Customer satisfaction is our top priority. This means protecting your data is especially important to us. We are grateful for the trust you have placed in us by handing over your data for processing. As a symbol of the fact that we respect your rights and your privacy, we have formulated principles that we apply to the processing of your data:
Our data privacy statement applies to anyone who makes use of one of our products or services, visits our websites or uses our apps. This includes: buying a ticket, including ancillary services, such as making a reservation, purchase of a customer card or use of our services.
We are continually developing our performance, provision and services. As a result we also continuously adapt the data privacy statement. However, we shall ensure that the latest effective version is always available to you.
ÖBB-Personenverkehr AG (ÖBB-PV AG), FN [company registration number] 248742y, Am Hauptbahnhof 2, 1100 Vienna, tel. +43 1 93000 0, is the controller under data protection law, as defined in Article 4(7) GDPR.
GDPR defines a controller as a natural person or legal entity, authority, institution or other body, which, on its own or in conjunction with others, decides on the purposes and means of processing personal data.
By personal data we mean all information relating to an identified or identifiable natural person (hereinafter “data subjects”).
A natural person shall be regarded as identifiable if he or she can be directly or indirectly identified as this particular natural person, especially by means of allocation to an identifier, such as name, identification number, location data, online identification or several other special features in the particular individual case (e.g. voice). As a result, this includes data which can be assigned to you as a customer. For example your name, email address, phone number, booking code, ticket code or customer number constitute personal data.
The legal basis for data processing under Article 6 GDPR consists of contractual performance, fulfilment of a statutory obligation, your prior consent or our prevailing legitimate interests, which may also include processing for other purposes.
Data which can be assigned to your person may be derived from the following causes, purposes and sources:
According to the provisions of Article 12 et seq. GDPR, we would like to inform you on the following topics:
ÖBB-Personenverkehr AG (ÖBB-PV AG), FN 248742 y, Am Hauptbahnhof 2, 1100 Vienna, tel. +43 1 93000 0, is the controller under data protection law, as defined in Article 4(7) GDPR.
In the event of any questions on data protection or the use of your personal data, feel free to contact our data protection officers.
Contact data for data protection officers:
Am Hautbahnhof 2
We will collect personal data ourselves, pursuant to Article 13 GDPR, in the following cases and for the following purposes:
Personal data, according to Article 14 GDPR, shall not be collected by our company, but disclosed by a third party in the following cases and for the following purposes:
Data processed for these purposes shall be disclosed as required and according to the intended use to the following categories of recipients:
Our data processing is therefore carried out in particular based on the legal framework conditions summarized again below (as amended):
We shall not transmit personal data to a third country or an international organization.
In general personal data are only stored by us to the extent that this absolutely necessary and are essentially deleted following expiry of the statutory period of limitations under civil law of three years (e.g. customer correspondence) or in the event of invoice-relevant data after nine years (e.g. booked tickets, customer cards) according to § 212 UGB or §§ 132 et seq. BAO. A longer storage period is only implemented in justified individual cases, for example as a result of an ongoing civil law or regulatory dispute.
In particular we would like to highlight the following different subject areas:
(1) Rights of data subjects
As the data subject in the individual case, you are entitled to assert the following rights of data subjects with us if we are the controller for the data processing:
You have the right to demand information on which personal data are collected about you and held by us.
You have the right to rectify any incorrect data concerning your person (e.g. spelling mistakes).
You have the right for personal data to be deleted, provided such deletion is covered by the cases set out in Article 17 GDPR, for example if we were to wrongfully process data.
You have the right of a data subject to demand that the controller restrict the processing of personal data about you if the requirements under Article 18 GDPR are present.
You have the right of a data subject to receive the data provided by you in an interoperable format.
You have the right of a data subject to raise an objection to data processing, provided the requirements of Article 21 GDPR are present.
If you wish to assert a right of the data subject, please contact us. The following contact options are available:
Contact data customer service:
ÖBB customer service
(Subject: assertion of rights of data subjects)
PO Box 222
Please attach the following information to your application:
This is because before we can reply to your request or make the necessary arrangements, we have to check your identity. The purpose of this identity check is to enable us to establish your actual capacity as a data subject, in order to ensure that personal data are not disclosed to unauthorized third parties (risk of misuse).
Once we have received your request and you have proven your identity, we will respond to your request within four weeks. In the event that we have specific questions as part of the reply, we will contact you and ask you to cooperate and assist.
Furthermore, you have the right to submit a complaint to the data protection authority, according to §§ 24 et seq. DSG [Data Protection Act] and Article 77 et seq. GDPR if you believe that we have breached obligations under the General Data Protection Regulation.
(3) Withdrawal of consent
If you have consented to your data being processed for a specific purpose, you have the right to withdraw your consent at any time, without indicating reasons. We have described the method for exercising the right of withdrawal in the Chapter “Direct marketing - general and personalized advertising offers”.
