Data Privacy Statement

Customer satisfaction is our top priority. This means that protecting your data is particularly important. We would like to thank you for the trust you place in us by submitting your data to us for processing. As a sign that we respect your rights as well as your privacy, we have formulated our policy, which applies when processing your data:

• We attach great importance to transparency when it comes to processing your data. This is why we have paid special attention to our data protection declaration in order to provide you with the necessary information on how we handle your data.

• It is important to us that you know for what purposes we use your data and when we store it. In our data protection declaration, we inform you how and to what extent we process your data.

• We process your data only to the extent necessary and use it exclusively for lawful and justified purposes.

• In certain cases, we ask you whether you consent to the use of your data. In these cases, you yourself decide how and when we use your data. For example, we will never send you electronic advertising if you do not desire it.

• In certain cases, we will also ask you on our website and in our app whether you would like to voluntarily store certain information. This may be beneficial to speed up your next ticket purchase.

• Similarly, we will only send you targeted special offers at your request. The decision is yours.

• Our goal is to continually improve ourselves. Please get in touch with us if you have concerns.

• We live our principles to the full, particularly in the area of data protection. In the following sections of this data protection declaration, find out how we process your data in the course of our various data applications.

Our data privacy statement applies to anyone who makes use of one of our products or services, visits our websites or uses our apps. This includes: buying a ticket, including ancillary services, such as making a reservation, purchase of a customer card or use of our services.

We are constantly continuing the development of our offers and services. This is also why we will constantly adapt our data protection declaration. We will, however, make sure that the latest version will always be available to you.

ÖBB-Personenverkehr AG (ÖBB-PV AG), FN [company registration number] 248742y, Am Hauptbahnhof 2, 1100 Vienna, tel. +43 1 93000 0, is the controller under data protection law, as defined in Article 4(7) GDPR.

GDPR defines a controller as a natural person or legal entity, authority, institution or other body, which, on its own or in conjunction with others, decides on the purposes and means of processing personal data.

By personal data we mean all information relating to an identified or identifiable natural person (hereinafter “data subjects”).

A natural person is regarded as identifiable if said person can be identified as precisely this natural person, in particular through allocation of an identifier such as a name, identification number, location data, online identification data or one or more other special features in the particular individual case (e.g. voice). Thus this includes, at the least, the data that can be associated with you as a customer. For example, your name, email address, telephone number, booking code, ticket code or your customer number are personal data.

The legal basis of data processing according to Article 6 GDPR comprises either the fulfilment of the contract, the fulfilment of a statutory obligation, your prior consent or our overriding legitimate interests, which may also include processing for a further purpose.

Data that can be associated with your person can stem from the following occasions, purposes and sources:

• If you buy a product from ÖBB or a cooperating partner or make use of another service (for example purchasing a ticket, buying a customer card, making a reservation or using the ÖBB mobility service). In general, this can be done at ticket vending machines, on site at ticket counters or in ÖBB lounges, by phone through our customer service, via one of our external sales partners, online in the ticket shop or using our app.

• If you purchase and use a digital discount product in your ÖBB account.

• If you use our Nightjet product. We will provide you with all known information about your journey. In particular, we will notify you of disruptions / cancellations by e-mail and text message, provided that we have this information (see Section “All you need to know about other services” / subsection: Statutory information pursuant to § 20 (3) of the Railway Transport and Passenger Rights Act”).
  At the time of loading, we record your telephone number and make a physical note of it on the documents assigned to you so that we can contact you in the event of an incident during unloading or a disruption during the journey. These documents can be viewed by the train attendants in charge as well as unloading personnel. These documents will be kept for a period of one year, after which time we will properly dispose of them.

• If you would like to book a trip via the private ÖBB account or the ÖBB business account and create or already use an ÖBB account / ÖBB business account for this purpose.

• If you use the SimplyGo! function in the ÖBB App.

• If your employer (company, school, etc.) or any other third party (e.g. association) has opened an ÖBB business account for you and you have confirmed this account.

• If you book a journey through our ÖBB travel agency.

• If you book or take out a cancellation/travel insurance.

• If you purchase an annual ticket or a single ticket for the Tauern motorail.

• If you register on our website or in our app and create an ÖBB account.

• If you use the SimplyGo! function in the ÖBB app.

• If you use our website shop.oebbtickets.at or our ÖBB app for timetable information, to buy a ticket or a customer card and use our new services.

• If we validate your ticket or customer card (i.e. scan and check for validity)

• If you buy a product from ÖBB or a cooperating partner through one of our external sales partners or on the booking platform of one of our third-party sales partners.

• If you assert your rights as a passenger or if a penalty fare is involved.

• If you make a request for reimbursement and compensation. Further information in connection with the assertion of passenger rights can be found on our website at https://www.oebb.at/de/reiseplanung-services/nach-ihrer-reise/fahrgastrechte
  For this purpose, we provide our customers with an electronic form on the website (oebb.at) with the option of uploading documents. In this context, data is collected that is necessary to process your request: Name, customer number, card details, address, national and international bank details, if no voucher is desired, as well as the documents relevant to the case processing, travel data and other relevant circumstances.

• If there are outstanding debts which have not been paid by a customer.

• If you contact our ÖBB customer service with any questions, requests, suggestions, complaints, criticism or other comments (e.g. malfunction of a ticket vending machine). This includes, among other things, the processing of complaints in the course of payment processing, in which case data is either provided by the responsible bank / payment service provider or feedback is provided by us to the bank / payment service provider in order to process your request.

• If you use our Chatbot / ÖBB.Bot for inquiries

• If we receive feedback from you with regard to our internal quality assurance in order to continually improve our service.

• If you use SCOTTY timetable information or a push service or any other additional service.

• If you use a rental car as a daytime user or commuter.

• If you avail yourself of our integrated mobility services or other services such as transfers to the hotel, a rail and drive service or a bicycle parking space.

• If customer cards, annual transport association tickets or other employee credentials are misused.

• For statistical surveys and internal risk analyses in order to improve our services or systems, in which case the results of these analysis under no circumstances allow us to deduce information concerning your person.

• As required – where possible – if it is necessary to contact you by e-mail or telephone and you have provided us with your contact details when booking a ticket (e.g. large-scale cancellation of trains or other disruptions, delays and other deviations, especially if you have booked a motorail train).

• Provided that we have received your prior consent: for the electronic distribution of offers and other general news about the ÖBB Group and its cooperating partners as well as information and recommendations tailored to your specific needs for direct marketing purposes. If we do not have your consent, we will only analyse your data anonymously.

• If you wish, we also offer location-based services, information and offers in our apps.

• The delivery of offers for the acquisition of new customers by mail, as long as you do not inform us that you do not wish to receive such offers.

• If you voluntarily participate in pilot projects, usability tests, sweepstakes and other campaigns or other customer loyalty measures.

• If you use the contact form on our website to assert a claim regarding personal injury or property damage in the event of a train accident.

• If you disclose your data to our train attendants (for example, due to personal injury or property damage, theft, or any other incident or concern).

• If a customer under the age of 14 uses ÖBB-Personenverkehr AG services (e.g. tickets, newsletter orders, push services), the respective customer must ensure that the necessary consent of his or her legal guardian was obtained in advance..

• If we issue a temporary or permanent exclusion from transport services.

• If you book and receive an online consultation from an ÖBB travel agency or an app date at a ticket counter.

• If you book and receive a Schulcard webinar.

• If you participate in one or several pilot projects of the controllers.

• If, as part of the process of issuing a penalty fare or data collection in connection with the issuance of an emergency ticket for displaced persons from Ukraine, your ID is scanned electronically on the train or at the ticket counter and further processed by means of automated systems. Only the necessary data from the ID card will be transferred (specific details of the ID card, title, name, date of birth, and, if applicable, the name and date of birth of the child, if the child used the train without a ticket). The ID card image is transferred only temporarily and is only displayed to the train attendant until the data has been cross-checked and confirmed to be correct.
  Data is only collected in the event of immediate payment (cash or ATM) on the train if you wish to reserve the right to subsequently lodge an objection and you present your photo ID for this purpose, which is scanned by the train attendants. In this case, we record your first and last name, date of birth, ID card number and voucher number.

