Privacystatement HTM app

We process data entered by individuals themselves on online forms such as data for applying for an annual season ticket, data related to questions, complaints, claims, found and lost items. To monitor the safety of you as passengers and our employees, we use camera images and possibly bodycams in our vehicles and at bus stops. This privacy statement describes how we process personal data and what we use it for. First and foremost, HTM complies in all cases with the General Data Protection Regulation (AVG) and the AVG Implementation Act, the Police Data Act (WPG) and the Passenger Transport Act (and Decree) 2000.

HTM offers part of its services by means of apps. For the proper functioning of the app, HTM may request permission to access and process certain personal data upon installation. How we as HTM process data of our passengers in the app, and what we use this data for, you can read in our “privacy statement”

HTM always handles personal data with care and security. We process data entered by individuals themselves on online forms such as data for applying for an annual pass, data relating to questions, complaints, claims, found and lost and found. To monitor the safety of you as passengers and our employees, we use camera images and possibly bodycams in our vehicles and at bus stops. This privacy statement describes how we process personal data and what we use it for. First and foremost, HTM complies in all cases with the General Data Protection Regulation (AVG) and the AVG Implementation Act, the Police Data Act (WPG) and the Passenger Transport Act (and Decree) 2000.

The processing of personal data for the performance of police duties falls under the WPG. Extraordinary Investigating Officers (BOA) employed by HTM must comply with the statutory obligations of the WPG in appropriate cases and support the police (in their investigative tasks). This includes data we collect for the purpose of detecting criminal offenses, maintaining public order or providing assistance. This may require us to process personal data such as your contact details or camera images. If you travel without a valid ticket or otherwise fail to comply with applicable transport conditions, our BOAs may process your personal data in order to draw up an official report and impose a fine on you. The personal data that the BOAs process in this regard are covered by the WPG.

How do we process personal data?

The processing of personal data serves multiple -following- purposes. Personal data is not automatically used for all purposes at the same time.

Objectives:

• Performance of the contract entered into, e.g. purchase and use of season tickets and other tickets.
  Information and service: travel information (such as e-mails about works, timetable changes, detour and disruptions), for handling questions, requests, complaints, lost and found items or for requests for refunds when using the OV-chipkaart/OV-pas and/or bank card and for photo/film and sponsor requests, among other things.
• Social safety: to supervise the safety of passengers/employees in our streetcars and buses and stops, among other things, investigation of violent people.
• Offer improvement: processing of data that cannot be traced back to individuals for purposes such as market research, location determination for the use of HTM services, management information, analysis, general strategy, developing products and services to improve services and carrying out marketing campaigns.
• Fraud control: e.g. for investigation of unjustified use of the OV- chipkaart/paycard with an HTM subscription/HTM product on it or correct use of the 'Money back on delay' scheme.
• Financial administration: performing debtor management (such as calculating, collecting or crediting invoices for season tickets or other travel products and maintaining contact with debtors) and revenue administration.
• Historical & statistical purposes: including numbers of passengers boarding and disembarking.
• Compliance with applicable laws and regulations, including the Passenger Transport Act 2000 and tax laws and regulations.

HTM processes personal data under the following bases specified in the AVG:

• Consent of the individual;
• Performance of the agreement,
• Legitimate (business) interest
• Legal Obligation.

How long do we keep personal data?

HTM applies different retention periods, which are always in accordance with the AVG. The relevant retention periods are listed in the overviews below. Requests for photo/film and sponsorship requests with personal data are deleted after the request has been processed.

Personal data is secured

HTM has taken measures to protect personal data from loss or unlawful processing. These measures range from physical measures such as a burglar alarm and access control to various organizational and technical security measures. Random HTM employees or third parties do not have access to personal data. Access to your data is only available to authorized employees and only when necessary for the performance of their duties and based on an established authorization policy.

Provision of data to third parties

Pursuant to laws and regulations, HTM is obliged to cooperate with investigative agencies, such as the police, tax authorities or the Dutch Fiscal Information and Investigation Service, if they request personal data. In such cases, HTM carefully examines the competence of the investigative agency in question and will of course also comply with the requirements set out by the AVG/WPG in respect of this legal obligation. HTM may also independently provide personal data to the police or judicial authorities in order to protect HTM's rights and property. Furthermore, data may be used in legal proceedings or proceedings before the Public Transport Disputes Committee for substantiation purposes. HTM will not provide more data than necessary to third parties.

For the proper national operation of the processing of (travel) transactions and the financial settlement for revenue sharing between public transport companies, HTM will share your (transaction) data and product data with Translink Systems B.V. (Translink). You can find more information about this in this privacy statement and at https://www.ov-chipkaart.nl/ and https://www.ovpay.nl/nl/.

In addition, HTM engages other parties to perform services. These are processors who may process personal data at HTM's instructions and on HTM's behalf. HTM makes specific agreements with these processors about the processing of personal data, such as security and data retention, confidentiality and the fact that data may only be used to carry out the specific order received from HTM. Examples include payment service providers, debt collection agencies, cloud and hosting parties, IT service providers, etc.

When you use the weather service on the HTM app, a pop-up window opens. You will now enter the Buienalarm environment. You will not automatically return to the HTM app. For this you have to close the window of Buienalarm. When you click and view this weather service, your data is processed by Buienalarm.nl. See their privacy statement for this: https://www.infoplaza.com/nl/disclaimer-en-privacy

Your privacy rights

Everyone has the right to inspect his/her personal data that HTM processes about you. Upon request, HTM can provide a written overview of personal data known to HTM. A request can be submitted by e-mail (gegevensbescherming@htm.nl) accompanied by a copy of the proof of identity (cross out the BSN number and passport photo) and a copy of the public transport chip card (cross out the passport photo). You can also submit your request via the Personal Data Form at HTM. If you do not want to send a copy of your ID as indicated above, you can also identify yourself at the HTM desk with a completed form.They can forward this to gegevensbescherming@htm.nl and indicate that your ID has been checked by them. HTM will respond to the request within the legal deadline, even if HTM cannot fulfill the request. The above e-mail address can also be used for other privacy questions. Are personal data incorrect or incomplete? If so, please also use the form above. In personal accounts in HTM's webshop you can indicate which information you do or do not want to receive. Are you of the opinion that HTM has not acted correctly in response to your rights? Then make a report to the Personal Data Authority.