With regard to your person we store the following data in particular:
We will store the following timetable settings:
We store the following other settings:
We store the following data centrally:
We have a wide range of customer cards on offer. Whether you’re looking to travel at reduced prices, explore Austria all year round without the stress, enjoy regular family excursions or simply commute, there’s a customer card to suit you.
When ordering an ÖBB customer card (Vorteilscard, Österreichcard), you will be required to provide your personal data. In particular, this includes personal details such as your name, date of birth and address and, in the case of a SEPA mandate, your bank details (IBAN and BIC). Providing a telephone number is optional and allows us to contact you if we have any questions. The above data will help us to personalise the customer card and are processed by ÖBB-Personenverkehr AG to complete your order. Entering your personal data is mandatory when ordering a customer card. Failure to provide the details mentioned above may result in your being refused a customer card (provision of a telephone number is optional).
You will need an ÖBB account to order online or via our ÖBB app. This requires you to enter an email address and password. This information will be saved.
Customer cards are produced by a reliable contractor. We take great care to ensure data are transmitted securely to the contractor. Data are exchanged in encrypted form only an access to them has been reduced to the minimum necessary extent.
During the journey, our train staff will validate your customer card or ticket (i.e. scan and check for validity).
When scanning, only those data are visible on the train personnel’s device which can be found on your customer card or the ticket (i.e. card number, card validity, name of cardholder, card type and comfort class, departure and arrival time, train number entry and exit station). Our train staff also receive information on whether the customer card or ticket was valid at the time of validation. Scanning allows for an electronic control of cards and the ticket (as against a purely visual inspection) and in particular makes it possible to withdraw manipulated or wrongly used tickets or cards (for example if the validity period has already expired) from circulation. This would not be possible with a mere visual inspection.
Moreover, data are collected for our train staff, i.e. which employee performed validation when, where and how.
We do not analyse possible movements of our customers.
Validation is based on two different legal principles of equal value, i.e. (1) on the contract of carriage concluded with you, i.e. Article 6(1) b) GDPR, and (2) on prevailing legitimate interests, as defined in Article 6(1) f) GDPR, which consist of the performance of a necessary authorization check, removal from circulation of no longer valid customer cards and tickets, as well as preventing additional cases of abuse (general prevention).
Private ÖBB account
In order to use all functions of our website and app, sign up and we will create an ÖBB account for you. This means you will use all your stored data independently of devices and browsers, and simplify and accelerate timetable queries and ticket purchase.
In order to create an ÖBB account, we need the following information about you at least: email address, password, form of address, your first name and surname and your date of birth.
Following data entry and registration, you will receive an email from us, to confirm your email address and activate the ÖBB account. Once you have confirmed the activation link, your ÖBB account will be active. The next time you log on, existing local data will be transferred onto your ÖBB account if you consent to this process.
In order to make use of additional benefits for your ÖBB account or to buy a personalized product, such as a customer card for example, we need additional personal data from you, i.e. date of birth and address, optionally also title and phone number. This means we can offer the relevant product for you. We will send your ÖBB customer card in credit card format by post and remind you of any renewal in a timely manner prior to expiry.
Your ÖBB account facilitates comfortable and quick ticket purchase without repeated data entry, by storing your payment data as favourite payment methods.
ÖBB business Account
In order to use our business services (website and app), business customers can create a business account. For example, you can register your company as a corporate customer and we will create an ÖBB business account for you.
This allows you to use all your stored data independent of devices and browsers and simplifies and accelerates timetable enquiries, ticket purchases, company structure management and the report function.
It's so simple: Name an administrator from your area who will do the initial registration. For an initial registration we need at least the following information: E-mail address, password, salutation, your first and last name, company name, address and a selection of industries.
After entering the data and registering, the named administrator receives an e-mail from us to confirm the e-mail address, initiate the plausibility check and activate the ÖBB business account. Only after a positive plausibility check will the payment on account and the business tariff be activated. As soon as you confirm the activation link, your ÖBB business account is active.
In order to use or manage further advantages of the ÖBB business account, we optionally need additional data, such as the structure of the company, employee names, e-mail addresses, employee role authorisation, employee discount cards, etc. This enables us to offer your employees or other persons assigned to the ÖBB business account relevant products.
The ÖBB business account also enables a pleasant and fast ticket purchase without repeated data entry by adding payment data in the administration. Payment data is stored by our payment service provider, which processes your payment data with the international standard PCI-DSS. The deposited means of payment can be deleted at any time by persons who have been provided with the corresponding authorisations on your site.
You have the opportunity to personalize your ÖBB account, by bookmarking yourself as ME and choosing a colour for your profile. Your customer account will be displayed in the colour that you have personally selected with immediate effect.
In the event that you no longer want to use your ÖBB account, you have the option of closing the ÖBB account again.