• If you book a bicycle parking place for private bicycles in the separated area of the Bike&Ride facility.

• If you use our ÖBB Bike App.

Pursuant to the provisions of Article 12 et seq. GDPR, we would like to inform you on the following topics:

ÖBB-Personenverkehr AG (ÖBB-PV AG), FN 248742 y, Am Hauptbahnhof 2, 1100 Vienna, telephone +43 1 93000 0 is the controller under data protection law, as defined in Article 4(7) GDPR.

If you have any questions regarding data protection or the use of your personal data, feel free to contact our data protection officer.

Contact details of the data protection officer:

ÖBB-Personenverkehr AG

Am Hauptbahnhof 2

1100 Vienna

E-Mail: datenschutz.personenverkehr@pv.oebb.at

We will collect personal data ourselves, pursuant to Article 13 GDPR, in the following cases and for the following purposes:

If

• you disclose your data to our train attendants (for example, due to personal injury or property damage, theft, or any other incident or concern). In this case, such data and information will be used for the specific purpose of case management as well as for conducting legal and official disputes.

• we collect a penalty fare through our train attendants, where we may scan your ID card, or make use of our right to file charges due to non-payment of the amount due;

• ou assert your statutory passenger rights under Regulation (EU) No. 1371/2007, the Railway Transport and Passenger Rights Act or the Fare Conditions and General Terms and Conditions of ÖBB-PV AG and for this purpose use our written refund application form.

• you make any other request for reimbursement and compensation

• you avail yourself of our mobility service;

• you purchase an ÖBB ticket or customer card in person at a ticket counter, in an ÖBB lounge or from one of our external sales partners, submit a refund application, assert your passenger rights (including receipt of a compensation for delays), submit complaints, make use of any other services that require the collection of personal data (e.g. a change in data or additional data, creation of a customer account, etc.);

• you contact the ÖBB customer service to book a ticket or any other service (e.g. mobility service, chatbot/ÖBB.Bot) by phone or contact the customer service for other issues (e.g. notification of malfunctions etc.);

• you open or register for a private ÖBB account or an ÖBB business account..

• you use the ÖBB Ticket Shop or the ÖBB App to book our products online, in particular the SimplyGo! function in the ÖBB App and trigger an electronic payment process (in this case, data must be transmitted to the payment service provider for the purpose of payment processing and, if necessary, for risk assessment);

• if there is a special entitlement check for a specific product (e.g. in the form of a data comparison in the case of products for students offered by a transport association)

• You book a bicycle parking place

• If you use one of our bike services

• you purchase a customer card;

• you contact one of our employees, our customer service, a ticket counter or train attendants with criticism or a concern;

• you opt for push services or any other service that we provide;

• you book a service offered by the ÖBB travel agency;

• you reserve and use the conference rooms of ÖBB Lounges.

• you participate in sweepstakes and other campaigns;

• you participate in a customer survey or the customer forum;

• you are a Rail & Drive customer and use a car;

• you have registered as a test user for usability testing;

• you participate in pilot projects

• you register for the newsletter (for example at www.nightjet.com);

• you have submitted an affidavit for proceedings by the competition authorities under the Unfair Competition ACT (UWG) and have agreed to act as a witness in the course of a regulatory dispute, where required

• you have given us your express consent in advance, we will process your data for direct marketing purposes in order to send you general information as well as offers and services tailored to your individual needs and your mobility and usage behaviour by e-mail or SMS or to contact you by telephone.

• If you use the contact form on our website to assert a claim regarding personal injury or property damage in the event of a train accident. There will be no further use of data for other purposes. Evaluations of a train accident are carried out exclusively in anonymous form so that no conclusion about a specific person is possible.

• If you present your ticket or customer card for validation purposes.

• If we issue a permanent or temporary exclusion from transport services.

• If you book and receive an online consultation from an ÖBB travel agency or an app date at a ticket counter.

• If you book and receive a Schulcard webinar.

In the following cases and for the following purposes, personal data will not be collected by ourselves but will be disclosed by third parties in accordance with Article 14 GDPR:

If

• you as a customer with an annual ticket want to participate in ÖBB’s process for compensation for delays, the competent transport association will send us the following personal data in advance every year:
  • Customer data of the buyer and/or user of the annual ticket: salutation, title, first and last name, address, country, date of birth (if available), e-mail address (if available), telephone number (if available), internal customer number with the transport association.
  • Contract data of the annual ticket including areas of validity: fare code of the annual ticket, number of the annual ticket, number of the primary ticket if applicable, number of the old annual ticket, first and last day of validity of the annual ticket, date of the last change of data.
  • The following data is provided by you yourself when you register: boarding station, exit station, bank details and number of an ÖBB customer card.
  • On this basis, we will calculate any compensation for delay, which will be automatically transferred to your designated bank account at the end of the period of validity of your annual ticket.

• If you as a caregiver and nurse take a special train from Vienna (Schwechat Airport/Vienna Central Station) to Timisoara and back. In this case, BTU Business Travel Unlimited Reisebürogesellschaft mit beschränkter Haftung, the controller under data protection law, will provide us with the following data:
  • Information on the passenger (first and last name, date of birth, nationality and number of the travel document, place of origin/region in Romania and telephone number)
  • Details of the agency and representative in Romania (name and title, address, contact details)
  • Travel details (carriage and train number, seat number, date, departure and arrival railway station in Romania, departure/destination (city) from/to Romania, means of transport from/to Timisoara Nord railway station)

The data processed for these purposes is disclosed to the following categories of recipients as required and depending on the intended use, ensuring that data is only disclosed to the extent absolutely necessary as required:

To

• the responsible bank / payment service provider for the purpose of secure payment processing in accordance with the legal requirements as well as the payment service provider's instructions or for the prevention or clarification of cases of abuse (for the purposes of contract execution, Article 6(1) b) and f) GDPR).

• the regulatory authorities in the case of arbitration (for the purposes of complying with the provisions and rights under railway law, Article 6(1) c) GDPR).

• the assigned legal representative in the event of disputes under civil law (based on our legitimate interests in defending legal claims, Article 6(1) f) GDPR).

• the local, competent administrative authority responsible in the individual case (in particular also financial authorities, driving licence authorities, the Austrian Regulatory Authority for Broadcasting and Telecommunications or trade authorities) for the purposes of complying with legal provisions and entitlements, Article 6 Para. 1 lit. c GDPR.

• the local, competent court responsible in the individual case or other authorities responsible in the individual case (based on our legitimate interests that exist in defence of legal entitlements, Article 6 Para. 1 lit. f GDPR).

• the competent executing contractors providing services in connection with a booked journey to the destination and/or at the destination itself (hotels, airlines, partner railways, bus or taxi companies or car rental agencies as part of an integrated mobility service, local organisers on site, etc.)

• the competent executing contractors providing services in connection with a booked journey to the destination and/or at the destination itself (hotels, airlines, partner railways, bus or taxi companies or car rental agencies as part of an integrated mobility service, local organisers on site, etc.)

• the visa-issuing authorities, as required in the course of long-distance journeys, in which case it should be noted that we provide the service of data collection and transfer to the competent authority in the individual case as a processor within the meaning of Article 28 et seq. GDPR. Visa and passport data are not automatically stored if the procurement of a visa forms part of the order placed by the data subject. Data storage is therefore usually carried out by the respective competent visa-issuing authority, which also assumes sole responsibility for the use of the data it stores.

• the domestic or foreign partner railway, as the case may be, responsible for handling the compensation case or the mobility service or in connection with an international journey (for the purposes of contract execution, Article 6(1) b) GDPR)

• the debt collection agency assigned by the controller for the recovery of outstanding debts based on our legitimate interests in the defence of legal claims, Article 6(1) f) GDPR).

