how we handle your personal data (section B),
what processing operations are involved (from section C), and
what rights you are entitled to as a data subject (section F).
Please note that some of the terms used here are taken from Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the so-called "General Data Protection Regulation", hereinafter abbreviated to "GDPR"). Most of the terms are defined in Art. 4 GDPR.
A. Our contact details
Nymphenburger Str. 3c
represented by the management:
Dr. Felix Wex, Mani Deihimi
The data protection officer can also be reached at:
B. Basic information on our data processing procedures
This section provides you with basic information on our handling of your personal data. The information presented here applies to all data processing procedures carried out by us as the data controller.
Insofar as we are able to provide further details in the context of individually listed data processing operations in section C, we will specify our explanations at the appropriate points.
I. Purpose limitation
We process your personal data only to the extent that we pursue legitimate purposes. As a rule, data is only processed for the provision of our services, including our online offers (e.g. maintenance of our website).
II. Legal basis
We process your personal data only if at least one of the following legal bases is applicable:
1. Consent (Art. 6 para. 1 sentence 1 lit. a GDPR)
In individual cases, we ask you for your consent to process certain personal data for previously defined and communicated purposes in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. We generally obtain consent electronically and record the content and the granting of consent. In this case, consent is given by way of an "opt-in" procedure (confirming action by placing a check mark in the corresponding field) or, if this is necessary to identify the data subject, by way of a "double-opt-in" procedure (additional confirmation of identity by receipt of an e-mail with a confirmation link that you must click on). Only when placing cookies do we use a different collection procedure (cookie bot).
If you give your consent, you can withdraw it. Please note the more detailed explanations regarding your right of withdrawal under section F.II.
2. Performance of a contract (Art. 6 para. 1 sentence 1 lit. b GDPR)
When taking steps prior to entering or when performing a contract with you, we rely on the legal basis of Art. 6 para. 1 sentence 1 lit. b GDPR. This concerns, for example, your contact data, which we need to perform the contract and for communication.
3. Compliance with a legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR)
If we process data to comply with a legal obligation (e.g. commercial or tax obligations), Art. 6 para. 1 sentence 1 lit. c GDPR is the legal basis.
4. Vital interests (Art. 6 para. 1 sentence 1 lit. d GDPR)
If vital interests of the data subject or another natural person make it necessary to process personal data, the legal basis is Article 6 para. 1 sentence 1 lit. d GDPR.
5. Performance of tasks in the public interest or in the exercise of official authority (Art. 6 para. 1 sentence 1 lit. e GDPR)
For the processing of personal data in the performance of tasks in the public interest or in the exercise of official authority, we invoke the legal basis of Art. 6 para. sentence 1 lit. e GDPR.
6. Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)
Pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR, we process personal data if we pursue our legitimate interests or those of a third party and these interests outweigh your interests, fundamental rights and freedoms. In these cases, you may have a right to object to the processing. Please refer to the more detailed explanations regarding your right to object under section F.I.
III. Deletion of data
We delete your personal data as soon as the purpose of processing has been achieved or otherwise ceases to apply, unless storage beyond this is provided for by law, for example in accordance with Article 17 para. 3 GDPR. In order to ensure timely deletion, if necessary, we follow a self-developed deletion concept based on the deletion of personal data after the expiration of certain storage and deletion periods, which we subdivide according to the following criteria:
We keep accounting vouchers and balance sheets for 10 years (section 257 para. 1, no. 4, para. 4 HGB, section 238 para. 1 HGB),
Commercial letters, contracts and correspondence in connection with the initiation and execution of contracts are kept for 6 years in accordance with section 257 para. 1 no. 2 and 3, para. 4 HGB,
Documents and associated personal data that may lead to claims (for example, warranty claims), we keep until the expiry of the relevant limitation period (in accordance with section 195 BGB generally three years),
In the case of other personal data that does not fall under the aforementioned categories, we delete data immediately after the purpose has been achieved.
IV. Transfer of personal data to third parties
We only disclose personal data to third parties if we are legally obliged or authorized to do so. The following categories of recipients fall under these categories:
Our contractual partners who assist us in fulfilling our (pre)contractual obligations to you (e.g. logistics and payment service providers),
Administrative authorities (e.g. financial or supervisory authorities),
courts, and if you have given us your consent to do so,
Web services that support us in the presentation of our website (such as Google, see also section C.III)
If required, we can provide you with a list of the specific recipients of your personal data.