Below is an overview of the various components where your data is also processed if you use them.

1. Privacy OV-Chipkaart
2. Privacy OVpay
3. Privacy Information Management
4. Privacy HTM Website and HTM Apps
5. Privacy HTM camera surveillance
6. Privacy when reporting damage
7. Privacy Law Police

1. Privacy OV-chipkaart

There are two different OV-chipkaart: the personal OV-chipkaart and the anonymous OV-chipkaart. There is also a one-time OV-chipkaart that is valid for a limited time or for a specific trip. This one-time OV-chipkaart is also for anonymous use. The personal OV-chipkaart is a card by name with a passport photo (the newer cards no longer contain a photo but then the photo is visible to the controller in his handheld at card check). The personal OV Chipkaart is used for so-called personal products such as an HTM annual season ticket or age discount. Users of a personal OV Chipkaart are known to the card issuer Trans Link Systems B.V. (Translink). Translink processes the personal data of OV-chip cards and related transactions. For more information about Translink's privacy policy, please visit the website https://www.ov-chipkaart.nl/privacy.

HTM is not liable for Translink's privacy policy. HTM, the other transport companies and Translink are jointly responsible for processing personal data with respect to the core processes within the OV-Chipkaartkaart system. To this end, we have entered into a cooperation agreement among ourselves in which the division of roles, responsibilities and agreements with respect to these core processes are laid down. For each core process it has been determined which data is necessary to process for an effective and efficient functioning of the OV-Chipkaart system and who needs this data.

HTM may use your chip card identification upon suspicion of non-payment/prevention of fraud/a suspicion and/or proven fraud. Providing your OV chip card identification involves Trans Link Systems (TLS) providing us with the internal card number (chip-id) belonging to the number printed on your card (engraved-id). TLS does not provide your name, address, place of residence or any other data that TLS processes about you. We have a legitimate interest in this as an OV company.

There is no link between subscription administration at HTM and travel data at Translink. Data such as name, address and residence on a personal OV-chip card containing an HTM subscription are processed in the HTM subscription administration. Transaction data (such as check-in/check-out data, location and chip ID) are processed in the OV-chip card system. The HTM subscription administration is not linked to the OV-chip card system and HTM may only view data in the OV-chip card system at your express request or in the event of (suspected) fraud with an OV-chip card and then only by authorized persons. Consultation of this data is done through an online portal. Access to this portal is made possible by Translink, which is jointly responsible for processing this data with the carriers. Without your consent, HTM will not be able to access the travel data relating to your journeys with other carriers.

How long do we keep personal data?

We distinguish between transaction data and data we use for our subscription administration.

Transaction data (data generated when using the OV-chipkaart) With regard to transaction data, related personal data are never kept for longer than 18 months.

Subscription administration Personal data (including contact details) required for the provision of a subscription are processed in the subscription administration. The retention periods for this data are 7 years in accordance with the General Tax Act.

See also https://www.ov-chipkaart.nl/ for more background information.

2. Privacy OVpay

The nine Dutch public transport operators1 (“Transport Operators”) and Translink are jointly introducing a new way to travel with public transport, namely to purchase a Ticket by checking in and out with your Debit Card or Credit Card. We are doing this in cooperation with a number of payment services. With these payment services, a public transport travel function in the Netherlands is attached to your Debit Card or Credit Card. You pay for your travel through the Bank Account associated with your Debit Card or through the spending limit of your Credit Card. If you travel on the basis of checking in and out with your Debit Card or Credit Card, you and HTM will enter into a transport agreement to which the General Terms and Conditions of City and Regional Transport and the 'OVpay Terms and Conditions for Checking in/out with your Debit Card and Credit Card' apply. The Processing of your Personal Data is necessary to execute that agreement. This allows you to travel and check out using your Debit Card or Credit Card on HTM public transport. HTM and Translink may also provide you with services.  Do you not want HTM and Translink to have the required Personal Data? Then you cannot travel and pay with your Debit Card or Credit Card and will have to use another regular Ticket. The design of the processes is based on Privacy by Design. This means that Translink and the Carriers have designed and set up the system to protect your privacy as a traveler as much as possible.

Pseudonymization, re-identification and use of tokens

Immediately after you check in, the unique identification number (“PAN”) of your Debit Card or Credit Card is pseudonymized. Each Debit Card or Credit Card hereby receives its own unique number, called a token. These unique tokens are used for various purposes such as travel, payment, service, inspection and summary reports.

The Generic Back Office (“GBO”) assigns each Carrier its own unique identification numbers for the tokens. As a result, Carriers have no mutual insight into travel patterns of trips made by a traveler using a Debit or Credit Card with other Carriers. The GBO is Translink's central administration system where Translink registers Tickets for Carriers, calculates the price a ride costs and keeps track of the total amount you traveled for that day. Pseudonymized data cannot be traced back to your Payment Card or Credit Card data without additional information. This Pseudonymization is a measure to reduce the risks to travelers when Processing your Personal Data. By combining Pseudonymized data with other data, an organization may be able to identify which Debit or Credit Card belongs to the pseudonym. This may then make it possible to view the travel history of a Debit Card or Credit Card. The Carriers and Translink have based the design of the processes on Privacy by Design and have made agreements with each other to prevent this risk of re-identification.

1 Arriva, Connexxion, EBS, GVB, HTM, Keolis, NS, Qbuzz and RET. See ovpay.nl for the most up-to-date overview.

2 Maestro, Mastercard, VPAY and VISA. See ovpay.nl for the most up-to-date overview.

Terms

Because traveling with your Debit Card or Credit Card is new, we may use terms that you are not (yet) familiar with. For convenience, we have listed these terms and their meanings here.

