Data protection

Information in accordance with Art. 13 GDPR on the occasion of data collection as part of the research project "Modeling the transport demand of holidaymakers and day visitors in large cities II" of the Department of Transport Planning and Transport Systems at the University of Kassel

Status: January 14, 2026

Responsible in terms of data protection law:

University of Kassel

The President

34109 Kassel

Phone: +49-561-804-0

Web: www.uni-kassel.de

E-mail: praesidentin[at]uni-kassel[dot]de

Contact details of the data protection officer:

The data protection officer

University of Kassel

34109 Kassel

Phone: +49-561-804-2011

Web: www.uni-kassel.de/go/datenschutz

E-mail: datenschutz[at]uni-kassel[dot]de

Contact details of the responsible institute and contact person:

Luka Jurišić

University of Kassel

Department of Transport Planning and Transportation Systems

Mönchebergstraße 7

34125 Kassel

Phone: +49-561-804-3631

Web: https://www.uni-kassel.de/go/vpvs

E-mail: tourismus[at]uni-kassel[dot]de

Purpose of the following information

If you are receiving this information sheet, you have already decided to take part in the research project, or you are about to do so. Personal data will be collected as part of the research project. We would therefore like to provide you with transparent and comprehensive information. The following information is intended to inform you as a person participating in the research project about the manner and scope of the processing of your personal data.

Purposes of the processing

Your personal data is processed in order to carry out the research project "Modeling the transport demand of holidaymakers and day visitors in major cities II" at the University of Kassel. Information on this can be found in the description of the research project(https://www.uni-kassel.de/go/tourismus).

The data will be scientifically analyzed. The aim is not to evaluate your personal data, but to make statements that are as generally valid as possible (e.g. "Solo travelers are significantly more likely to use rail passenger transport for their journey than non-solo travelers. If children are part of the travel group, they are even more likely to use the car."). The aim is to publish these generally valid statements for scientific purposes and to make the anonymized data available to third parties in a suitable online repository.

Your e-mail address is required to create a user account (see below). On the other hand, you have the option of allowing the University of Kassel to contact you via the e-mail address provided for queries, an incentive (a small thank you for participating) and participation in qualitative, guided in-depth interviews as part of a later phase of the research project. You can agree or disagree with each of these three points. The University of Kassel will not contact you for any other reason via the e-mail address collected. The e-mail addresses will not be passed on to anyone outside the University of Kassel and the named contractor for the creation of the user account.

Legal basis for processing

The legal basis for the processing of your personal data is your consent in accordance with Art. 6 para. 1 subpara. 1 a) GDPR (General Data Protection Regulation of the European Union).

Categories of personal data that are processed

In a personal survey, socio-demographic data (e.g. age groups, gender, household income classes, educational qualifications) and the zip code of the place of residence are collected. It is not possible to draw conclusions about individual natural persons.

In a second phase, data on your journeys, means of transport used and activities (location data) during your stay in Kassel or the comparison city are recorded and processed up to the time of the survey. Subsequently, our contractor MotionTag GmbH (see below) and its subcontractors will collect and process location data for the rest of your stay in Kassel or the comparison city via the special smartphone app "Mobil zum Ziel".

When recording the location data, the activity (e.g. visiting a restaurant, shopping), length, duration, source and destination of your trips and the means of transport used are stored. This is used for scientific research into the mobility behavior of overnight guests in large cities, which in turn provides a valuable basis for transport planning.

The app should record data for at least 24 hours and not exceed the duration of the stay in the city. A timely "switching off" of the recording after the end of the stay can only be done by the participating person (e.g. shortly after departure). If this is not done, it cannot be ruled out that data on everyday mobility and the associated location of residence or work, for example, may be inadvertently transmitted. Participants should be sent a push notification by the app to remind them to deactivate the recording. All recordings that are not part of the tourist stay will be deleted by the University of Kassel as soon as possible.

Participation in the second phase is only possible after participation in the first phase. In order to be able to use the "Mobil zum Ziel" app in the second phase, registration is required. In order to register, a password-protected user account must be created using a valid e-mail address. An e-mail address is therefore required to create the user account.

