Data protection

Toll Collect would like to thank you for visiting our website and for your interest in our company. We take the protection of your personal data very seriously; accordingly, our processing of your personal data always and exclusively takes place in compliance with the applicable data protection regulations.

Personal data is information about your identity, such as your name, postal address, e-mail address or phone number, but also usage information like the date and time you accessed our system, what services you used and for how long. Below, we explain what information Toll Collect collects within the scope of toll system operation and during your visit to our website.

Toll Collect processes your personal data for toll collection and enforcement purposes within the scope of operating the toll system for heavy industrial vehicles. The toll system is divided into:

• Automatic toll collection method
• Manual toll collection method
• Enforcement system

For toll collection and the enforcement system, the data listed in §§ 4 para. 3, 7 para. 2 German Federal Trunk Road Toll Act (BFStrMG) as well as in § 2 German Truck Toll Regulations are collected. Toll Collect additionally processes personal data on the basis of Art. 6 para. 1 subpara. 1 lit b GDPR for the following purposes:

• Use of the Toll Collect on-board unit
• Registration processes
• Receivables management
• Transactions with payment services providers
• Fraud investigation
• Dispute resolution
• Certification and training
• Toll collection in Austria

In order to participate in the automatic and manual log-on procedures it is necessary to specify the information relevant for toll collection and which is required according to §§ 4 paras. 2 and 3, 5 para.1 sentence 3 of the German Truck Toll Regulations. Failure to provide the data means that you cannot use the respective log-on procedure.

Toll Collect offers the option of registering toll-exempt vehicles and reporting online a tradesperson vehicle that is covered by the so-called tradesperson exemption. By registering toll-exempt vehicles and reporting tradesperson vehicles online, unnecessary checks, inspection procedures and official procedures can be avoided, but this does not mean that Toll Collect or the Federal Logistics and Mobility Office legally recognise the toll exemption.

The data collected when registering for exemption from tolls or when reporting tradesperson vehicles online is processed for the purpose of being able to offer the registration or online reporting of toll-exempt vehicles, to verify the requirements for toll exemption, and to subsequently take the toll exemption into account during the enforcement of compliance with the toll obligation. For this purpose, Toll Collect also transmits the necessary data to the Federal Office of Logistics and Mobility.

The legal basis for this processing is Art. 6(1, b) GDPR. If the requirements for toll exemption are met, the registration details for the toll exemption and online reporting of tradesperson vehicles are stored for four years. If the requirements for toll exemption are not met, the registration details for the toll exemption and online reporting of tradesperson vehicles are stored for one year.

The registration of toll-exempt vehicles and the online reporting of tradesperson vehicles is a voluntary offer. The provision of personal data is neither legally nor contractually required. However, it is required in order to register toll-exempt vehicles for the toll exemption and to report tradesperson vehicles. Failure to do so would therefore mean that the vehicle in question would not be registered for the toll exemption or the online reporting would not be implemented, and unnecessary discharges, inspection procedures and hearings could not be avoided.

If there is a fact-finding exercise (hearing) to determine whether the requirements for a context-specific toll-exemption apply or whether the inspected vehicle is permanently exempt from tolls, this information will be saved without separate registration in order to take these circumstances into account during enforcement of compliance with the toll obligation and to avoid unnecessary discharges, inspection procedures and hearings. For this purpose, Toll Collect also transmits the necessary data to the Federal Office of Logistics and Mobility.

Toll Collect also receives information from the Federal Logistics and Mobility Office, indicating that certain vehicles are sometimes (depending on the situation) or permanently exempt from tolls, and this information is then also saved to be taken into account during enforcement of compliance with the toll obligation and to avoid unnecessary discharges, inspection procedures and hearings.

The legal basis for this processing is section 7 para. 2 German Federal Trunk Road Toll Act (BFStrMG). Processing is carried out for a period of two years. If a vehicle check by the Federal Logistics and Mobility Office confirms that the conditions for the tradesperson exemption are met, the storage period for any data already stored about the tradesperson vehicle can be extended by an additional two years.

The obligation to provide this vehicle information and the potential consequences of a failure to provide the information are governed by the terms of the fact-finding exercise (hearing) carried out during the subsequent collection process.

Toll Collect stores the data required for toll exemption in lists that are used jointly by Toll Collect and the Federal Logistics and Mobility Office. As joint controllers pursuant to Art. 26 GDPR, Toll Collect and the Federal Logistics and Mobility Office are jointly responsible for the processing of this data. In order to guarantee the rights of data subjects and to take into account the requirements of the EU General Data Protection Regulation, an agreement has been concluded, which sets out rules for the joint processing of personal data.