V. Data processing in so-called third countries
Your personal data will only be processed in countries within the EU or the European Economic Area that are subject to the scope of the GDPR. To all other, so-called "third countries", we only transfer your personal data if an appropriate level of data protection is guaranteed in the respective third country or at the respective recipient in the third country in accordance with Art. 44 et seq. GDPR is ensured. This is the case, for example
in case of a so-called "adequacy decision" of the European Commission pursuant to Art. 45 GDPR and
by establishing appropriate safeguards pursuant to Art. 46 of the GDPR, such as the use of so-called "EU standard contractual clauses" pursuant to Art. 46 para. 2 lit. c GDPR
C. Data processing when you visit our website
In this section, we inform you about the personal data processing that takes place when you visit our website.
When you call up our website, the browser you use on your end device automatically sends information to the server of our website. This information is temporarily stored in a so-called "log file".
1. Collected Data
The following information is automatically collected when our website is called up and stored until it is automatically deleted:
The anonymized IP address of the requesting computer,
information about the type of device (mobile device, desktop computer, etc.), the type of browser and the version used, as well as the operating system of your terminal device, if applicable,
the user's Internet service provider
Date and time of access to our website,
website from which the user accesses our website (so-called "referrer URL"),
websites that the user's system calls up via our website, and
Movements of the user on our website.
2. Purpose and legal basis
We pursue the following purposes with the collection and processing of the "log data" based on the following legal basis:
Provision of the content of our website to the user, which among other things also requires the temporary storage of the anonymized IP address to enable the user's communication with our website. The legal basis for this data processing – i.e. for the duration of your website visit – is Art. 6 para. 1 sentence 1 lit. b GDPR.
Ensuring a smooth connection and a proper, secure and comfortable use of our website, evaluation of system security and stability as well as for other administrative purposes. This is achieved by processing and storing the anonymized IP address in the log files beyond the communication process. The aforementioned purposes constitute a legitimate interest, the legal basis for data processing is therefore Art. 6 para. 1 sentence 1 lit. f GDPR (see section B.II.6). In addition, we fulfil legal obligations to secure our website and your data in accordance with Art. 6 para. 1 lit. c GDPR in conjunction with Art. 32 GDPR.
3. Duration of storage and deletion periods
The data is deleted when the purpose for which it was collected no longer applies. In the context of the provision of the content of our website, the data is therefore generally deleted when you leave our pages and the session is thus ended.
Insofar as the purposes of system security and stability are pursued, log data is stored for a maximum of four weeks beyond the end of the session.
4. Possibility of objection and removal
In principle, you have the right to object – as we will explain in section F.I – insofar as we rely on legitimate interests. However, since the data processing described above is absolutely necessary for the operation of our website, you can only assert your right to object if your particular situation gives rise to reasons that do not permit processing to the extent described above. As a rule, however, we can prove the compelling necessity of the data processing just mentioned.
5. Data security
Within the website visit, we use the widespread SSL procedure (Secure Socket Layer) in connection with the highest encryption level supported by your browser. As a rule, this is a 256-bit encryption. You can tell whether an individual page of our website is encrypted by the closed key or lock symbol in the lower status bar of your browser.
We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
Cookies are small text files that your browser automatically creates and stores on your end device (PC, laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not contain viruses, Trojans or other malware, but information that enables the browser to be uniquely identified when you return to the same website. We do not obtain any direct knowledge of your identity by setting the cookies, but depending on the type of cookie placed and the possibility of assigning a cookie to an IP address, it is possible in principle to establish a personal reference to the user. However, we do not use this possibility of identifying the user. The following types of cookies can be used by us during the visit:
1. Cookies used, functions/purposes, storage periods
We use the following technically necessary cookies:
T4E Page-Settings (function/purpose: storage of the selection in the cookie banner and non-display of the cookie banner; storage period: 14 days)
We do not process any information from so-called third-party cookies. These are cookies whose information content is not provided by our web servers, but by third-party providers or third-party servers.