General Terms and Conditions of Urban and Regional Transport: the General Terms and Conditions for the Use of Public Urban and Regional Transport by Bus, Tram, Light Rail, Metro and Regional Public Transport by Train.

App: a mobile application developed and offered by a Carrier individually or Carriers and Translink jointly (under the name OVpay) with which a passenger with a Debit Card or Credit Card can create and consult his online account, link the Debit Card or Credit Card to it and thus, among other things, easily view travel transactions and payments and submit service requests. Use of an App is subject to the terms of use of the App in question.

AVR-NS: the NS Transportation Conditions (the General Conditions for the Transport of Passengers and Hand Luggage by Dutch Railways). Bank: a financial institution that offers payment services and where the Bank Account is held to which the Passenger's Debit Card used in public transport is linked.

Debit Card: a contactless card issued by the Bank to pay with (physically or virtually on a smart device) with which you can use and pay for public transport by checking in and out at the designated card reader at the station, stop or in the vehicle. Credit Card: a contactless Credit Card issued by the Credit Card Company with which you as a traveler can use and pay for public transportation. Credit Card Company: a financial institution which offers payment services and which has issued the Credit Card to you.

Generic Back Office (“GBO”): Translink's digital back office where, among other things, Tickets are registered, fare prices are calculated and the daily total of trips and journeys is maintained.

Joint Controllers: When two or more Controllers jointly determine the purposes and means of Processing, they are Joint Controllers within the meaning of the AVG.

Payment Card Industry Data Security Standard (“PCI DSS”): an information security standard for organizations that handle Payment Cards or Credit Cards of the card schemes.

Personal Data: any information about an identified or identifiable natural person as referred to in the AVG. Pseudonymization: the Processing of Personal Data in such a way that the Personal Data can no longer be linked to a traveler without the use of additional data, provided that this additional data is kept separately and technical and organizational measures have been taken to ensure that the Personal Data is not linked to an identified or identifiable traveler as referred to in the AVG. Travel Day: the period beginning at 00:00 a.m. and ending at 03:05 a.m. the following day.

Reference number: this is a code consisting of a combination of a total of fourteen letters and numbers, which is unique for each payment. This code is linked to the amount debited from your bank account or spending limit.

Technical Payment Card or Credit Card data: this technical data consists of the numbers of the Payment Card or Credit Card, namely the PAN, the PAN sequence number and the validity date of the Payment Card or Credit Card. The PAN is a unique Payment Card or Credit Card identification number. The PAN sequence number is in the chip of the Debit Card or Credit Card and is not visible.

Translink: Trans Link Systems B.V. registered office and place of business in Amersfoort.

Ticket: the ticket which provides valid access to the train, bus, streetcar and metro and is purchased by a passenger by checking in with HTM for each journey using the Debit or Credit Card used for travel. A Ticket is valid only if all the requirements set out in the General Terms and Conditions for City and Regional Transport (in the case of travel on city and regional transport operators) or the AVR-NS (in the case of travel on NS) are met.

Carrier(s): the Dutch public transport companies listed on the OVpay.nl website.

Processing: an operation or set of operations involving Personal Data or a set of Personal Data, whether or not carried out through automated processes as referred to in the AVG. Processor: a natural or legal person, a government agency, a service or another body which Processes Personal Data on behalf of the Controller as referred to in the AVG.

Controller: a natural or legal person, a government authority, an agency or another body which, alone or jointly with others, determines the purpose of and the means for Processing Personal Data as referred to in the AVG.

2.1. How does traveling and paying with Debit Card of Credit Card work?

A. Travel

When checking in with your Debit or Credit Card, the card reader reads the Technical Data of this Debit or Credit Card. In doing so, we check whether the Debit or Credit Card can be used for travel and report this back to you via the card reader. This offering of a Debit Card or Credit Card to a card reader is a “tap.”

If you can travel with the Debit Card or Credit Card then when you check in and out, Personal Data is sent from the card readers of the Carrier you travel with to the GBO at Translink. In addition to the Technical Payment Card or Credit Card Data, this includes the date, time and stop or station where you checked in or out. This data is used to compile your trip and calculate the fare.

First time travelling with your Debit or Credit Card

The first time you check in with your Debit or Credit Card, an automatic check takes place to determine whether your Debit or Credit Card is linked to a public transport travel function in the Netherlands. This also occurs when you have not traveled with the Debit or Credit Card in question for a period of 14 days and then check in again.

The GBO also checks with the Bank or Credit Card company of your Debit Card or Credit Card whether it has been blocked. If so, the public transport travel function of your Debit or Credit Card will be (temporarily) blocked and you will not be able to travel with it. This is a decision of the Bank or Credit Card Company. The Carriers and Translink cannot change this.

Travelling with your Debit or Credit Card

Every time you check in with your Debit or Credit Card, an automatic check takes place on the signaling list at Translink whether the Debit or Credit Card is not (temporarily) blocked. This list is managed in the GBO and distributed to Carriers. A Debit Card or Credit Card is added to this list by Translink if

it appears that your Debit Card or Credit Card used in public transport is on an alert list of the Bank or Credit Card Company, for example because it is registered as stolen or missing;
a settlement of the Debit Card or Credit Card for the use of public transport has not taken place, for example because you did not have sufficient balance or spending limit on your Bank Account or Credit Card at the time of settlement.

B. Pay

Based on checking in and out with the Payment Card or Credit Card, the GBO calculates the fare for the trips you make. On the night after the Travel Day on which you have traveled, the amount due for all the trips you make on one Travel Day is presented to the Bank or Credit Card Company in one go. To process the payment, Translink provides the Technical Payment Card or Credit Card details and the Reference Number to the Bank or Credit Card Company.

