This data protection declaration informs you how hotsplots GmbH processes personal data and traffic data when you use our hotspots.
This data protection declaration can be printed or saved using the standard functions in your browser. You can also download and save this data protection declaration as a PDF file by clicking here: [PDF].
1. Responsible authority
Contact for and controller of the processing of your personal data when using our hotspots within the terms of the EU General Data Protection Regulation (GDPR) is
|Telephone: +49 30 — 29 77 348–0
Fax: +49 30 — 29 77 348–99
Should you have any questions regarding data protection in connection with our products and services, you can contact our data protection officer at any time. This can be done via the above postal address or the previously stated email address (heading: “FAO Data Protection Officer HOTSPLOTS”).
2. Data processing when using the HOTSPLOTS WLAN
2.1. Traffic data
We collect traffic data every time our hotspots are used. This includes:
- Hotspot name
- Time stamp (date and time) of logins with type of login
- Duration of use
- Amount of data transferred
- Session ID, tariff ID, time stamp of the last billing data for a session
- Hardware ID of the terminal (MAC address)
- Hardware ID of the hotspot router (MAC address)
- IP address of the requesting device in the LAN and the hotspot router on the Internet
- Name of the VPN server and IP address on the Internet can be determined with the help of (a), (b) and ©
- User name of a registered user or ticket number
- Time stamp (date and time) of unsuccessful login attempts with error type
- Average bandwidths of the last minutes (max. 10 min.), number of packets transferred.
The collection and processing of this traffic data is required for establishing and maintaining telecommunication and for the billing of charges. In addition to the purposes described above, the traffic data a to f is also temporarily stored internally (cf. section “Maximum storage time”) and statistically evaluated. During the storage period, and as an additional security measure, the traffic data is pseudonymised if possible using the hash algorithm.
In doing so, we protect the secrecy of communications, i.e. in particular, we do not evaluate the content of the telecommunication nor its specific circumstances and do not pass on the traffic data to third parties. The statistical evaluation of the data is necessary for operational reasons, in particular for the rectification of errors and for the purpose of identifying improper use. The data stored for the statistical evaluation does not allow for any information about your person to be directly inferred. The legal basis for these data processing operations is Art. 6.1.1.b of the GDPR.
2.2. Registered HOTSPLOTS users
It is possible to use your personally selected access data to log in to some of our hotspots, if you have previously registered with us. After registering you also have the option to top up your account for using our hotspots in the customer area. Further information about data collection and processing relating to registration can be found in the data protection declaration for our website. If you use our hotspots as a registered customer, in addition to the traffic data mentioned above, we will also collect billing data and your so-called inventory data for billing purposes and reasons of fraud prevention. The legal basis is Art. 6.1.1.b of the GDPR. The inventory data includes:
- Username and password
- First name and surname
- Email address
- Bank details (account holder, IBAN, BIC, bank).
Also, if specified by you:
- Telephone and fax number
- VAT no.
2.3. Users with location tickets
If you use our hotspots with a location ticket, in addition to the specified traffic data, we will also save the properties of the ticket such as ticket number and password as well as data on the validity of the ticket for billing purposes. The legal basis is Art. 6.1.1.b of the GDPR.
You have various options by which you can contact us, in particular by email or using the contact form on our website. In this context, we process data solely for the purpose of communicating with you. The legal basis is Art. 6.1.1.b of the GDPR. The data collected by us when you use the contact form will be automatically deleted after processing of your request is completed, unless we still need your request to fulfil contractual or legal obligations (cf. section “Maximum storage time”).
3. Disclosure of data
In principle, data collected by us shall be disclosed only if:
- You have given your express consent to this in accordance with Art. 6.1.1.a of the GDPR
- Disclosure as per Art. 6.1.1.f of the GDPR is required for the establishment, exercise or defence of legal claims and there is no reason to assume that you have an overriding and legitimate interest in preventing the disclosure of your data
- In accordance with Art. 6.1.1.c of the GDPR, we are required by law to disclose it or
- This is permissible by law and in accordance with Art. 6.1.1.b of the GDPR is required for the implementation of contractual relationships with you or for the execution of pre-contractual measures undertaken at your request.
A proportion of the data processing may be undertaken by our service providers. These include the operators of the data centres in which our database and web servers are located (Interxxion Deutschland GmbH and Plusserver GmbH). Although they are unable to log into the servers, they can come into contact with the hardware. The IT service provider who services our ERP system, Intero Technologies GmbH, is able to see part of the inventory data and the accounting system. If we disclose data to our service providers, they are only permitted to use the data to fulfil their tasks. The service providers were carefully selected and commissioned by us. They are contractually bound by our instructions, have access to appropriate technical and organisational measures to protect the rights of the persons concerned and are regularly monitored by us.
4. Maximum storage time
In principle, we store personal data only for as long as required to fulfil the contractual or statutory obligations for which we have collected the data. The data is then deleted immediately, unless we need the data until expiry of the statutory limitation period for evidentiary purposes for civil claims or for statutory retention requirements.
- Inventory data from our registered users (cf. also 2.2) is deleted in the fourth year following the end of the last expired contract or in the year following cancellation of the customer account, if no contract has been concluded.
- Inventory data from location tickets (cf. also 2.3) is deleted in the fourth year following the date of the last possible use.
- In principle, traffic data from successful logins is stored for up to 7 days. Otherwise, this data is generally already deleted if it is more than 3 days old. Only if we also need the traffic data for billing purposes, will we also save it for longer: Traffic data relevant to billing is deleted on a monthly basis if it is more than 3 months old.
5. Your rights
You have the right to request information regarding the processing of your personal data by us at any time. As part of the provision of information, we will explain the data processing and provide you with an overview of your personal data which we have stored.
If the data stored by us is incorrect or no longer current, you have the right to have this information corrected.
You may also restrict the processing of your data, for example, if you are of the opinion that the data stored by us is incorrect.
You also have the right to data portability, i.e. that we will send you a digital copy of the personal data provided by you if you so request.
In order to assert your rights as described here, contact us at the above mentioned address at any time. This also applies if you wish to obtain copies of guarantees verifying an adequate level of data protection.
Finally, you have the right to complain to the data protection supervisory authority responsible for us. You may assert this right with a supervisory authority in the Member State of your place of residence, your place of work or the location of the supposed breach. The responsible supervisory authority for Berlin, the location of the headquarters of hotsplots GmbH, is: State Commissioner for Data Protection and Freedom of Information Berlin, Friedrichstr. 219, DE-10969 Berlin.
6.Right of revocation and objection
At any time, you have the right to revoke consent previously given to us. As a consequence, we will cease processing any data based on this consent in the future. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent up to the revocation.
Insofar as we process your data based on legitimate interests, you have the right to object at any time to the processing of your data for reasons relating to their particular situation.
Should you wish to exercise your right of revocation or objection, it is sufficient to send an informal message to the address or email address stated above.
7. Data security
We maintain up-to-date technical measures to guarantee data security, in particular to protect your personal data against risks arising during data transfers as well as from acquisition by third parties. These are adjusted in accordance with the current state of the art. Our security concept is transmitted to the German Federal Network Agency at regular intervals and inspected by this body.
8. Changes to the data protection declaration
We may occasionally update this data protection declaration, for example, when we adapt our website or legal or regulatory requirements are changed.
Version 1.0 / Issue: June 2018