the photo is posted on the channel or until consent is withdrawn. For technical reasons, the reposted photo is stored on the server of Instagram [Facebook Ltd., 4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland]. Consent can be withdrawn at any time (see below for details). If consent is withdrawn, the image is immediately deleted along with the name of the user.

Twitter

The Twitter channel is used for PR and media activities as well as interaction with our followers on all topics concerning our company.

If you visit our channel, personal data is saved and processed by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, as the operator of Twitter, within the scope described in the Privacy Policy. You can find the Data Privacy Policy here.

Outside of this, we save and process none of your personal data. Your user name is saved only if you send us a direct message.

In addition, we save the user names and comments that are deleted due to a breach of netiquette. These are retained only within the statutory period of limitation for the purpose of providing any required evidence in the case of legal disputes.

YouTube

The YouTube channel "DB Systel GmbH" is used for presenting our products and services, in addition to making available specialist presentations by our experts. Also on YouTube, we post replies to users' questions and comments.

When you visit YouTube, personal data is saved and processed by Google LLC ("Google"), Amphitheatre Parkway, Mountain View, CA 94043, USA, which operates YouTube in accordance with the Google Privacy Policy. You can find the Data Privacy Policy here.

We additionally process your data to a very limited extent:

Where a user violates netiquette, we save the user names and comments that are deleted due to the breach of netiquette. These are retained only within the statutory period of limitation for the purpose of providing any required evidence in the case of legal disputes.

LinkedIn

When you visit our website at LinkedIn, personal data is saved and processed by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA, to the extent described in the Data Privacy Policy. You can find the Data Privacy Policy here.

Outside of this, we save and process none of your personal data. For the purpose of appropriate design and continuous optimisation of our webpages, we utilise Analytics, a statistics service. This service records your activities on our webpage and provides this data to us in the form of anonymous statistics. This service provides us with insights into, among other things, the interactions of the visitors who visit us, calls of our pages, the coverage of posts, information about the activity of our subscribers and information about the countries and cities where our users are from and information about gender ratios of our users. It is not possible for the administrator to derive indications about individual users or to access user profiles.

In addition, we can save user names and comments that are deleted due to a breach of netiquette. These are retained only within the statutory period of limitation for the purpose of providing any required evidence in the case of legal disputes.

Do you share my data with other parties?

Making our products and services available generally requires the involvement of order processing specialists working under orders, e.g. computer centre operators, printing service providers, delivery service providers or other parties involved in contract processing.

The external service providers that we hire to process data are carefully selected and subject to strict contractual obligations. The service providers follow our instructions, and this is guaranteed by contractual regulations, technical and organisational measures, as well as supplementary checks and controls.

Furthermore, transmission of your data only takes place where you have given your express consent or on the basis of a statutory requirement.

We wish to point out that, when data is processed by Instagram, Twitter and YouTube, user data may be processed outside the territory of the European Union. This may entail risks for users, e.g. by making it more difficult to enforce users' rights. For details, please read the privacy statements of Instagram, Twitter and YouTube. With regard to US providers certified under the Privacy Shield, we wish to point out that such providers thereby undertake to comply with EU data privacy standards.

We will not transfer data to third countries outside the EU/EEA or to an international organisation unless appropriate guarantees have been provided. These include the EU standard contractual clauses and an adequacy decision from the European Commission.

When will my data be deleted?

Where we have collected personal data from you, we store that data only for as long as necessary for fulfilling the purpose for which the data was collected (e.g. under a contract) or where this is provided for by law. Thus, in the context of a contractual relationship, we will store your data at least until full and final completion of the contract. The data is then stored for the mandatory retention period. 

What rights do users have?

You can request information as to what personal data pertaining to you is stored.

You can request us to correct, delete or restrict the processing (block) of your personal data, provided these actions are permitted by law and in compliance with existing contractual conditions.

You have the right to file complaints with a supervisory authority. The supervisory authority responsible for DB Systel GmbH is: Der Hessische Datenschutzbeauftragte, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Poststelle@datenschutz.hessen.de

You have the right to the portability of data you have made available to us on the basis of consent or a contract (data portability).

If you have given us your consent to process your data, you can withdraw this consent at any time, using the same methods that you used to give your consent. Any processing of your personal data that took place from the time at which you granted your consent until the time at which you withdrew it will be considered to have been lawful.

You have the right to object, on grounds arising from your particular situation, to the processing of your personal data based on our overriding legitimate interest or where it is necessary for the performance of a task carried out in the public interest.

You can opt out of targeted advertising at any time. This takes effect for the future (advertising opt-out).

To exercise this right, simply send a letter to the above-named controller or an e-mail to db.systel.datenschutz@deutschebahn.com.

With regard to data processing on social networks, we advise you to contact the relevant social network directly in case of information requests or other questions about user rights, such as a deletion request, since only the relevant social network [Instagram, YouTube, Twitter] has full access to your user data. If in future you no longer wish your data to be processed in the manner described here, you can remove the link between your user profile and our relevant page by using the functions "I no longer like this page" and/or "No longer subscribe to this page".


Update to the data privacy notice

We update our data protection notice whenever functions or legal situations change. For this reason, we recommend that you refer back to our data protection notice at regular intervals. In cases where your consent is required or parts of our data protection notice involve provisions in contractual relationships that we have with you, the changes will only take place with your consent.

Last modified 04.05.2020