Upon successful payment, you can see on your (digital) account statement which amount has been debited and you will receive your unique Reference Number for each day you travel. A Reference Number is preceded by the letters “NLOV”. The digital account statement can be found by logging into your secure Banking environment.

Notwithstanding the above, if the amount of fare due exceeds an amount to be determined by Carriers, payment will not be made after the end of the Travel Day, but already during the Travel Day. The fare due will then be directly debited from your bank account or spending account. After successful payment, any rides you as a traveler make thereafter will be charged at the end of the Travel Day, unless the threshold amount is reached again in the interim.

Summary reports

Translink records all check-ins and check-outs in the GBO and takes care of trip reconstruction and determination of the fare. Translink, together with the financial institution EMS and your Bank or Credit Card Company, handles payment for the trips you make with your Payment Card or Credit Card. Translink also ensures that HTM and the other Carriers receive all payments for trips made on a daily basis. All Carriers each receive daily summary reports from Translink to check the accuracy of their own payments. This involves reports on transactions (such as check-in or check-out), journeys (combining check-in with a check-out) and payments within the domain of the relevant Carrier.

An unsuccessful payment

If the payment fails, for example because the balance or spending limit is too low, we will temporarily block the travel function associated with the Debit Card or Credit Card. You can then no longer travel with your Debit or Credit Card until the outstanding amount is paid.

Within a period of 62 calendar days, repeated payment requests are made by the GBO to debit the amount due from your account or spending limit. If this payment is successful, the (temporary) blockade will be lifted.

Both during and after this period you can also pay the outstanding amount yourself. You do this by presenting your debit or credit card at a card reader. Through the GBO, a payment request is then made to your Bank or Credit Card company. If the payment succeeds, you can travel again with your Debit or Credit Card about 15 minutes later.

(Temporary) blocking of the travel function

The (temporary) blocking of the travel function of a Debit or Credit Card can be checked by presenting your Debit or Credit Card at a card reader of a Carrier and paying attention to the message on the display or by contacting OVpay customer service.

Of course, as long as the travel function of the Debit or Credit Card is blocked, you can always use another Ticket to travel with public transportation.

C. Service

We understand that you may have questions about a trip, a charge or a missed check-in or check-out. Or perhaps you would like to see all your trips from the past period(s). You can do this by using the App or the HTM customer service with a Reference number and associated amount to view and request (parts of) your trips. You can also use the OVpay website, OVpay App and OVpay customer service to view and request (parts of) your journeys.

To be able to help you, you need the Reference Number in combination with the corresponding amount of your account debit. This is because we do not know your Bank Card or Credit Card number, nor can we search for your IBAN.

The Reference Number is created uniquely for each payment with your Debit Card or Credit Card. On your (digital) account statement you will receive your unique Reference Number for the rides belonging to that one payment (usually linked to one Travel Day). This means that if you share this Reference Number and associated amount with another person or organization, this person or organization can gain insight into the trips you have made.

App and website

Within both the HTM app and the OVpay app, it is possible to link your debit or credit card to the app. You first create an account with your own password. You can then, based on a Reference number and corresponding amount in the OVpay app, among other things, view all the travel history of your HTM trips made over the last 18 months. Via your online account you can see whether you have checked in and/or out, the fare for trips you have made, as well as your payments, payment status and any block on your debit or credit card. In the OVpay App you can view all trip history of your journeys made with your Debit or Credit Card throughout public transport over the last 18 months. In the account environment of a Carrier (web or App), you can only view the journeys you have made with your Debit Card or Credit Card at that Carrier, including those of the last 18 months. You can also set the OVpay app to receive notifications when checking in and out. On the website ovpay.nl you can use a Reference number and associated amount to view only the journeys you have made that belong to that specific payment.

Customer service

Questions about traveling with a Debit Card or Credit Card can be directed to HTM customer service or OVpay customer service. Customer service employees do not have access to your debit or credit card details or the details of your payment account. An employee will always explicitly ask for your details if this is necessary to answer your questions. Depending on the questions you ask customer service, customer service may ask for your Reference Number and the corresponding debit amount.

Cross service

The Carriers and Translink have made mutual agreements so that HTM can also serve you with questions about travel with other Carriers. It has been agreed that for questions about all trips and transactions you have made in the last 62 days you can contact the Customer Service Department of each Carrier. For questions about a missed check-in or check-out, please contact OVpay Customer Service. Depending on the questions you ask OVpay Customer Service, Customer Service may ask for your Reference Number and the corresponding debit amount.

D. Inspection

Everyone who uses public transportation must have a valid Ticket. If you check in with your Debit or Credit Card, your Ticket is linked to that Debit or Credit Card at that time through a digital registration in the GBO. Special Investigating Officers (“BOA”) regularly check passengers in the transport vehicles and at stops and stations for the presence of a valid Ticket. When a BOA checks your Ticket, you must hold your Debit Card or Credit Card against the BOA's card reader. The Technical Data of your Debit or Credit Card will be read and used in compliance with PCI DSS. In order for the BOA to provide you with courtesy and/or service, the BOA will ask your permission separately. The BOA can then view on his device the last 10 actions of the use of your Debit or Credit Card in public transport (up to 62 days back). These data are displayed on the device for a maximum of five minutes or disappear the moment another Debit or Credit Card is held against the card reader.

E. Information Management

Translink and the public transport operators want to ensure that public transport is as efficient and effective as possible. Therefore, the public transport companies and Translink have an interest in gaining insight into travel patterns of travelers. This insight is also important for third parties, such as governments that have (public) transport as a task and are committed to improving services for travelers. We obtain this insight through statistical research. Translink and the public transport companies have jointly decided which personal data may be used to obtain the insight and how the personal data may be used. We also call this the Information Management Agreement. These agreements are set out in a cooperation agreement between the public transport companies and Translink. The public transport companies and Translink are jointly responsible for the processing of personal data for the purposes of Information Management. More information about Information Management can be found further on in this Privacy Statement.