We use the following additional cookies/tools:
- T4E Analytics (function/purpose: consent cookie for analysis and evaluation of the website; storage period: 14 days)
- Piwik PRO (function/purpose: analysis and evaluation of website use; storage period: 14 days)
- Google reCAPTCHA (function/purpose: improvement of website security, protection against spam)
- YouTube (function/purpose: integration of videos)
2. Legal basis
The legal basis for the initial reading and/or storage of data in the case of technically necessary cookies (including the cookie banner) is section 25 para. 2 no. 2 TTDSG, as the processing of the data is absolutely necessary so that we can enable the use of our website expressly requested by you (i.e. also without or with cookies). The legal basis for the use of the cookie banner is furthermore Art. 6 para. 1 lit. c) GDPR in order to comply with our accountability with regard to the proof of an effectively granted consent.
The legal basis for the initial readout and/or storage of data in the case of additional cookies is your consent pursuant to Section 25 para. 1 TTDSG. Further data processing (e.g. for analysis and evaluation of user behaviour) is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR. The user's consent given via cookie management refers to both the TTDSG and the GDPR.
3. Possibility of objection and removal
You can revoke your consent at any time, free of charge and with effect for the future, by sending an e-mail to dataprotection[at]toll4europe.eu.
As a user, you can also use technical settings to decide whether and how cookies are used or stored by your browser. You can configure your browser to ensure that no cookies are stored on your computer or that a message always appears before a new cookie is created. You can delete cookies that have already been created or have them deleted automatically by your browser. However, the complete deactivation of cookies may mean that you cannot use all the functions of our website.
III. Web analysis service: Piwik PRO
In order to ensure that our website is designed to meet the needs of our users and is continuously optimized, and to adapt to the technical conditions of our users, we use Piwik PRO (Piwik PRO GmbH, Kurfürstendamm 21, 10719 Berlin, Deutschland) for web analysis. This tool collects information about the user behavior on our websites as well as technical details, such as the share of use of new technologies and the reach of our offers. Among other things, Piwik sets cookies, reads/stores corresponding data on your end device and, under certain circumstances, creates user profiles or assigns corresponding IDs to users.
If necessary, this information is transferred to third parties if this is required by law or if third parties process this data on our behalf. Piwik may also combine data from other sources with your data.
The legal basis for this is your consent in accordance with the TTDSG and the GDPR (see section C.II.2).
IV. Google reCaptcha
We use Google reCaptcha (reCaptcha) on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, "Google").
The purpose of reCaptcha is to check whether the data entry on our websites (e.g. in a contact form) is made by a human or an automated program. For this purpose, reCaptcha analyses the behaviour of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For the analysis, reCaptcha evaluates various information (e.g. IP address, time spent by the website visitor on the website or computer mouse movements of the user). The data collected during the analysis is forwarded to Google.
In addition, reCaptcha processes the following data, among others:
- All cookies set by Google in the last 6 months,
- how many computer mouse clicks you make on the screen/touchscreen,
- CSS information of the website,
- date/time of use,
- browser language,
- plug-ins installed in the browser,
The legal basis for the initial reading and/or storage of data is Section 25 para. 2 no. 2 TTDSG, as the processing of the data is absolutely necessary so that we can safely and properly enable the use of our website that you have expressly requested. Further legal bases for automatically transmitted data (in particular of a technical nature) is Art. 6 para. 1 sentence 1 lit. f GDPR (cf. section B.II.6; our legitimate interest lies in the secure and proper provision of our website) as well as Art. 6 para. 1 lit. c GDPR in conjunction with Art. 32 GDPR for the purpose of fulfilling legal obligations to secure our website and your data.
When using reCaptcha, we also process your data to protect our legitimate interests, Art. 6 para. 1 lit. f GDPR; our legitimate interest is to protect web offers from abusive automated spying and from spam.
YouTube videos are integrated on our website in order to present our services to you in a visual manner. When these videos are played, they are accessed via YouTube itself (http://www.YouTube.com), a service of Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (subsidiary of Google Inc.1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter "Google"). We use the "extended data protection mode" so that no data about you as a user is transmitted to YouTube if you do not play the videos. A data transmission to YouTube only occurs when you play the videos. We have no influence on this data transmission.