• the chartered public accountant for the purpose of auditing (for the purpose of complying with legal provisions, in particular the applicable corporate law regulations, Article 6 Para. 1 lit. c GDPR).

• any affected cooperation partners, as the case may be, in the event of the sale of services provided by the cooperating partner by the controller (for purposes of contract execution, Article 6(1) b) GDPR).

• to other companies of the ÖBB Group or other cooperating partners, in the event that you purchase or use a product or service provided by the parties mentioned above.

• our commissioned data processors, if these process personal data on our behalf. (Based on our legitimate interests, in particular for the improvement, simplification and maintenance of our database systems, Article 6 Para. 1 lit. f GDPR).

• The competent competition authorities for the purpose of conducting antitrust proceedings, on the basis of a legal entitlement or a legitimate interest (Article 6(1) c) and f) GDPR).

• Bundesrechenzentrum GmbH, in the event that you purchase a special product for students from a transport association and an authorisation check is carried out for this purpose in the form of a data comparison (Article 6(1) b) GDPR)

• Wiener Linien GmbH & Co KG for the purpose of verifying the validity of the ticket presented by the data subject in the event that the data subject disputes the accuracy of the penalty fare issued by our train attendants (based on our legitimate interests consisting in the defence of legal claims, Article 6(1) f) GDPR).

Our data processing is therefore carried out in particular based on the legal framework conditions summarised again below (as amended):

• Regulation EU 2016/679 for the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation (GDPR)), in particular Article 6(1) a) (consent), b) (execution of contract), c) GDPR (legal entitlement or obligation), f) (legitimate interests) and (4) (processing for further purposes).

• Regulation (EU) No. 1371/2007 of the European Parliament and of the Council of 23 October 2007 on rail passengers’ rights and obligations;

• Federal Act on Rail Transport and Passenger Rights (Eisenbahn-Beförderungs- und Fahrgastrechtegesetz – EisbBFG)

• Federal Unfair Competition Act of 1984 (UWG)

• Trade Regulations of 1994

• Directive (EU) 2015/2302 of the European Parliament and of the Council of 25 November 2015 on package travel and linked travel arrangements

• Federal Act on Package Travel and Linked Travel Arrangements (Package Travel Act)

• Code of Criminal Procedure of 1975, as required

• Introductory Act to the Administrative Procedures Act of 2008

• Administrative Penal Act of 1991

• General Administrative Procedures Act of 1991

• General Austrian Civil Code of Law for all German hereditary lands of the Austrian monarchy

• Telecommunication Act of 2003

• Federal Act on General Regulations and Procedures for Fees Administered by the Tax Authorities of the Federal Government, Regional States and Municipalities (Federal Fiscal Code, BAO)

• Federal Act on Special Regulations of Civil Law for Companies (Austrian Commercial Code, UGB)

• Fare Conditions and General Terms and Conditions of ÖBB-PV AG, incl. the Guide for travelling with ÖBB in Austria, as well as any other general terms and conditions, contractual agreements and obligations that may apply.

• Terms of participation in the case of projects or special services.

• Federal Act of 21 January 1959 on Liability for the Compensation of Damages from Accidents in the Operation of Railways and the Operation of Motor Vehicles (Railways and Motor Vehicle Liability Act; Eisenbahn- und Kraftfahrzeughaftpflichtgesetz – EKHG) Federal Law Gazette No. 48/1959 as amended.

• Federal Act on distance sales and contracts concluded outside of business premises (FAGG) Federal Law Gazette I No. 33/2014 in this version Federal Law Gazette I No. 83/2015 as amended.

• Federal Act of 8 March 1979 laying down provisions for the protection of consumers (Consumer Protection Act; Konsumentenschutzgesetz – KSchG), Federal Law Gazette No. 140/1979 as amended.

• Federal Act on the Restructuring of the Legal Relationships of the Austrian Federal Railways (Federal Railway Act; Bundesbahngesetz), Federal Law Gazette No. 825/1992 as amended.

• EU Directive on Payment Services in the Internal Market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No. 1093/2010, and repealing Directive 2007/64/EC (PSD2)

The provision of the ÖBB ticket shop, the ÖBB ticket app, the complaints management system and other customer-relevant systems involves, among other things, the use of Microsoft Cloud Services and other Microsoft products.

ÖBB companies, namely ÖV Ticketshop GmbH, 1020 Vienna, Lassallestrasse 5 on the one hand and ÖBB-Business Competence Centre GmbH, 1020 Vienna, Lassallestrasse 5 on the other hand, act as central processors. For the provision of technical services by our ÖBB processors, the use of Microsoft products involves transferring / disclosing data to Microsoft Ireland Operations Limited (Microsoft), 70 Sir John Rogersons’s Quay, Dublin 2, Ireland, whereby Microsoft itself uses sub-processors in individual cases for the provision of individual cloud services or the provision of Microsoft products, some of which are based in third countries.

You can view the FAQs provided by Microsoft via the following link:

GDPR – frequently asked questions, Microsoft Trust Centre

We do not intend to transmit personal data to an international organisation.

In general, personal data are only stored by us to the extent that this is absolutely necessary and in principle are deleted following expiry of the statutory period of limitations under civil law of three years (e.g. customer correspondence) or in the case of invoice-relevant data, after ten years (e.g. booked tickets, customer cards) in accordance with § 212 UGB or §§ 132 et seq. BAO. A longer storage period is only implemented in justified individual cases, for example as a result of an ongoing civil law or regulatory dispute.

Specifically, we would like to emphasise the following various subject areas:

• For invoice-relevant data based on other ticket purchases, the acquisition of customer cards, booked journeys, applications for reimbursement, fare recovery claims, including scanned ID cards, or the rental of a car, etc., such data shall be stored for a period of ten years. The longer storage period serves to ensure that ÖBB-Personenverkehr AG can fulfil its legal obligations to provide evidence in the event of a possible financial audit (§ 209 (5) BAO).

• Other than this, we save data that can be assigned to you for a period of three years, such as customer correspondence, use of other services (e.g. mobility service, validation data, push services or any other service forming part of our integrated mobility offering), merely taking part in sweepstakes, campaigns or customer surveys.

• We will record you as a test user or subscription customer, if you have specifically registered for this. In the event of unsubscribing, such data will continue to be stored for a period of three years.

• We store timetable connections without tickets as long as you wish to see this information on your home page. If you delete it from the home page, it will also be deleted from our servers.

• We will remember information relating to relevant tips and information displayed by our software for as long as your ÖBB account exists or until your browser history is deleted. This is the only way we can guarantee that we will not provide you with irrelevant tips or tips that are displayed several times.

• Revocation of a declaration of consent or assertion of an objection to direct marketing pursuant to Article 21 et seq. GDPR (blacklist): deletion of this information may not occur, since we keep this as a negative list and thereby ensure precisely that you do not receive any advertising offers from us.

• In order to create customised offers, data on mobility and usage behaviour from the last 24 months is used.

• Data on the affidavit submitted by you will generally be retained and stored for three years, or as required until completion of the legal dispute.

• Information to customers pursuant to § 20 (3) of the Railway Transport and Passenger Rights Act is retained for a period of 18 months.

• Personal data that you have disclosed to us via the website for the purpose of handling personal injury or property damage shall be stored for a period of one year. A longer storage period shall only be implemented in the event of a longer lasting damage settlement (conducting legal or regulatory disputes).

• Personal data that you disclose to our train attendants for the handling of personal injury or property damage, theft or other incident or concern will be stored for the duration of processing and for an additional three years until completion of case handling.

• In the event that personal data is disclosed when using the chatbot / ÖBB.Bot, it will be stored for a period of 30 days.

• Data processed based on a legal or regulatory dispute will be kept available for a period of 30 years and may only be inspected and processed by certain employees.