If you do not use your ÖBB account for longer than one year, we will automatically send a reminder to the email address that you have disclosed. You will then have two weeks to log onto your ÖBB account. We can close your ÖBB account automatically if you fail to use this account for a longer period, given that in this case we assume that you no longer want to use it.
We have set ourselves the goal of allowing you to:
Our website tickets.oebb.at and our ÖBB app offer services customized to your personal needs, which simplify ticket purchase.
Transport association tickets can be purchased throughout Austria based on the timetable. In order to do so, simply enter the start and end point of the journey and you will receive the right timetable and the associated ÖBB or transport association ticket. You can purchase tickets without needing to know all the individual fares in advance, whether it be for the bus, railway or tram.
Auto-completion for simple selection of the start and end point bookmarks your most recent entries. Your timetable query will therefore proceed more quickly the next time. Registered users can use this service on all sales channels and devices when logged in. Regardless of whether you book your journey on a computer, on the Internet or using the ÖBB app on the mobile phone, with a logged-in ÖBB account we will store your last start and end point entries and offer you them for selection in your top station hits.
Recently searched timetable connections are provided for you in the future timetable search as a personal quick selection.
Using the function “bookmark person”:
If you wish, when bookmarking your own travel data you can then advise us that this person is you. We will then store this information for your next journey as ME.
We store the route for your ticket purchase. This means you can check whether the travel data have changed in the journey preview at any time. If we are aware of a different updated timetable, we will display this. We will delete the planned time from the timetable and replace it with the actually forecast time. We aim to keep you informed as far as possible at all times, allowing you to react to changes in travel data in good time.
Shortly before the start of the journey, the journey preview for your booking will become your personal travel companion. We will then advise you of the next relevant actions to your journey, for example: “Change trains in 10 minutes.”
You can always find the offer with the best price as the first offer on our website and in our app. If there is an additional offer for your travel request, which offers more flexibility in travel time or the refunding of tickets, we will advise you of this alternative. You can decide whether price or flexibility is more important to you for each journey.
You can cancel a purchase within 3 minutes of payment at tickets.oebb.at or in the ÖBB app. This is only possible if you have not yet acquired your travel card in the form of a ticket. You can subsequently return to the shopping basket and make retrospective changes to your purchase.
You can buy your ticket quickly with 2 clicks, by registering and storing your payment data in your ÖBB account. Make a quick display of the requested offer on the home page and this function can already be used. We store your offer request for the requested timetable connection (e.g. best price, reservation request, requested travel class, number of passengers). Then all you have to do is place it in the shopping basket with a click, and pay with a second click.
Store special timetable connections as favourites if you regularly travel on the same route with the same preferences. This includes:
We only bookmark these data at your intentional request. This favourite is located on your personal home page and allows you to directly display timetable or offer information with one click when opening the application, without having to indicate data again for the current purchase or timetable request.
If you place your favourites on the home page, we will store your travel request.
But you can also store connection info as favourites for a specific timetable connection. In this case, you can use an additional practical service with location definition: “Only display if I am near the target destination and display the start if I am near the start location”
For a specific journey we always bookmark the name of the person printed on tickets. This means we can be certain that a ticket is not used several times by different persons with fraudulent intent. As a result, please carry your photo ID for the ticket with you, to allow train staff to check on the correct use of the ticket on site.
If you are travelling with children or young people, we will bookmark the age of the children. The children’s age limits differ in individual transport authorities and countries. Only if we know the age of your children can we determine the right price for the ticket purchase and create the best offer for you. We are obliged to store the date of birth for international travel.
We will provide you with all known information about your journey. In this way, you will have the most detailed and current information about your journeys and able to respond to changes on time. Your travel companion in the ÖBB app and website has the latest information for you at all times:
Your location information will only be used in the ÖBB app if you share it with us.
By payment information we mean information that we require for processing the payment. We will never store any payment information, such as credit or debit card numbers, expiry date, the card validation code (CVC) or user account and password data. We will only store payment information to a limited extent, i.e.
In all other cases, payment information (e.g. expiry date or the card validation code (CVC)) will be processed and used by a tested and certified payment service provider (Terminal Service Provider and Payment Service Provider).
In order to clearly authorise a payment, the payment service provider will require various pieces of information from us, such as e.g. identification data for browser and operating system type, which are saved by us and forwarded to the payment service provider for processing the payment.
The European Banking Authority (EBA), Regulatory Technical Standards (RTS) and the revised Payment Services Directive (PSD2) prescribe strict authentication methods for combating online fraud. PSD2 aims at preventing online fraud with strict customer authentication rules applied to an increased number of transactions.
So-called Strong Customer Authentication (SCA) is an obligatory part of PSD2 and ensures a high level of customer protection and increased payment security. SCA is therefore required whenever you, the customer, start an electronic payment process or perform a transaction that poses a risk of fraud or other misconduct. In this case, you will be required to complete an identification process by providing a password and another identification factor as determined by the payment service provider. In certain exceptional cases, this authentication can be dispensed with. The decision to apply SCA or dispense with authentication rests with the payment service provider.