The data that we have already mentioned in section C.I.1 will then be transferred to YouTube. If you maintain a user account with YouTube or Google and are also logged in when you call up our website, the data will also be assigned to your user account. You can prevent this assignment by logging out of YouTube and / or Google before playing the video.
Google uses the aforementioned information to evaluate the use of the website, to compile reports on website activity and to provide other services associated with the use of the website and the Internet for the purposes of market research and demand-oriented design of these websites. If necessary, this information is transferred to third parties if this is required by law or if third parties process this data on our behalf. Google may also combine data from other sources with your data.
We process your personal data for the needs-based design of our website on the following legal basis:
Your consent according to section 25 para. 1 TTDSG regarding the initial storage and reading of data; as well as
your consent according to Art. 6 para. 1 lit. a GDPR for further data processing (e.g. provision of the function).
Finally, we would like to inform you that we are joint controllers for data processing with Google (Art. 26 GDPR). The data collection on the website is initially carried out by us; subsequently, the website transmits the collected data to Google through the respective tool. Once the data has been transmitted, Google is in turn solely responsible for further processing.
We have concluded an agreement with Google, according to which you can exercise your rights as a data subject in accordance with this processing series both against us and against Google. If the assertion of your rights relates to a data processing operation that is the responsibility of the other jointly responsible party, we will forward your request accordingly so that the protection of your rights is guaranteed.
VI. Local integration of Google Web Fonts
This website uses so-called web fonts provided by Google (Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA) for the standardized display of fonts. We have integrated the Google fonts locally, i.e. only via our web servers and not via Google's servers. When users call up our website, IP addresses are therefore not transmitted to Google, there is no connection to the Google servers and thus no data transmission to or storage by Google.
Google Web Fonts are used in the interest of a standardized and appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.
If your browser does not support web fonts, a standard font from your computer will be used.
VII. Social Media
We use links from social networks such as YouTube, Xing and LinkedIn on our website on the basis of Art. 6 para. 1 sentence 1 lit. a GDPR. In doing so, we pursue the purpose of making our company better known on these networks as well as to promote our company on these networks and to give you the opportunity to visit our profiles on the respective social network, to find out about us and to interact with us.
Functions and services of the social network "Xing" are integrated on our pages. These are offered by XING AG, Gänsemarkt 43, 20354 Hamburg.
a) Data processing and controllerships
A processing of data takes place as soon as you call up our profile at Xing via the corresponding link on our website, marked by a Xing symbol. When you call up our Xing profile, Xing processes data stored in Cookies, if applicable, as well as log data, if applicable, that originate from our website and are transmitted to Xing.
However, when you visit our profile, Xing mainly processes data on how and whether you have interacted with our profile (for example, postings, followings, etc.).
If you are also a member of the social network Xing, Xing processes the data you have already provided (e.g., function, country, industry, seniority, company size and employment status), creates analyses and statistics, and then provides them to us in aggregated form. In doing so, Xing makes use of further analysis services (e.g. Adobe Digital Analytics, Google Analytics, etc.). These data aggregated for us do not have a personal reference.
We are jointly responsible with Xing for the data processing described above (Art. 26 GDPR). We have transparently defined our obligations and rights with regard to data processing in a contract with Xing.
Xing also primarily handles the task of addressing your data subject rights (see section F), if you wish to exercise them. You can do this easily via your profile settings on Xing or by contacting Xing directly. You are also free to contact us regarding your data subject rights. However, we would like to point out that due to a lack of insight into the concrete data processing, we will generally forward your request to Xing.
The data processing subsequent to the aforementioned (i.e., for example, the use of aggregated statistics and analyses) is carried out by us under our own responsibility. Likewise, we are responsible for the use and further processing of your personal and publicly viewable interactions on our profile page (e.g. likes, postings, sharing of posts, etc.) as well as for any contact made with us.
b) Purpose and legal basis
We operate our profile on Xing in order to present our services in an appealing manner and to be able to provide them with a relevant range as well as to give you the opportunity to visit our profiles on the respective social network, to inform yourself about us and to interact with us.
The analysis services of Xing are used to create aggregated statistics for us. This allows us to better understand our visitors and customers and improve our services. Likewise, we can target our advertising on this basis (which has no personal reference).
We base this processing on your consent (given to Xing) (Art. 6 para. 1 sentence 1 lit. a GDPR).
