Privacy policy

Data protection information pursuant to Art. 13, 14 DSGVO for the M-Login

Status: 25.01.2024

1. Responsible entity

The service provider of the M-Login (login.muenchen.de) and the party responsible under data protection law is Stadtwerke München GmbH, Emmy-Noether-Straße 2, 80992 Munich, datenschutz.stadtwerke@swm.de ("SWM"). For further so-called joint controllers according to Art. 26 GDPR, see section 4.2. M-Login is offered as a website (login.muenchen.de).

 

2. Contact details of the data protection officer

Stadtwerke München GmbH
Data Protection Officer
Emmy-Noether-Straße 2
80992 München
E-Mail: datenschutz@swm.de

 

3. Processing purposes

3.1. Access to and informational use of the website

Each time you visit this website, your browser automatically sends the following data to our website server: IP address of your requesting internet-capable device; date and time of your access to the website; website/application from which the access was made (referrer URL); your browser type with version and language; operating system of your internet-capable computer; your internet service provider; the sub-websites you are visiting; files downloaded from our website (e.g. PDF or Word documents); website accessed; website previously visited.

The temporary storage of the IP address for the duration of the use of our website is necessary to provide you with our website and its contents.

In addition, the further processing of the data described in 3.1. (1. paragraph) is performed in order to optimize our website, to ensure the long-term functionality, security and stability of our website and connected IT systems and to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.

The legal foundation for this data processing is Art. 6 para. 1 lit. f DSGVO. The legitimate interest derives from the above-mentioned purposes of providing the content of the website accessed by the user, optimization of the website and system security and stability, as well as procedures in the event of cyber attacks.

The above data will be deleted as soon as the use of the service (use of the website) ends.

3.2 Registration for and use of M-Login

The M-Login is a single sign-on service of SWM, which provides you with clear and central user profile management as well as secure and central login (single sign-on) for connected services of the service companies ("connected services" such as HandyParken München, MVG Fahrinfo München etc.). For details, see item 6.

In order to use the M-Login, you must register.

We process the personal data you provide during registration to fulfill the contract for the use of our single sign-on service and, upon your approval, to perform pre-contractual measures for the use of the connected services. We will check if your given address exists. The legal foundation for this is Art. 6 para. 1 sentence 1 lit. b DSGVO.

SWM will process your above-mentioned data for as long as it is necessary for the aforementioned purposes.

3.3 Payment data

You have the option to store payment details on the website. You can share these details with connected services to pay for paid services. Your approval gives the respective connected service access to the payment data listed in detail below. Processing by the respective affiliated service is governed by its privacy and data protection policy.

3.3.1 SEPA Direct Debit

We will change our payment service provider for SEPA direct debit in February 2023. Therefore, in a transition period between 01.02.2023 and 28.02.2023, all users who use this payment method will be switched to the new payment service provider. You will be affected by the changeover from the time you submit a SEPA direct debit mandate in favor of our new payment service provider, Novalnet AG, upon request.

If you wish to deposit a SEPA direct debit as a means of payment, we will ask you to enter the following personal data: IBAN, account holder. This data is transmitted to the payment service provider Novalnet AG, which handles the payment processing. To reduce the risk of non-payment, Novalnet AG performs a credit check. For this purpose, we transmit the following information from your profile: Surname and first name, address and date of birth. In order to be able to pay by SEPA direct debit in the respective affiliated service, you must give Novalnet AG a direct debit authorization for your account, which we also store. In addition, we process the information about the decision as to whether Novalnet AG acquires or does not acquire the claim of the affiliated service. We store this data for as long as you have deposited the SEPA direct debit as a means of payment with us.

We process the above data to fulfill the contract with you on the use of the M-Login. The legal foundation for this is Art. 6 para. 1 sentence 1 lit. b DSGVO.

You can access the data protection information of Novalnet AG here.

3.3.2 Credit card

If you wish to deposit a credit card as a means of payment, we will ask you to enter the following personal data: Card number, expiration date, cardholder if applicable, and security code. Your card type (e.g. VISA, Mastercard, American Express) is determined from the card number. This data is received directly from the payment service provider First Data GmbH. We do not have access to this data and do not store this data. As part of the strong customer authentication according to PSD2, the bank that issued your credit card may ask you for additional information that you have agreed with it. We do not have access to this data either.