2.2. Basis of Processing.

If you check in and out using your Debit Card or Credit Card with HTM, the basis for the Processing of Personal Data is the performance of an agreement. This concerns the transport agreement to which the General Terms and Conditions of City and Regional Transport and the 'OVpay Terms and Conditions for Checking in and out with your Debit Card and Credit Card' apply. For the provision of cross service (see C. service/cross service), the basis is justified interests of the Carriers and Translink. Carriers and Translink would like your questions to be answered as well and efficiently as possible through one counter instead of multiple counters. It is in the interest of both you as a traveler and the Carriers and Translink that we can handle your questions about travel with multiple Carriers properly and efficiently. Our service employees are only given access to the data necessary to answer your questions. The basis for setting up check-in and check-out notifications in the OVpay app is your consent.

2.3. Who are the Processors?

What Personal Data do we use? Your Personal Data will be processed by: HTM and Translink. HTM, the other Carriers and Translink are joint data controllers for the processing of Personal Data in relation to travel with your Debit or Credit Card. The mutual arrangements are set out in a cooperation agreement between the Carriers and Translink. The joint Processing Responsibility concerns the following processes and associated Personal Data.

2.4. With whom do we share your data?

HTM, the other Transport Operators and Translink use the services of Processors, whereby we always make written agreements with external parties (such as IT suppliers) who process Personal Data on our instructions. We do this by entering into a so-called “Processor Agreement”, in which we lay down, inter alia, agreements on the security of your Personal Data and on the use of the Personal Data.

Translink uses the services of EMS (www.emspay.nl) for payment processing with your Bank or Credit Card Company. In doing so, Translink provides the Technical Payment Card or Credit Card Data and the Reference Number . EMS Processes this data in the capacity of Processor.

The carriers and Translink are additionally required in some cases by laws and regulations to provide your data to third parties, such as in the case of a criminal prosecution by the judiciary.

2.5. Security of Personal Data

HTM, the other Carriers and Translink secure your Personal Data, for example against unauthorized access, loss and theft. HTM, the other Carriers and Translink all have policies to set up payment by Debit Card or Credit Card in public transport in such a way that an appropriate level of security applies by default. For the security of Debit Card or Credit Card data, the Carriers and Translink apply the PCI DSS. This is an international security standard drawn up by Banks and Credit Card Companies. This standard seeks to protect payment card data and prevent misuse of card data, and therefore damage. Your Technical Payment Card or Credit Card data are processed in HTM's card readers and in Translink's GBO exclusively pseudonymized.

2.6. Automated Decision Making.

Automated decisions are made in two cases; for a fare still owed and for a Payment Card or Credit Card blocked by a Bank or Credit Card Company.

A fare still due

As a traveler, you should always pay the fare due. If your Bank or Credit Card company fails to process your payment, the travel function of the Debit Card or Credit Card is automatically (temporarily) blocked. You can then still check out for a trip, but you cannot check in (again) for a trip.

If the travel function of the Debit Card or Credit Card is blocked due to insufficient balance or spending limit, you cannot check in again with this Debit Card or Credit Card until your debt is paid. Within a period of 62 calendar days, multiple attempts will be made to debit the amount due from your account or spending limit. You can also do this yourself by presenting your Debit Card or Credit Card to a card reader of a Carrier. The check-in will then be rejected (and you will see an error message on the display), but then another attempt will be made to debit the amount. If it succeeds, you can check-in again and continue your journey after about 15 minutes. You can object to this automated decision to (temporarily) block your debit or credit card. This can be done through OVpay customer service, which will assess why your Debit or Credit Card has been blocked and unblock it if necessary.

A Debit or Credit Card blocked by a Bank or Credit Card Company

If a Debit Card or Credit Card used in public transport has been recorded as stolen or missing by a Bank or Credit Card Company, or if there is another reason why this card has been (temporarily) blocked by the Bank or Credit Card Company, the travel function of the Debit Card or Credit Card will also be automatically (temporarily) blocked. This is also part of the general conditions for the use of your Debit Card or Credit Card as agreed with your Bank or Credit Card Company. The Carriers and Translink cannot change this (temporary) blockage. For questions about this, please contact your Bank or Credit Card Company.

2.7. Contact point for questions or exercising your rights in relation to travel with a Debit Card or Credit Card Questions

If you have any questions about the Processing of your Personal Data in relation to travel with a Debit Card or Credit Card, you can contact the contact points at HTM and Translink for that purpose. In principle, HTM and Translink can only answer specific questions by using the features of your Debit Card or Credit Card. If you have created an account in an App, have your Debit Card or Credit Card attached to this account, and have provided your details in the process, HTM or Translink can also help you with these details. Before you can view your trips, you must provide the Reference Number and associated amount. For general questions about traveling with a Debit Card or Credit Card, you can contact OVpay customer service at 0900-1433 or the contact form at www.ovpay.nl/contact. If you want more information about how HTM or Translink handles your Personal Data, you can contact the data protection officer of either organization: For HTM: gegevensbescherming@htm.nl, for Translink: fg@translink.nl

2.8. Exercising your rights

If you wish to exercise your rights, you can make this known via the Personal Data at HTM rights of data subjects form or via OV Pay's Customer Service or via HTM's Data Protection Officer or Translink's Data Protection Officer, see contact details above.

3. Privacy Information Management

HTM, the other public transport companies and Translink want to ensure that public transport is as efficient and effective as possible. That is why the public transport companies and Translink have an interest in gaining insight into travel patterns of passengers. This insight is also important for third parties, such as governments that have (public) transport as their task and are committed to improving services for travelers. We obtain this insight through statistical research. HTM, the other public transport companies and Translink (collectively “us” or “we” or “our”) have jointly decided which personal data may be used to obtain the insight and how the personal data may be used. We also call this information management. These agreements are laid down in a cooperation agreement between the public transport companies and Translink. The public transport companies and Translink are joint controllers for the processing of personal data for the purposes of Information Management.