Insofar as we communicate with you as sole controller, the processing serves to answer the inquiries as well as to prepare the conclusion of a contract and, if necessary, even the implementation of a contract (Art. 6 para. 1 sentence 1 lit. b GDPR), as in other cases of contact (see section C). The remaining use is otherwise based on legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR), which lie in being able to improve our offers and services in line with the target group. Please note your right of objection with regard to the processing of personal data that we base on our legitimate interests (see F.I.1).
c) Duration of storage
The storage of personal data by us when contacting you is carried out according to the general rules (see B.III). The storage period of the data processed by Xing can be found in the data protection policy of Xing (see link above).
We maintain our own profile on LinkedIn (LinkedIn Ireland Limited, 77 Sir John Rogerson's Quay, Dublin 2, Ireland), which you can access via the link on our website.
a) Data processing and controllerships
A processing of data takes place as soon as you call up our profile on LinkedIn via the corresponding link on our website, marked by a LinkedIn symbol. When you call up our LinkedIn profile, LinkedIn processes data stored in cookies, if applicable, as well as log data, if applicable, that originate from our website and are transmitted to LinkedIn.
Mainly, however, when you visit our profile, LinkedIn processes data on how and whether you have interacted with our profile (for example, postings, followings, etc.).
If you are also a member of the social network LinkedIn, LinkedIn processes the data you have already provided (e.g. function, country, industry, seniority, company size and employment status), creates analyses and statistics and then makes these available to us in aggregated form. This aggregated data has no personal reference. LinkedIn refers to this as "page insights". You can find more information about this at (https://www.linkedin.com/help/linkedin/answer/4499/linkedin-page-analytics-overview?lang=en).
For these "Page Insights" data processing operations described above, we are joint controllers with LinkedIn (Art. 26 GDPR). We have transparently defined the obligations and rights with regard to the data processing in a contract with LinkedIn ("Page Insights Joint Controller Addendum"), which can be accessed at https://legal.linkedin.com/pages-joint-controller-addendum
From this, you can see that LinkedIn has also primarily taken on the task of addressing your data subject rights (cf. Section F), insofar as you wish to exercise them. You can do this simply via your profile settings on LinkedIn or via a direct contact. You are also free to contact us regarding your data subject rights. However, we would like to point out that, in the absence of insights into the specific data processing, we will generally forward your request to LinkedIn.
The data processing subsequent to the "Page Insights" (i.e., for example, the use of aggregated statistics and analyses) is carried out by us under our own responsibility. We are also responsible for the use and further processing of your personal and publicly visible interactions on our profile page (e.g. likes, postings, sharing of posts, etc.) as well as for any contact made with us.
b) Purpose and legal basis
We operate our profile on LinkedIn in order to be able to present our services in an appealing manner and to provide them with a relevant reach as well as to give you the opportunity to visit our profiles on the respective social network, to inform yourself about us and to interact with us.
The analysis services provided by "Page Insights" are used to create aggregated statistics for us. This allows us to better understand our visitors and customers and to improve our offer. We can also target our advertising on this basis (which has no personal reference).
We base this processing on your consent (given to LinkedIn) (Art. 6 para. 1 sentence 1 lit. a GDPR).
Insofar as we communicate with you on our own controllership, the processing serves to answer the inquiries as well as to prepare the conclusion of a contract and, if necessary, even to execute it (Art. 6 para. 1 sentence 1 lit. b GDPR), as in other cases of contacting you (cf. section C). The remaining use is otherwise also based on legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR), which lie in being able to improve our offers and services in line with the target group. Please note your right of objection with regard to the processing of personal data that we base on our legitimate interests (see F.I.1).
c) Duration of storage
The storage of personal data by us when contacting you is carried out according to the general rules (see section B.III).
The storage period of the data processed by LinkedIn can be found in the data protection policy of LinkedIn (see link above).
VIII. Contact form and e-mail contact
We offer you the possibility to contact us via our contact form on our website. In any case, the IP address of the user and the date and time of sending your message will be saved as part of the contact. We collect and store the following personal data as mandatory information (marked with a "*" as mandatory field):
- E-mail address
- Phone number
- Toll4Europe OBU user (yes/no)
- Your OBU sales partner
- Your company
- Number of trucks
If you decide to contact us via the e-mail address provided on our website, we will save your e-mail address and any other data you (voluntarily) provide. Your data will only be passed on to third parties if this is necessary to process your request.