Both Toll Collect and the Federal Logistics and Mobility Office are responsible for fulfilling the information obligations pursuant to Art. 12 et seq. GDPR, and the provision of this information pursuant to Art. 26 (2, 2) GDPR is the responsibility of both Toll Collect and the Federal Logistics and Mobility Office. Toll Collect is responsible for processing and responding to requests to exercise the rights of the data subject pursuant to Art. 15 et seq. GDPR. Irrespective of this, data subjects may also contact the Federal Logistics and Mobility Office in order to exercise their rights as data subjects. In such a case, the Federal Logistics and Mobility Office will forward the request to Toll Collect.

In accordance with Section 8 (1) German Federal Trunk Road Toll Act (BFStrMG), Toll Collect carries out the retrospective collection of the toll in cases where, in accordance with Section 7 (1, 3) BFStrMG, use of a toll road within the meaning of Section 1 BFStrMG has been established and the toll owed has not been paid and not collected as part of the enforcement in accordance with Section 7 (7) BFStrMG.

The processing is carried out for the purpose of retrospective toll collection by means of the so-called retrospective collection notice. The legal basis for this processing is Art. 6(1, e) GDPR in conjunction with Section 8 (1) German Federal Trunk Road Toll Act (BFStrMG).

In cases where you submit an appeal to Toll Collect about a retrospective toll collection notice sent during the course of a retrospective toll collection and Toll Collect does not resolve the appeal, Toll Collect will hand over the appeal process to the Federal Logistics and Mobility Office.

The personal data processed for the purpose of retrospective toll collection will be deleted by Toll Collect in accordance with Section 9 (4, 1) German Federal Trunk Road Toll Act (BFStrMG) once the retrospective collection procedure has been completed.

You may refuse to provide the data listed in the hearing form if providing it would put you or a close relative, fiancé or partner at risk of being prosecuted for an administrative offence. If you wish to invoke a corresponding right to refuse to provide information, you must expressly declare this to the Federal Logistics and Mobility Office. If you do not comply with the request to name the person responsible, even though you do not have the right to refuse to provide this information, you must expect to be formally summoned for oral questioning in accordance with Section 161a (1, 1) of the Code of Criminal Procedure (StPO) in conjunction with Section 46 (1) and (2) of the Administrative Offences Act (OWiG).

Toll Collect processes the data required for implementing the retrospective collection process in a system used jointly by Toll Collect and the Federal Logistics and Mobility Office. In order to guarantee the rights of data subjects and to take into account the requirements of the EU General Data Protection Regulation, an agreement has been concluded, which sets out rules for the joint processing of personal data. As joint controllers pursuant to Art. 26 GDPR, the Federal Logistics and Mobility Office and Toll Collect are jointly responsible for the processing of the data.

Both Toll Collect and the Federal Logistics and Mobility Office are responsible for fulfilling the information obligations pursuant to Art. 13 and 14 GDPR. The Federal Logistics and Mobility Office is responsible for processing and responding to requests to exercise the rights of the data subject pursuant to Art. 15 et seq. GDPR. Irrespective of this, data subjects may also contact both parties, including Toll Collect, in order to exercise their rights as data subjects. In such a case, the request will be forwarded to the Federal Logistics and Mobility Office.

When you access the public website and portal applications, Toll Collect process the use data for the online offerings and web analytics data. This includes:

• IP address,
• date and time of the query,
• time zone difference relative to Greenwich Mean Time (GMT),
• content of the query (specific page),
• access status/HTTP status code,
• amount of data transferred,
• website from which the query originated,
• browser,
• operating system and its interface as well as
• language and version of browser software.

This processing is done for the purposes of conducting the web session, to respond to operational problems or in justified cases of abuse as well as to generate usage statistics. The usage statistics for visitors to the website are generated in order to provide a basis for designing the websites and services in accordance with users' needs. The legal basis of processing is Art. 6 para. 1 subpara. 1 lit. f of the EU General Data Protection Regulation (GDPR).

We additionally process the personal data that you provide to us — for example, to

• register with us,
• sign up for our newsletter,
• ask us a question,
• participate in one of our surveys,
• ask us to send you information material or,
• sign up to visit our Privacy Exhibition.

