Privacy Policy

Collecting general information

Privacy policy

I. Controller name and address

The controller within the meaning of the General Data Protection Regulation and other national data protection laws in the Member States, as well as other data protection provisions is:

Metroplan Holding GmbH
Ludwig-Erhard-Straße 18,
20459 Hamburg
Telephone +49 (0) 40 2000 07 - 01
Fax +49 (0) 40 2000 07 - 11
info@metroplan.de

Managing Directors with power of representation: Ulrich Dantzer, Friedrich-Wilhelm Düsing, Dr.-Ing. Oliver Lieske, Holger Lorenzen, Dr.-Ing. Thomas Mielke

II. Data protection officer name and address

The controller’s data protection officer is:

IITR Datenschutz GmbH
Marienplatz 2
D-80331 Munich
skraska@iitr.de and/or
datenschutz@metroplan.de

III. General data processing information

1. Scope of personal data processing

In principle, we only process our users’ personal data if this is required to provide a functional website and to provide our content and services. Our users’ personal data is generally only processed with users’ consent. An exception applies to cases in which prior consent cannot be obtained for practical reasons and legal provisions permit the processing of the data.

2. Legal basis for processing personal data

If we obtain the data subject’s consent to personal data processing, point (a) of Article 6(1) of the General Data Protection Regulation (GDPR) forms the legal basis for this.

When processing personal data that is required to perform a contract where the data subject is the contracting party, point (b) of Article 6(1) of the GDPR forms the legal basis for this. This also applies to processing that is required to implement pre-contractual measures.

If personal data must be processed to meet a legal obligation that our company is subject to, point (c) of Article 6(1) of the GDPR forms the legal basis for this.

If interests essential for the life of the data subject or another natural person mean that personal data must be processed, point (d) of Article 6(1) of the GDPR forms the legal basis for this.

If processing is required to safeguard our company’s legitimate interests or those of a third party, and such interests override the data subject’s interests, fundamental rights and freedoms, point (f) of Article 6(1) of the GDPR forms the legal basis for this.

3. Data erasure and storage period

The data subject’s personal data is erased or blocked as soon as the storage purpose no longer applies. The data may also be stored if this has been provided for by the European or national legislator in regulations, laws or other provisions under Union law that the controller is subject to. Data is also blocked or erased if a storage period prescribed by the specified standards expires, unless the data must continue to be stored to conclude a contract or to perform a contract.

IV. Provision of the website and creation of log files

1. Description and extent of data processing

Each time our website is accessed, our system automatically collects data and information from the accessing machine’s system.

The following data is collected:

  1. information relating to the browser type and the version used;
  2. the user’s operating system used;
  3. the user’s internet service provider;
  4. the user’s IP address;
  5. the date and time of access;
  6. websites the user visited to link him/her to our website; and
  7. websites the user visits from our website.

The data is also stored in our system’s log files. This data is not stored together with other personal data relating to the user.

2. Legal basis for data processing

The legal basis for temporarily storing data and log files is point (f) of Article 6(1) of the GDPR.

3. Purpose of data processing

It is necessary for the system to temporarily save the IP address to allow the website to be displayed on the user’s machine. The user’s IP address must be saved for the duration of the session in order to do so.

Storage in log files guarantees the functionality of the website. Data is also used to optimise the website and to guarantee the security of our IT systems. The data is not evaluated for marketing purposes in this instance.

Our legitimate interest in data processing is also based on these purposes, pursuant to point (f) of Article 6(1) of the GDPR.

4. Storage period

The data is erased as soon as it is no longer required for the purpose for which it was collected. If data is collected to provide the website, this applies when the session comes to an end.

If data is stored in log files, this is the case after seven days at the latest. It may also be stored for longer. In this case, the users’ IP addresses are erased or distorted such that it is no longer possible to make an association with the accessing client.

5. Option of objection and removal

The collection of data to provide the website and the storage of data in log files is absolutely necessary to operate the website. As such, there is no option for the user to object to this.

V. Using cookies

a) Description and extent of data processing

Our website uses cookies. Cookies are text files that are saved in the web browser or by the web browser on the user’s computer. If a user accesses a website, a cookie may be saved on their operating system. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is visited again.

We use cookies to make our website more user-friendly. Specific elements of our website require the accessing browser to be identified even after the page is changed.

We also use cookies on our website that facilitate the analysis of the user’s surfing behaviour.

The following data may be transmitted in such a way:

  1. search terms entered;
  2. frequency of page views; and
  3. use of website features.

