
Customer satisfaction is our top priority. This means that protecting your data is particularly important. We would like to thank you for the trust you place in us by submitting your data to us for processing. As a sign that we respect your rights as well as your privacy, we have formulated our policy, which applies when processing your data:
Our data privacy statement applies to anyone who makes use of one of our products or services, visits our websites or uses our apps. This includes: buying a ticket, including ancillary services, such as making a reservation, purchase of a customer card or use of our different services.
We are constantly continuing the development of our offers and services. This is also why we will constantly adapt our data protection declaration. We will, however, make sure that the latest version will always be available to you.
GDPR defines a controller as a natural person or legal entity, authority, institution or other body, which, on its own or in conjunction with others, decides on the purposes and means of processing personal data.
In general, ÖBB-Personenverkehr AG (ÖBB-PV AG), FN [company registration number] 248742y, Am Hauptbahnhof 2, 1100 Vienna, tel. +43 1 93000 0, is the controller under data protection law, as defined in Article 4(7) GDPR.
Please note that the distribution of certain products is carried out under joint controllership pursuant to Article 26 of the GDPR in conjunction with the One Mobility Act, Federal Law Gazette I No. 75/2021 as amended. See also the information in Section 5..
In the context of joint controllership, the following entities are joint controllers within the meaning of Article 4(7) of the GDPR:
| 
 | Data controller | Address | Contact | 
|---|---|---|---|
| 1. | One Mobility GmbH | Schwindgasse 4/3, 1040 Vienna | |
| 2. | Federal Ministry for Climate Action | Radetzkystraße 2, 1030 Vienna | |
| 3. | ÖBB-Personenverkehr AG | Am Hauptbahnhof 2, 1100 Vienna | |
| 4. | OÖ Verkehrsverbund-Organisations GmbH Nfg. & Co KG | Volksgartenstraße 23, 4020 Linz | 
By personal data we mean all information relating to an identified or identifiable natural person (hereinafter “data subjects”).
A natural person is regarded as identifiable if said person can be identified as precisely this natural person, in particular through allocation of an identifier such as a name, identification number, location data, online identification data or one or more other special features in the particular individual case (e.g. voice). Thus this includes, at the least, the data that can be associated with you as a customer. For example, your name, email address, telephone number, booking code, ticket code or your customer number are personal data.
Please note that product distribution and customer service are provided either
a) under the sole responsibility of ÖBB-Personenverkehr AG under data protection law, or
b) joint product distribution and customer service is provided under the One Mobility Act.
The special features of joint product distribution are explained below. In the data privacy statement, we have also differentiated between processing purposes that take place under sole or joint controllership (see Section 6.).
Joint controllership for product distribution and customer service
Background of joint product distribution and customer service
The One Mobility Act, Federal Law Gazette I No. 75/2021 as amended, provides for the assurance of uniform and customer-friendly access to public transport products. A shared sales system (ticket shop) and centralised payment processing are established to provide a single inter-company customer account, product portfolio, customer service and payment system for the customers of the participating transport companies and associations. This promotes easy access to public transport and a switch to climate-friendly mobility, while synergies make the use of tax revenues even more efficient.
Legal basis of joint controllership
The legal basis for this joint data processing is in particular Article 6(1) e) GDPR in conjunction with Art 2(1) of the One Mobility Act. The performance of duties in the public interest lies in the creation of a shared distribution system for public passenger transport in order to facilitate access to the public transport network and thereby contribute to climate protection and relieve the taxpayer thanks to the associated cost benefits. On the other hand, Article 6(1) f) GDPR also applies, as the data controllers have a legitimate interest in ensuring that integrated sales and customer services support the switch to public transport and enable comprehensive customer care and a wider range of products from each data controller. Individual data processing is also carried out on the legal basis of consent and contract fulfilment in accordance with Art. 6(1) a) and b).
Partners in joint controllership
The Federal Ministry for Climate Action, Environment, Energy, Mobility, Innovation and Technology, One Mobility GmbH, ÖBB-Personenverkehr AG and OÖ Verkehrsverbund-Organisations GmbH Nfg. & Co KG, as joint controllers of the joint distribution and billing system, have concluded a special agreement that defines which partner is responsible for which obligation in order to fulfil and comply with the provisions of the GDPR.