1. Purpose and legal basis
We process the aforementioned data for the processing of your request. Other data is only processed for technical or security reasons (for example, abuse prevention and ensuring our system security). The legal basis is Art. 6 para. 1 sentence 1 lit. a GDPR (consent), Art. 6 para. 1 sentence 1 lit. b GDPR (fulfillment of a contract or pre-contractual measures) and, with regard to the latter purpose, Art. 6 para. 1 sentence 1 lit. f GDPR, as we have a legitimate interest in the integrity of our website.
2. Duration of storage and deletion periods
All aforementioned data will be deleted as soon as we have processed your request and further clarification is no longer necessary. The deletion is subject to any obligations and rights pursuant to section B.III.
3. Possibility of objection and removal
After you have contacted us, you can withdraw your request at any time and object to further processing of the data. In addition, you may have the right to object in accordance with Art. 21 GDPR (see section F.I.1).
D. Data processing when using our app
In this section, we inform you about which personal data processing operations take place when you use our app.
I. Log files/technical provision
For the proper provision and use of our app, we process, among other things, technically required data. In this regard, the explanations on data processing on our websites for log files (including the explanations on the legal basis, cf. section C.I.) also apply accordingly to our app.
II. Coupling with On-Board-Unit
It is possible for you to connect the on-board unit ("OBU") of your vehicle to the app via Bluetooth. Bluetooth coupling enables you to view your own vehicle data and OBUs as well as toll services and their booking (duplication of data from the OBU). In principle, the app can also be used without coupling the OBU, but then only general information (e.g. user manual, FAQ, contact, etc.) is available, but no OBU services. For the provision of the OBU services, Bluetooth pairing data in particular, as well as other technical data for the provision of the app and its services (cf. section D.I and C.I.) are processed. Further personal information of the respective user (e.g. names) is not processed in the app.
The legal basis for the initial readout and/or storage is Section 25 para. 2 TTDSG, as the readout and/or storage of data is technically necessary for the provision of the functions (OBU services) expressly requested by you through the Bluetooth coupling. The further processing of data is based on the usage contract for the app with you in accordance with Art. 6 para. 1 lit. b GDPR and on our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, in order to be able to properly provide the services requested by you.
If you are our contractual partner, please note that in this context we also apply our General Information under section B for data processing in contracts. The following information is provided in addition to our General Terms and Conditions and our General Information under section B. If you have any further questions, please contact us using the contact details provided in section B.I.1 or B.I.2.
I. Purpose and legal basis
The purpose of collecting the personal data received in the course of concluding and executing the contract is to enable us to fulfil our obligations under the contract for the use of our toll collection system.
This includes, for example, registration for the toll collection system and the processing of toll payments. This also includes data processing for the purposes of failure analysis, abuse detection and ensuring IT security. Failure on your part to provide the data may mean that the contract cannot be concluded and/or executed. Mandatory data includes, for example, master data, payment data and such data as we require for the setup and operation of the "on-board unit" (e.g. truck license plate number, location and time of use of toll roads).
Furthermore, we use the data to serve you as a customer and for statistical market and opinion research purposes. This is necessary to continuously improve our products and services and to adapt them to the needs of our customers. We only engage in direct advertising if you have consented to this or if there is another legal basis for this under the Union law of the member states.
The legal basis for the aforementioned data processing is Article 6 para. 1 sentence 1 lit. a GDPR in the case of consent, Article 6 para. 1) sentence 1 lit. b GDPR insofar as this is necessary for the performance of the contract and the implementation of pre-contractual measures, and Article 6 para. 1 sentence 1 lit. f GDPR (protection of legitimate interests) in all other aforementioned cases, whereby our legitimate interest is the marketing and continuous improvement of our products and services as well as their adaptation to the needs of our customers.
II. Transfer of personal data to third parties
We cooperate with partners who support us in this task as part of the implementation of our tolling services. These are, in particular, so-called service providers in the toll areas in which the toll is determined or collected using the so-called "Dedicated Short Range Communication technology" (DSRC). These ensure access to the toll areas in question.
