Imprint

NMS New Mobility Solutions Hamburg GmbH
c/o Hamburger Hochbahn AG
Steinstraße 20
20095 Hamburg

Hamburg district court HRB 151785
Partner: Hamburger Hochbahn AG
Management: Harry Evers, Malte Auer
Authorised officer: Tobias Brzoskowski

VAT ID: DE318886503

E-Mail: contact@new-mobility-solutions.de
Telephone: +49 (0)40 3288 2157

Data protection information of NMS New Mobility Solutions Hamburg GmbH

By means of this privacy policy, we would like to inform you about the type, scope and purpose of the personal data collected, used and processed by us. Furthermore, data subjects are informed of their rights by means of this privacy policy.

A. Who is responsible for data processing and who can I contact?

The controller responsible for data processing is
NMS New Mobility Solutions Hamburg GmbH
c/o Hamburger Hochbahn AG
Steinstraße 20
20095 Hamburg
Germany
Tel.: +49 (40) 3288-2157
E-Mail: contact@new-mobility-solutions.de

In accordance with the provisions of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, hereinafter “BDSG”), the appointment of a data protection officer is not mandatory in every company. Our company does not process personal data to an extent that requires the appointment of a data protection officer. In particular, we are not a company that carries out extensive regular and systematic monitoring of data subjects as a core activity, or whose core activity consists of the extensive processing of special categories of data in accordance with Art. 9 GDPR or of data relating to criminal convictions and offences in accordance with Art. 10 GDPR.

For all data protection-related concerns or questions, please contact our data protection officers using the contact details given above.

B. What data do we process and for what purpose?

Below we describe for what purposes and how we process your data. We provide information here about:

  1. Use of our website new-mobility-solutions.de
  2. Project Management Office Dashboard
  3. Our social media activities
  4. Enquiry by e-mail, fax or telephone to NMS New Mobility Solutions Hamburg GmbH

1. Use of our internet offer new-mobility-solutions.de

As personal data is processed when you use our website (new-mobility-solutions.de), we would like to inform you below about how your data is handled.

1.1 Hosting

This website is hosted by an external service provider (hoster). The personal data collected on this website is stored on the hoster’s servers. This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website access and other data generated via a website. The hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR). If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 of the Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz; hereinafter “TDDDG”), insofar as the consent includes the storage of cookies or access to information in the user’s terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time. Our hoster will only process your data to the extent necessary to fulfil its performance obligations and follow our instructions with regard to this data.

We use the following hoster:
Pixel X e.K.
Kuhstrasse 26-27
38100 Braunschweig
Germany

We have concluded a data processing agreement (DPA) with the above-mentioned provider. This is a contract prescribed by data protection law, which ensures that the provider only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

1.2 SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator.

You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

1.3 Cookies

1.3.1 General information

Our Internet pages use so-called “cookies”. Cookies are small text files and do not cause any damage to your end device. They are stored on your device either temporarily for the duration of a session (session cookies) or permanently (permanent cookies). Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or they are automatically deleted by your web browser.

In some cases, cookies from third-party companies may also be stored on your device when you visit our website (third-party cookies). These enable us or you to use certain services of the third-party company (e.g. cookies for processing payment services).

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. displaying videos). Cookies that are required to carry out the electronic communication process (necessary cookies) or to provide certain functions that you have requested (functional cookies) or to optimise the website (e.g. cookies to measure the web audience) are stored on the basis of Art. 6 para. 1 lit. f GDPR, unless another legal basis is specified. We have a legitimate interest in the storage of cookies for the technically error-free and optimised provision of our services. If consent to the storage of cookies has been requested, the cookies in question are stored exclusively on the basis of this consent (Art. 6 para. 1 lit. a GDPR and Section 25 para. 1 TDDDG); consent can be revoked at any time.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.

Insofar as cookies are used by third-party companies or for analysis purposes, we will inform you about this separately in the context of this data protection declaration and, if necessary, request your consent.

1.3.2 Consent with Cookiebot

Our website uses Cookiebot’s consent technology to obtain your consent to the storage of certain cookies on your end device or to the use of certain technologies and to document this in compliance with data protection regulations. The provider of this technology is Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark (hereinafter referred to as “Cookiebot”).

When you enter our website, a connection is established to the Cookiebot servers in order to obtain your consent and other declarations regarding the use of cookies. Cookiebot then stores a cookie in your browser in order to be able to assign the consents given or their revocation to you. The data collected in this way is stored until you ask us to delete it, delete the Cookiebot cookie yourself or the purpose for data storage no longer applies. Mandatory statutory retention obligations remain unaffected. Cookiebot is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.

You can edit the settings here: Changing the cookie settings

1.4 Collection of general data and information

The hoster of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are

  • browser types and versions used, the operating system used by the accessing system,
  • the website from which an accessing system reaches our website (so-called referrer),
  • the sub-websites that are accessed via an accessing system on our website,
  • the date and time of access to the website,
  • an Internet Protocol address (IP address),
  • the Internet service provider of the accessing system and
  • other similar data and information used for security purposes in the event of attacks on our information technology systems.