• In order to ensure the technical traceability of the transmission of customer communications, including troubleshooting, the email address, mobile phone number, time and subject of the transmission (without content data) will be stored in log files for a period of 21 days.

• In order to process customer enquiries relating to card printing, data relating to contract renewal requests will be stored for a period of three months by our service provider for printed matter (Paul Gerin GmbH & Co KG, A-2120 Wolkersdorf, Gerinstrasse 1-3) and will be deleted by the service provider at the end of this period.

(1) Rights of data subjects

As the data subject in the individual case, you are entitled to assert the following rights of data subjects with us if we are the controller for the data processing:

a. Right of access (Article 15 GDPR)

You have the right to request information on which personal data are collected about you and held by us.

b. Right to rectification and deletion (Article 16 GDPR)

You have the right to rectify any incorrect data concerning your person (e.g. spelling mistakes).

c. Right to erasure (Article 17 GDPR)

You have the right for personal data to be deleted, provided such deletion is covered by the cases set out in Article 17 GDPR, for example if we were to wrongfully process data.

d. Right to restriction (Article 18 GDPR)

You have the right of a data subject to demand that the controller restrict the processing of personal data about you if the requirements under Article 18 GDPR are present.

e. Right to data portability (Article 20 GDPR)

You have the right of a data subject to receive the data provided by you in an interoperable format.

f. Right to object (Article 21 GDPR)

You have the right of a data subject to raise an objection to data processing, provided the requirements of Article 21 GDPR are present.

If you wish to assert a data subject right, please contact us. To do so, the following contact options are available to you:

Contact details customer service:

ÖBB Customer Service

(Subject: assertion of rights of data subjects)

Postfach 222

1020 Vienna

E-Mail: datenschutz.personenverkehr@pv.oebb.at

Please include the following information in your request:

• A copy / scan of your official photo identification stating your date of birth (e.g. identity card, driver’s licence or passport) and
• if you have an existing customer account, the email address registered with us.

We require this in order to verify your identity before we are able to answer your request or make the necessary arrangements. This verification of identity means that we can determine your actual characteristic as a data subject, so as to ensure that personal data is not disclosed to unauthorised third parties (risk of abuse).

Once we have received your request and you have proven your identity, we will respond to your request within four weeks.. In the event that we have specific questions as part of the reply, we will contact you and ask you to cooperate and assist.

(2) Complaint

Furthermore, you have the right to submit a complaint to the data protection authority, according to §§ 24 et seq. DSG [Data Protection Act] and Article 77 et seq. GDPR if you believe that we have breached obligations under the General Data Protection Regulation.

Contact data:

Austrian Data Protection Authority,

1030 Vienna, Barichgasse 40-42,

Telephone: +43 1 52 152-0

E-Mail: dsb@dsb.gv.at

www.dsb.gv.at

(3) Withdrawal of consent

If you have granted us your consent to the processing of your data for a specific purpose, you have the right to revoke your consent at any time without providing reasons. We have described the method for exercising the right of withdrawal in the Chapter “Direct marketing – General and personalised advertising offers”.

With regard to your person we store the following data in particular:

• Name
• Date of birth if disclosed to us or if required for our products and services. If you store children as passengers, we will always ask for the date of birth. Given that the age limits are different for our transport association partners and international partner railways, this is the only way we are able to offer you the right ticket.
• Age of the child, but always only for the current ticket purchase. As soon as you try to bookmark a child locally in the ÖBB app, we will ask for the date of birth. This is the only way the right ticket can be offered again for any subsequent purchase.
• Colour for bookmarked passengers
• Colour and personal data for ME, if indicated
• Discount cards that you have disclosed to us
• Number of a customer card if a card purchase can be assigned to your ÖBB account. We do not store such information for travel companions.
• Assignment to a private ÖBB account or ÖBB business account
• Assignment to a customer type (private or business customer)
• In the business area: Assignment to a specific legal person or other third party
• Passenger (adult/child/young person)
• Information on journeys and mobility restrictions if you wish to save such information. This allows you to search automatically for transport connections for people with reduced mobility in your next ticket purchase
• If you wish to deliberately bookmark family discount cards for transport authorities, we shall store them. We will also store relevant family relationships, allowing us to apply the family rate of the transport association to the next ticket purchase

We will store the following timetable settings:

• Request for direct connections
• Request for extended transfer times
• Request for accessible connections
• Request for exclusive use of train or regional train connections
• Request for transport with option to carry a bike
• Request for a timetable connection with an indication of an intermediate stop and requested length of stay at the intermediate stop

We store the following other settings:

• Requested language
• Request to receive a ticket automatically as a mobile ticket on your mobile device upon purchase
• Animations on/off

We store the following data centrally:

• Data concerning the shopping basket
• Information on the frequent use of our website or app or
• Information for suggestions on frequently searched connections.

We have a wide range of customer cards on offer. Whether you are looking to travel at reduced prices, explore Austria all year round without the stress, enjoy regular family excursions or travel for business purposes, there is a customer card to suit you.

When ordering an ÖBB customer card (Vorteilscard, Österreichcard), you will be required to provide your personal data. In particular, this includes personal details such as your name, date of birth and address and, in the case of a SEPA mandate, your bank details (IBAN and BIC). Providing a telephone number is optional and allows us to contact you if we have any questions. The above data will help us to personalise the customer card and are processed by ÖBB-Personenverkehr AG to complete your order. Entering your personal data is mandatory when ordering a customer card. Failure to provide the details mentioned above may result in you being refused a customer card (provision of a telephone number is optional).

Ordering online, via our ÖBB app or at the ticket counter is subject to the existence of an ÖBB account. This requires you to enter an e-mail address and password. This information will be saved. The existence of a customer account is necessary to ensure that a valid e-mail address is stored for the customer, as the e-mail address must be verified again for the creation of the customer account. This ensures that information relevant to the contract is sent to a valid e-mail address and customers can also identify themselves with this e-mail address when submitting requests for information.

Customer cards are produced by a reliable contractor. We take great care to ensure data are transmitted securely to the contractor. Data are exchanged in encrypted form only, and access to them has been reduced to the minimum necessary extent.

During the journey, our train attendants will validate (i.e. scan and check for validity) your customer card, digital discount products, physical or digital annual ticket and/or ticket or your boarding pass (Airrail pass), for which ÖBB-PV AG or one of our cooperation partners (e.g. Federal Ministry for Climate Protection, Environment, Energy, Mobility, Innovation and Technology (BMK)) is responsible. Due to the temporary recognition of tickets issued by Westbahn Management GmbH, these tickets are also validated by our train attendants.

When scanning, only those data are visible on the train personnel’s device which can be found on your customer card or the ticket (e.g. card number, card validity, name of card holder, card type and comfort class, departure and arrival time, train number, boarding and exit station). When travelling on a passenger train using an authorisation issued by Westbahn Management GmbH, the URL contained in the QR code and therefore the ticket code and ticket number are scanned. In the case of our customer cards, the date of birth of the card holder is also displayed on the train crew’s device in order to facilitate identification. Our train attendants also receive information on whether the customer card or ticket was valid at the time of validation. The following data is collected when your boarding pass (Airrail pass) is validated: Name, operating carrier’s PNR code (= order number), airport code, operating carrier’s designator (corresponds to the RICS code for railroads, i.e. the identifier of the transport company), flight number, date of the flight, compartment code (travel class) and the document form/serial number (= ticket number)

Scanning allows for an electronic control of cards and the ticket (as opposed to a purely visual inspection) and in particular makes it possible to withdraw manipulated or wrongly used tickets or cards (for example if the validity period has already expired) from circulation.

Moreover, data are collected for our train staff, i.e. which employee performed validation when, where and how. Our train attendants are only able to view validation data for a limited amount of time.

We do not automatically analyse possible movements of our customers. An evaluation of the existing data material is carried out in individual cases if a data subject should request this information as part of his or her request for information under Article 15 DSGVO.