In these cases, we will need varying degrees of personal data from you. We may, for example, ask for your name, address, telephone number or e-mail address. It is your decision whether to send us this information by filling in the appropriate fields. We will use this information only to process your specific request.

Cookies

We only use “necessary cookies” to operate this web portal. These cookies are only stored for the duration of your Internet session. Without these cookies, you cannot use all of the functionality of our web portal.

“Necessary cookies” are used to implement the following functionalities:

• Loading and routing the website:
  The technology is used to get to and load the website. Without this technology, the website would not be accessible or would not be loaded. Users might receive an error message when they tried to load the page.
• User identification and authentication:
  The technology is used for user identification and authentication: e.g. for managing and transferring security tokens to different services within a website in order to identify the status of the user (e.g. whether they are logged in or not)
• Security of the website:
  The technology is used to ensure the security of the website and the users. (e.g. sessions timing out for security reasons)

You can subscribe to our email newsletter by providing your consent. To sign up for our newsletter, we use the "double opt-in procedure". This means that after you sign up, we send an email to the email address you provided, asking you to confirm that you want to receive the newsletter. If you do not confirm your subscription within fourteen days, your information will be automatically deleted. We additionally save the time of your subscription so that we can document it.

The only mandatory information required to receive the newsletter is your email address and desired language of correspondence. If you want to subscribe to the service partner newsletter on the service partner portal, we additionally require that you specify your country. After your confirmation, we save this data for the purposes of sending you the newsletter. The legal basis is Art. 6 para. 1 subpara. 1 lit. a of the EU General Data Protection Regulation (GDPR).

You can revoke your consent to receive the newsletter at any time and cancel delivery of the newsletter. To do so, simply follow the link that appears in every email newsletter, then enter your email address on the form.

Please note that Toll Collect analyses the usage behaviour of all newsletter recipients. To enable this analysis, the emails sent to you contain a feature known as tracking pixels. You can revoke this tracking at any time by clicking the link to cancel the newsletter that appears in every email, or inform us accordingly via a different communication channel.

During vehicle registrations and vehicle data changes, Toll Collect validates externally unrecognisable vehicle characteristics that are relevant for toll collection. Validation is carried out by comparing the vehicle data you have provided with the vehicle data contained in the verification documents you have provided. The legal basis for the validation of externally unrecognisable vehicle characteristics is Section 4 Para. 3 sentence 3 of the German Federal Trunk Road Toll Act (BFStrMG).

If the vehicle data you have provided cannot be confirmed on the basis of the evidence you have provided, Toll Collect will ask you to submit new evidence or to correct your vehicle data in order to eliminate the objection. If the objection has not been resolved within 14 days of the written request, Toll Collect will block the on-board unit of the vehicle in question from participating in the automatic toll collection system. The legal basis for this processing is Section 6 (1, b) GDPR.

The processing is also carried out for the purpose of supporting the enforcement of toll obligations by using the validation status for the externally unrecognisable vehicle characteristics as per Section 7 para. 2 sentence 1 no. 5 German Federal Trunk Road Toll Act (BFStrMG). For this purpose, Toll Collect also transmits the validation status of the externally unrecognisable vehicle characteristics to the Federal Logistics and Mobility Office. The legal basis for this processing is Section 7 Para. 2 sentence 1 German Federal Trunk Road Toll Act (BFStrMG).

Toll Collect uses an application for automated document recognition from adesso SE, Adessoplatz 1, Dortmund, Germany, which processes the personal data for Toll Collect as a processor within the meaning of Art. 4 No. 8 GDPR, to read the vehicle data from the verification documents provided by you. In the event of errors in document recognition, Toll Collect uses the incorrectly read evidence documents for training the application for automated document recognition on the basis of a compatibility check in accordance with Art. 6 Para. 4 GDPR.

No processing takes place in third countries in connection with the validation of externally unrecognisable vehicle characteristics.

Toll Collect deletes the verification documents provided by you eleven years from the date of deregistration of the vehicle, the validation status for the externally unrecognisable vehicle characteristics one year from the date of deregistration of the vehicle and the information about the On-Board Unit block in the event of non-validation four years from the date of the block or one year from the date of deregistration of the vehicle.

As a toll debtor, you are obliged under Section 5 (1) sentence 1 German Federal Trunk Road Toll Act (BFStrMG) to provide Toll Collect with evidence of the facts relevant to toll collection upon request. Failure to provide the evidence would result in Toll Collect being unable to validate the externally unrecognisable vehicle characteristics of your vehicle and therefore blocking your vehicle's on-board unit from participating in the automatic toll collection system after 14 days from the date of vehicle registration or vehicle data change.