The user’s data that is collected this way is pseudonymised using technical measures. This means that the data can no longer be assigned to the accessing user. Data is not stored together with other personal data relating to the user.

When accessing the website, users are informed about the use of cookies for analysis purposes via an info banner, and a reference is made to this privacy policy. Within this context, there is also a note about how the saving of cookies can be disabled in the browser settings.

b) Legal basis for data processing

The legal basis for processing personal data by using cookies required for technical purposes is point (f) of Article 6(1) of the GDPR.

The legal basis for processing personal data by using cookies for analysis purposes is point (a) of Article 6(1) of the GDPR if the user has consented to this.

c) Purpose of data processing

The purpose of using cookies required for technical purposes is to make the use of the website easier for users. Specific features of our website cannot be offered without the use of cookies. For such features, it is necessary for the browser to be recognised again even after the page has been changed.

User data collected by cookies required for technical purposes are not used to create user profiles.

Analysis cookies are used to improve the quality of our website and its content. Analysis cookies allow us to determine how the website is used, thus enabling us to constantly optimise our website.

We also have a legitimate interest in processing personal data with respect to these purposes pursuant to point (f) of Article 6(1) of the GDPR.

e) Storage period, option of objection and removal

Cookies are saved on the user’s machine and are sent from the machine to our site. As such, you as a user also have total control over the use of cookies. You can disable or restrict cookies being sent by changing your web browser settings. Cookies that are already saved can be deleted at any time. This can be done automatically. If cookies are disabled for our website, you may no longer be able to use all of the features of our website to their full extent.

VI. E-mail contact

1. Description and extent of data processing

You can contact us using the e-mail address provided. In this case, the user’s personal data sent in the e-mail will be stored.

Data is not shared with third parties in this case. Data is exclusively used to process the conversation.

2. Legal basis for data processing

The legal basis for processing data is point (a) of Article 6(1) of the GDPR if the user has consented to this.

The legal basis for processing data sent in an e-mail is point (f) of Article 6(1) of the GDPR. If the objective of e-mail contact is to conclude a contract, the additional legal basis for processing is point (b) of Article 6(1) of the GDPR.

3. Purpose of data processing

We solely process personal data to process your request. This also constitutes our required legitimate interest in data processing.

4. Storage period

The data is erased as soon as it is no longer required for the purpose for which it was collected. For personal data sent by e-mail, this is also the case if the respective conversation with the user has ended. The conversation has ended if it can be deduced from the circumstances that the matter has been clarified in a conclusive manner.

5. Option of objection and removal

The user has the option of withdrawing his or her consent to personal data processing at any time. If the user contacts us by e-mail, he or she can object to his or her personal data being stored at any time. If he or she does so, the conversation cannot be continued.

Any personal data that has been saved as part of the communication is erased in such a case.

VII. Web analysis by Google Analytics

This website uses Google Analytics, a web analysis service from Google Inc. (‘Google’). Google Analytics uses ‘cookies’, text files that are saved on users’ computers that allow website use to be analysed. Information collected by the cookie about users’ use of this website is generally sent to a Google server in the USA and saved there.

The following data is collected:

  1. two bytes of the IP address of the user’s accessing system;
  2. the website accessed;
  3. the website the user visited to link him/her to the website (referrer);
  4. the subpages accessed from the website;
  5. the length of stay on the website; and
  6. the frequency of website access.

We use IP anonymisation on our website. This means that your IP address is truncated by Google within the member states of the European Union or in other signatory states to the Agreement on the European Economic Area before it is stored. A full IP address is only sent to a Google server in the USA and truncated there in exceptional cases. By order of the operator of this website, Google will use this information to evaluate the use of the website by users, to compile reports about website activities and to provide other services to the website operator that relate to website and internet use. In relation to these purposes, our legitimate interests also lie in such data processing. The legal basis for using Google Analytics is Section 15 Paragraph 3 of the German Telemedia Act (Telemediengesetz, TMG) and point (f) of Article 6(1) of the GDPR. Data sent by us and data linked to cookies, user IDs or ad IDs is automatically erased after 14 months. Data is automatically erased once a month if the storage period has expired.

The IP address sent from your browser as part of Google Analytics is not merged with other Google data. You can prevent cookies from being saved by changing your browser settings; please note that in this case, you may be unable to use all of this website’s functions to their full extent. You can also prevent the data generated by the cookie relating to your use of the website (incl. your IP address) from being captured and processed by Google by downloading and installing the browser plug-in available at the following link:

http://tools.google.com/dlpage/gaoptout?hl=de

You can also prevent data from being collected by Google Analytics by clicking on the following link. This will place an opt-out cookie on your machine that will prevent your data from being collected when you visit our website in future:

Disable Google Analytics

If you delete cookies, then you must click on the link again.