We also cooperate with sales partners who use our services. This includes in particular your contractual toll service provider, who registers you with us and provides you with the OBU.
In the context of these cooperations, partial disclosure of your personal data may be necessary in order to enable you to access the requested toll areas and to process services and corresponding payments. All parties involved work on their own controllership with regard to their data processing operations.
With regard to other recipients of data, we ask you to note our explanations in accordance with section B.IV.
III. Duration of storage and deletion periods
We store the data collected by us and, if applicable, received from sales partners (your toll service provider) in accordance with our specifications in section B.III.
IV. Possibility of objection and removal
In particular, you have the right to withdraw your consent against the collection and further processing of data on the basis of consent (see Section F.II). Data processing required for the fulfilment of the contract or the performance of pre-contractual measures is not subject to any right of objection; however, you may object to data processing on the basis of legitimate interest under the conditions stated in section F.I.1.
With regard to our direct advertising, we refer to your right of withdrawal (in the case of granted consent) pursuant to Section F.II and to your right of objection pursuant to Section F.I.2.; in all other respects, you are entitled to the data subject rights already mentioned in section F.
F. Your rights as a data subject
If you are affected by our processing of your personal data, you may be entitled to the rights described below. To exercise your rights, please contact us at dataprotection[at]toll4europe.eu.
I. Right to object (Art. 21 GDPR)
In the case of data processing for specific purposes, you have the right to object in accordance with Art. 21 GDPR. For a possible objection, please contact us or our data protection officer using the contact details provided. You will not incur any costs for this other than the transmission costs according to the prime rates of your telecommunications provider. A right of objection exists in the following cases:
1. Processing for legitimate interests (Art. 6 para. 1 sentence 1 lit. f, Art. 21 para. 1 GDPR)
If personal data is processed for the purpose of legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR), you may object to the processing of your personal data at any time on grounds relating to your particular situation. If you object, we will no longer process your personal data unless we can prove compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves the purpose of asserting, exercising or defending legal claims.
2. Processing for the purpose of direct marketing (Art. 21 para. 2 GDPR, Section 7 para. 3 UWG)
Insofar as we process data for the purpose of direct marketing and/or profiling in connection with such, you may object at any time to the processing of personal data concerning you for the purpose of such advertising and/or profiling. If you object, we will refrain from any further processing of your data for the purpose of direct marketing and/or profiling.
3. Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Art. 6 para. 1 sentence 1 lit. e, Art. 21 para. 1 GDPR)
If personal data is processed for the performance of tasks in the public interest or for the exercise of official authority (Art. 6 para. 1 sentence 1 lit. e GDPR), you may object to the processing of personal data relating to you at any time on grounds relating to your particular situation. If you object, we will no longer process your personal data unless we can prove compelling legitimate grounds for the processing which override your interests, rights and freedoms of you, or the processing serves the purpose of asserting, exercising or defending legal claims.
4. Processing for scientific or historical research purposes or for statistical purposes (Art. 21 para. 6 GDPR)
If personal data is processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89 para. 1 GDPR, you have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you, unless the processing is necessary for the performance of a task carried out in the public interest.
II. Right of withdrawal for granted consent (Art. 7 para. 3 GDPR)
You can withdraw consent once given at any time with effect for the future - in full or in part - without incurring any costs by contacting us using our contact details. The lawfulness of the processing of the data covered by the consent on the basis of the consent until the withdrawal remains unaffected by the withdrawal.
III. Right of access (Art. 15 GDPR)
You are entitled to request information about your personal data processed by us. This right to information includes
the purposes of processing;
the categories of personal data processed by us;
the categories of recipients to whom your data have been or will be disclosed;
in the event of a transfer of personal data to so-called "third countries" (cf. Section B.V) outside the scope of the GDPR, whether and in what way we ensure an adequate level of protection by means of appropriate safeguards (Art. 45, 46 GDPR) at the data recipient in the third country;
the planned storage period, insofar as we are able to assess this; if an assessment and indication of the storage period are not yet conclusively possible, we will at least provide information on the criteria for determining the storage period (e.g. periods of limitation, statutory retention periods, cf. also section B.III);
your right to rectification, deletion, restriction of processing and to object to the processing of personal data relating to you (details below);
the existence of a right of appeal to a supervisory authority;
the origin of the data, if it was not collected by us; and
the existence of an automated individual decision-making within the meaning of Article 22 GDPR, including profiling, which also includes details of the decision-making criteria (i.e. the logic used) of the automated decision and the effects and consequences for the data subject.