After successful validation, First Data GmbH transmits the following personal data to us: a credit card replacement number, the card type, the last four end digits of the credit card number and the expiration date. We store this data as long as you have deposited the credit card as a means of payment with us.

We process the above data to fulfill the contract with you on the use of the M-Login. The legal basis for this is Art. 6 para. 1 sentence 1 lit. b DSGVO.

You can access the data protection information of First Data GmbH here.

3.4 Driver's license data

You have the option to store information about your driver's license on the website.

To do this, you must have us verify your driver's license. For verification, we capture and analyze photos of the front and back of your driver's license. We delete the photos no later than 90 days after the verification is completed.

After successful verification of your driver's license, we store the following personal data from this:

  • Validity of the driver's license
  • Driver's license number
  • Place and authority of issue
  • Date of issue
  • Vehicle classes
  • Date of birth
  • Verification status
  • Verification date

You can share this information with connected services if a driver's license is required to use them (e.g., car rental). Processing by the respective affiliated service is governed by its privacy policy.

We store this data for as long as you have the information on your driver's license on file with us.

We process the above data to fulfill the contract with you on the use of the M-Login. The legal foundation for this is Art. 6 para. 1 sentence 1 lit. b DSGVO.

3.5 Anonymization and statistical analysis

Beyond the actual performance of the contract, we process your personal data in a permissible manner in order to anonymize it for analysis purposes.

The legal foundation for this is Art. 6 para. 1 sentence 1 lit. b in conjunction with Art. 5 para. 1 lit. b, Art. 89 para. 1 DSGVO.

3.6 Consents ("approvals")

3.6.1 Consents in connection with market research and advertising

In the registration process we ask you if you

  • would like to subscribe to our newsletter;
  • consent to us contacting you by email for market research purposes;
  • agree that we may analyze whether and how you use the services connected to the M-Login for the purpose of creating offers that are optimally tailored to you and further agree that the services you use may transmit certain usage data to us for this purpose and that we may combine this data with our information about you from the M-Login and, in addition, with microgeographic data at the address level in accordance with your consent, and
  • consent to our sending you these offers, optimally tailored to you, from the services connected to the M-Login by e-mail.

You can also give these consents after completing registration. If you consent (activate one or more "approvals") on the "My approvals" page at login.muenchen.de, your personal data specified in the respective declaration of consent will be processed by us for the respective purpose (newsletter dispatch, contacting for market research, data analysis, dispatch of optimally tailored offers of the affiliated services).

Information specifically regarding consent to the transmission of your data by the services used to us for the purpose of creating and sending offers that are optimally tailored to you: You are free to decide whether usage data is transmitted to us by the services you use. If you give your consent to this, we will combine and evaluate the personal data you have provided in the declaration of consent. We analyze which connected services you use and how often, which goods or services you order or have ordered in the past on the services you use, and which search queries you perform on the services you use.

In addition, we use the location of your device for the analysis, if this is collected when you use the service (e.g., because you have a traffic app automatically determine your departure point), as well as other profile information (e.g., favorites, specified interests). We also supplement your user profile with address-level microgeographic data for this purpose. Exemplary characteristics of such aggregated data, information and features are - partly estimated or calculated - demographic information, affinities, milieu and household information, building information etc., which we take for example from the respective current census of the Federal Statistical Office. This allows conclusions to be drawn, such as whether a particular address is likely to be a single-family home or an apartment building, or whether there is probably an above-average affinity for e-cars.

An overview of the services connected to the M-Login can be found here in section 6 of this data protection notice. If you are registered with M-Login, you can see on the website under "Services" which of these connected services you are currently using and which you are not. The services used are covered by your consent.

3.6.2 Legal basis and revocation

The legal basis for data processing is Art. 6 para. 1 lit. a DSGVO if you have given your consent.

Your consent is voluntary. You may refuse it without any adverse consequences for you, or revoke it at any time for the future without giving reasons, either by logging in on our website and deactivating the corresponding approval under "Approvals" or by using the unsubscribe link contained in every newsletter, every e-mail sent with offers optimally tailored to you and every contact e-mail for market research.