VII. Application process

1. Description and extent of data processing

If you send an application to us, the personal data you send is stored.

The data may be shared with public bodies if overriding legal regulations apply. The data may also be shared with external service providers or other contractors for the purposes of data processing and hosting, etc.

Data is only shared with other external bodies if the data subject has consented to this, or if it is permitted based on an overriding interest. Data is exclusively used to process the application.

Processors outside the European Union may also be used within the scope of executing the contract, e.g. e-mail providers, etc.

2. Legal basis for data processing

The legal basis for processing data is point (a) of Article 6(1) of the GDPR if the user has consented to this. The additional legal basis for processing in the case of applications is point (b) of Article 6(1) of the GDPR.

3. Purpose of data processing

Personal data is only processed to process the application.

4. Storage period

The data is erased as soon as it is no longer required for the purpose for which it was collected.

5. Option of objection and removal

The applicant has the option of withdrawing his or her consent to personal data processing at any time. In this case, it is not permitted for the application to be processed further. Any personal data that has been saved as part of the application is erased in such a case.

IX. Client data/data relating to interested parties

1. Description and extent of data processing

If you contact us as a client or an interested party, the personal data you send to us is stored.

The data may be shared with public bodies if overriding legal regulations apply. The data may also be shared with external service providers, subcontractors or other contractors for the purposes of data processing, sending information to service providers for printing and sending, as well as call centres, etc.

Data is only shared with other external bodies if the data subject has consented to this, or if this is permitted based on an overriding interest, e.g. credit checks when buying on account or for sending information electronically, etc. 

2. Legal basis for data processing

The legal basis for data processing is point (b) of Article 6(1) of the GDPR.

3. Purpose of data processing

Personal data is processed to perform a contract.

4. Storage period

The data is erased as soon as it is no longer required for the purpose for which it was collected. Application data is generally deleted within four months of notification being given of the decision, unless consent has been given for a longer data storage period as part of being included in the pool of applicants.

5. Option of objection and removal

If processing is required to perform a contract, the data subject has no option to object.

X. Supplier data

1. Description and extent of data processing

We store our suppliers’ personal data. This includes data shared by the supplier to perform a contract and, where applicable, additional data for processing on the basis of your explicit consent.

The data may be shared with public bodies if overriding legal regulations apply, e.g. tax authorities, customs, etc.

The data may also be shared with external service providers or other contractors, e.g. for the purposes of data processing and hosting, accounting and payment processing, etc.

Data is only shared with other external bodies if the data subject has consented to this, or if this is permitted based on an overriding interest.

Processors outside the European Union may also be used within the scope of executing the contract, e.g. e-mail providers, etc.

2. Legal basis for data processing

The legal basis for data processing is point (b) of Article 6(1) of the GDPR.

3. Purpose of data processing

Personal data is processed to perform a contract.

4. Storage period

The data storage period is based on statutory retention duties and is generally 10 years.

5. Option of objection and removal

If processing is required to perform a contract, the data subject has no option to object.

XI. Data subject rights

If personal data relating to you is processed, you are a data subject within the meaning of the GDPR and you have the following rights with respect to the controller:

1. Right of access

You may request from the controller confirmation as to whether or not personal data concerning you is being processed.

If this is the case, you can request the following information from the controller:

(1)   the purposes intended for the processing of the personal data;

(2)   the categories of personal data processed;

(3)   the recipients and/or categories of recipients to whom the personal data relating to you has been or will be disclosed;

(4)   the planned storage period for the personal data relating to you or, if specific information is not available, criteria used to determine the storage period;

(5)   the existence of the right to request from the controller rectification or erasure of personal data, restriction of processing of personal data concerning you or to object to such processing;

(6)   the right to lodge a complaint with a supervisory authority;

(7)   any available information about the origin of the data, if the personal data was not collected from the data subject; and

(8)   the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and - at least in those cases - meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request confirmation as to whether the personal data relating to you has been transmitted to a third country or an international organisation. In this regard, you may request to be informed about suitable guarantees pursuant to Article 46 of the GDPR in connection with the transmission.

2. Right to rectification

You have a right to obtain from the controller the rectification and/or completeness if the processed personal data relating to you is inaccurate or incomplete. The controller must rectify the data without undue delay.

