Skip to content

Semester ticket app privacy policy

A. General information

Thank you for your interest in our semester ticket app. We take the protection of your personal data very seriously. We handle the personal data processed during the use of the semester ticket app confidentially and in accordance with applicable data protection laws and this privacy policy. We would like to give you detailed information about what personal data we process, for what purposes we process it, whom we share it with, and what control and information rights you may have. We therefore recommend that you read through this privacy policy carefully.

B. Responsibility and contact

Berliner Verkehrsbetriebe AöR, Holzmarktstraße 15-17, 10179 Berlin (referred to below as ‘BVG’ or ‘we’ or ‘our’ or ‘us’) is responsible for the semester ticket app. If you have any questions regarding this privacy policy or the processing of your personal data, please feel free to contact us by email at info-datenschutz@bvg.de.

If you have any questions or criticisms relating to our services, please contact us by email at appsupport@bvg.de.

C. General information on data processing

Eligible students are given the option to upgrade their semester ticket to the Deutschland ticket by paying the price difference between the two tickets. The semester ticket app provides its users with an intuitive and straightforward process for managing subscription matters related to the upgrade. This includes the application, authentication, billing, and issue of the actual eligibility to travel. We process personal data only to the extent necessary to ensure a functioning semester ticket app and provide our content and services.

D. Summary of our processing activities

  • Sign-up and the eligibility check are carried out in joint responsibility with your university, college, or other educational institution (referred to below as ‘institution’). We have entered into a separate agreement with your institution to protect your data. The legal basis is Article 6(1)(b) of the GDPR (see also D.I and D.V.2.a)). 
  • You can use the semester ticket app to upgrade your semester ticket to the Deutschland ticket. For this purpose, we use the data necessary to provide you with the Deutschland ticket in the app. The legal basis for this data processing is Article 6(1)(b) of the GDPR (see also D.II).
  • You can also save and display the Deutschland ticket in your Apple Wallet. For this purpose, your data is shared with Apple. The legal basis for this data processing is Article 6(1)(b) of the GDPR (see also D.II.2 and D.V.2.c))
  • If you contact our customer service, we will process data for the purpose of dealing with your request. The legal basis in this case is Article 6(1)(b) and (f) of the GDPR (see also D.IV.).
  • We use external service providers for some of these data processing operations. This is the case, for example, for payment processing (see also D.V.). 

Definitions

Personal data means any information relating to an identified or identifiable natural person (Article 4(1) of the GDPR). This includes information such as your name, your email address, your date of birth, and your matriculation number. It does not include information that cannot be linked directly to your identity, such as the number of users of a website.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

I. Processing of our data sign-up and eligibility check

You have the option to sign up with a user account in the semester ticket app in order to perform the upgrade to the Deutschland ticket and manage your subscription.  You can sign up either by manually entering and verifying your personal data or by using Shibboleth login if your institution utilises Shibboleth.

1. Manual sign-up and eligibility check

During the manual sign-up process, the following personal data entered in the input boxes in the semester ticket app will be processed:

  • First name and surname
  • Date of birth
  • Institution-related information (matriculation number, university attended, ID)

After you have entered your details, we will check your eligibility to apply for an upgrade of your semester ticket to a Deutschland ticket. The eligibility check is carried out by comparing your sign-up details with the details required to issue the upgrade, as sent to us by your institution. If the eligibility check is positive, you can apply for the upgrade.

The legal basis for this data processing is Article 6(1)(b) of the GDPR. The data is used to provide and manage your user account and to check your eligibility to use the Deutschland ticket.

2. Sign-up and eligibility check with Shibboleth

If your institution uses Shibboleth, you can also sign up with your institution data (username and password) via Shibboleth/SAML identity provider. In this case, the above categories of data will be taken directly from your institution’s student records to create your user account.

Shibboleth is software that can be used for web services and web applications. If Shibboleth is used for the eligibility check, your institution will provide us with the Shibboleth interface. The semester ticket app then offers a login via Shibboleth, which redirects to your institution’s website (as an identity provider). After entering your username and password, the identity provider will verify your identity. If login is successful and the eligibility check is positive, the above categories of data will be transmitted to us for the purpose of creating the upgrade.