When using this general data and information, NMS New Mobility Solutions Hamburg GmbH does not draw any conclusions about the data subject. This data is not merged with other data sources.

This data is collected on the basis of Art. 6 para. 1 lit. f GDPR. Our legitimate interest is:

  • to deliver the content of our website correctly,
  • to optimise the content of our website and the advertising for it,
  • to ensure the long-term functionality of our information technology systems and the technology of our website, and
  • to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber-attack.

Therefore, the NMS New Mobility Solutions Hamburg GmbH analyses anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.

1.5 Google Analytics

This website uses Google Analytics. The provider is Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, hereinafter referred to as “Google”.

Google Analytics uses cookies that enable us to analyse your use of our website. The information collected by the cookies about your use of this website is usually transferred to a Google server in the USA and stored there.

In Google Analytics 4, the anonymisation of IP addresses is activated by default. Due to IP anonymisation, your IP address will be truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

During your visit to the website, your user behaviour is recorded in the form of “events”. Events can be

  • Page views
  • First visit to the website
  • Start of the session
  • Your “click path”, interaction with the website
  • Scrolls (when users scroll to the bottom of the page (90%))
  • Clicks on external links
  • internal search queries
  • Interaction with videos
  • File downloads
  • Viewed / clicked adverts
  • Language setting

The following is also recorded:

  • Your approximate location (region)
  • Your IP address (in abbreviated form)
  • technical information about your browser and the end devices you use (e.g. language setting, screen resolution)
  • Your internet provider
  • the referrer URL (via which website or advertising medium you came to this website)

Google uses this information on our behalf to analyse your use of our website and to compile reports on website activity. The reports provided by Google are used to analyse the performance of our website.

Data transfer to third countries

Insofar as data is processed outside the European Union (EU) or the European Economic Area (EEA) and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish an appropriate level of data protection.

Google is certified in accordance with the “EU-U.S. Data Privacy Framework”. You can find additional information on this under point C. EU-U.S. Data Privacy Framework.

Storage duration

The data sent by us and linked to cookies is automatically deleted after two months. Data that has reached the end of its retention period is automatically deleted once a month.

Legal basis

The legal basis for this data processing is your consent pursuant to Art. 6 para. 1 lit. a GDPR. This consent also includes the use of your data in accordance with Section 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG.

You can revoke your consent at any time with effect for the future by accessing the cookie settings and changing your selection there. This does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

You can also prevent the storage of cookies from the outset by configuring your browser software accordingly. However, if you configure your browser to reject all cookies, this may restrict the functionality of this and other websites. You can also prevent the transmission of data generated by the cookie and relating to your use of the website (including your IP address) to Google, and the processing of this data by Google, if you

  • do not give your consent to the setting of the cookie or
  • download and install the browser add-on to deactivate Google Analytics HERE.

2. Portfolio Management Office Dashboard

We operate a portfolio management office dashboard (hereinafter “PMO Dashboard”) for the Free and Hanseatic City of Hamburg under the domain https://dashboard.bwi.hamburg.de/. This is designed as a web application for the decentralised recording of projects, activities, etc.

As a central information platform, the PMO Dashboard can provide a quick and easy overview of known project activities through the structured presentation of topic areas (strategies, programmes, topic complexes) and underlying fields of action. The project information is stored in the form of a project profile, which contains all the key information about the project: description and objective, milestone plan, opportunities and risks, project budget, project organisation, etc. Parallel to the project profile, project progress can be reported per subject area in a reporting period to be defined. This is presented in the form of a status report as a “traffic light chart”. As a companion to the “digital transformation”, the dashboard serves to share information and experiences across organisations.

Personal information can be found in the dashboard in the name of the project manager and, if applicable, in the description of the project organisation: team members, contact persons for responsibilities and partner companies.

The regular project information is mainly entered in free text fields. You should therefore be careful when entering and maintaining the data. Please avoid entering personal data wherever possible.

The purpose of data processing is to identify project managers, project staff, administrators and third parties involved, to create an overview of projects and to analyse project statuses. The following data categories are processed for this purpose:
a. Personal data (surname, first name, organisational unit, email addresses)
b. Personal tasks and activities within projects
c. Professional information

The legal basis for the processing is Art. 6 para. 1 lit. b GDPR (fulfilment of a contract to which the data subject is a party). By registering, the participant enters into a contract for a service with the controller, which we provide free of charge.

We use a service provider for data processing who has been carefully selected by us and fulfils the necessary data protection requirements. Your data will not be transferred outside the EU/EEA or to an international organisation.

Your data will only be collected and stored for the fulfilment of the purpose and then deleted.

3. Our social media presence

This privacy policy applies to the following social media sites:

3.1 Data processing by social networks

We maintain publicly accessible profiles on social networks. The individual social networks we use are listed below.

Social networks can generally analyse your user behaviour comprehensively when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). Visiting our social media presences triggers numerous data protection-relevant processing operations.

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data collection takes place, for example, via cookies that are stored on your end device or by recording your IP address.