What personal data do we use?

We only use so-called transaction data to conduct statistical research into travel patterns of travelers. If we process customer data, such as your name or date of birth, we do not use this data for statistical research. Below you can read which personal data we process for statistical research when you travel with a public transport chip card, payment card or other ticket. We only use so-called transaction data for statistical research into travel patterns of travelers. If we process customer data, such as your name or date of birth, we do not use this data for statistical research. Below you can read which personal data we process for statistical research when you travel with a public transport chip card, payment card or other ticket. We are allowed by privacy law to use transaction data for statistical research because it is necessary for our legitimate interest and the legitimate interest of third parties, such as governments. The legitimate interest is to optimize public transport and improve services to travelers.

OV-chipkaart

Transaction data is created when you check in and out with your OV-chipkaart at a transportation company. This data is used to process your travel transactions. The transaction data are read out using the chip-ID in your card. You will find the transaction data in your transaction overview of your OV-chipkaart (Mijn OV- chipkaart.nl). We store the transaction data for statistical research in a separate database at Translink. Before we store the data there, we ensure that the data are pseudonymized. This pseudonymization involves encrypting the identifying characteristics in the data. As a result, the data cannot be traced back to a person without additional information. After the data has been pseudonymized, Translink creates research files on behalf of public transport operators. This involves a set of statistical data. With these aggregated, statistical research files, Translink or other companies specialized in this can create information products. These research files and information products do not contain any personal data.

Payment Card

Transaction data occurs when you check in and out with a transportation company using a payment card. This data is used to process your travel transactions. You can find the transaction data with your payment card in the OVpay app. If you do not use the OVpay app, you can view transaction data with your payment card on the OVpay website. There you can enter the so-called service reference ID that is mentioned for OV travel on your bank statement. We store the transaction data for statistical research in a separate database at Translink. Payment card transaction data cannot be traced to a person without additional information. Under Translink's management, we have research files created. This involves a set of statistical data. With these aggregated, statistical research files, Translink or other companies specialized in this can create information products. These research files and information products do not contain any personal data.

Central contact point

We have set up a central point of contact where you can address all your questions about the processing of your data for the compilation of research files and information products. You can contact us at privacy@ov-chipkaart.nl, where you can also submit a request to exercise your AVG rights. If you do not want us to use your transaction data for statistical research on travel patterns, you can indicate this by sending an email to privacy@ov-chipkaart.nl. You can request the form by sending email to privacy@ov-chipkaart.nl.

Who do we share data with?

HTM, the other public transport companies and Translink use the services of processors. We always make written agreements with processors by entering into a so-called processor agreement, in which we lay down, among other things, agreements about the security and use of your personal data. Pseudonymization makes it more difficult to link the data to individuals. Based on the research files, Translink or other specialized companies can create information products. For example, they can see trends in passenger flows, which can be used to determine where new public transport routes should be located. We can pass on this type of information products to government bodies and to third parties who have a task in the field of (public) transport and improving services for travelers. The information products do not contain personal data. We do not pass on your personal data for this purpose to (legal) persons outside the European Economic Area.

How long do we keep your data?

We keep transaction data and pseudonymized transaction data for up to 18 months after the trip you made. See also: Data analysis (translink.co.uk) for more background information.

4. Privacy HTM-website en apps

Data about the use of the website (htm.nl) and the apps (HTMapp and HTM Fietsapp)) and the feedback we receive from our visitors help us to further develop and improve our website and apps.

4.1. HTM Website

Click behavior

Our website records general statistics on the use of our website. The purpose of this is to see how many visitors view the HTM website, how much time they spend on the website, which pages are visited most frequently, which information is downloaded most frequently, etc. In this way we can optimize the layout of the website so that we can further improve our services via the website, for example to provide our customers with more targeted information. Personal data are never recorded via the Internet without explicit instruction or consent, for example when requesting information.

Use of cookies

Visitor data is tracked on the website to measure interest in the various sections of the site. This enables HTM to adapt the website to visitors' interests and experiences and to make access to and use of the website easier. HTM uses temporary cookies for this purpose; a small file stored on the hard drive of your computer. The cookies do not contain any personal data. Cookies can be disabled in any web browser (Chrome, Internet Explorer, Safari and/or Firefox). All parts of our website will still be readable, but the functionality may be reduced.

Google Analytics

We use the Google Analytics pixel but the information measured by it is made completely anonymous. The IP address is anonymized by default and this information is not shared with third parties, including Google itself. We do not create profiles based on user behavior for marketing purposes, nor do we track data across multiple devices. The cookie placed expires when the session is terminated.

Webshop HTM

HTM's webshop records personal data for which the user has given permission. This includes data such as contact details, date of birth (for certain travel products); payment details, debtor details, travel product details and card details of your OV-Chipkaart/bankpas. If requested and entered by the user, an overview of your travel products and OV-Chipkaart can be found within this section of our website. You can delete your account details yourself in the HTM webshop.

4.2. HTM App(s)

HTM offers part of its services through apps. For the proper functioning of the app, HTM may request permission to access and process certain personal data upon installation. The collection and processing of this data via apps is also covered by this privacy statement. The HTM app does not track click behavior and/or store cookies by HTM.

Positioning

There is an option to turn on positioning in the HTM app. This gives permission to plan a trip from that location. The permissions can be changed again by you as a user.

Notifications (found in section Favorites)

In the HTM app you will find a favorites section. Here you can specify your favorite lines and what you want to receive more about. You can turn this on and/or off yourself.

Buying barcode tickets in the app.

There is an option to purchase and pay for barcode tickets in the app. HTM uses processors to process barcode tickets. To ensure the confidential treatment of your personal data, a processor agreement has been entered into with these third party/parties. Tapconnect is the supplier of the mobile ticketing and Buckaroo is HTM's payment platform and in that capacity is a processor of HTM. After payment to Buckaroo, you will receive an overview of the tickets you have purchased in the HTM app under the Tickets section. Please note if you delete and reinstall the app, the ticket is no longer valid and no longer visible. You must activate the 2-hour ticket. The day ticket is valid immediately.