3. Right to restriction of processing

You may request the restriction of processing of personal data relating to you if the following conditions are met:

(1)   if the accuracy of the personal data relating to you is contested for a period enabling the controller to verify the accuracy of the personal data;

(2)   the processing is unlawful and you oppose the erasure of the personal data and request that its use is restricted instead;

(3)   the controller no longer needs the personal data for the purposes of the processing, but it is required by you to assert, exercise or defend legal claims; or

(4)   if you have objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override your reasons.

Where processing of the personal data relating to you has been restricted, this data may - with the exception of storage - only be processed with your consent or to assert, exercise or defend legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If processing has been restricted pursuant to the above conditions, you shall be informed by the controller before the restriction of processing is lifted.

4. Right to erasure

a) Erasure obligation

You may request from the controller the erasure of personal data concerning you without undue delay and the controller is obligated to erase this data without undue delay where one of the following grounds applies:

(1)   the personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

(2)   you withdraw consent on which the processing is based pursuant to point (a) of Article 6(1), or point (a) of Article 9 (2) of the GDPR, and where there is no other legal basis for the processing;

(3)   you object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR;

(4)   the personal data relating to you has been unlawfully processed;

(5)   the personal data relating to you must be erased to comply with a legal obligation under Union or Member State law that the controller is subject to; or

(6)   the personal data has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

b) Sharing information with third parties

Where the controller has made the personal data public and is obligated pursuant to Article 17(1) of the GDPR to erase the personal data, the controller, taking into account the available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that you as a data subject have requested the erasure by such controllers of any links to, or copies or replications of, such personal data.

c) Exceptions

There is no right to erasure if the processing is required

(1)   to exercise the right of freedom of expression and information;

(2)   to comply with a legal obligation which requires processing under Union or Member State law that the controller is subject to, or to carry out a task that is in the public interest or exercises the official authority vested in the controller;

(3)   for reasons of public interest in the area of public health pursuant to points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR;

(4)   for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR in so far as the right referred to in Section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(5)   to assert, exercise or defend legal claims.

5. Right of information

If you have asserted your right to rectification, erasure or restriction of processing against the controller, the controller is obligated to communicate such rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data relating to you has been disclosed, unless this proves impossible or involves disproportionate effort.

You also have the right to be informed of these recipients by the controller.

6. Right to data portability

You have the right to request from the controller that you receive the personal data concerning you, which you have provided us, in a structured, commonly used and machine-readable format. You also have the right to have this data transmitted to another controller without hindrance from the controller to which the personal data has been provided, provided that:

(1)   processing is based on your consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR or on a contract pursuant to point (b) of Article 6(1) of the GDPR; and

(2)   the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons may not be compromised by this.

That right to data portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions.

The controller will no longer process personal data relating to you unless it can prove that there are compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or if processing serves to assert, exercise or defend legal claims.

If the personal data relating to you is processed for direct marketing, you have the right to object to the processing of the personal data relating to you for such marketing at any time; this also applies to profiling if it relates to such direct marketing.

If you object to processing for the purposes of direct marketing, the personal data relating to you is no longer processed for these purposes.

You have the option of exercising by automated means your right to object to the use of information society services - notwithstanding Directive 2002/58/EC - where technical specifications are used.

8. Right to withdraw consent under data protection law

You have the right to withdraw your consent given under data protection regulations at any time. By withdrawing your consent, the lawfulness of processing previously carried out on the basis of consent will not be affected by this.

9. Automated individual decision-making, including profiling

You have the right to not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or which similarly significantly affects you. This does not apply if the decision:

(1)   is necessary for entering into, or the performance of, a contract between you and the controller;

(2)   is authorised under Union or Member State law that the controller is subject to and which also sets out suitable measures to safeguard your rights and freedoms and legitimate interests; or

(3)   which takes place with your explicit consent.

However, these decisions shall not be based on special categories of personal data referred to in Article 9(1) of the GDPR, unless point (a) or (g) of Article 9(2) of the GDPR applies and suitable measures have been taken to safeguard your rights, freedoms and legitimate interests.

With respect to the cases referred to in points (1) and (3), the controller shall take suitable measures to safeguard your rights, freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a supervisory authority for data protection, with particular reference to authorities in the Member State in which you work, reside or in which the suspected breach took place, if you are of the opinion that the processing of personal data relating to you breaches the GDPR, regardless of any other legal remedies under administrative law or through the courts.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.