Data protection

In this Data Protection Notice, we, Stadtwerke München, hereinafter referred to as SWM, provide information about which personal data we collect, process and use when you visit our www.swm.de website. We also explain the choices you have with regard to your data, and your options and ways to refuse certain actions.

The term 'personal data' means all individual data regarding a identified or identifiable natural person.

2.1 Controller
The controller in accordance with Art. 4 No. 7 of the General Data Protection Regulation (GDPR) is - unless otherwise expressly stated in this data protection information - Stadtwerke München GmbH, Emmy-Noether-Straße 2, 80992 Munich, datenschutz.stadtwerke@swm.de.

2.2 Data protection officer
You can contact the SWM Group Data Protection Officer appointed for all controllers at:

Stadtwerke München
Data protection officer
Emmy-Noether-Strasse 2
80992 Munich
E-mail: datenschutz@swm.de

Insofar as we collect, process or use personal data, we comply with the applicable legislation, in particular the General Data Protection Regulation (GDPR), Germany's Federal Data Protection Act (BDSG) and the Telemedia Act (TMG).

We forward personal data collected via websites to government entities, authorities and courts insofar as we are obligated to do so or insofar as this is necessary to ensure that legal defence can be carried out efficiently or that rights can be asserted.

When you contact us by e-mail or via a contact form, the data you provide (your e-mail address, your name and telephone number if applicable) will be stored by us in order to answer your questions. We delete the data arising in this connection after storage is no longer necessary, or restrict processing if there are legal storage obligations.

To operate the website, we may use the services of technical service providers that involve contract data processing.

Unless explicitly indicated otherwise in this Data Protection Notice, we do not send personal data to countries outside the European Union (EU) or European Economic Area (EEA).

Each time the Website is accessed, our system automatically collects the following information from the computer system of the accessing computer, which is technically necessary for us to display our Website and to ensure its stability and security

• IP address
• Browser
• Operating system
• Language and version of the browser software.

In addition to the aforementioned data, cookies are stored on your computer when you use our website. A cookie is a small file stored on your hard drive assigned to the browser you are using, thereby the entity that sets the cookie (in this case SWM) receives certain information. Cookies cannot execute programs or transfer viruses to your computer. They are used to make the Internet offerings as a whole more user-friendly and effective.

a) The Website uses the following types of cookies, the scope and function of which are explained below:

• Transient cookies (see b)
• Persistent cookies (see c).

b) Transient cookies are automatically deleted when you close the browser. This includes in particular the session cookies. These store a so-called session ID, with which various requests from your browser can be assigned to the shared session. This allows your computer to be recognized when you return to our website. The session cookies are deleted when you log out or close the browser.

c) Persistent cookies are automatically deleted after a specified period of time, which may vary depending on the cookie. You can delete the cookies in the security settings of your browser at any time.

d) You can configure your browser settings according to your preferences and e.g. reject third-party cookies or all cookies. Please note that you will then not be able to use all the functions of this website (e. g. the “My SWM” section).

Next to it, we place a cookie to save information indicating that we have already displayed our notice about the use of cookies to you.

A further cookie is set when you visit www.swm.de. This is used to ensure system stability. The cookie expires after three minutes at the latest. 

The legal basis for this data processing is Art. 6 para. 1 p. 1 f) GDPR.

On our website swm.de data is collected and stored for marketing and optimization purposes using technologies of the web analysis tool Matomo (Piwik).

Third party information: https://matomo.org/privacy-policy/

You can decide here whether a unique web analysis cookie may be stored in your browser to enable the website operator to collect and analyze various statistical data. If you choose not to allow the Piwik deactivation cookie, click the following link to place the Piwik deactivation cookie in your browser

Opt-out option: Click here to stop tracking through Piwik/Matomo.

We use Matomo to analyze the use of our website and to improve it regularly. By means of the obtained statistics we can improve our offering and make them more interesting for you as a user. The collected data is stored permanently and analyzed pseudonymously.

The legal basis for the use of Matomo is Art. 6 para. 1 sentence 1 lit. f) GDPR.

4.2.1 Purpose of data processing
We include maps from Google Maps (www.google.de/maps) on our site. Google Maps is an offering of the external provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). The parent company Google LLC, 1600 Amphitheater Parkway, Mountainview, California 94043, USA, is located in the USA.

4.2.2 Consent to data processing
The contents of Google are inactive by default, i.e. no personal data will be transmitted to Google when you visit our website. The use of our website is also possible without the external contents. The contents, however, can be activated by the user by clicking on the "Activate now" button, which loads the contents from the Google servers.

The click on the button "Activate now" represents a data protection relevant consent:

By doing so, you agree that your personal data (utilization data, meta-communication data (especially IP address), possibly location data) can be transmitted to Google and possibly also processed in third countries such as the USA - where the level of data protection may fall short of data protection levels in the EU. Your consent will be requested again for each integrated content from Google. A cookie that stores your decision on our website is not set.

4.2.3 Processed data
If you activate the maps on our site, the embedding technology allows the following data types to be transferred to Google while the content is being used, as this is necessary for the content to be issued (e.g. websites visited, access times), meta/communication data (e.g. device information (e.g. browser, operating system, etc.), IP addresses), possibly location data (information on the geographical position of a device or person). If you have given your consent for this in the context of the settings on your (mobile) device, your location may also be transmitted to Google.

4.2.4 Further data processing by Google
Google will process your data for the purpose of providing the service, but will also process your data according to its own information in accordance with Art. 6 Para. 1 letter f) GDPR on the basis of its own legitimate interests for the purposes of advertising, market research and/or the design of its website in line with requirements, whereby information from other sources may also be used. This will be done regardless of whether you maintain a user account/profile with Google, where you are logged in while issuing and viewing the contents of Google on our website. If you are logged in at Google, your data will be assigned directly to your user account. If you do not wish to be assigned to your user account at Google, you must log out of Google before activating the service.

You have a right of objection to the creation of these user profiles, whereby you must contact Google to exercise this right of objection.

It cannot be excluded that your data may also be transferred by Google to its parent company Google LLC, 1600 Amphitheater Parkway, Mountainview, California 94043, USA. This means that the data processing may also take place in a third country (mainly the USA), in which there is no adequate level of data protection and in which you may not be able to enforce your data subject rights. In terms of users in the EU, Google LLC is subject to the data protection laws applicable in the EU.

For more information on the purpose and scope of data collection and processing by Google, please see Google's privacy policy. There, you will also find further information about your rights and setting options to protect your privacy:
https://policies.google.com/privacy?hl=de&gl=de
Under the following link you can determine which of you data Google will use:
https://myaccount.google.com/intro/data-and-personalization .
We have no influence on how Google or Google LLC processes your data.

4.2.5 Legal basis for data processing
The legal basis for the transmission of your data from us to Google is your consent in accordance with Art. 6 para. 1 lit. a) and, if applicable, our legitimate interests in accordance with Art. 6 para. 1 lit. f) GDPR. Our legitimate interests are the ability to offer you the service on our website. We have weighed up our legitimate interests against your interests and have come to the conclusion that your interests do not outweigh ours.

We secure our website and other systems by technical and organizational measures against loss, destruction, access, modification or distribution of your data by unauthorized persons.
To ensure that during transfer your data cannot be read by unauthorized parties, we encrypt our forms for transfer. Therefor we use a modern, reliable Internet security standard. 

In accordance with Art. 15 GDPR, you have the right to request information at any time as to what personal data we have stored about you. This also applies to the recipients or categories of recipients to whom this data is passed on and the purpose of the storage. You may at any time, under the conditions of Art. 16 GDPR, request the correction and/or under the conditions of Art. 17 GDPR, the deletion and/or under the conditions of Art. 18 GDPR, the restriction of processing. In addition, you can request data transmission at any time in accordance with Art. 20 GDPR.

You have the right to object to the processing of your personal data if the conditions set out in Art. 21 GDPR are met.

You can exercise your rights as a data subject towards: Stadtwerke München GmbH, Emmy-Noether-Strasse 2, 80992 Munich, datenschutz.stadtwerke@swm.de.

In addition, according to Art. 77 GDPR, you have the possibility to lodge a complaint with a data protection supervisory authority.

Right to revoke consent: You can revoke your consent to the processing of your data at any time for the future. This also applies to declarations of consent that were issued before the GDPR came into force, i.e. before 25.05.2018. If Stadtwerke München GmbH is named in this data protection notice as the controller pursuant to Art. 4 No. 7 of the General Data Protection Regulation (GDPR), please send your revocation to Stadtwerke München GmbH, Emmy-Noether-Straße 2, 80992 Munich, datenschutz.stadtwerke@swm.de.

