Data protection

In this Data Protection Notice, we, Stadtwerke München, hereinafter referred to as SWM, provide information about which personal data we collect, process and use when you visit our www.swm.de website. We also explain the choices you have with regard to your data, and your options and ways to refuse certain actions.

The term 'personal data' means all individual data regarding a identified or identifiable natural person.

2.1 Controller
The controller in accordance with Art. 4 No. 7 of the General Data Protection Regulation (GDPR) is - unless otherwise expressly stated in this data protection information - Stadtwerke München GmbH, Emmy-Noether-Straße 2, 80992 Munich, datenschutz.stadtwerke@swm.de.

2.2 Data protection officer
You can contact the SWM Group Data Protection Officer appointed for all controllers at:

Stadtwerke München
Data protection officer
Emmy-Noether-Strasse 2
80992 Munich
E-mail: datenschutz@swm.de

Insofar as we collect, process or use personal data, we comply with the applicable legislation, in particular the General Data Protection Regulation (GDPR), Germany's Federal Data Protection Act (BDSG) and the Telemedia Act (TMG).

We forward personal data collected via websites to government entities, authorities and courts insofar as we are obligated to do so or insofar as this is necessary to ensure that legal defence can be carried out efficiently or that rights can be asserted.

When you contact us by e-mail or via a contact form, the data you provide (your e-mail address, your name and telephone number if applicable) will be stored by us in order to answer your questions. We delete the data arising in this connection after storage is no longer necessary, or restrict processing if there are legal storage obligations.

To operate the website, we may use the services of technical service providers that involve contract data processing.

Unless explicitly indicated otherwise in this Data Protection Notice, we do not send personal data to countries outside the European Union (EU) or European Economic Area (EEA).

Each time the Website is accessed, our system automatically collects the following information from the computer system of the accessing computer, which is technically necessary for us to display our Website and to ensure its stability and security

• IP address
• Browser
• Operating system
• Language and version of the browser software.

In addition to the aforementioned data, cookies are stored on your computer when you use our website. A cookie is a small file stored on your hard drive assigned to the browser you are using, thereby the entity that sets the cookie (in this case SWM) receives certain information. Cookies cannot execute programs or transfer viruses to your computer. They are used to make the Internet offerings as a whole more user-friendly and effective.

a) The Website uses the following types of cookies, the scope and function of which are explained below:

• Transient cookies (see b)
• Persistent cookies (see c).

b) Transient cookies are automatically deleted when you close the browser. This includes in particular the session cookies. These store a so-called session ID, with which various requests from your browser can be assigned to the shared session. This allows your computer to be recognized when you return to our website. The session cookies are deleted when you log out or close the browser.

c) Persistent cookies are automatically deleted after a specified period of time, which may vary depending on the cookie. You can delete the cookies in the security settings of your browser at any time.

d) You can configure your browser settings according to your preferences and e.g. reject third-party cookies or all cookies. Please note that you will then not be able to use all the functions of this website (e. g. the “My SWM” section).

Next to it, we place a cookie to save information indicating that we have already displayed our notice about the use of cookies to you.

A further cookie is set when you visit www.swm.de. This is used to ensure system stability. The cookie expires after three minutes at the latest. 

The legal basis for this data processing is Art. 6 para. 1 p. 1 f) GDPR.

On our website swm.de data is collected and stored for marketing and optimization purposes using technologies of the web analysis tool Matomo (Piwik).

Third party information: https://matomo.org/privacy-policy/

You can decide here whether a unique web analysis cookie may be stored in your browser to enable the website operator to collect and analyze various statistical data. If you choose not to allow the Piwik deactivation cookie, click the following link to place the Piwik deactivation cookie in your browser

Opt-out option: Click here to stop tracking through Piwik/Matomo.

We use Matomo to analyze the use of our website and to improve it regularly. By means of the obtained statistics we can improve our offering and make them more interesting for you as a user. The collected data is stored permanently and analyzed pseudonymously.

The legal basis for the use of Matomo is Art. 6 para. 1 sentence 1 lit. f) GDPR.

4.2.1 Purpose of data processing
We include maps from Google Maps (www.google.de/maps) on our site. Google Maps is an offering of the external provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). The parent company Google LLC, 1600 Amphitheater Parkway, Mountainview, California 94043, USA, is located in the USA.

4.2.2 Consent to data processing
The contents of Google are inactive by default, i.e. no personal data will be transmitted to Google when you visit our website. The use of our website is also possible without the external contents. The contents, however, can be activated by the user by clicking on the "Activate now" button, which loads the contents from the Google servers.

The click on the button "Activate now" represents a data protection relevant consent:

By doing so, you agree that your personal data (utilization data, meta-communication data (especially IP address), possibly location data) can be transmitted to Google and possibly also processed in third countries such as the USA - where the level of data protection may fall short of data protection levels in the EU. Your consent will be requested again for each integrated content from Google. A cookie that stores your decision on our website is not set.

4.2.3 Processed data
If you activate the maps on our site, the embedding technology allows the following data types to be transferred to Google while the content is being used, as this is necessary for the content to be issued (e.g. websites visited, access times), meta/communication data (e.g. device information (e.g. browser, operating system, etc.), IP addresses), possibly location data (information on the geographical position of a device or person). If you have given your consent for this in the context of the settings on your (mobile) device, your location may also be transmitted to Google.

4.2.4 Further data processing by Google
Google will process your data for the purpose of providing the service, but will also process your data according to its own information in accordance with Art. 6 Para. 1 letter f) GDPR on the basis of its own legitimate interests for the purposes of advertising, market research and/or the design of its website in line with requirements, whereby information from other sources may also be used. This will be done regardless of whether you maintain a user account/profile with Google, where you are logged in while issuing and viewing the contents of Google on our website. If you are logged in at Google, your data will be assigned directly to your user account. If you do not wish to be assigned to your user account at Google, you must log out of Google before activating the service.

You have a right of objection to the creation of these user profiles, whereby you must contact Google to exercise this right of objection.

It cannot be excluded that your data may also be transferred by Google to its parent company Google LLC, 1600 Amphitheater Parkway, Mountainview, California 94043, USA. This means that the data processing may also take place in a third country (mainly the USA), in which there is no adequate level of data protection and in which you may not be able to enforce your data subject rights. In terms of users in the EU, Google LLC is subject to the data protection laws applicable in the EU.

For more information on the purpose and scope of data collection and processing by Google, please see Google's privacy policy. There, you will also find further information about your rights and setting options to protect your privacy:
https://policies.google.com/privacy?hl=de&gl=de
Under the following link you can determine which of you data Google will use:
https://myaccount.google.com/intro/data-and-personalization .
We have no influence on how Google or Google LLC processes your data.

4.2.5 Legal basis for data processing
The legal basis for the transmission of your data from us to Google is your consent in accordance with Art. 6 para. 1 lit. a) and, if applicable, our legitimate interests in accordance with Art. 6 para. 1 lit. f) GDPR. Our legitimate interests are the ability to offer you the service on our website. We have weighed up our legitimate interests against your interests and have come to the conclusion that your interests do not outweigh ours.

We secure our website and other systems by technical and organizational measures against loss, destruction, access, modification or distribution of your data by unauthorized persons.
To ensure that during transfer your data cannot be read by unauthorized parties, we encrypt our forms for transfer. Therefor we use a modern, reliable Internet security standard. 

In accordance with Art. 15 GDPR, you have the right to request information at any time as to what personal data we have stored about you. This also applies to the recipients or categories of recipients to whom this data is passed on and the purpose of the storage. You may at any time, under the conditions of Art. 16 GDPR, request the correction and/or under the conditions of Art. 17 GDPR, the deletion and/or under the conditions of Art. 18 GDPR, the restriction of processing. In addition, you can request data transmission at any time in accordance with Art. 20 GDPR.

You have the right to object to the processing of your personal data if the conditions set out in Art. 21 GDPR are met.

You can exercise your rights as a data subject towards: Stadtwerke München GmbH, Emmy-Noether-Strasse 2, 80992 Munich, datenschutz.stadtwerke@swm.de.

In addition, according to Art. 77 GDPR, you have the possibility to lodge a complaint with a data protection supervisory authority.

Right to revoke consent: You can revoke your consent to the processing of your data at any time for the future. This also applies to declarations of consent that were issued before the GDPR came into force, i.e. before 25.05.2018. If Stadtwerke München GmbH is named in this data protection notice as the controller pursuant to Art. 4 No. 7 of the General Data Protection Regulation (GDPR), please send your revocation to Stadtwerke München GmbH, Emmy-Noether-Straße 2, 80992 Munich, datenschutz.stadtwerke@swm.de.

We delete your personal data as soon as they are no longer required for the purposes for which they were collected, unless their - temporary - further processing is necessary for the

• Fulfillment of legal storage obligations, which may result from the German Commercial Code (HGB) and the German Fiscal Code (AO). The periods specified therein are up to ten years.
• Preservation of evidence within the framework of legal statutes of limitation. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years.

As a matter of principle, we do not use automated decision making in accordance with Art. 22 GDPR. Should we use these procedures in individual cases, we will inform you of this separately within the framework of the statutory provisions.

Since our data processing is subject to changes and the legal situation may change, we will also adapt our data protection information from time to time.

Status of this privacy policy: 22.10.2020

Guideline on Stadtwerke München's principles of data handling and progressive digitalization
(Corporate Digital Responsibility)

SWM is constantly developing its products and services in order to make all the advantages of networking and digitization available to Munich's citizens and visitors. Our vision: Munich as a shining example of a networked and liveable city. While progressive digitization and networking offer new opportunities, they also present challenges. This pertains to the protection of personal data of customers (hereinafter referred to as "customer data") and employees (hereinafter referred to as "employee data"), but also to the qualification of our employees and the further development of jobs.

This guideline applies to all companies as defined in Section 1 (1) of the SWM Group Guideline.

Customers and employees of SWM trust that their data will be handled with care. SWM is living up to its corporate and social responsibility within the context of increasing digitalization.

For this purpose, SWM commits itself to the following binding principles:

1. SWM customers can rely on SWM to handle their data fairly and in accordance with data protection regulations.
2. SWM informs its customers proactively, transparently and comprehensibly about the processing of their customer data.
3. SWM enables its customers to handle their data in a self-determined way.
4. If several departments of SWM are involved in the processing of customer data, SWM will inform its customers accordingly.
5. SWM will inform its customers if offers from SWM include the services of third parties.
6. SWM will also provide the best possible protection for customer data when using third-party services while maintaining its high quality and service standards. When selecting such services, the level of data protection is an essential selection criterion.
7. SWM will only pass on customer data to third parties if the customer agrees to this or if this is required by law.
8. For Big Data applications, SWM processes customer data only with the consent of the person concerned or in anonymized form. Big Data applications from SWM (e.g. in the area of traffic flow analysis) always deliver a concrete benefit for those customers whose data is processed.
9. The above principles also apply analogously to employees, insofar as these principles are transferable to the employment relationship.
10. We attach great importance to the qualification of our employees in IT and digitization issues so that every employee can act and move confidently and competently in the digital world. SWM takes the necessary steps at an early stage to qualify the employees involved in digitization and, if necessary, to offer new fields of activity. In this process, SWM is fully committed to co-determination.
11. SWM shall make this guideline publicly available. SWM will communicate any changes transparently.