We are required to provide the payment service provider with the relevant data requested in order to secure your payment transaction (see in particular https://doc.wirecard.com/CreditCard.html#CreditCard_PSD2).
More information on this can also be found on the payment service provider’s own website (see, for example, https://www.wirecardbank.de/DSGVO or https://www.wirecardbank.de/datenschutzbestimmungen/).
For the purposes of payment risk management, as required in the specific case and as part of the purchase transaction, personal data may be transmitted in the absolutely necessary extent to the payment service provider, which then uses these data to conduct a risk assessment. Payment-related data will also be consulted for anonymised analyses.
The ÖBB App is distributed on the Apple App Store and Google Play Store (hereinafter (“Store”). Inclusion, distribution and use of the ÖBB App is therefore additionally subject to the separate conditions of these two stores, over which we have no influence, and which are compiled and asserted at the sole responsibility of the stores.
When using our website tickets.oebb.at or our ÖBB App, data on your ticket purchase will be stored by Html storage in the web browser or in local storage on your mobile phone. This ensures that all functions, such as “bookmark person” or personalized fast selection can also be used if you wish to use our software without registration. We will only store personal data for quicker transaction in future purchases if you wish to do so.
We would like you to learn the full scope of functions of our software. For this purpose, we have made sure that you will receive practical tips and information from us at an appropriate spot. We want to provide you with relevant information and not continually repeat this. This is why we store functions used by you for a maximum period of 18 months. As a result, you will always receive the right (not yet known to you) information in different web browsers and on different devices with the ÖBB App.
If you do not want us to store this information about your person, use our website or our ÖBB App without logging on. This means we will not be able to assign this information to your person.
Even if we store this information about your person, we will not conduct any personal analyses. We shall only use this information in anonymized form to identify any need for adjustment in our systems. This allows us to continually improve our applications and provide optimal support to our customers.
We have expanded our distribution channels for you. This means you can now also find our connections on partner platforms and in some cases directly book your ticket on our partner’s platform. If the booking is made at a partner, we merely exchange the necessary timetable and ticket information for ticket generation with the partner. Each partner is responsible for protecting data processed on its partner platform.
Our timetable information service SCOTTY mobile and web offers you the opportunity to obtain information about timetables, stations or the current transport situation of ÖBB trains and several other transport operators. With the door-to-door timetable information you can query the fastest route from A to B throughout Austria and use other services. Moreover, additional relevant information is available, such as data on station or train equipment, as well as the opportunity to store journey data in your own calendar.
SCOTTY mobile and web is a service which can be used without registration. This service is therefore always anonymous because storage of your contact data, location data, calendar entries, query results, etc. is not carried out by ÖBB. The only exception is if you make use of our push notifications. As a result, ÖBB cannot and will not use data for any other purposes. Your query results remain completely anonymous and will not be stored, meaning that we cannot and do not create user profiles.
How does SCOTTY mobile function from a technical perspective?
An active Internet connection is required for the installation of SCOTTY mobile on your device and to communicate with our information server, which calculates connection results for you. The right to use the Internet for this, depending on the operating system, is designated as “data services”, “Internet” or “access to all networks”.
Depending on the operating system used, many platforms (e.g. Android) display standardized security information as required by the operating system when first installing SCOTTY mobile or using the app. However, this explanatory information (e.g. reading confidential information, such as call records) do not refer to SCOTTY but to general default settings in the operating system and cannot therefore be modified by ÖBB.
In order to allow you to use all functions of SCOTTY mobile, it is necessary to grant further rights, allowing for access to specific data for your device. These rights may be withdrawn from the application again on request. There is an option for deactivation, depending on the operating system used, in the security and system settings and you can implement this personally.
In detail, depending on the operating system used, the granting of the following rights is explicitly requested by SCOTTY mobile:
Contact data: These will only be used to display the transport connection to or from a contact from your address book. Only city names, roads and house numbers are transferred. We will not store (nor cache) such data.
Position or location data: Your current location can only be identified for an optimal connection search by SCOTTY mobile if you wish, in order to search for travel connections from there or find stations nearby. Nor is caching carried out, and as a result the creation of movement profiles, etc. is not possible.
Movement and direction sensor, compass function: This function makes it easier to search for stations nearby. We will not store (nor cache) such data.
Calendar: SCOTTY mobile offers you an additional service to store travel data for your connection in your device’s calendar. This service is not compulsory, but is determined at your personal discretion. Depending on the operating system, the related security information “Read calendar dates and confidential information” or “Add or change calendar dates without the knowledge of the owners and send emails to guests” relate to this function. However, the actual contents of the calendar shall not be read.
Amend or delete USB memory contents: This access is only required if you wish to store SCOTTY mobile on the SD card.
Install links: This right is necessary in order to create shortcuts for connections and departure boards.