You have the right to request a copy of your personal data processed by us. You will not incur any costs for the first copy of the data, but we will charge an appropriate fee for further copies of the data. If you exercise this right, we will provide the copy of the data in electronic form, unless otherwise specified. This provision is subject to the rights and freedoms of other persons who may be affected by the transmission of the data copy.
IV. Right to rectification (Art. 16 GDPR)
You have the right to demand that we correct your incorrect data without delay. Likewise, you may request that we complete your incomplete personal data by means of supplementary declarations or communications from you.
V. Right to erasure („Right to be forgotten“) (Art. 17 GDPR)
You have the right to demand that we delete your personal data stored with us without delay, insofar as
you have withdrawn your consent (see section B.II.1) to the processing of your data, unless there is another legal basis for the processing of your data;
the storage or other processing of your personal data is no longer necessary for the purposes for which they were collected and processed;
you have objected to data processing pursuant to Art. 21 GDPR and there are no overriding legitimate grounds for further processing; in the case of direct marketing pursuant to Art. 21 para. 2 GDPR, erasure shall take place unconditionally on the basis of objection;
your personal data have been processed unlawfully;
it is a child's data collected in relation to information society services pursuant to Art. 8 para. 1 GDPR.
If we have made personal data public, we will also inform other responsible parties of their request for erasure, including the erasure of links, copies and/or replications, to the extent technically possible and reasonable.
The aforementioned rights to erasure of your personal data do not exist insofar as the processing is carried out necessarily
for the exercise of the right to freedom of expression and information;
for compliance with a legal obligation which requires processing under Union or Member State law to which we are subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
for reasons of public interest in the area of public health pursuant to Art. 9 para. 2 lit. h and lit. i GDPR and Art. 9 para. 3 GDPR;
for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Art. 89 para.1 GDPR, insofar as your right to erasure is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or
the assertion, exercise or defense of legal claims.
VI. Right to restriction of processing (Art. 18 GDPR)
You have the right to request that we restrict the processing of your personal data (i.e. restrict the processing to mere storage) if one of the following cases applies:
You have disputed the accuracy of your personal data. For the duration of our verification of accuracy, you may request that your data not be used for other purposes and be restricted to that extent.
The processing is unlawful and you refuse the erasure of the personal data Art. 17 para. 1 sentence 1 lit. d GDPR and request instead the restriction of the use of the personal data Art. 18 GDPR.
We no longer need the personal data for the purposes of processing, but you need it for the assertion, exercise or defense of legal claims. In this case, you may request the restriction of processing to the aforementioned purposes.
You have objected to the processing pursuant to Article 21 para. 1 GDPR. As long as it has not yet been determined whether our legitimate interests or reasons for processing outweigh yours, you may request that we process your data only for the purpose of examining the aforementioned assessment.
If we have restricted the processing of your personal data at your request, we may and will only process this data – apart from its storage – with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State.
If a processing restriction is lifted, you will be informed of this in advance.
VII. Right to data portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and you have the right to transfer this data to another controller without hindrance from us, provided that
the processing is based on consent pursuant to Art. 6 para 1. Lit a or Art. 9 para. 2 lit a GDPR or on a contract pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR and
the processing is carried out with the aid of automated procedures.
Where technically feasible, you may also request us to transfer your personal data directly to another controller.
The exercise of the right to data portability does not affect the right to data erasure (Art. 17 GDPR). However, the right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
You may not exercise the right to data portability if this affects the rights and freedoms of other persons.
VIII. Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
We always process personal data in accordance with the law. However, if you have reason to believe that we have violated applicable data protection law, you may at any time contact the competent supervisory authority of the Union or the member states and lodge a complaint. The competent supervisory authority is the supervisory authority of your habitual residence, your place of work or the place of the alleged infringement. The data processing of personal data carried out for us as a controller is supervised by the following supervisory authority:
Bayerisches Landesamt für Datenschutzaufsicht
The following link also provides a listing of all data protection supervisory authorities: