For what purpose does GVB use your personal data?
To investigate, combat and prevent fraud or misuse, GVB may use personal data if there is a reason to do so. Such a reason includes refund requests, illegal or undesirable activities with the public transport chip card, or the purchase of travel products in the GVB web shop.
In addition, we may use personal data for security purposes. These include the investigation and estimation of security risks in GVB public transport chip card system and the investigation, research and remedy of technical disruptions in our (public transport chip card) systems and equipment or in the GVB web shop.
We can also process personal data of travellers for monitoring or investigating breaches of integrity (both internal and external).
Which personal data does GVB process?
To investigate, monitor and prevent fraud, misuse or breaches of integrity (both internally and externally), GVB may use data which are recorded in other processes. These may be claim or refund data, contact details, travel data, payment details, travel product data, camera images or public transport chip card data.
The personal data which is processed in this context depend on the circumstance or issue in question.
To resolve technical disruptions, GVB may use log data and back-up data.
Basis for processing
The basis for the processing of personal data for customer research is legitimate interest.
GVB has a business interest to prevent and remedy fraud and misuse and to ensure an ethical and secure organisation for employees and travellers.
In the interest of GVB and travellers, we investigate and remedy technical disruptions in our systems and equipment. This enables travellers to (continue to) make use of our transport and travel products without disturbance. In doing so, GVB processes personal data only if there is a reason or necessity to do so. In this process, we use as few data as possible and we safeguard your privacy.
Retention period
Data used for integrity screenings are retained until two (2) years after the case has been closed. In the context of fraud control, when fraud has been discovered, the data are retained until five (5) years after the case has been closed. Data for the investigation of technical disruptions are deleted after the remedy of the disruption.
With whom do we share the data?
If fraud has been discovered or if there is a strong suspicion of fraud or breaches of integrity, GVB can provide personal data to detective agencies or investigative authorities, such as the police or the Public Prosecution Service, for further research and settlement. We may also provide data to our attorney on account of legal proceedings.