For this purpose, ÖBB-Personenverkehr AG makes its distribution system (the ÖBB ticket shop) available to the other joint controllers, and a central billing system provided by One Mobility GmbH is used by all joint controllers.
Purpose of the joint controllership
The purpose of this joint data processing is that
Data subjects
This joint data processing affects all persons who, from the start of the joint controllership, purchase a product or use a customer service to change customer master data or a product through the web, app or ticket counter sales channels of a joint controller in accordance with Section 1 (b). The data referred to in Section 3 will be shared between the partners as soon as the joint controllership comes into effect and can be viewed and processed by them for the purpose of cross-company product sales and customer service.
Data shared between partners
As part of the joint controllership, your customer data will be processed by all controllers as part of a joint customer base. The joint controllership applies to all processing activities carried out in the context of the joint product distribution, customer service and centralised payment processing. The joint processing concerns:
The rights of access and inspection of your data have been designed in such a way that a right of inspection or access is only granted to the extent strictly necessary in each case, in order to protect your privacy to the greatest extent possible.
Processors
All other IT service providers and data hosting solution providers, as well as other providers of tools and solutions (e.g. printers and plastic card manufacturers) who assist us in providing our products to you.
Pursuant to the provisions of Article 12 et seq. GDPR, we would like to inform you on the following topics:
Sole controllership by ÖBB-Personenverkehr AG:
If you have any questions regarding data protection or the use of your personal data, please contact the data protection officer of ÖBB-Personenverkehr AG, if the data processing is carried out under our sole controllership.
Contact details for the data protection officer at ÖBB-Personenverkehr AG:
ÖBB-Personenverkehr AG, 1100 Vienna, Am Hauptbahnhof 2
E-mail: datenschutz.personenverkehr@pv.oebb.at
Joint controllership
In addition, the following contact options are available in the context of joint controllership:
If a customer under the age of 14 uses the following services provided by ÖBB-Personenverkehr AG or its partners under joint controllership (e.g. tickets, newsletter subscriptions, push services), the respective customer must ensure that the necessary consent of his or her legal guardian was obtained in advance.
In addition to data processing under joint controllership (see Sections 5. and 6.3.), there are data processing activities that ÖBB-Personenverkehr AG continues to perform exclusively under its sole controllership under data protection law. Within the scope of our sole controllership, personal data is generally processed for the following purposes:
The rights of access and inspection of your data are designed in such a way that they are only granted to the extent strictly necessary in each case, in order to protect your privacy in the best possible way.
Personal data is collected for our own purposes in accordance with Article 13 of the GDPR for the following specific processing purposes:
In the following cases and for the following purposes, personal data will not be collected by ourselves but will be disclosed by third parties in accordance with Article 14 GDPR:
If
In the following cases and for the following purposes, personal data is collected under joint controllership and shared between the partners listed in Section 3.:
The data processed for the purposes outlined in Section 6.2. is disclosed to the following categories of recipients as required and depending on the intended use, ensuring that data is only disclosed to the extent absolutely necessary as required:
To
The joint controllers may have personal data processed by processors. Processors are understood to be contractual partners who process personal data on behalf of the controllers.
ÖBB-Personenverkehr AG and its partners under joint controllership only use processors for lawful data processing. All controllers have always verified in advance the suitability of the individual processor to provide the service, and in particular that the processor provides sufficient guarantees for the secure and lawful use of the data.
The processors selected by the joint controllers receive personal data only to the extent strictly necessary, and the processing is carried out exclusively for the specified purposes.
The joint controllers transfer personal data to the following processors:
In addition, the joint controllers transmit personal data to the following recipients (controllers) to the extent necessary:
Data processing under our sole controllership is carried out in particular on the basis of the following legal framework (as amended from time to time):
The ÖBB Group not only uses Microsoft Office products, but also Microsoft Cloud Services. In particular, Microsoft Cloud Services and other Microsoft products are used to provide the ÖBB ticket shop, the ÖBB ticket app, the complaints management system, CRM measures and other customer-related systems.