The validation of externally unrecognisable vehicle characteristics is not related to a decision based solely on automated processing – including profiling – within the meaning of Art. 22 GDPR.

Toll Collect generally offers its customers the option of using the “direct debit upon invoicing” payment method. When this payment method is used, Toll Collect provides services in advance of payment for the customer, which means that a risk of a payment default could arise for Toll Collect.

Toll Collect has a legitimate financial interest in minimising the risk of payment defaults. To this end, following selection of the “direct debit upon invoicing” payment method, Toll Collect assesses your likelihood of payment by means of a recognised mathematical statistical method. In order to do this, Toll Collect uses only its own internal information (including master data, payment behaviour, payment history, sales trends). Then an automated decision on whether approval for the payment method “direct debit upon invoicing” is granted and the amount of any deposit that may be required is made, based the calculated likelihood of payment and your individual credit needs.

If the necessary data is not available to allow internal evaluation of payment probability when the payment method "direct debit upon invoicing" is selected, Toll Collect has a legitimate interest in evaluating your payment probability based on a score calculated by a credit agency. For this purpose, your identity data will be transmitted to the credit agency, who will respond with the credit score. Based on this credit score, an automated decision will be made as to whether to approve the “direct debit upon invoicing” payment method and to determine any deposit that may be required.

The legal basis for this processing is Art. 6(1)(f) of the GDPR (General Data Protection Regulation).

Toll Collect carries out system tests before introducing new IT systems and to enhance existing IT systems in order to fix bugs, test performance and check whether all real-world exceptions have been taken into account by the IT system.

Toll Collect only processes personal data for system testing in cases where the objective of the system test cannot be achieved with anonymised data. If the objective of the system test can be achieved without the use of personal data, Toll Collect uses fictitious test data or anonymised personal data for system testing

In order to implement system tests and to anonymise personal data for subsequent use in system testing, Toll Collect will change the purpose for processing personal data as long as a compatibility check has shown that the further processing of personal data for these purposes is compatible with the purpose for which the personal data was originally collected in accordance with Art. 6 (4) GDPR.

The legal basis for processing personal data in system testing and for anonymising personal data for subsequent use in system testing is the legal basis for which the personal data was originally collected.

Toll Collect is supported in carrying out system tests by test service providers who handle personal data on behalf of Toll Collect as processors within the meaning of Art. 4 (8) GDPR.

Toll Collect does not transfer personal data to a third country or an international organisation for the purpose of carrying out system tests.

As soon as the system test is complete, Toll Collect deletes any copies of the personal data sent to test systems for carrying out system tests..

Providing personal data for system testing is neither required by law nor contractually, nor is it necessary for the conclusion of a contract. There is no obligation to provide this personal data. Accordingly, failure to provide personal data would have no consequences for you.

Automated decision-making, as defined in Art. 22 GDPR, is not conducted in connection with the system tests.

Toll Collect uses data stored in anonymised form in accordance with the German Federal Trunk Road Toll Act (BFStrMG) for statistical and traffic management purposes. For these purposes, Toll Collect anonymises the data collected in accordance with Sections 4 para. 3 sentence 3, para. 2 sentence 1 BFStrMG before using it for statistical or traffic management purposes.

The legal basis for this processing is Section 9 para. 6 BFStrMG in conjunction with Sections 4 para. 3, sentence 3, 7 para. 2 sentence 1 BFStrMG.

Toll Collect also uses the data stored in accordance with Section 4 (3) sentence 3 no. 2, 6, 8 and 10 German Federal Trunk Road Toll Act (BFStrMG) in pseudonymised form for statistical evaluations for the purpose of traffic management and improving traffic flow and road safety, insofar as use for these purposes in pseudonymised form is necessary and there is no reason to assume that the interests of the data subjects worthy of protection outweigh the exclusion of use. For these purposes, Toll Collect pseudonymises the data collected in accordance with Section 4 (3) sentence 3 no. 2, 6, 8 and 10 German Federal Trunk Road Toll Act (BFStrMG) immediately after collection.

The legal basis for the processing is Section 9 (6) sentence 2 in conjunction with Section 4 (3) sentence 3 no. 2, 6, 8 and 10 German Federal Trunk Road Toll Act (BFStrMG).