We delete your personal data as soon as they are no longer required for the purposes for which they were collected, unless their - temporary - further processing is necessary for the

• Fulfillment of legal storage obligations, which may result from the German Commercial Code (HGB) and the German Fiscal Code (AO). The periods specified therein are up to ten years.
• Preservation of evidence within the framework of legal statutes of limitation. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years.

As a matter of principle, we do not use automated decision making in accordance with Art. 22 GDPR. Should we use these procedures in individual cases, we will inform you of this separately within the framework of the statutory provisions.

Since our data processing is subject to changes and the legal situation may change, we will also adapt our data protection information from time to time.

Status of this privacy policy: 22.10.2020

Stadtwerke München is constantly refining its products, services and internal processes in order to make all the benefits of networking and digitalization available to employees, business partners and customers. SWM recognizes the opportunities offered by artificial intelligence (hereinafter “AI”) systems for enhancing business processes as well as the risks, particularly with regard to transparency, fairness and data protection. While digitalization and networking offer new opportunities, they also pose challenges. This also relates to the protection of customers’ and employees’ personal data (hereinafter “customer data” and “employee data”), as well as to giving employees the relevant qualifications and refining workplaces.

The present directive applies to all companies in the SWM Group (hereinafter “SWM”) as defined by Clause 1 (1) of the SWM Group directive. It defines the main principles in connection with advancing digitalization and the use of digital technologies at SWM.

SWM meets its corporate and social responsibility within the context of advancing digitalization. To this end, SWM has set out the following binding principles:

1. SWM’s customers can rely on SWM in treating their data fairly and in compliance with data protection legislation. SWM informs its customers actively, transparently and comprehensibly on the processing of their data.
2. SWM enables its customers to determine for themselves the manner in which their data are handled.
3. SWM informs its customers in accordance with data protection requirements whenever offers from SWM include the services of third parties or other SWM companies. Also when using third-party services, SWM will use its best endeavours to protect customer data while maintaining its high quality and service standards. When selecting such services, the level of data protection is a significant selection criterion.
4. SWM will only pass on customer data to third parties if the customer agrees to this specifically, or this is permitted under the law.
5. As part of big data applications, SWM will only process customer data with great care and respecting the rights and freedoms of the data subjects. SWM’s big data applications (e.g. in the area of traffic flow analyses) always offer a specific benefit to those customer groups whose data are processed.
6. The above-mentioned principles also apply analogously to employee data provided these principles can be applied to the employment relationship.
7. AI systems at SWM are used for the benefit of employees, business partners and customers in the interests of and for the good of SWM, while complying with the applicable statutory and internal specifications. SWM does not use AI for real-time biometric recognition or to manipulate behaviour, nor does it use any systems intended to deceive or mislead or which have the effect of doing so.
8. SWM undertakes to avoid both direct and indirect discrimination within the context of AI systems and it employs measures to detect and avoid any bias.
9. Every new application of AI systems is checked and documented in advance following a transparent, defined decision-making process.
10. AI systems with a high risk rating (corresponding to the risk categories of the EU AI Act) require thorough consultation and will only be introduced after careful review and a decision by management. Refinements to an AI system in operation are subject to a regulated, defined procedure.
11. SWM documents all datasets and process steps and maintains an overview of all systems deployed.
12. Before their introduction, the benefits of AI systems are reviewed and assessed. Risks are identified, classified, evaluated and actively managed with the highest standards applicable to high-risk systems.
13. SWM guarantees an appropriate level of human supervision and monitoring of AI systems. This applies both to the design process and to development and training procedures, as well as ongoing operations.
14. AI systems are only used in compliance with SWM’s internal rules and processes for ensuring information security. SWM employs comprehensive measures to prevent unwelcome interventions and ensure that AI systems take reliable decisions.
15. AI systems are deployed in compliance with applicable data protection laws and SWM’s internal rules and processes on data protection.
16. SWM initiates the necessary steps to ensure that its employees are qualified and, if applicable, to offer them new spheres of activity. In the process, SWM subscribes to co-determination without restriction. Employees and persons who deploy AI systems on behalf of SWM to fulfil their assignments or work with the results of such systems, are suitably trained on their functionalities and risks.