Validation is based on two different legal principles of equal value, i.e. (1) on the contract of carriage concluded with you, i.e. Article 6(1) b) GDPR, and (2) on prevailing legitimate interests, as defined in Article 6(1) f) GDPR, which consist of the performance of a necessary authorisation check, removal from circulation of customer cards and tickets which are no longer valid, as well as preventing additional cases of abuse (general prevention) and compliance with contractual obligations. For the duration of the recognition of their tickets, Westbahn Management GmbH and Schieneninfrastruktur-Dienstleistungsgesellschaft mbH (SCHIG mbH) will pass on the following data for the aforementioned general preventive reasons: Train number, time of validation and details of the scanned QR code.

We have set ourselves the goal of allowing you to:

• easily use our Ticket Shop;
• as a business customer easily make ticket bookings in relation to your respective company structure;
• quickly receive your timetable and tickets;
• only receive relevant information on your journey; and
• gladly use our website and our app.

Our website shop.oebbtickets.at and our ÖBB app offer services customised to your personal needs, which simplify ticket purchase.

Transport association tickets can be purchased throughout Austria based on the timetable. In order to do so, simply enter the start and end point of the journey, and you will receive the right timetable and the associated ÖBB or transport association ticket. You can purchase tickets without needing to know all the individual fares in advance, be it for the bus, railway or tram.

for simple selection of the start and end point bookmarks your most recent entries. Your timetable query will therefore proceed more quickly the next time. Registered users can use this service on all sales channels and devices when logged in. Regardless of whether you book your journey on a computer on the Internet or using the ÖBB app on your mobile phone, with a logged-in ÖBB account we will store your last start and end point entries and offer you them for selection in your top station hits.

Recently searched timetable connections are provided for you in the future timetable search as a personal quick selection.

• This means you are able to access your regular timetable queries for the next ticket booking without having to enter the start and end point of your journey.

• If you make a timetable query, we will store the start and destination location (and the intermediate stop, if any) of your travel request for this purpose. In addition, we will store details on whether you have searched for a timetable connection for an offer for individual tickets or day passes, or for weekly or monthly passes, or for a seat reservation without a ticket.

• This means that you can access your regular timetable queries for the next ticket booking, even without selecting the start and end point of your journey.

• In this context however, we will not store your current location.

Using the function “bookmark person”.

• you can store data for all persons with whom you regularly travel. This means you can quickly add them to your journey for the next ticket purchase. This saves you having to re-enter data, such as names or numbers of necessary discount cards for ticket purchase.

• you can store data for all persons with whom you travel regularly. You can store the name, any discount cards and the date of birth of children and elderly people. This means you can quickly add these persons to your journey for the next ticket purchase without having to enter such data again. If you wish, you can also assign a colour to your passengers.

• You can store data on your employees or other persons assignable to you and assign them to a business unit. This gives you a better overview of your accounting and makes it easier to book tickets for stored persons.

If you wish, when bookmarking your own travel data, you can then advise us that this person is you. We will then store this information for your next journey as ME.

• With immediate effect we will give consideration to your “ME” for your future journeys in each bid preparation, with names, discounts, colour, and, if desired, date of birth.

• Each new journey that you book automatically has “ME” as the passenger. Then all you have to do is add any other passengers.

• If you ever buy a ticket for someone else, simply remove “ME” as a passenger for this journey.

• If you have added a discount card, for example a Vorteilscard, to your ME, you will immediately receive pricing information, including the relevant discount, for your future timetable queries.

• These data will be stored in the local memory of your computer or in the app if you use our applications without an ÖBB account.

• If you have an ÖBB account and use our services while logged in, these data will be stored centrally and can thereby be used across sales channels.

We store the route for your ticket purchase. This means you can check whether the travel data have changed in the journey preview at any time. If we are aware of a different updated timetable, we will display this. We will delete the planned time from the timetable and replace it with the actually forecast time. We aim to keep you informed as far as possible at all times, allowing you to react to changes in travel data in good time.

Shortly before the start of the journey, the journey preview for your booking will become your personal travel companion. We will then advise you of the next relevant actions to your journey, for example: “Change trains in 10 minutes.”

You can always find the offer with the best price as the first offer on our website and in our app. If there is an additional offer for your travel request, which offers more flexibility in travel time or the refunding of tickets, we will advise you of this alternative. You can decide whether price or flexibility is more important to you for each journey.

You can cancel a purchase within 3 minutes of payment at shop.oebbtickets.at or in the ÖBB app. This is only possible if you have not yet acquired your travel card in the form of a ticket. You can subsequently return to the shopping basket and make retrospective changes to your purchase.

You can buy your ticket quickly with 2 clicks, by registering and storing your payment data in your ÖBB account. Set up a quick display of the requested offer on the home page and this function can already be used. We store your offer request for the requested timetable connection (e.g. best price, reservation request, requested travel class, number of passengers). Then, all you have to do is place it in the shopping basket with a click, and pay with a second click.

Store special timetable connections as favourites if you regularly travel on the same route with the same preferences. This includes:

• Other passengers
• Selected timetable filters, such as “only direct connections” or “changed transfer time”
• 1st class journeys
• Request for a seat reservation
• Journeys on certain weekdays

We only bookmark these data at your intentional request. This favourite is located on your personal home page and allows you to directly display timetable or offer information with one click when opening the application, without having to indicate data again for the current purchase or timetable request.

If you place your favourites on the home page, we will store your travel request.

• You can enter this connection info manually and thereby set timetable filters, passengers and notice days.

• If you are registered, this connection info for your journey will be visible on all registered devices (regardless of whether mobile phone or Internet browser). This means you will find timetable data on your regular journeys on your home page whenever you open the app or website and you will quickly access the next timetable connections for your individual travel request.

But you can also store connection information as favourites for a specific timetable connection. In this case, you can use an additional practical service with location determination: “Only display if I am near the target destination and display the start if I am near the start location”

We also automatically create a selection for you based on your frequently searched and purchased routes and products, in order to allow you to make purchases faster. If you do not want a particular route or product to appear in this list, you can remove it by clicking on the options menu (three dots).

For a specific journey we always bookmark the name of the person printed on tickets. This means we can be certain that a ticket is not used several times by different persons with fraudulent intent. As a result, please carry your photo ID for the ticket with you, to allow train staff to check on the correct use of the ticket on site.

If you are travelling with children or young people, we will bookmark the age of the children. The children’s age limits differ in individual transport authorities and countries. Only if we know the age of your children can we determine the right price for the ticket purchase and create the best offer for you. We are obliged to store the date of birth for international travel.

We will provide you with all known information about your journey. In this way, you will have the most detailed and current information about your journeys and are able to respond to changes on time. Your travel companion in the ÖBB app and website has the latest information for you at all times:

• where you have to transfer next;
• how much time is left for transfer;
• whether the timetable connection or
• the platform has changed.

Your location information will only be used in the ÖBB app if you share it with us.

• By switching on location services, you can save time in the timetable query.
• This allows you to search for a connection from your current location.
• f you have stored a timetable or offer favourite, and selected the option that you would like the return journey to be displayed to you based on location, we will only use your calendar in the ÖBB App if you share it with us.
• If you enter your journey in the calendar, metable data for a booked journey will be imported into your calendar.
• In order to do so, you will have to allow the ÖBB App access to your calendar in the device settings.

By payment information we mean information that we require for processing the payment. As a matter of principle, we will never store any payment information, such as credit or debit card numbers, expiry date, the card validation code (CVC) or user account and password data. We will only store payment information to a limited extent, namely

• if we are unable to process a cancellation automatically and instead have to wire the cancelled amount subsequently (in such an event, we store the name of the applicant, IBAN, BIC, the name of the bank as well as the address (postal code, town/city, country, street and street number);
• in case of a specific booking, we will store the payment method (PayPal) or card type (VISA, MasterCard, etc.) and the last 4 digits.

In all other cases, payment information (e.g. expiry date or the card validation code (CVC)) will be processed and used by a tested and certified payment service provider (Terminal Service Provider and Payment Service Provider).