By such revocation to us, you simultaneously revoke your consent to the transmission of usage data by the services you use.

3.7 Cookies

We use cookies on our website. Cookies are small text files and contain a characteristic string that enables identification of the browser when the website is accessed again.

In our cookie banner you can make detailed cookie settings for this website; for example, you can allow only required cookies.

3.7.1 Use of required cookies

We use technically required cookies that ensure smooth use of the website and enable numerous basic functions. You can find more information about these cookies in the data protection settings (cookie symbol) at login.muenchen.de. In addition, the following cookies are technically required for login and registration:

  • MLOGIN_SESSION: expires after approx. 1 year, required for session management
  • mlogin: expires after the session ends, required for session management
  • lbmlogin: expires after the session ends, required for session management
  • mlogin-persistent: expires after approx. 6 months, required for session management

The legal foundation for the data processing is Art. 6 para. 1 lit. f DSGVO, § 25 para. 2 TTDSG. The legitimate interest to collect data derives from the purpose of providing the informational function of the website called up by the user and the simplification of the website.

You can also visit our website without cookies. If you do not want to use cookies, you can deactivate or restrict them completely in your browser. This may, however, lead to functional restrictions of our website. If you want to log in, cookies are required.

The following list provides more information on how to deactivate or manage your cookie settings in the browser you use:

Google Chrome

Firefox

Microsoft Edge

Safari

3.7.2 Use of cookies for web analysis

Our website uses the web analysis tool Matomo (Piwik) to statistically analyze usage. Through the statistics obtained, we can improve our offer and make it more interesting for you.

We process the following data:

  • the IP address (anonymized by zeroing an octet);
  • the accessed website, time and duration of stay;
  • the source from which the user arrived at the accessed website (e. g. search engine, social media, website or campaign);
  • the use of the website (which target pages are called up how often, click paths, view of and interaction with page elements such as links, buttons, navigation elements, videos, downloads, bounce rates and the time spent on the individual pages, search entries, scroll depth, return);
  • Conversion goals (e. g., number of newsletter subscriptions);
  • Information from the end device: operating systems, browsers and end devices (incl. resolution) with which the website is accessed.

The processing of the data takes place exclusively under our responsibility.

For more information about the analysis tool Matomo (Piwik), see the link.

The legal basis for the web analysis is Art. 6 para. 1 p. 1 lit. f DSGVO. The processing serves the purpose of evaluating visitor numbers and usage of our service and thus improving our service. We have a legitimate interest in this. If you wish to object to the processing, you can do so in the privacy settings (cookie icon at the edge of the browser).

We place a web analytics cookie on your browser. The legal basis is your consent according to Art. 6 para. 1 p. 1 lit. a DSGVO, § 25 para. 1 TTDSG.
In the privacy settings (cookie icon at the edge of the browser) you can get more information about the cookies set and their storage period.

The legal basis for the reading of your above-mentioned device information is your consent according to Art. 6 para. 1 p. 1 lit. a DSGVO, § 25 para. 1 TTDSG.

If you wish to revoke your consent, you can do so in the privacy settings (cookie icon at the edge of the browser).

3.7.3 Use of cookies for advertising analysis

We use the web analysis tool Matomo on some pages of our website (esp. "landing pages", which you reach via links in promotional emails) to statistically evaluate the success of advertising campaigns (e.g. promotional emails). The following data are processed for this purpose:

  • the M login session ID
  • the IP address of the calling system of the user (anonymized by zeroing an octet);
  • the conversion rate
  • the bounce rate
  • the average session duration
  • the average number of page views
  • the average click-through rate / click-through rate

In addition, the following parameters are stored for campaign-specific tracking:

  • the website URL (https://login.muenchen.de)
  • the campaign name (e.g. LIMA-Jan2020)
  • the campaign source (e.g. LIMA)
  • the campaign medium (e.g. e-mail)
  • the campaign content (to distinguish ads, e.g. Offer-Muenchen; Offer-SWM etc.)

A transmission of the data to third parties does not take place. Collection and evaluation of the data is carried out exclusively by SWM. SWM uses so-called session cookies for advertising analysis, which are deleted when you close your browser. The data will not be linked to your customer account (if any) and will only be used in aggregated, non-personal form for statistical analysis.