Read call list: This right is required as standard by the Android operating system if address data can be read from contacts. Information in the call list however shall not be read by SCOTTY mobile.
Photo, music and video libraries: This right is required for technical reasons in order to create live tile graphics (cards). No private data will be selected and no data written, which would be visible to other apps.
Camera: record photos and videos: this right is required in order to use augmented reality. No photos or videos will be stored.
Notifications: This right is required to receive and display push messages (e.g. delay information).
How does the “Notifications” function work in Scotty mobile and web?
A push notification is available to you both with Scotty mobile and Scotty web.
As a result, you can decide whether or not you wish to use the function.
Notifications are completely free of charge to you. We will inform you if we have the necessary information on delays, changed departure platforms, risky connections, train cancellations or deviations and recommendations for the connection selected by you. As soon as there is any change to your connection, you will receive a push notification, provided we hold such information.
In addition, you can deactivate push notifications again at any time.
If you use the “Notifications” function, identification parameters, travel connection data, device IDs, relevant intervals and your email address are stored in Scotty web. Data are stored in case of one-off notification, as long as the selected connection is valid. If you have repeatedly set notifications on certain days, data shall be stored for as long as repeated notification is requested by you.
Scotty mobile analytical service
In the event of app usage, it records user activities without the option to draw conclusions on a specific person. The anonymous analysis helps us to further improve the app and adapt it in a targeted way to the needs of our customers. If you still do not request this analysis, you can deactivate the analysis in the app (see menu item “Settings” → “Record anonymous user activities”).
The analysis is conducted via an anonymous user ID, which does not allow for traceability or an opportunity to draw conclusions about the identity of a specific person.
Google Firebase Analytics is not used in our analyses and has been deactivated by us.
We are legally obliged to inform our passengers about any breakdowns, about activities that are expected to result in breakdowns such as delays or train cancellations from transport services and the anticipated impacts. In case of personal bookings, such as reservations, there is an enhanced information obligation for other information technologies, where contact data are known to us.
As a result, we will send you email notification, regardless of whether you have registered for a push service, in the event of a ticket booked online or on a mobile device with a fixed departure data and time before the start of the journey, if we are aware of new travel information. In the event that you have made a booking in customer service or at a ticket office, you will only receive notification if and when you have disclosed your email address to us.
However, such notifications shall be issued at the earliest 3 days before the booked start of journey.
If you no longer wish to receive such notifications for a journey, you can simply cancel further notifications, by clicking on the link “Cancel notification” in the email notification “New travel information on your booking”.
Using ÖBB-Alexa Skill on Amazon train connections can be searched or departure information from railway stations queried (departure board).
Connection information contains detailed information on the journey, etc. Train number, duration of journey, platforms and the most affordable, currently available price. You can find further details on the functions of ÖBB-Alexa Skill in the description of the skill on Amazon.
Using ÖBB-Alexa Skill, only connections, pricing and other ÖBB information may be queried. Connections of other transport operators are not covered by this service.
In the course of use of ÖBB-Alexa Skill, no personal data of customers are collected and used by ÖBB-Personenverkehr AG. The ÖBB-Alexa Skill is used anonymously. ÖBB has no knowledge of whether you use ÖBB-Alexa Skill or which queries you make to the ÖBB-Alexa Skill, because ÖBB is unable to establish any personal reference to you.
In order for the service to be used, certain technical data are collected by ÖBB-Personenverkehr AG, which do not allow for any conclusion to be drawn on your person:
Only those technical data are exclusively forwarded to Amazon by ÖBB which are necessary to allow for use of ÖBB-Alexa Skill.
In order to protect your data, data will be transmitted by ÖBB to Amazon or encrypted from Amazon to ÖBB by TLS 1.2.
Data collected and processed when using ÖBB-Alexa Skill are stored for a period of one year and automatically deleted following the lapse of this period. Access to data has been reduced to the extent that is absolutely necessary.
The ÖBB onboard portal offers you as passenger access – if this is associated with WLAN on the train (“OEBB”) –, including service functions concerning the train and the journey, to the ORF-TVthek (ORF TV library) and free access to over 100 digital newspapers and magazines of Austria Kiosk.
Cookies are used by the onboard portal in order to allow for the provision of a comprehensive and customer-friendly service. Cookies are used for the following functions: journey preview, ORF TVthek, data analysis by Piwik (Matomo).
When using the ÖBB onboard portal, no personal data for customers will be collected and used by ÖBB-Personenverkehr AG. The ÖBB onboard portal is thereby used anonymously.
Google Maps constitutes an online map service, which looks at the earth’s surface as a roadmap or an aerial or satellite image, on which locations of institutions or known structures are also displayed.
We use Google Maps for the following purposes:
We can organize optimal assistance for you at the station upon free advance notice at ÖBB customer service, at the ÖBB ticket desk, or at an information point at the station. Please let us know about your desired journey in good time (see https://www.oebb.at/de/reiseplanung-services/barrierefrei-reisen/mobilitaetsservice.html).
