Data privacy for eTicket Hesse
What is stored?
There are three separate areas on the storage chip: for ticket data, personal data and usage data. Just like on a paper ticket, specific information is saved, which identifies the holder of the eTicket (personal data) and determines which season ticket has been acquired (ticket data). As a service function in the sense of consumer protection, the last ten transactions with the chip card are saved in a kind of log book (usage data).
In the case of personalised tickets, name, gender and date of birth of the passenger are saved on the chip card, so that the ticket holder can be identified during a check. Here, the name is not saved in clear text; rather, it is 'masked' with letters, numbers and special characters, meaning it is encrypted. Thus, the name can be matched, for example, with the help of the ID card, but cannot be read without it (Example: "Max Mustermann, date of birth 01.03.2001, male" would be "M1x@M8n 03/2001 M"). Other data, such as a passport photo, has been deliberately waived for the purpose of data economy. Therefore, the following is applicable for season ticket holders: Always have your personal ID or another photo ID on you along with your eTicket. With regards to passengers, who buy only transferable season ticket products, no personal data is saved on the chip cards.
Obviously, the acquired season ticket is also stored, that is, what is the ticket type, for which fare zone it is applicable and for how long. During each ticket check, it is not just checked whether the travel permission is valid, but also whether the transferred data record is free of manipulations.
The chip card saves specific usage data in a log book: Always, when the eTicket is held to a checking device (so-called transactions) – for example in the bus or during a mobile ticket check. Only the ten most recent transactions are saved. This usage data includes time, place and type of the transaction, the terminal number, the ticket/product number, the line and trip number. The checking device sends the data record to the eTicket background system of the RMV and there it is checked whether a sales data record for the checked eTicket RheinMain also exists. With this, we check for possible misuse such as manipulations, duplicates or double registrations using one chip card. This checking data is only saved on the eTicket of the passenger. On the RMV servers, this data record is again immediately deleted after the checking analysis. This log book data helps the passenger in carrying out his own check: Afterwards, they can always check themselves what has been done with their eTicket. Thus, the highest possible data transparency exists in the sense of consumer protection. Per customer request, the log book entries can be deleted at a point of sale.