With your consent in accordance with Art. 6 para. 1 p.1 lit. f DSGVO, § 25 para. 2 TTDSG, we store advertising analysis cookies in your browser. If you wish to revoke your consent, you can do this in the data protection settings (cookie symbol at the bottom left of your browser). There you can also get more information about the cookies set and how long they are stored.

The legal foundation for the processing of the users' personal data is Art. 6 para. 1 p. 1 lit. f DSGVO. The purpose of the processing is to evaluate the number of visitors and utilization of our service and thereby to improve our service. Our legitimate interest in data processing is, in particular, the measurement of reach and statistical analysis, as well as the optimization of our services tailored to the respective users.

For more information on the functionalities of the web analysis tool Matomo (Piwik), see the link.

3.7.4 Analysis of e-mail usage

If you have signed up for our newsletter or other promotional emails, we analyze your use of the emails you receive as follows:

  • Opens: How often the email was opened is determined by a so-called tracking pixel, which is included in the email. Each download of the tracking pixel is counted.
  • Clicks: The click-through rate is determined by creating links in the email as tracking links. This captures every click.
  • Bounces: A bounce occurs when delivery to an email address was not possible.
  • Sign-offs: Unsubscribes via the unsubscribe link in the email are counted.

A transfer of data to third parties does not take place (outside of section 4.1). Collection and evaluation of the data is carried out exclusively by SWM. The data will not be linked to your customer account (if any) and will only be used in aggregated, non-personal form for statistical analysis.

If you do not want your user behavior to be evaluated, you can unsubscribe from the e-mails at any time with future effect. You will find an unsubscribe link at the bottom of each email.

The legal foundation for the processing of your personal data is Art. 6 para. 1 p. 1 lit. f DSGVO. We have a legitimate interest in measuring the use of our newsletter and other promotional emails. This allows us to optimize our offering and further tailor it to our users.

3.8 YouTube integration

3.8.1 Purpose of the data processing

We embed the video player from YouTube on our site. YouTube is a service of the external provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). The parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA, is located in the USA.

3.8.2 Consent to data processing

Google content is inactive by default, i.e. no personal data is transmitted to Google when you visit our website. The use of our website is also possible without the external content. The content, however, can be activated by the user by clicking on the "Activate now" button, which will load the content from Google's servers.

Clicking the "Activate now" button constitutes consent under data protection law:

By doing so, you consent to your personal data (usage data, meta-communication data (especially IP address), location data, if applicable) being transmitted to Google and possibly also processed in third countries such as the USA - where the level of data protection may be lower than in the EU. Your consent will be requested again by Google for each embedded content. A cookie that stores your decision on our website is not set.

3.8.3 Processed data

If you activate the YouTube video player on our site, the following types of data may be transmitted to Google through the embedding technology during the use of the content, as this is necessary for the playout of the content: Usage data (e.g. websites visited, access times), meta/communication data (e.g. device information (e.g. browser, operating system, etc.), IP addresses), location data if applicable.

3.8.4 Further data processing by Google

Google processes your data to provide the service, but also processes your data according to its own information pursuant to Art. 6 (1) f) DSGVO on the basis of its own legitimate interests for the purposes of advertising, market research and/or demand-oriented design of its website, whereby information from other sources may also be used. This is done regardless of whether you maintain a user account/profile with Google into which you are logged in during the playout of content from Google on our website. If you are logged into Google, your data is directly assigned to your user account. If you do not want the assignment to your user account with Google, you must log out of Google before activating the service.

You have a right to object to the creation of these user profiles, whereby you must contact Google to exercise your right to object.

It cannot be ruled out that your data will also be transmitted by Google to the parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. This means that data processing may also take place in a third country (especially the USA) where there is no adequate level of data protection and where you may not be able to enforce your data subject rights. Google LLC is subject to the data protection laws applicable in the EU with respect to users in the EU.

For more information on the purpose and scope of data collection and processing by Google, please see Google's privacy policy. There, you will also receive further information about your rights and setting options to protect your privacy.

Under the following link you can determine which data Google uses from you:

We have no influence on how Google or Google LLC processes your data.