We require the following data for advance notice: (1) given name and surname and address; (2) phone number for queries and communications; (3) journey date, route (departure/transfer/arrival station); (4) disclosure of whether you are travelling with an attendant or luggage; (5) type of restricted mobility (wheelchair user, walking disability, visual impairment, other restriction); (6) disclosure of whether any aid is required (lifting device, railway wheelchair,...); and (7) disclosure of the meeting point at the station; and (8) wagon and seat number.
Data on a provided service shall be stored by ÖBB-Personenverkehr AG on a national level for a maximum period of three years and subsequently automatically deleted in order for data to be available in the event of customer queries.
In the event of cross-border journeys, data are transferred to a database provided by the International Union of Railways (UIC, Union internationale des chemins de fer), to which only relevant partner railways (partner operators) have access for handling the mobility service. This is intended to ensure that appropriate assistance is provided at an international arrival station or stations by the responsible international partner railways (partner operators). The provision of a cross-border mobility service was agreed internationally within the framework of a separate agreement. In particular, the scope of data disclosed in the individual case and the intended use were restricted to the extent that is absolutely necessary. In order to provide a cross-border mobility service, the following data shall be disclosed and stored in the UIC database until completion of the journey: journey data, title, first name and surname, email, language, type of restricted mobility, aid, other significant information, e.g. an aide or service dog, luggage, date of birth in the individual case, depending on the destination. The above data shall therefore be deleted immediately following completion of the journey in the event of cross-border journeys.
To improve the commuter situation and make it easier to access public transport and the related economic benefits, we want to do our part to protect the environment and manage resources sustainably. That’s why we hire vehicles and make these available to daytime users and commuters as part of a ‘Sharing Model’. They are made available to a limited group of users, and exclusively to persons who are named and authorised in relevant user contracts.
Daytime users can use the vehicle during the day on workdays. In contrast, commuters are authorised to use the vehicles on workdays in the early and evening hours and at weekends and on public holidays.
In addition to personal data (such as name, address, phone number), the duration and data for usage authorisation, ID data (driving licences, proof of ID), data relevant to payment, data on damage caused and traffic violations will be stored in respect of the daytime user or commuter.
The daytime users / commuters will be sent the respective other party’s user data in order to ensure handover of the vehicle. The data to be exchanged have been restricted to the absolutely necessary extent, i.e. name and phone number. We have explicitly prohibited the use of such data for other purposes in the contracts.
You have the opportunity to use a luggage service for normal luggage items and special baggage for journeys within Austria in relation to a ticket (see fare regulations).
The booking can be made through our company (i.e. at the ticket offices or by phone in customer service). We are available to you as a contact for our cooperating partner (Q Logistics GmbH, 1120 Vienna, Pottendorfer Strasse 23-25).
The cooperating partner shall perform this service at its own responsibility. In order to allow the cooperating partner to perform its logistical service, the following data - assignable to you - shall be disclosed to such a partner for performance of the service, which you communicated to us when booking this service: first name and surname, phone number, email address, collection and delivery address, date of collection and delivery.
If you wish, we will be happy to pass on complaints and other queries to the cooperating partner as required.
General and customized electronic offers
We use personal data in order to allow general information, offers and recommendations and information, offers and recommendations customized for your mobility and user behaviour to be forwarded to you by our company or our cooperating partners (customized offers). However, this is only the case if you grant your consent in advance to let us contact you by email, telephone, SMS or other ÖBB channels (e.g. ÖBB account), in order to inform you in a timely manner about interesting offers, new developments and services.
In order to allow you to receive personalized advertising offers, we have adapted our previous declaration of consent. With one click you can receive general information and customized offers from us.
We also provide our existing customers, who have already consented to receiving a newsletter, with the opportunity to receive personalized offers, by allowing you to supplement your consent. In the event that you have no interest in customized and relevant offers and services, but are only interested in general contents, you may continue to receive this newsletter by refusing to supplement the new declaration of consent.
Your personal data will exclusively be used by us in both cases and not transferred to cooperating partners or other affiliated companies.
Depending on the content of the consent granted by you, you will receive offers and other information from us concerning ÖBB-Personenverkehr AG (for example on general services, sweepstakes and customer surveys and the ÖBB Group, i.e. including other affiliated companies (e.g. information on travel offers from Rail Tours Touristik GmbH or car sharing offers from Rail Equipment GmbH)) or other cooperating partners.
If you wish to receive customized information and recommendations adapted to you (based on your previous purchase behaviour and handling or your other personal preferences), we can forward these to you for:
The compilation of contents is based on evaluation of the following data: first name/surname, date of birth, address and contact data, details stored on your person regarding booking and customer cards and season tickets, discount, travel and credit note data, geodata, preferences and customer loyalty activities assigned to you, device and browser information, including user behaviour assignable to you or data on any mobility preferences or restrictions.