The legal basis for this data processing is Article 6(1)(b) of the GDPR, as it is used to provide and manage your user account and check your eligibility to use the Deutschland ticket.

​​​​​​​II. P​​​​rocessing of your data for the Deutschland ticket upgrade

Following sign-up and a positive eligibility check, you can upgrade your semester ticket to a Deutschland ticket by paying the difference in the semester ticket app, i.e. by purchasing and using the Deutschland ticket in addition to your semester ticket. The purchased Deutschland ticket can be displayed in the semester ticket app or transferred to your Apple Wallet.

​​​​​​​​​​​​​​1. Purchase and issue of the Deutschland ticket in the semester ticket app

In addition to the categories of data listed in section I, the BVG processes the following data in order to complete the purchase and issue the Deutschland ticket in the semester ticket app:

  • Email address
  • Date of birth
  • Gender
  • Postcode:
  • Payment information
  • Information on the device used (e.g. operating system, browser, IP address)
  • Period and area of validity for the ticket

This data is required in order to process your ticket purchase and issue the Deutschland ticket. After this, the purchased Deutschland ticket can be displayed in the semester ticket app. The legal basis is Article 6(1)(b) of the GDPR. We will also process your contact data (including your email address) in order to provide you with information on contract-related changes relating to the services we offer in compliance with relevant legislation and provide you with other information required by law. 

2. Transferring the Deutschland ticket to Apple Wallet

In addition to issuing the Deutschland ticket in the semester ticket app, users can also save and display the Deutschland ticket in the Apple Wallet. In this case, the aforementioned categories of data are shared with Apple, which processes them as an independent controller. The legal basis is Article 6(1)(b) of the GDPR (see also D.V.2.c).).

III. ​​​​​​​​​​​​​​Processing of your data for troubleshooting purposes

If there is a problem with the connection between the app and the background system or if the connection is lost, we will save the data associated with the error in your user account in the semester ticket app. This data is collected and processed to troubleshoot the error, optimise the app, and ensure system security.

This information is processed to allow us to pursue our legitimate interest in ensuring the stability and security of both the app and our IT systems (Article 6(1)(f) of the GDPR).

IV. Processing of your data when you contact customer service

If you contact us by email or using the BVG contact form, we will process your personal data in order to determine your reason for contacting us and to allow us to assist or reply to you. This may include, for example, processing of your purchase history in order to find tickets for reimbursement. We will also store your reason for contacting us, your email address, and your name for the purpose of replying to your questions.

The legal bases for the data processing operations set out above are Articles 6(1)(b) and (f) of the GDPR. Article 6(1)(b) of the GDPR is the legal basis for processing requests from customers with whom we have a contract. In addition, we have a legitimate interest in ensuring a smooth customer service experience. We also use your data to ensure that our services function properly and to improve and expedite our data processing processes, e.g. by means of optimised assignment functions.

V. Disclosure of your data 

1. Processors

Personal data may be disclosed to our contracted service providers for processing in accordance with the purposes for which it was originally provided, e.g. to provide offered services or for technical support. Under statutory agreements, we contractually oblige our contracted service providers (‘Processors,’ Article 28 of the GDPR) to use personal data solely for the agreed purposes and not to disclose your personal data to other parties without our consent, unless this is required by law. We make use of the following external service providers to process your data:

  • Digital H GmbH (Am Bahndamm 2, D-41516 Grevenbroich) – semester ticket app operation and support

2. Controllers

We also disclose data to the following third parties, which act in joint responsibility with us or as separate controllers when processing the data:

​​​​​​​a. Your university, college, or educational institution

Sign-up and eligibility checks are carried out in cooperation with your university, college, or other educational institution (‘institution’) or with the student body of your institution. If you sign up manually, we receive from your institution the current data record of students entitled to upgrade to the Deutschland ticket. The data entered during sign-up will be compared with this data record for the purpose of checking eligibility. If your institution uses Shibboleth, the eligibility check is carried out directly via your institution’s Shibboleth interface. The legal basis for this data processing is Article 6(1)(b) of the GDPR. The data is used to provide and manage your user account and to check your eligibility to use the Deutschland ticket.