The central processors are ÖBB companies, namely
For the provision of technical services by our ÖBB processors, the use of Microsoft products involves transferring / disclosing data to Microsoft Ireland Operations Limited (Microsoft), 70 Sir John Rogersons’s Quay, Dublin 2, Ireland, whereby Microsoft itself uses sub-processors in individual cases for the provision of individual cloud services or the provision of Microsoft products, some of which are based in third countries.
Microsoft is a recipient in the United States that participates in the EU-US Privacy Framework, which has been found by the European Commission to provide an adequate level of privacy protection.
Please note that in some cases Microsoft uses sub-processors, some of which are located in third countries, to provide its cloud services or to deliver Microsoft products. An up-to-date list of these sub-processors is provided by Microsoft at the following link: https://servicetrust.microsoft.com/DocumentPage/badc200c-02ab-43d9-b092-ed9b93b9b4a8.
Where data is transferred from Microsoft to Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, in the United States, Microsoft relies on Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequacy of the level of protection of personal data under the EU-US data privacy framework (the “EU-US Data Privacy Framework”). Microsoft Corporation has been certified under the EU-US Data Privacy Framework.
In addition, Microsoft relies on the standard data protection clauses for the transfer of personal data from processors in the EEA to processors in third countries that do not ensure an adequate level of data protection, as described in Article 46 of the GDPR and approved by the European Commission in Decision 2021/914/EC of 4 June 2021.
You can view the FAQs provided by Microsoft via the following link: GDPR – frequently asked questions, Microsoft Trust Centre
If we transfer data to other recipients outside the EU/EEA in the future, we will give priority to countries for which the EU Commission has issued an adequacy decision. For recipients in third countries without an adequacy decision, we will first enter into standard contractual clauses and implement appropriate security measures to establish an adequate level of data protection to ensure that your rights are protected in accordance with the provisions of the GDPR.
In addition, the technology of Emarsys eMarketing Systems AG is used to send advertising offers (Lassallestraße 7b 1, 1020 Vienna, see points 15 and 16). Emarsys eMarketing Systems AG itself uses other processors, some of which are based in third countries. These other processors primarily provide hosting and development services. The following list provides an overview of the other processors used by Emarsys eMarketing Systems AG:
| Name | Registered office | Role | Data protection level | Note | 
|---|---|---|---|---|
| Amazon Web Services, Inc. | 410 Terry Avenue North, Seattle, WA  | Hosting Provider (i.e. storage of personal data) for Cloud Service | Listed in the Data Privacy Framework | 
 | 
| Google LLC | 1600 Amphitheatre Parkway, Mountainview, CA 94043 United States | Hosting Provider (i.e. storage of personal data) for Cloud Service | Listed in the Data Privacy Framework | 
 | 
| MongoDB Limited | Building Two, Number One Ballsbridge, Ballsbridge, Dublin 4, Ireland | Cloud database handling on hosting provider for the Cloud Service | Registered office within the EU/EEA | 
 | 
| Emarsys eMarketing Systems GmbH | Lassallestrasse 7B, 1020 Vienna, Austria | Development and provision of the Emarsys marketing platform | Registered office within the EU/EEA | 
 | 
| Emarsys Technologies Kft. | Kossuth Lajos ztca 7-9, First Site Hotel & Business Compley Floor 2, 1053 Budapest, Hungary | Development and provision of the Emarsys marketing platform | Registered office within the EU/EEA | 
 | 
| Emarsys Interactive Service GmbH | Willi-Schwabe-Straßw 1, 12489 Berlin, Germany | Agency services in relation to the planning, execution and analysis of marketing communication | Registered office within the EU/EEA | 
 | 
| Emarsys UK Ltd | The Scalpel, 20th Floor, 52-54 lime Street, London, EC3m 7BS, United Kingdom | Customer Support | Adequacy decision of the EU Commission | 
 | 
| Emarsys Limited | 35/F, Tower 2 Times Square, 1 Matheson Street, Causeway Bay, Hong Kong | Customer Support | Not applicable | An international service is not used | 
| Emarsys North America, Inc. | 10 W. Market Street, Suite 1350, Indianapolis, IN 46204, Indiana, USA | Customer Support | Not applicable | An international service is not used | 
| SAP America, Inc. | 3999 West Chester Pike, Newton Square, PA 19073, USA | Development and provision of the Emarsys marketing platform | Standardvertragsklauseln der EU-Kommission | 
 | 
| SAP Canada, Inc. | 222 Bay St., Suite 1800, 1900, 2000, P.O. Box 41, Toronto, ON M5K 1B7, Canada | Development and provision of the Emarsys marketing platform | Adequacy decision of the EU Commission | 
 | 
Emarsys eMarketing Systems AG thus only uses other processors that are either based in the EU/EEA or whose data transfer is justified by an adequacy decision of the EU Commission, an EU-US Data Privacy Framework listing or by separately concluded standard data protection clauses.