You are entitled to revoke your consent at any time, without indicating reasons. In this case we will not send you any offers or information by email or SMS, display them in the ÖBB account or contact you by phone for this purpose.
Further special information and offers, including revocation
You also have the opportunity to register for special offers and services, for example for the Nightjet newsletter, Scotty push service or information on usability tests.
Please note that any of these services which require separate consent must also be revoked separately. As a result, revocation of any individual consent does not apply automatically to all additionally submitted declarations of consent, but they must also be revoked separately.
Advertising sent by post
If we are aware of your address due to purchases and services, or we are allowed to buy services from third parties (e.g. from Österreichische Post AG), we can send you event-driven information, offers and recommendations by post. You can prevent the sending of such information at any time, by declaring your objection (see explanations below). Following receipt of an objection, we will no longer send you any other announcements.
Postal deliveries will also be made to our stakeholders at regular intervals, for example before the annual timetable change and ad-hoc for relevant subjects.
Please note that the annual invitation to renew the contract does not constitute a direct advertising measure. Based on existing contractual obligations (see our GTC [General Terms and Conditions] for the Vorteilscard or Österreichcard), we will also continue to send you this invitation to renew the contract, and even if you had exercised your right to objection, especially as such a consignment is not subject to the right of objection.
General objection to direct marketing
If you do not wish to be included in our direct marketing activities, you have the right to file an objection thereto (Article 21(2) and Article 22 GDPR).
If you have exercised your right and decided against any further use of your personal data for advertising purposes (in particular direct advertising), in accordance with your request, you will not receive any information, offers and news and can no longer log onto your ÖBB account for our “Newsletter, Info & Services” service.
If you wish to reactivate our “Newsletter, Info & Services” service in your ÖBB account, please contact our customer service at
ÖBB customer service
(Subject: Newsletter, Info & Service)
PO Box 222
Statistical analyses shall be conducted for the following purposes in particular:
We also create anonymized data analyses, in which we evaluate personal data and information about age, gender, region, postcode, products, driving, purchase and user behaviour, in order to draw conclusions on the development of new products and services or to improve our existing service portfolio.
Market and opinion research, customer surveys
In order to improve our products and services and adapt them to customer requirements, we conduct surveys with different target groups: on the one hand with people who do not use the train and on the other hand with people who use a railway operator (irrespective of which) or people who use ÖBB. We thereby commission market research companies or conduct the surveys ourselves. Persons to be surveyed can be selected either completely randomly or based on social statistics or usage-specific factors. Contact with participants can be implemented via the pools of respondents for market research companies ‒ carried out without our input at the sole responsibility of partner operators. Or we invite interested persons in general, without individually addressing participation in the survey. In case of specific survey topics we also address customers of ÖBB PV AG.
Establishing personal reference is not intended for any surveys. All surveys are conducted completely anonymously. This is true even if we write to you directly as customer or you have declared your consent in advance to participate in a survey.
We only receive or compile an overall evaluation of data, which do not show individual interviews or persons.
If we address our customers directly, we will then exclusively contact people who have given consent thereto.
Should we conduct the survey in cooperation with a market research company in specific cases, we shall conclude a separate confidentiality agreement with said company in advance of a customer survey, laying down the secure handling of your data specifically for the individual case. In particular this Agreement shall ensure that the company will not transfer your data to other market research institutions and other third parties for surveys for their own purposes.
In any case you are not obliged to take part in any of our customer surveys.
If you apply as a test user, you can take part in usability tests conducted by our company for the further development and improvement of our ticket and timetable tools. Each test is subject to separate conditions of participation (see website). In this case we will contact you as a possible test user and request your participation in future tests. Naturally your participation in each individual test is voluntary.
You are entitled to revoke your consent at any time and declare that you no longer want to be contacted for further tests.
Operationally necessary cookies
These cookies are necessary to allow you to use our websites as intended and make all functions available to you. Without such cookies the requested services cannot be provided. These cookies do not record information about you and do not store Internet locations. Absolutely necessary cookies cannot be deactivated on our site. However, they can be deactivated at any time on the browser that you use.
These cookies are necessary for certain applications or functions of the website, allowing them to be duly executed. This may for example include cookies, which store implemented settings such as a visitor’s language setting or even – assuming your prior consent – pre-completed forms.
Storage period: in the event of a session cookie for the period of the session, or in the event of your prior consent for the period of your consent.
These cookies collect information on user behaviour for visitors to our websites. For example, a record is kept of which websites are most frequently visited and which links are clicked on. All recorded data are stored anonymously with information for other visitors. Using data obtained by these cookies, we can compile analytical evaluations on our website using Piwik and thereby continually improve the user experience.
Storage period: in the event of a session cookie for the period of the session, in all other cases (for example for our web analysis service PIWIK) for a maximum three years.
How long are cookies stored on my device?
The time that a cookie stays on your device depends on whether it is a persistent cookie or a session cookie. Session cookies only remain on your device until your browser session is finished. Persistent cookies remain stored on your device, even after you have completed a browser session, until such time as the preset time for the cookie has expired or it has been deleted.
For this purpose, usage information generated by the cookie (including your abbreviated IP address) will be transferred to our server and stored for usage analysis purposes, which on our part serves for website optimization. Your IP address is immediately anonymized in this operation, meaning that you remain anonymous to us.
Information generated by cookies on the use of our websites shall not be transferred to third parties.
For technical reasons, specific data and information must be collected and stored for visits to our websites, e.g. websites used, time and duration of visit and data made available by the used browser (e.g. on the operating system and used system settings). We use such data and information anonymously in order to design our offer in a user-friendly way and technically optimize our offer.
Should you provide personal data or information on our websites, we can continue to use them within the framework of the legal requirements of TKG [Telecommunications Act] without your further consent. Use for advertising or marketing purposes, or transfer to third parties, which requires your separate prior consent, shall be exempt from this. We will separately inform you about any communications to other ÖBB affiliated companies (e.g. in the event of a concern, complaint, etc.).
Should you access the abovementioned offers on our websites or switch to these websites, we will share data provided by the browser with such operators. We are generally not responsible for contents offered on these external sites, both with regard to data protection and to the technical security of the data and information provided. Please note in this context that external providers use technologies for personalization of advertising.
If we provide a contact option through an input screen on our website, this communication is encrypted on the https protocol. Please note that the confidentiality of other communications on the Internet, in particular via email is not guaranteed, and we therefore recommend not transmitting confidential data and information by email.
Social media plugins
We have embedded contents from external providers, such as Facebook, youtube, Twitter, on individual websites or we will transfer you to the websites of external providers. We could not identify any legal violations at the time of linking. When disclosing such a legal violation, we will immediately remove the link. In order to be able to recommend and share contents in social networks, for example Facebook, Twitter and Google+, corresponding buttons are integrated into the platform.
These buttons only transfer data to external providers or other third parties if you press the corresponding button as participant. We have prevented an immediate transfer of data to external providers or other third parties in case of mere access to our websites. As a result, it is completely up to you to activate transfer in the individual case.
Sweepstakes on social media and in the customer magazine
If personal data are recorded by participants within the framework of a sweepstakes on social media, they shall exclusively be collected, processed and used for the purposes of implementing the sweepstakes, unless you have specifically granted your consent for the use of your personal data for other purposes, or use of data is required in the individual case for legal or other overriding reasons (thus for example in the event of a legal or other regulatory request or in the event of legal or regulatory disputes).
We will delete or anonymize collected and processed data following expiry of the statutory period of limitation (i.e. usually after three years have elapsed). The same applies to any messaging history in social media. We cannot assume any responsibility for the correctness, up-to-date nature and completeness of data that you have disclosed personally. In your own interests, please therefore ensure that data disclosed by you are correct, up-to-date and complete.
If you contact us by email with requests, suggestions or criticism, we would also like to ensure that we have performed our service to your satisfaction. After replying to your concerns, we will therefore ask how satisfied you were with our service.
This constitutes an internal quality assurance measure. For reasons of objectivity and automated processing, we employ a processor for this purpose, to conduct this automated query on our behalf. In order to do so, we will exclusively hand over your email address and customer number to the processor. We shall not provide this processor with the opportunity to inspect your data, to use your data for other purposes or transfer them to third parties.
Before employing the processor, we have assured ourselves that it will provide a sufficient guarantee for lawful and secure use of data.
By information security we mean:
In order to guarantee information security, we have established organizational framework conditions and protective measures, which conform to the latest technology.
Access rights are only granted to our employees in the absolutely necessary extent, specifically to the role. The use of such access rights is recorded.
Your data shall be protected by a secure online connection (TLS) between your PC and our servers, depending on the browser configuration, with at least 128 Bits.
Security measures for the system in the event of purchase on the ÖBB App or an online purchase were developed based on the following standards:
The system therefore fulfils the security standards of the Application Verification Standard 2010 (ASVS) and was also tested by an independent expert. ASVS 2010 represents the leading current standard for IT security. Moreover, the ÖBB App was developed in accordance with requirements of data protection law and continually adjusted to new requirements.
By processors we mean our contractual partners, who process personal data on our behalf (example: maintenance of our databases).
We currently employ processors for the following activities:
We only employ processors for our lawfully conducted data processing. We always assure ourselves in advance that the individual processor is suited to service performance, in particular that the processor provides a sufficient guarantee of secure and lawful use of data.
Processors that we have selected only receive personal data from us to the extent that is absolutely necessary.
Our processors have contractually undertaken:
Before employing a processor, we conclude a written agreement with the processor, in which special obligations are imposed on the processor and its employees, and they again are subject to a separate confidentiality obligation. We impose certain data security measures on the processor to ensure that customer data and data processing are sufficiently protected.