Basis and purposes of processing data for the purpose of barcode tickets.

Processing of the data by HTM is necessary to perform the agreement for the purchase and use of HTM Barcode feature while traveling with you. The purposes for which HTM processes your data for the performance of the agreement are:

• providing the agreed services;
• providing customer service for your questions or requests, for example with regard to - your purchases and rides;
• sending you information relating to the use of the HTM Barcode feature and - the products and services offered via this website;
• the improvement of services, which also includes inclusion in anonymous and aggregated form in management information and reports;
• keeping financial records, conducting audits and auditing.

4.3. Social media (Facebook & X (formerly Twitter) also accessible via HTM app and HTM website)

The website includes buttons to promote ('like') or share ('tweet') web pages on social networks such as Facebook and X. These buttons work by means of pieces of code that originate from Facebook and X respectively. Cookies are placed by means of this code. HTM has no influence on this. Please read the privacy statements of Facebook and X (which may change regularly) to find out how they process personal and other data through these cookies.

4.4. Technical security

In order to optimally protect personal data from unauthorized access or use, HTM uses security technology. The security meets the requirements imposed on us by the AVG.

4.5. Privacy policy of third parties

The website contains links to websites of other organizations such as ov-chipkaart.nl and denhaag.com HTM bears no responsibility for the way in which these parties handle personal data.

4.6. Contact and questions

Questions about our cookie consent or data modification are handled by our customer service department. We will ensure that the information is updated within one month.

5. Camera surveillance

One of the measures HTM takes to improve the safety of our passengers is to carry out surveillance, including through the use of cameras. This is an important tool in the detection and prosecution of criminal offenses or wrongful acts. In addition to your safety, this camera surveillance also serves the safety of our property and employees. In addition, the camera images are also used to investigate and reconstruct an accident. Where camera surveillance is used, this is indicated by images on stickers.

Camera surveillance in streetcars, buses and stops

Cameras are installed in and on all HTM streetcars and buses. Camera surveillance in the streetcars and buses is intended to increase the social safety of employees and passengers and to protect HTM's property. Camera surveillance at the bus stops is intended to increase social safety at the stops and to prevent unwanted or unsafe behavior by passengers. We use the recordings (image and sound) to trace and prosecute persons who have committed a criminal offense or wrongful act. Recordings can also be used in the event of injury or (im)material damage as a result of a criminal offence or unlawful act and for providing instruction to employees involved in camera surveillance. The camera images are viewed live by employees who are specifically authorized to do so and have a duty of confidentiality. This is done in an area inaccessible to other employees.

Bodycam

Some BOA inspectors have a bodycam. These are intended to increase the social safety of employees and passengers and to protect HTM property. We use the recordings when tracing and prosecuting persons who have committed a criminal offense or an unlawful act. Recordings may also be used in the event of injury or material or immaterial damage as a result of a criminal offence or unlawful act, and to provide instruction to employees involved in camera surveillance. The camera images are viewed by employees who are specifically authorized to do so and have a duty of confidentiality. This is done in an area inaccessible to other employees.

Goals for camera images are:

• Protecting persons from crime, nuisance and accidents;
• Securing stops, buildings, garages, grounds, yards, vehicles, platforms and all things therein against theft, burglaries, vandalism and the like;
• Supporting emergency services during emergencies;
• Crowd control at events and large crowds;
• Supporting a report to the police;
• Investigations by the police based on commandeered images;
• Investigations by the Security Department following incidents;
• Damage registration

We also use camera images for training employees involved in processing camera images. Camera images are also used for investigation and reconstruction of an accident.

What personal data are processed?

Cameras capture images on which people can be seen (and in some cases with sound). When incidents occur, we can act quickly to detect and prosecute violations and crimes. The camera recordings are only secured, viewed (and if necessary listened to and stored if an incident has occurred. Only employees authorized by HTM management may view (and listen to) the footage. This is done in an area that is not accessible to other employees. If the camera images are useful for an investigation and/or prosecution, only employees authorized to do so may secure the images. The employees in question have a duty of confidentiality.

Procedure in case of a (possible) incident

If there is an incident that may require follow-up (e.g., reporting it to the police), we immediately note the time. The recordings around the noted time are reviewed and listened to as soon as possible. If HTM decides to report the incident to the police, HTM will provide the recordings to the police if the recordings can serve as (supporting) evidence. In addition, the recordings may be made available to an investigative body upon request within the statutory framework.

Basis and purposes of processing camera images

The basis on which HTM processes camera images is the legitimate interest or the fulfillment of a legal obligation. Without camera images, it is not possible to subsequently investigate incidents or ensure the safety of our passengers and employees. We consider this interest to outweigh any infringement on the privacy of a traveler or an employee. Moreover, we take safeguards to protect your privacy: we store all images securely and only authorized employees have access to the images.

How long do we keep the data?

We keep the recordings from the vehicles and bodycam, if no incident has occurred for a maximum of 24 hours. Camera images from bus stops are stored for a maximum of 72 hours if no incidents have been reported. Camera images from the stops at the Central Station and Hollands Spoor locations are stored for 28 days.

With whom do we share personal data?

Is there an incident that we want to report to the police and do we expect the footage to provide (supporting) evidence? Then we review the camera images as soon as possible. In addition, we must also make the camera images available to (investigative) agencies within the legal framework if they require them on the basis of a legal authority. These include the Police, AIVD, Inspectorate SZW, the Environmental and Transport Inspectorate, insurance companies and lawyers and the courts in legal proceedings. In the context of damage cases, camera images are made available to insurers who handle damage cases for RET.