3.8.5 Legal foundation for data processing

The legal basis for the transfer of your data from us to Google is your consent according to Art. 6 (1) a) and, if applicable, our legitimate interests according to Art. 6 (1) f) DSGVO. Our legitimate interests are to be able to offer you the service on our website. We have weighed our legitimate interests against your interests and have come to the conclusion that your interests do not outweigh ours.

3.9 Compliance with legal requirements

We also process your personal data to fulfill other legal obligations. We may encounter these, among other things, in connection with the processing of a chargeable service or business communication. This includes, in particular, retention periods under commercial, trade or tax law.

We process your personal data for the fulfillment of a legal obligation to which we are subject pursuant to Art. 6 para. 1 lit. c DSGVO in connection with commercial, trade or tax law, insofar as we are obliged to record and store your data.

3.10 Enforcement of rights

We also process your personal data in order to be able to assert our rights and enforce our legal claims. We also process your personal data in order to be able to defend ourselves against legal claims. Finally, we process your personal data insofar as this is necessary to prevent or prosecute criminal offenses.

In this context, we process your personal data to protect our legitimate interests pursuant to Art. 6 (1) lit. f DSGVO, insofar as we assert legal claims or defend ourselves in legal disputes or we prevent or investigate criminal acts.

 

4. Recipient categories

4.1. Processor

We have carefully selected the service providers who process data on our behalf and in accordance with our instructions as processors and are thereby recipients of personal data. They provide sufficient guarantees for suitable technical and organizational measures and are contractually obligated by us in accordance with Art. 28 DSGVO.

SWM regularly transfers your personal data in particular to the following processors:

Type of processing activity: Call Center Services
Processor: SWM Kundenservice GmbH, Emmy-Noether-Strasse 2, 80992 Munich
Registered office of the service provider: Germany

Type of processing activity: E-mail dispatch, e-mail analysis
Processor: DYMATRIX CONSULTING GROUP GmbH, Lautenschlagerstraße 2, 70173 Stuttgart
Registered office of the service provider: Germany

Type of processing activity: Verification of driver's license data
Processor: IDnow GmbH, Auenstraße 100, 80469 Munich
Registered office of the service provider: Germany

If necessary, further processors are used who are not evident from the above list (e.g. for market research projects).

There is no transmission to third countries outside the EU/EEA.

4.2. Jointly responsible entities

SWM transfers your personal data - if you have consented and want to use the corresponding connected services (see item 6) with the M-Login - to the following "jointly responsible" service companies:

  • Münchner Verkehrsgesellschaft mbH (MVG)
  • Portal München Betriebs-GmbH & Co. KG.
  • Munich Ticket GmbH
  • SWM Versorgungs GmbH

SWM will be happy to provide you with the key elements of the joint responsibility agreements with the above-mentioned companies. For this purpose, you can contact us using the contact details provided in section 1.

4.3. Further recipients

Within SWM, access to your data is granted to those offices that need it for the purposes described. To the extent permitted by law (for example, as part of a contract processing), we may disclose personal data to third parties in the following categories:

  • (IT) service provider
  • Customer service provider
  • Logistics
  • Print service provider
  • Sales partner
  • Payment service provider
  • Collection service providers and lawyers
  • Public bodies and institutions (e.g. social insurance entities, financial authorities, police, public prosecutor's office, supervisory authorities) if there is a corresponding obligation/authorization

 

5. Transmission to third countries

For certain tasks, we use (IT) service providers who also use (IT) service providers who may have their headquarters, parent company or data center headquarters in a third country (outside the European Union and the European Economic Area).

The following conditions must be met: The transfer is permissible because there is a legal authorisation or you have expressly consented to the transfer, and the special requirements for a transfer to a third country are met. This means, in particular, that the European Commission has decided that there is an adequate level of data protection in the third country (Art. 45 GDPR) or that appropriate safeguards are in place (e.g. through so-called EU standard contractual clauses specified by the European Commission or the supervisory authority) and that enforceable rights and effective remedies are provided.
 