You can use a WLAN network provided by us to install the app. It cannot be ruled out that the mobile router we use will store the MAC address of your smartphone. These MAC addresses are not used by us.

Recipients or categories of recipients/third country transfer

As part of the research project, we, the Department of Transport Planning and Transport Systems at the University of Kassel, are working with a contractor (MotionTag GmbH). This company collects data on our behalf via the "Mobil zum Ziel" app.

MotionTag GmbH first processes your personal data on its own servers and then forwards it to the University of Kassel as soon as possible. MotionTag will NOT pass on your personal data to other persons or companies. You can find more detailed information on this in MotionTag's privacy policy and conditions of participation: https://api.motion-tag.de/de/privacy and https://api.motion-tag.de/de/terms.

The processing and preparation of mobility data is carried out exclusively in compliance with the GDPR on servers in the European Monetary Area (EEA). For support requests and internal processes, MotionTag has data processed in the USA (order processing), which is why your data transmitted in the context of support requests could be transmitted via servers in this third country (i.e. a country outside the EU). Other data processing laws may apply there. In order to achieve a GDPR-compliant level of data protection in cases where data is processed in third countries, MotionTag implements appropriate standard contractual clauses and additional security measures in relation to its processors (see api.motion-tag.de/de/priacy, paragraph "Data processing in third countries").

Contact details of the contractor

MotionTag GmbH

Rudolf-Breitscheid-Straße 162

14482 Potsdam

Website: https://www.motiontag.com/company/about-us

Duration of storage of personal data/criteria for determining the duration

The personal data must be stored by us until it has fulfilled its purpose and can be deleted. We carry out this deletion as quickly as possible. The following deletion periods are aimed for:

• Email addresses will be deleted at the latest by the end of the research project, probably on 15.08.2028. Data from the first survey wave (spring/summer 2026) will be deleted earlier if possible.
• Location data will probably be stored for one year longer than the project duration until August 31, 2029 in order to enable a doctoral thesis to be written in the department. After that, the data will be stored anonymously. To this end, the accuracy of the location data will be reduced to the level of traffic or grid cells. When the user account in the "Mobil zum Ziel" app is deleted, the location data is deleted from the MotionTag company. However, the University of Kassel can continue to use the data for research purposes. If the location data is also to be deleted for research purposes at the University of Kassel, the contact person responsible for the project at the University of Kassel (see contact under "Right to withdraw consent") must be informed of this, e.g. by email.
• Socio-demographic data is anonymized and stored by dividing it into classes (e.g. age classes, income classes, etc.).
• The aim is to delete the zip codes as soon as they have been replaced by other characteristics (e.g. area type of place of residence, travel time to the reference city). Deletion will take place at the latest at the end of the project on 15.08.2028.

• The MAC addresses are deleted after the end of each survey wave.

• Anonymized data will be archived in accordance with the rules of good scientific practice. It is intended to make anonymized data available for research purposes via a suitable online repository.

MotionTag reserves the right to use the personal data internally (e.g. to improve the app); however, the personal data will not be passed on to third parties. MotionTag will delete the personal data at the latest at the end of the research project, probably on 15.08.2028.

Note on the removal of the pseudonymization of data for the payment of incentives

Participants are free to choose whether they wish to receive an incentive (e.g. in the form of a voucher). In order to provide the voucher, the pseudonymization of the data collected for this purpose must be lifted once. If no incentive is claimed, the data collected remains pseudonymized throughout. The assignment of the pseudonym to the e-mail address is always stored separately from the other data. The same applies to the optional options for making contact regarding queries/reminders and recruitment for in-depth interviews.

No automated decision-making (including profiling)

Your personal data will NOT be processed for the purpose of automated decision-making (including profiling) in accordance with Art. 22 para. 1 GDPR.

Right to withdraw consent

You have the right to withdraw your consent at any time, unless the data has already been anonymized. This does not affect the lawfulness of the data processing carried out on the basis of the consent until revocation.