6. Damage, investigation and redress

HTM makes every effort to get its passengers to their destinations as safely as possible and to ensure a safe working atmosphere. Unfortunately, incidents do occur which result in damage to equipment, property belonging to HTM or others, or injury to persons.

What do we use personal data for?

HTM uses personal data to investigate the facts and consequences of an incident, for example to determine the cause of the incident, which party is liable, to take witness statements and or to check the legitimacy of a claim, or to determine the extent of the damage. The investigation results can also be used to implement measures that can help prevent future incidents.

What personal data is processed?

Contact details of claimants, witnesses, experts, advocates, claims handlers, lawyers and other data subjects. In addition, travel data, camera images and chain-of-signs data may be processed, or medical, personal and financial data in case of personal injury. Only employees involved in claims handling have access to this data. The data is stored in segregated systems for which an authorization policy is applied.

Basis of processing

The basis on which personal data is processed in the context of damage handling and prevention is HTM's legitimate interest and/or you consent to the use of your personal data. Without data, it is not possible afterwards to investigate incidents, deal with damage and prevent further damage. This is also in the interest of the data subject who has been harmed by the incident. HTM has a business interest in the proper handling of damage, to protect its financial interests as well as possible, to provide information to the insurance company and to prevent future incidents as much as possible. We consider this interest to outweigh any breach of privacy of a person involved in the incident. Moreover, we take safeguards to protect your privacy: we store all data securely and only employees involved in claims handling have access to the data.

How long do we keep records?

The retention period is 10 years for material cases and 30 years for personal injury cases.

With whom do we share the personal data?

The personal data in a claim file is shared only with parties involved in the claim handling process, such as accident experts, medical experts, loss assessment agencies, lawyers, insurance companies and the agencies to which a dispute is submitted in the context of claim handling.

7. Implementation for Police Data Act

HTM employs special investigating officers ("BOAs") to enforce social safety in and around public transport.

What does a BOA do?

Among other things, a BOA checks at stations and in vehicles whether travelers are in possession of a valid ticket. In addition, a BOA also supervises public order, compliance with legal provisions and travel rules and transport conditions. In case of violations, the BOA takes enforcement action. If a BOA processes personal data when performing his police task (such as detecting criminal offenses and maintaining public order), the Police Data Act ("Wpg") applies and not the AVG. This also means that the BOA no longer processes personal data but police data. Like the AVG, the Wpg imposes requirements on the processing of police data.

What do we process personal data for under the Police Data Act?

We process police data under the Police Data Act (Wpg) for various purposes. These purposes are listed in article 8 Wpg. Consider:

• Writing an official report if you have committed an offence or if you travel without a valid ticket (black driving).
• The handling, administration and financial settlement of payments related to official reports, such as granting objections, applying the compensation scheme, applying reductions and payment arrangements.

What personal data are processed in the context of the WPG?

We collect contact details, place and date of birth, a description of the offence with its time and place, BSN number, type of identity document and number when a traffic report is issued. We also collect financial data when paying a speeding ticket and/or making payment arrangements. You can submit an objection or a request for leniency to us for an official report. We then collect, in addition to the data you have provided in your request, contact details, place and date of birth, copy of OV-chipcard and/or OV-Pay payment details and the official report number.

Basis of processing.

The basis on which the BOAs process your police data under the Wpg is the performance of daily police duties (Article 8 Wpg). The BOAs process personal data under:

• Code of Criminal Procedure;
• Besluit buitengewoon opsporingsambtenaar;
• General Local Bye-Law (APV). Finally, the BOAs process personal data for the execution of the agreement. The rules of:
• Passenger Transport Act and Decree 2000
• City and regional transport terms and conditions;
• HTM travel regulations.

How long do we keep your personal data?

The model below indicates the time limits as well as the authority that an investigating officer/BOA has within these legal time limits. The maximum period within which the police may process personal data in terms of art. 8 - processing is a maximum of 10 years. In addition, camera images are retained by HTM (see the section on cameras earlier in this statement).

With whom do we share personal data?

Only authorized employees are given access to this data. They may only view the data they need for their work. It is possible that we grant access to employees of the police or municipality. They too are given access only to the data they need for their work. The actions of employees in systems are logged. We thus keep track of who performs what action at what time in a particular file. When you are served with an official report, we check your data with the Basic Registration of Persons (BRP). We do this again after we have sent the first payment reminder due to non-payment of a speeding ticket. Sometimes it is necessary for HTM to provide your personal data to third parties. For example, to the Central Fine Collection Agency (CJIB) if you did not pay your fine on time, or to the Public Prosecution Service (OM) or the police because of an incident that HTM is reporting.

What are your rights under the Police Data Act?

Under the Police Data Act (Wpg), your rights differ from those under the AVG. You have the right to review the personal data HTM processes about you under the Wpg. To do so, you can request a written summary of your personal data from HTM by sending an email to gegevensbescherming@htm.nl.

If your personal data is incorrect or incomplete under the Wpg, you can ask HTM to amend your personal data. In addition, you can have personal data removed or request a restriction on the processing of your personal data. You can also lodge an objection or appeal against the preparation of an official report and the fine imposed (see the rules of the game on e HTM website) You will receive notification from us if your request for correction, deletion or restriction of the processing of your data has been complied with.

We have the right to reject your request if:

• The request would impede judicial investigations or proceedings;

• That would adversely affect the prevention of the commission of crimes, detection, investigation, prosecution or imposition of penalties;

• Public security is at stake;

• The rights and freedoms of third parties are violated;

• National security is at stake;

• HTM has a legal duty to retain this personal data;

• It is manifestly an unfounded or excessive request.

  ---------------------------------------------------------------------------------

Changes HTM reserves the right to modify this text if necessary. Changes will always be in accordance with the AVG.

HTM Personenvervoer NV 
Koningin Julianaplein 10
2595 AA The Hague
Registered in the Trade Register of the Chamber of Commerce under number 27014495

Privacy Statement HTM updated: October 2023