Toll Collect does not disclose the data collected in accordance with Sections 4 para. 3, sentence 3, 7 para. 2 sentence 1 BFStrMG to any other recipients in connection with its use for statistical or traffic management purposes. A disclosure will only take place in the form of anonymous statistical results or in the form of anonymous responses to traffic management surveys.

Toll Collect deletes the data collected pursuant to sections 4 (3) sentence 3, 7 (2) sentence 1 German Federal Trunk Road Toll Act (BFStrMG) in accordance with the deletion obligations of section 9 German Federal Trunk Road Toll Act (BFStrMG) after 120 days at the latest. Anonymisation for statistical and traffic management purposes takes place within these erasure deadlines.

Transfer to a third country or an international organisation does not take place.

Automated decision-making including profiling does not take place.

In the context of toll collection, automated individual decisions

• are made in order to block an account if necessary
• or to decide on the means of payment for a repayment on the basis of user activities.

Toll Collect only your personal data stores for as long as is permissible under data protection law. The specific time of deletion is determined according to the following criteria:

• If a fixed statutory deletion period applies, Toll Collect deletes your personal data no later than the end of the statutory period.
• If a statutory retention obligation applies, Toll Collect deletes your personal data once the data retention obligation ends and the data is no longer required for the business processes of Toll Collect.
• If neither a statutory deletion period nor a statutory retention period applies, Toll Collect deletes your personal data as soon as it is no longer required for the businesses processes of Toll Collect.

Timely deletion is safeguarded by a deletion concept in accordance with DIN 66398.

Toll Collect discloses – to the extent necessary – the personal data that relates to you, and which is processed within the scope of the automatic and manual toll collection procedure and their enforcement, to the following recipients and categories of recipients:

• The Federal Logistics and Mobility Office
• ASFINAG, an interoperability partner (Toll2GO participants)
• Those involved in payment processing
• Order processors

Personal data collected within the scope of your accessing our public website and the portal is not disclosed to any other recipients.

A transfer of your personal data to a third country occurs if you use the following functions of our website:

• Social media plugins
• Service partner search

You can find details on these transfers in the corresponding chapter of this data protection information.

Our website uses plugins for various social media, namely:

• Facebook plugins (like button), Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland
• LinkedIn button: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Pl, Dublin, 2, Ireland
• Twitter (Retweet): Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA
• WhatsApp button: WhatsApp Inc. 650 Castro Street, Suite 120-219, Mountain View, CA 94041, USA
• Xing button: Xing AG, Gänsemarkt 43, 20354 Hamburg, Germany

These plugins are identifiable by their respective logos.

Our solution for sharing content from our site on Facebook, LinkedIn, Twitter, WhatsApp and Xing using special buttons is provided by Shariff. You'll find these buttons at the bottom of each of our blog posts, for example. By default, these buttons do not transmit information to third parties. Only after clicking on the button is the relevant social network permitted to request data from users.

If you click the Facebook “Like” button while you are logged into your Facebook account, your Facebook profile will be linked to our site. This allows Facebook to track your visits to our site.

If you do not want Facebook to be able to track your activity on our site, log out of your Facebook account.

To learn how your personally identifiable information is used by these social media sites, please refer to the privacy policy of the corresponding provider.

• Facebook: https://www.facebook.com/policy.php
• LinkedIn: http://www.linkedin.com/legal/privacy-policy
• Twitter: http://twitter.com/privacy
• WhatsApp: https://www.whatsapp.com/legal/
• Xing: http://www.xing.com/privacy

Toll Collect has implemented extensive security measures to protect stored personally identifiable information against unauthorised access, misuse, destruction and loss. E-mails sent by Toll Collect while using the internet portal are not end-to-end encrypted. Our security measures are continuously adapted to reflect the latest changes in technology.

You have the following rights vis-a-vis Toll Collect with regard to personal data that relates to you:

• Right to information,
• Right to correction,
• Right to deletion ("right to be forgotten"),
• Right to restrict processing,
• Right to revoke permission for processing,
• Right to data communicability.

Once consent is granted, you have the right to revoke that consent at any time. The legality of processing remains unaffected before the time at which consent is revoked.

You have the right to file a complaint with a data protection supervisory authority regarding the processing of your personal data by Toll Collect.

Please direct any further questions about the processing of your personal data to:

info@toll-collect.de

The name and contact information for the party responsible for data processing can be found in our Imprint.

Data protection officer
Toll Collect GmbH
Linkstraße 4
10785 Berlin

If you would like to communicate with us using encrypted e-mails, you can download the public part of our PGP company key.