The revocation can be submitted to the following contact person

Mr. Luka Jurišić

E-mail: tourismus[at]uni-kassel[dot]de

Telephone: +49 561 804-3631

Available Mon. to Fri. 09:00 to 12:00 and 13:30 to 16:00

Your further rights

You can exercise the following rights at any time vis-à-vis the contact person named above or our data protection officer:

• Information about your data stored by us and its processing,
• Correction of incorrect personal data,
• erasure of personal data concerning you
• Restriction of data processing if we are not yet permitted to delete your data due to legal obligations,
• Objection to the processing of your data by us.

Right to lodge a complaint

Finally, you have the right to lodge a complaint with the competent supervisory authority in the event of data protection problems.

Contact address of the supervisory authority of the University of Kassel:

The Hessian Commissioner for Data Protection and Freedom of Information (HBDI)

P.O. Box 3163

65021 Wiesbaden

E-mail: poststelle[at]datenschutz.hessen[dot]de

Telephone: +49-611-1408-0

Important terms and further information

Personal data is individual information about the personal and factual circumstances of a specific or (with additional knowledge) identifiable natural person (e.g. address, e-mail address, telephone number, location data). Anonymized data for which no personal reference can be established and the data of deceased persons are outside the scope of the General Data Protection Regulation (GDPR). The Hessian Data Protection and Freedom of Information Act (HDSIG) applies in addition to the GDPR.

Processing is any handling of personal data, in particular also simple storage or transmission. No distinction is made between manual and automated processing.

Transmission: The transmission of personal data by the University of Kassel to other public bodies or non-public bodies is permitted under the conditions of § 22 HDSIG. An unauthorized transfer of personal data may result in claims for damages by the data subject.

Thecontroller in terms of data protection law is the University of Kassel. It bears overall responsibility for compliance with data protection. The respective data processing body is responsible for the implementation of the GDPR.

Lawfulness of data processing means that the processing of personal data is prohibited unless it is permitted. Permission can be granted either via opening clauses in the GDPR from the HDSIG and other legal provisions (e.g. law, regulation) or the consent of the data subject in accordance with Art. 6 para. 1 subpara. 1 a) GDPR. Consent must always be given in writing. Data subjects must be informed in an appropriate manner about the data processing, in particular about the purpose of the processing and, in the case of intended transmission, also about the recipients of the data. Consent must be combined with the information that participation is voluntary, that non-participation will not result in any disadvantage and that the consent given can be revoked at any time for the future (Art. 7 GDPR).

Purpose limitation means that personal data is only processed if it is necessary for the lawful performance of the tasks for which the data controller is responsible and the associated purpose. Therefore, the collection and further processing of any data is not permitted. Further data protection principles are transparency (information obligations at the time the data is collected), data economy (data minimization) and data security, which must be observed when processing personal data.

Data security means that personal data must be protected from unauthorized persons within and outside the university. Data carriers (including manual records, card indexes and files) must be secured accordingly.

The obligation to keep a processing register means that every data processing unit at the University of Kassel is obliged to keep a register of the data processing operations it carries out. In addition, for example, the existence of consent (Art. 7 para. 1 GDPR), the correctness of the entire processing (Art. 24 para. 1 GDPR) and the result of any data protection impact assessments (Art. 35 para. 7 GDPR) must be proven by appropriate documentation.

Rights of the data subjects: Persons whose data is processed have a right of access and, under certain conditions, a right to rectification, erasure, restriction of processing as well as a right of withdrawal, objection and complaint (Art. 15-21, 77 GDPR). There is also a right to compensation under certain conditions (Art. 82 GDPR). Anyone who assumes that their rights have been violated in the processing of their personal data can contact both the university's data protection officer (Section 6 (4) HDSIG) and the Hessian Commissioner for Data Protection and Freedom of Information directly (Section 13 HDSIG).

Data secrecy: Although the GDPR and the HDSIG do not expressly provide for a duty of confidentiality, data secrecy is also derived from the requirement of processing only in accordance with instructions in Art. 29 GDPR in conjunction with Art. 32 para. 4 GDPR. A duty of confidentiality under civil service law arises from civil service or collective bargaining law (Section 37 BeamtStG, Section 3 (2) TV-H). In principle, everyone who has access to personal data is obliged to maintain confidentiality and to comply with the data protection requirements under the GDPR. This obligation continues even after the termination of employment at the University of Kassel.