In order to handle the payment process, we employ tested and PCI-certified payment service providers who process and use the payment information (e.g. CVC code or expiry date) to complete the booking. Data will be processed only for the purposes of completing payments on certified payment terminals (e.g. ticket vending machine, ticket counter, etc.) or at shop.oebbtickets.at or via the ÖBB app. These payment service providers are usually independent entities and therefore process your data in accordance with their own privacy policy.

In order to clearly authorise a payment, the payment service provider will require various pieces of information from us, such as e.g. identification data for browser and operating system type, which are saved by us and forwarded to the payment service provider for processing the payment.

The European Banking Authority (EBA), Regulatory Technical Standards (RTS) and the revised Payment Services Directive (PSD2) prescribe strict authentication methods for combating online fraud. PSD2 aims at preventing online fraud with strict customer authentication rules applied to an increased number of transactions.

o-called Strong Customer Authentication (SCA) is an obligatory part of PSD2 and ensures a high level of customer protection and increased payment security. SCA is therefore required whenever you, the customer, start an electronic payment process or perform a transaction that poses a risk of payment fraud or other misconduct. In this case, you will be required to complete an identification process by providing a password and another identification factor as determined by the payment service provider. In certain exceptional cases, this authentication can be dispensed with. The decision to apply SCA or dispense with authentication rests with the payment service provider.

We are required to provide the payment service provider with the relevant data requested in order to secure your payment transaction.

More information on this can also be found on the payment service provider’s own website.

For the purposes of payment risk management, as required in the specific case and as part of the purchase transaction, personal data may be transmitted in the absolutely necessary extent to the payment service provider, which then uses this data to conduct a risk assessment. Payment-related data will also be consulted for anonymised analyses.

The ÖBB App is distributed via the Apple App Store and the Google Play Store (hereinafter referred to as “Store”). Inclusion, distribution and use of the ÖBB App is therefore additionally subject to the separate conditions of these two stores, over which we have no influence, and which are compiled and asserted at the sole responsibility of the stores.

When using our website shop.oebbtickets.at or our ÖBB App, data on your ticket purchase will be stored by Html storage in the web browser or in local storage on your mobile phone. This ensures that all functions, such as “bookmark person” or personalised fast selection can also be used if you wish to use our software without registration. We will only store personal data for quicker processing of future purchases if you wish us to do so.

We would like you to learn the full scope of functions of our software. For this purpose, we have made sure that you will receive practical tips and information from us at an appropriate spot. We want to provide you with relevant information and not continually repeat this. This is why we store functions used by you for a maximum period of 18 months. As a result, you will always receive the right (not yet known to you) information in different web browsers and on different devices with the ÖBB App.

If you do not want us to store this information about your person, use our website or our ÖBB App without logging on. This means we will not be able to assign this information to your person.

Even if we store this information about your person, we will not conduct any personal analyses. We shall only use this information in anonymised form to identify any need for adjustment in our systems. This allows us to continually improve our applications and provide optimal support to our customers.

App support: When you submit an enquiry by email (oebbapp@pv.oebb.at) or via the “App Support” link, the following information is collected in order to process your enquiry: Name, e-mail address, support ID, device type, app version

This information is required to identify, reproduce or resolve your specific problem in the system. The data will be deleted as soon as it is no longer required for the purposes for which it was collected, at the latest after 6 months.

We have set ourselves the goal of allowing you to:

• use our booking site Nightjet.com easily,
• quickly receive your timetable and tickets for night trains;
• only receive relevant information on your journey; and
• enjoy using our Website.

Our website Nightjet.com offers services customised to your personal needs, which simplify the purchase of tickets. For example, this website uses GeoLite2 data provided by Maxmind. This data uses your IP address to determine approximately from which country you are accessing the website in order to predefine the country of departure when displaying connections under the menu item “Destinations” as well as the country code when booking a ticket in order to increase your user comfort. No personal data is stored during this procedure.

The first offer you will find on our website Nightjet.com is always the one with the lowest current price available. If there is an additional offer for your travel request that offers more flexibility regarding travel time or ticket reimbursement, we will make you aware of this alternative. You can decide whether price or flexibility is more important to you for each journey.

For a specific journey we always bookmark the name of the person printed on tickets. This means we can be certain that a ticket is not used several times by different persons with fraudulent intent. As a result, please carry your photo ID for the ticket with you, to allow train staff to check on the correct use of the ticket on site.

If you are travelling with children or adolescents, we will bookmark the age of the children. The children’s age limits differ in individual transport authorities and countries. Only if we know the age of your children can we determine the right price for the ticket purchase and create the best offer for you. We are obliged to store the date of birth for international travel. Nightjet.com only asks for the children’s exact date of birth when booking a pre-connection and/or onward connection.

We will provide you with all known information about your journey. In this way, you will have the most detailed and current information about your journeys and are able to respond to changes on time. Your travel companion in the ÖBB app and the Nightjet.com website has the latest information for you at all times:

• where you have to transfer next;
• how much time is left for transfer;
• whether the timetable connection or
• the platform has changed.

You can find detailed information on data processing for the purpose of payment processing via Nightjet.com under the heading “All you need to know about the ÖBB Ticket Shop and the ÖBB App” in the payment information section.

On the nightjet.com website, only technically necessary cookies that serve to ensure the usability of the website are used.

We have expanded our distribution channels for you. This means that you can now also find our connections on partner platforms and can, in part, also book your ticket directly on the platform of our partner. If the booking is made through a partner, we exchange only the schedule and ticket information with the partner that is required for the creation of the ticket. The respective partner is responsible for the protection of the data processed on the partner platform of the partner.

We are introducing a new service for you with immediate effect: Consultation and sales talks are now also conducted online.

This procedure not only offers a good alternative for persons with restricted mobility, but also allows you to use the travel agency service of ÖBB-PV AG without restrictions from wherever you are.

Even if the sales and consultation meetings are held online, we will not record any of the conversations.

Online consultations in travel agencies are only provided at your request and are not mandatory. For this purpose, you have the option of booking an online consultation at https://reisebuero.oebb.at/ (registration for appointment). Registration generates an email that is delivered to the inbox of your selected branch.

In the event of an app date at the ticket counter, your registration will be sent by email to an internal central coordination unit for appointment management.

The following data is collected as part of the registration for an appointment at a travel agency: First and last name, e-mail address, telephone number, date on which an appointment is requested, requested branch, time window and comments. This data is used exclusively for online consultation and the sale of travel products.

The following data is collected as part of the registration for an appointment at a ticket counter: First and last name, e-mail address, telephone number, date on which an appointment is requested, requested counter, time window, type of operating system (Apple or Android), areas of interest and comments. This data is used exclusively for on-site consultation.

ÖBB-Personenverkehr AG offers webinars for Schulcard customers, in which questions about booking with the Schulcard are answered and topics such as rail & environment, safety at the station and the range of offers for youth group travel with ÖBB are discussed.

Customers have the option of booking a webinar through a form (registration for appointment). The invitation to the webinar, including the invitation link, is then sent by e-mail to the e-mail address provided by the Schulcard customer. The webinar is only provided at your request and is not mandatory.

Registration generates an email that is delivered to the Schulcard Management inbox at www.schulcard.oebb.at.

The following data is collected as part of the registration for an appointment: First and last name, e-mail address, school, date on which an appointment is requested, requested time window. This data is used exclusively for the purposes of the webinar.

General and customised electronic offers

We use personal data in order to send you general information, offers and recommendations as well as information, offers and recommendations tailored specifically to your mobility needs and user behaviour or to have such information sent to you by our cooperating partners (customised offers). Furthermore, this data is used for the further development and optimisation of services relevant to customers. However, this is only the case if you grant your consent in advance to let us contact you by e-mail, telephone, SMS or other ÖBB channels (e.g. ÖBB account), in order to inform you in a timely manner about interesting offers, new developments and services.