During sign-up and eligibility checks, we and your institution act as joint controllers pursuant to Article 26 of the GDPR, as the means and purposes of data processing are determined jointly. For this purpose, we have concluded an agreement with your institution in which we specify in a transparent manner who fulfils which obligation under the GDPR. 

​​​​​​​​​​​​​​b. LogPay Financial Services GmbH

For all payment methods, your customer data or the data of the invoice addressee (first name and surname, date of birth, address, gender, email address) will be transmitted to our external financial services provider (currently LogPay Financial Services GmbH, Schwalbacher Straße 72, D-65760 Eschborn, referred to below as ‘LogPay’). The payment method data (account details, credit card details, information on your ticket purchases) is collected directly by LogPay, as claims against you are assigned to LogPay when you purchase a ticket. The legal basis for the data transmission is Article 6(1)(b) and (f) of the GDPR. We have a legitimate interest in outsourcing the handling of payments and the management of claims for the purpose of efficient invoicing, as payment processing involves considerable complexity.

LogPay is the sole controller responsible for processing your personal data. More information on how LogPay processes data can be found at https://www.LogPay.de/EN/datenschutzinformationen/.

Please note: as set out in these policies, if you are not yet a customer of LogPay, LogPay will transmit your data to credit agencies (e.g. Schufa) in order to check your details and creditworthiness to prevent payment defaults.

c. PayPal

You can pay for purchases in the semester ticket app using the online payment service provider PayPal. The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A.., 22-24 Boulevard Royal, L-2449, Luxembourg (referred to below as “PayPal”). If you select PayPal as your payment method, you will be redirected to the PayPal website and the personal data you have entered will be transmitted to PayPal in encrypted form. These data include your name, your address, your telephone number, your IP address, your email address, and order amount.

PayPal is the controller responsible for processing your personal data. The legal basis for the data processing when using PayPal is Article 6(1)(f) of the GDPR. We have a legitimate interest in offering you a wide range of payment options and outsourcing payment processing.

If required for the purpose of completing the order, PayPal may also disclose data to third parties. PayPal will also transmit personal data to credit agencies, e.g. SCHUFA, in order to establish your identity and creditworthiness.

More information on how PayPal processes data can be found at https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE.

d​​​​​​​​​​​​​. Apple Inc.

If you wish to save and display the Deutschland ticket in your Apple Wallet, we will disclose the data required for this to Apple (Apple Inc., Apple Distribution International, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland) after you have clicked on the corresponding link. We will also notify Apple if your subscription is renewed or cancelled so that the ticket is correctly displayed or removed in Wallet.

The legal basis for the data transfer to the Apple Wallet is Article 6(1)(b) of the GDPR. By activating the additional function to save the Deutschland ticket in your Apple Wallet by clicking on the corresponding link, you authorise us to transfer the data required to save and display the Deutschland ticket to Apple. If you do not activate the additional function or remove the Deutschland ticket from your Wallet, we will not transfer any further data to Apple.

In this case, Apple will act as an independent controller for the storage and display of the Deutschland ticket in the Wallet with regard to the data transferred to it. More information on how Apple processes data can be found at https://www.apple.com/legal/privacy/data/en/apple-pay/ .

3. Disclosure of personal data to the authorities

We will only transmit your personal data to public authorities if the information is requested on the basis of statutory requests for information or if the BVG is otherwise legally obliged to transmit the data (Article 6(1)(c) of the GDPR).

4. Disclosure of data within the BVG

We reserve the right to allow another company in the BVG Group to operate the semester ticket app in the future; in the event of such a change of operator, user data will also be disclosed to the new operator. The new operator will then assume all relevant rights and obligations and process personal data in accordance with this privacy policy.