 

6. Separate data protection information when using the connected services

In order for you to use the services connected to M-Login and offered by the service companies (selected service apps and websites), in the case of service apps it is necessary that you download the app for the respective service beforehand. When using the connected services, their data protection information must be observed. You can find this information at:

HandyParken München App (handyparken-muenchen.de)
Provider (service company): Münchner Verkehrsgesellschaft mbH (MVG)
Offer: Purchase of parking tickets
Privacy information

M-Bäder Webshop (m-baedershop.swm.de)
Provider (service company): Stadtwerke München GmbH
Offer: M Baths Gift Certificate
Privacy information

Meine SWM (meine.swm.de)
Provider (service company): SWM Versorgungs GmbH
Offer: SWM Versorgungs GmbH Customer portal
Privacy information

München Ticket (muenchenticket.de)
Provider (service company): München Ticket GmbH
Offer: Ticket sales
Privacy information

MVG Fahrinfo München App (mvg.de)
Provider (service company): Münchner Verkehrsgesellschaft mbH (MVG)
Offer: Timetable information and ticket purchase
Privacy information

MVG Kundenportal (mvg.de)
Provider (service company): Münchner Verkehrsgesellschaft mbH (MVG)
Offer: Public transport
Privacy information

SWM more (more.swm.de)
Provider (service company): Stadtwerke München GmbH
Offer: digital management of the products M-Ladelösung, M-Partnerkraft, M-Solar Sonnenbausteine and C/sells
Privacy information

MVG Tickets 6091 (mvg.de)
Provider (service company): Münchner Verkehrsgesellschaft mbH (MVG)
Offer: Timetable information and ticket purchase
Privacy information

MVGO (mvg.de/mvgo)
Provider (service company): Münchner Verkehrsgesellschaft mbH (MVG)
Offer: Mobility
Privacy information

MVG Deutschland-App (mobility-inside.de)
Provider (service company): Münchner Verkehrsgesellschaft mbH (MVG)
Offer: Mobility
Privacy information

muenchen app (muenchen-app.swm.de)
Provider (service company): Stadtwerke München GmbH
Offer: Ticketing
Privacy information

heyroom (https://www.heyroom.app/)
Provider (service company): HEYROOM LIMITED
Offer: Shared flats for students
Privacy information

 

7. Storage duration

Unless otherwise specified, we delete your personal data after storage is no longer necessary (e.g. after final response to your request, for the duration of the contractual relationship with you until its final termination), or - in the case of statutory retention obligations - restrict processing. Please note that further processing is required in particular for:

  • Fulfillment of statutory retention obligations, which may arise from the German Commercial Code (HGB) and the German Fiscal Code (AO), for example. The periods specified therein are up to ten years.
  • Preservation of evidence under statutory limitation provisions. According to Sections 195 et seq. of the German Civil Code (BGB), these limitation periods can extend up to 30 years, with the regular limitation period being 3 years.

 

8. Your rights

According to Art. 15 DSGVO, you have the right to request information at any time about which personal data we have stored about you. This also concerns the recipients or categories of recipients to whom this data is passed on and the purpose of the storage. You can at any time demand the correction under the conditions of Art. 16 DSGVO, and/or the deletion under the conditions of Art. 17 DSGVO, and/or the restriction of processing under the conditions of Art. 18 DSGVO. Furthermore, you can request data transmission at any time in accordance with Art. 20 DSGVO.

You have the right to object to the processing of your personal data if the conditions specified in Art. 21 DSGVO apply.

You can exercise your data protection rights vis-à-vis: Stadtwerke München GmbH, Emmy-Noether-Strasse 2, 80992 Munich, datenschutz.stadtwerke@swm.de
 

In addition, according to Art. 77 DSGVO, you have the possibility to lodge a complaint with a data protection supervisory authority.

Right to withdraw consent: You can revoke your consent to the processing of your data at any time for the future. This also applies to declarations of consent that were issued before the DSGVO came into force, i.e. before 25.05.2018. Please send your revocation to: Stadtwerke München GmbH, Emmy-Noether-Strasse 2, 80992 Munich, datenschutz.stadtwerke@swm.de

 

9. Automated decision making

As a matter of principle, we do not use automated decision-making pursuant to Art. 22 DSGVO. Should we use these procedures in individual cases, we will inform you of this separately within the framework of the legal provisions.

 

10. Modification clause

As our data processing is subject to change, we will adjust our privacy notice from time to time. Amended privacy notices will be published on our website. Unless otherwise specified, such amendments shall take effect immediately. Therefore, please check this privacy notice regularly to view the most current version.