Your personal data will exclusively be used by us in both cases and not transferred to cooperating partners or other affiliated companies.

Depending on the content of the consent granted by you, you will receive offers and other information from us concerning ÖBB-Personenverkehr AG (for example on general services, sweepstakes and customer surveys) and the ÖBB Group, i.e. including other affiliated companies (e.g. information on travel offers from Rail Tours Touristik GmbH or car sharing offers from Rail Equipment GmbH) or other cooperating partners.

If you wish to receive customised information and recommendations adapted to your needs (based on your previous purchasing and travel behaviour or your other personal preferences), we can forward these to you for:

• our products and services;
• current or individually tailored offers;
• vouchers;
• sweepstakes and campaigns;
• customer surveys;
• relevant services (in particular information on the ÖBB account and our apps);
• product and travel recommendations (including travel insurance and additional offers for tourists); or
• other customer loyalty activities.

The compilation of these contents is based on evaluation of the following data: first and last name, date of birth, address and contact data, details stored on your person regarding bookings, customer cards and season tickets, discounts, travel and voucher data, geodata, preferences and customer loyalty activities associated with you, device and browser information, including user behaviour assignable to you or data on any mobility preferences or restrictions.

Details on booking data include, for example, your selected travel date and time, the actual booking date, booked tickets or special additional offers for tourists, seat reservations, information on utilised offers or vouchers added to your account, information on the start and end station, the sales channel, selected timetable connections including intermediate stops, train types, wagon classes or compartments, information on booked night or day trains, currency used, vehicle data, bicycles, accompanying dogs, information on booked pieces of luggage, as well as information on whether you are travelling alone, with other people or with a child (or children).

In order to provide you with customized information on customer cards and season tickets, we use details of valid/expired/extended customer cards, such as Vorteilscard [discount card], Österreichcard [Austria card] and any SEPA mandates, as well as details of acquired season tickets, e.g. hourly passes, weekly passes, monthly passes.

By discount data, we mean your discounts used in buying tickets, such as indication of a Vorteilscard, Österreichcard, city transport ticket, family pass, etc.

Travel data  include information on already commenced or planned (booked) journeys, information on the duration of your journey, any delays, validation details regarding your ticket or your customer card, as well as details of such journeys referred to under booking data.

If (e.g. in the context of a campaign) a voucher was added to your ÖBB account, we will use such information to deliver reminders to you about its use, for example. Moreover, we will use the information once the voucher has been cashed, as well as details of the journey booked or the product purchased with such voucher.

Geodata are used for so-called location-based services. Location-based services provide you with selective information by means of position-dependent data.

By preferences assigned to you we mean, for example, your connection favourites, your stored payment favourites, timetable connections stored by you (including other passengers, selected timetable filters, 1st class journeys, request for a seat reservation, journeys on specific weekdays).

Customer loyalty activities include information and further details on previously sent sales and campaigns, vouchers, sweepstakes, customer surveys, recommendations and other information.

Device and browser information including user behaviour assignable to you includes information on your employed devices (computer, laptop, smartphone, etc.) with which you visit our websites and the associated web browsers (e.g. Internet Explorer, Firefox, Safari, etc.). This also includes information on whether you have downloaded and used the ÖBB App. Your assignable user behaviour includes, for example, details on the use of your ÖBB account with relevant devices and the ÖBB App (e.g. account creation details, settings implemented, such as e.g. gender and language, details of logins, added discounts and customer cards, deposited vouchers, ticket purchases and reservations, stored favourites, etc.). In addition, technical information (e.g. IP address, browser type and version, time of access by the visitor’s computer) is collected in order to determine whether an e-mail has reached you, which e-mails you have opened when and which links in the e-mail you have accessed.

We use data on any mobility preferences or restrictions in order to offer you relevant information, recommendations and services in the event of you needing a wheelchair place or if a companion or service dog is travelling along, etc.

We use the technologies of Emarsys eMarketing Systems AG (Märzstraße 1, 1150 Vienna, www.emarys.com), which acts as our contract processor, to create and send out customised offers. Emarsys supports us in the planning, implementation and analysis, especially in the technical implementation and handling of our measures, as follows:

• The functionality of Emarsys Smart Insight allows us to tailor customised offers based on the history of your individual purchasing behaviour. Your data is analysed and categorised using mathematical-statistical methods (eRFM scoring parameters) in order to recognise typical purchasing behaviour patterns and to be able to tailor our information, offers and services to your individual interests.

• Our contract processor’s technology furthermore enables us to evaluate the use of our e-mail newsletters. Among other things, we receive information as to whether an e-mail has reached the recipient or has been rejected by the server. For the evaluation, the software uses a so-called tracking pixel (web beacon), which is retrieved from the Emarsys server when the e-mail is opened. The analyses also include determining whether our newsletters are opened, when they are opened and which links were clicked. In the process, technical information (e.g. IP address, browser type and version, time of access by the visitor’s computer) is collected. These evaluations help us to recognise our recipients’ reading habits and to adapt our content to reflect these or to send different content in accordance with our recipients’ interests.

This type of data processing also involves profiling as per Article 4 No. 4 GDPR, to the extent that it concerns the preparation and sending of customised offers.

Profiles are created about our customers, which

• allow conclusions on the probability of their future purchasing, booking and usage behaviour,
• allow for target group selections and aggregated or concrete evaluations regarding products and services.

Our general and customised offers can be sent by mail, e-mail, as a push message, in your ÖBB account or via other ÖBB channels.

This special form of processing is based on your consent in accordance with Article 6(1) a) GDPR, to the extent that we are entitled to carry out such data processing.

We use profiling methods to optimise and personalise our advertising measures. Below, you will find information on the logic involved as well as on the scope and intended effects of these procedures.

• In order to optimise and personalise our advertising measures, we create customer profiles and use these customer profiles to assign customers to specific customer segments. Based on this segmentation, we can control the type, content and frequency of certain advertising measures for specific target groups.

• For profiling, we use data that we receive from you within the scope of our customer relationship, provided that you have given us your consent for “Newsletter, Info & Service”. Address and contact data, purchase, booking and travel data, information on customer cards and season tickets, discount data, data on mobility preferences and usage data. Profiling can be based in particular on user profiles derived from usage data, which we create with the customer’s consent by measuring and evaluating the customer’s interaction with electronic advertising, in particular by measuring and evaluating the opening and click rate in e-mail newsletters.

• An important factor in the establishment of our customer segments is the so-called scoring, in which we evaluate customers according to scientifically recognised mathematical-statistical procedures based on aspects relevant to advertising.

• The scope and impact of customer segmentation based on profiling is limited to target-group-specific management of the type, content and frequency of our advertising measures and the level and value of potential incentives. This may result in you receiving or not receiving certain measures which may or may not be made available to other customers.

Special additional services and offers

You also have the opportunity to register for special offers and services, for example for the Nightjet newsletter, Scotty push service or information on usability tests.

Please note that any of these services which require separate consent must also be revoked separately. As a result, revocation of any individual consent does not apply automatically to all additionally submitted declarations of consent, but they must also be revoked separately.

Advertising sent by post

If we are aware of your address due to purchases and services, or we are allowed to buy it from third parties (e.g. from Österreichische Post AG), we can send you event-driven information, offers and recommendations by post. You can prevent the sending of such information at any time, by declaring your objection (see explanations below). Following receipt of an objection, we will no longer send you any other announcements.

Postal deliveries will also be made to our stakeholders at regular intervals, for example prior to the annual timetable change as well as ad-hoc for relevant subjects.

Please note that the annual invitation to renew the contract does not constitute a direct advertising measure. Based on existing contractual obligations (see our GTC [General Terms and Conditions] for the Vorteilscard or Österreichcard), we will also continue to send you this invitation to renew the contract, and even if you had exercised your right to objection, especially as such a consignment is not subject to the right of objection to direct marketing.