VI. Transfer of personal data to third countries

The BVG does not itself process any personal data in connection with the semester ticket app in countries outside the European Union or the European Economic Area where the GDPR does not apply (‘third countries’). Nevertheless, it is important to note that data processing by the service providers we employ may occur in third countries. Please note that data processed in other countries may be subject to foreign laws and may be accessible to the governments, courts, law enforcement authorities, and regulatory authorities of those countries. If your personal data is transferred to third countries, however, we will take appropriate measures to adequately secure your data.

Unless an adequacy decision has been adopted by the EU Commission for the recipient country, the transfer of your data to a third country is protected by the fact that EU standard contractual clauses (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en) have been concluded with the recipient or that binding corporate rules exist. Otherwise, the data will only be transferred if a derogation pursuant to Article 49 of the GDPR is applicable. If standard contractual clauses have been agreed, we check that their provisions can generally be complied with in the recipient country. The BVG also takes additional protective measures where necessary to ensure an appropriate level of data protection in the recipient country.

In the case of the service providers we use as processors, we also ensure that these service providers only transfer your personal data to any data recipients in third countries under the conditions set out in Chapter V of the GDPR.

Please note that data processing when storing and displaying the Deutschland ticket in the Apple Wallet is governed by Apple’s specifications. The BVG has no influence on this, as Apple acts as an independent controller (see also D.V.2.c)). It is therefore possible that the data will be transmitted by Apple internally or externally to recipients in third countries.

 E. Data erasure and duration of storage

Your personal data will be stored as long as it is necessary for the fulfilment of the specific purpose. Subsequently, your data will be erased, unless there are legal obligations to retain the data beyond this time or there is legal justification to do so. The following time limits for storage and erasure generally apply:

  • Customer data from user account: storage while the subscription is active and for up to twelve months after erasure of the user account, unless there are legal reasons (e.g. tax reasons, HGB, etc.) to the contrary
  • Ticket purchase/upgrade data: storage for 10 years
  • Data on selected payment method: storage while the subscription is active and for up to twelve months after erasure of the user account, unless there are legal reasons (e.g. tax reasons, HGB, etc.) to the contrary
  • Data from customer service queries: storage for a maximum of three years following handling of the query (time starts at end of respective calendar year)

F. Your data protection rights

Depending on the circumstances in your specific case, you have the right

  • to obtain access to the personal data processed by us and/or request copies of these data. This includes information concerning the purpose of usage, the category of data used, their recipients and authorised users, and, where possible, the planned period for which the data will be stored or, if that is not possible, the criteria used to determine that period;
  • to request the rectification, erasure, or restriction of processing of your personal data, provided that its  use is impermissible under data protection law, in particular because (i) the data is incomplete or incorrect, (ii) the data is no longer required for the purposes for which they were collected, (iii) the consent on which processing is based was withdrawn, or (iv) you have made use of your right to object to processing of your personal data; in cases in which the data is processed by third parties, we will forward your request for rectification, erasure, or restriction of processing to these third parties, unless this proves to be impossible or would involve disproportionate effort;
  • to refuse consent or – without affecting the lawfulness of data processing carried out prior to withdrawal – to withdraw your consent to the processing of your personal data at any time;
  • to request the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and to transmit this data to another controller without hindrance from us; you also have the right to have the personal data transmitted directly from us to another controller, where technically feasible;
  • to take legal action or appeal to the data protection supervisory authorities, if you are of the opinion that your rights have been infringed due to processing of your personal data that is not in compliance with data protection regulations.
  • You also have the right to object to processing of your personal data at any time, free of charge, and with effect for the future:
  • where we process your personal data for direct marketing purposes
  • where we process your personal data in pursuance of our legitimate interests and on grounds relating to your particular situation

You can exercise your rights at any time by sending an email to  info-datenschutz@bvg.de.

If you would like to contact the BVG’s data protection officer directly, please send an email to datenschutz@bvg.de.

G. Amendment clause

We reserve the right to make changes to this privacy policy from time to time. Updated versions are published at https://www.bvg.de/de/deutschlandticket/datenschutz.

Last updated: 15 December 2023