With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are logged in or were logged in.

Please also note that we cannot track all processing operations on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and data protection provisions of the respective social media portals.

3.2 Legal basis

Our social media presence is intended to ensure the widest possible presence on the Internet. This is a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. The analysis processes initiated by the social networks may be based on different legal bases, which must be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6 para. 1 lit. a GDPR).

3.3 Controller and assertion of rights

If you visit one of our social media sites, we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can assert your rights (information, rectification, erasure, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal.

Please note that, despite our joint responsibility with the social media portal operators, we do not have full control over the data processing operations of the social media portals. Our options are largely determined by the company policy of the respective provider.

3.4 Storage period

The data collected directly by us via the social media presence will be deleted from our systems as soon as you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies. Stored cookies remain on your end device until you delete them. Mandatory statutory provisions – in particular retention periods – remain unaffected.

We have no influence on the storage period of your data that is stored by the operators of the social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their privacy policy, see below).

3.5 Your rights

You have the right to receive information about the origin, recipient and purpose of your stored personal data free of charge at any time. You also have the right to object, the right to data portability and the right to lodge a complaint with the competent supervisory authority. Furthermore, you can request the correction, blocking, deletion and, under certain circumstances, the restriction of the processing of your personal data.

3.6 Social networks in detail

3.6.1 Instagram

We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereinafter “Meta”).

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://www.facebook.com/legal/EU_data_transfer_addendum and
https://de-de.facebook.com/help/566994660333381.

Details on how they handle your personal data can be found in Instagram’s privacy policy:
https://privacycenter.instagram.com/policy/.

Meta is certified in accordance with the “EU-U.S. Data Privacy Framework”. Additional information on this can be found under point C. EU-U.S. Data Privacy Framework.

3.6.2 LinkedIn

We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (hereinafter “LinkedIn”).

LinkedIn uses advertising cookies. If you wish to deactivate LinkedIn advertising cookies, please use the following link:
https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here:
https://www.linkedin.com/legal/l/dpa and
https://www.linkedin.com/legal/l/eu-sccs.

Details on how they handle your personal data can be found in LinkedIn’s privacy policy:
https://www.linkedin.com/legal/privacy-policy.

LinkedIn is certified in accordance with the “EU-U.S. Data Privacy Framework”. You can find additional information on this under point C. EU-U.S. Data Privacy Framework.

4. Enquiry by e-mail, fax or telephone to NMS New Mobility Solutions Hamburg GmbH

If you contact us by e-mail or telephone, your enquiry, including all resulting personal data (name, enquiry), will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent.

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your enquiry is related to the fulfilment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested.

The data you send to us via contact requests will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

C. EU-U.S. Data Privacy Framework

We also use service providers that are certified in accordance with the “EU-U.S. Data Privacy Framework” (EU-U.S. DPF). The EU-U.S. DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the EU-U.S. DPF undertakes to comply with these data protection standards. Further information on this can be found at the following link: https://www.dataprivacyframework.gov/. If a company is certified according to the EU-U.S. DPF, the data transfer to the USA is carried out in accordance with Art. 45 GDPR on the basis of an adequacy decision of the European Commission of 10 July 2023. Such an adequacy decision makes it possible to transfer personal data from the EU to the corresponding third country without the need for further transfer instruments or additional measures.

D. What data protection rights do I have?

On request, we will be happy to inform you whether and which personal data we have stored about you (right to information). In addition, you can correct incorrect data (right to rectification) or have data deleted if its storage is unauthorised or no longer necessary (right to erasure). Under certain circumstances, you can also request that we restrict the processing of your personal data (right to restriction of processing) and object to the processing of your data if this processing

  • is based on the legal basis of overriding legitimate interest (Art. 6 para. 1 lit. f GDPR) or the performance of a task carried out in the public interest (Art. 6 para. 1 lit. e GDPR) or
  • is based on consent (Art. 6 para. 1 lit. a GDPR) (right of revocation).

In particular, you can object to the use of your personal data for advertising and/or market and opinion research purposes at any time (right to object to advertising).

Furthermore, you may in principle request that we provide you with the personal data concerning you in a structured, commonly used and machine-readable format so that you can transmit this data to another controller without hindrance from us (right to data portability).

The aforementioned rights are conferred on you by Articles 15 – 21 of the GDPR. They are only presented here in very abbreviated form.

If you have any questions about the exact scope of the rights in question and the exercise of the rights mentioned, you can contact the responsible body named under point A. and/or the Hamburg Commissioner for Data Protection and Freedom of Information (see point D.).

E. Which supervisory authority can I complain to?

If you believe that the processing of personal data concerning you violates data protection law, you may – without prejudice to any other administrative or judicial remedy – lodge a complaint with the competent supervisory authority. The competent supervisory authority is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
(The Hamburg Commissioner for Data Protection and Freedom of Information)
Ludwig-Erhard-Str. 22
20459 Hamburg
E-Mail: mailbox@datenschutz.hamburg.de
Internet: datenschutz-hamburg.de

Status: June 2024