If you have exercised your right and decided against any use of your personal data for advertising purposes (in particular direct advertising), in accordance with your request, you will not receive any information, offers and news and can no longer log onto your ÖBB account for our “Newsletter, Info & Services” service.

If at a later point in time you wish to reactivate our services in your ÖBB account under “Newsletter, Info & Service”, please contact our customer service at

ÖBB Customer Service

(Subject: Newsletter, Info & Service)

Postfach 222

1020 Vienna

Statistical analyses shall be conducted for the following purposes in particular:

• Are functions used regularly in our software? This allows us to check on whether specific functions are important for users of our website or app

• Which tickets are purchased? This allows us to check on whether our product portfolio meets the demands of our customers.

• Does navigation comply with the behaviour of software users? This allows us to check on whether we can design the purchase process in a way that is more agreeable for our customers.

We also create anonymised data analyses, in which we evaluate personal data and information about age, gender, region, postcode, products, driving, purchase and user behaviour, in order to draw conclusions on the development of new products and services or to improve our existing service portfolio.

Market and opinion research, customer surveys

In order to improve our products and services and adapt them to the needs of our customers, we conduct surveys with various target groups:

1. with persons who do not use the railway

2. with persons who use a railway company (regardless of which one) or

3. with persons who use ÖBB.

We use different methods for this:

1. We commission a market research company to carry out a survey.

2. We carry out the surveys ourselves, usually using an online tool, or

3. we or an independent third party conduct an anonymous survey on our passenger trains.

Persons to be surveyed can be selected either completely randomly or based on social statistics or usage-specific factors.

Contact with the participants is established in different ways:

1. Contact is made via the respondent pools of the commissioned market research company (in this case, the selection is made without our involvement and under the sole responsibility of the partner companies).

2. We invite interested persons in general, without individually addressing participation in the survey.

3. For certain survey topics, we also contact selected customers of ÖBB PV AG if they have given us their prior consent.

The survey results never contain any personal references. This is true even if we write to you directly as customer or you have declared your consent in advance to participate in a survey. We only receive or compile an overall evaluation of data, which do not show individual interviews or persons.

If we address our customers directly, we will then exclusively contact people who have given prior consent thereto.

Should we conduct the survey in cooperation with a market research company in specific cases, we shall conclude a separate confidentiality agreement with said company in advance of a customer survey, laying down the secure handling of your data specifically for the individual case. In particular, this agreement shall ensure that the company will not transfer your data to other market research institutions and other third parties for surveys for their own purposes.

If we use our online survey tool, this tool is provided by our service provider enuvo GmbHt, Huobstrasse 10, CH-8808 Pfäffikon SZ https://www.enuvo.ch . We have instructed our processor to use privacy-friendly default settings when using this tool:

1. The use of Google Analytics has been disabled.

2. IP addresses are collected in a privacy-friendly manner by not storing them in conjunction with the survey data. IP addresses are only stored temporarily in server log files. This is done for technical reasons to ensure the functionality and security of the survey tool. Server log files are routinely deleted within a few weeks.

3. Only session cookies and technically necessary cookies are used. These cookies are necessary for the continuous processing of survey participation and also to minimise the possibility of multiple participation.

The following information is collected for the sole purpose of this survey: IP address, browser user agent and session details (started, last updated, completed, duration, subject).

The above data will be deleted after a period of one year at the latest.

You can stop participating in the survey at any time by closing the browser window. In this case, data will only be transmitted until you exit the survey.

In any case, you are never obliged to take part in any of our customer surveys.

Usability tests

If you apply as a test user, you can take part in usability tests conducted by our company for the further development and improvement of our ticket and timetable tools. Each test is subject to separate conditions of participation (see website). In this case, we will contact you as a possible test user and request your participation in future tests. Naturally, your participation in each individual test is voluntary.

You are entitled to revoke your consent at any time and declare that you no longer want to be contacted for further tests.

If you contact us by e-mail with requests, suggestions or criticism, we would also like to ensure that we have performed our service to your satisfaction. After replying to your concerns, we will therefore ask how satisfied you were with our service.

This constitutes an internal quality assurance measure. For reasons of objectivity and automated processing, we employ a processor for this purpose, to conduct this automated query on our behalf. In order to do so, we will exclusively hand over your e-mail address and customer number to the processor. We shall not provide this processor with the opportunity to inspect your data, to use your data for other purposes or to transfer them to third parties.

Before employing the processor, we have assured ourselves that it will provide a sufficient guarantee for lawful and secure use of data.

For us, information security means:

• Confidentiality of data,
• Data integrity and
• Data availability

In order to guarantee information security, we have established organisational framework conditions and protective measures that confirm to the latest state of technology.

These include:

• Load distribution,
• Firewalls,
• Encryption,
• Security tests,
• System inspection and
• Constant monitoring.

Our employees are only granted access rights in accordance with their roles and to an extent that is absolutely necessary. The use of these access rights is recorded.

Your data is protected by a secure online connection (TLS) between your PC and our servers, depending on the browser configuration, with at least 128 Bits.

Security measures for the system in the event of purchase on the ÖBB App or an online purchase were developed based on the following standards:

• ÖNORM A 7700 (standard for the security of web applications);
• PCI DSS (Payment Card Industry Data Security Standard); and
• ASVS (Application Security Verification Standard).

The system therefore fulfils the security standards of the Application Verification Standard 2010 (ASVS) and was also tested by an independent expert. ASVS 2010 represents the leading current standard for IT security. Moreover, the ÖBB App was developed in accordance with requirements of data protection law and continually adjusted to new requirements.

By processors we mean our contractual partners, who process personal data on our behalf (example: maintenance of our databases).

We currently employ processors, including for the following activities:

• for customer card production and shipment thereof;
• for communication related to the contract renewal and the dispatch of other printed forms;
• for the implementation of quality measures and customer surveys;
• for ticket sales by cooperating partners distributing ÖBB tickets on our behalf;
• for the operation and maintenance of our customer databases; and
• for use in individual cases.

We only employ processors for our lawfully conducted data processing. We always assure ourselves in advance that the individual processor is suited to service performance, in particular that the processor provides a sufficient guarantee of secure and lawful use of data.

Processors that we have selected only receive personal data from us to the extent that is absolutely necessary.

Our processors have contractually undertaken:

• to solely use personal data for the purpose of the contract;
• To delete them after completion of the respective contract purpose,
• Not to forward data to third parties,
• not to use personal data for their own purposes; and
• to comply with new obligations under the General Data Protection Regulation (e.g. keeping a register of processing activities, conducting a data protection follow-up assessment as required, etc.).

Before employing a processor, we conclude a written agreement with the processor, in which special obligations are imposed on the processor and its employees, and they again are subject to a separate confidentiality obligation. We impose certain data security measures on the processor to ensure that customer data and data processing are sufficiently protected.

We have provided you with comprehensive information on the purposes of our data processing, categories of data recipients, the legal basis and legal framework, the storage period as well as the rights you are entitled to and the scope of data processing. In all data processing, we have taken care to ensure that data collection and data scope are limited to the extent that is absolutely necessary. Therefore, if we ask you to provide data, this is necessary in particular so that:

• you can purchase a product or service of ÖBB-Personenverkehr AG or a cooperating partner (e.g. tickets, customer card, transfer service, timetable query, mobility service, chatbot / ÖBB.Bot etc.)

• we can verify your eligibility (e.g. as part of validation, identification check for certain requests);

• you can assert your rights and other claims (e.g. passenger rights, assertion of any personal injury or damage to property, claims for reimbursement, etc.) or contact us with other concerns or complaints; the same applies to ÖBB-Personenverkehr AG;

• we can contact you in the event of a breakdown or any other event or circumstance of importance to you;

• we can include you – provided you have given your consent in advance – in our direct advertising measures and data and web analyses or involve you in our quality assurance or customer surveys.

If you do not or not fully comply with our request for data disclosure, it cannot be guaranteed that we will be able to comply with or process your aforementioned purchase or other request(s).