We have taken care to ensure that the scope of the master data, forwarded to Emarsys and its other processors is limited to the absolute minimum. Only first and last names, email addresses, birth dates, cities, postcodes and customer number are subject to the data transfer.
In addition, services are only used to the extent necessary. For customer services, we therefore only choose national support as standard and do not transfer data to third countries.
Data about your purchases or preferences has been pseudonymised, so that neither Emarsys eMarketing Systems AG nor the other processors it uses can establish a personal reference to the information about the content of the segmentations carried out.
We do not intend to transmit personal data to an international organisation.
In accordance with legal requirements, personal data will generally not be retained for longer than is necessary to fulfil the purpose for which it was collected. The specific retention period may result from an applicable legal requirement or may be for the duration of your consent. If the purpose for which the personal data was stored no longer applies, or if a legal retention period has expired, the personal data will be routinely blocked or deleted in accordance with statutory provisions.
In particular, the following storage periods apply:
In addition, we may retain your personal information beyond the periods set out above for as long as is necessary to assert any legal claims arising from the relationship between you and us or until a specific matter or legal dispute has been finally resolved. This longer retention period is necessary to protect our legitimate interests in asserting, clarifying and defending legal claims. In the context of business case documentation, legal requirements may also provide for a longer retention period.
In general, data subjects are entitled to assert the following rights against the data controller:
As a data subject, you generally have the following rights:
a. Right of access (Article 15 GDPR)
You have the right to request information on which personal data are collected about you and held by us.
b. Right to rectification and deletion (Article 16 GDPR)
You have the right to rectify any incorrect data concerning your person (e.g. spelling mistakes).
c. Right to erasure (Article 17 GDPR)
You have the right for personal data to be deleted, provided such deletion is covered by the cases set out in Article 17 GDPR, for example if we were to wrongfully process data.
d. Right to restriction (Article 18 GDPR)
You have the right of a data subject to demand that the controller restrict the processing of personal data about you if the requirements under Article 18 GDPR are present.
e. Right to data portability (Article 20 GDPR)
You have the right of a data subject to receive the data provided by you in an interoperable format.
f. Right to object (Article 21 GDPR)
You have the right of a data subject to raise an objection to data processing, provided the requirements of Article 21 GDPR are present.
Sole controllership by ÖBB-Personenverkehr AG:
If you wish to assert a data subject’s right against ÖBB-Personenverkehr AG within the scope of its sole controllership, please contact us. To do so, the following contact options are available to you:
Contact details for customer service:
(Subject: assertion of rights of data subjects)
Postfach 222
1020 Vienna
E-mail: datenschutz.personenverkehr@pv.oebb.at
As soon as we receive your request and your identity is beyond doubt, we will respond to your request within four weeks. If we have any questions when responding to your enquiry, we will ask you to help us identify the relevant data.
We will only ask you to prove your identity if we are in any doubt. In this case, we will ask you to send us the following information:
This verification of identity means that we can determine your actual characteristic as a data subject, so as to ensure that personal data is not disclosed to unauthorised third parties (risk of abuse).
Joint controllership
If you wish to assert a right of a data subject under the joint controllership, please note the following specificity:
One Mobility GmbH processes and responds to requests for information regarding data processing under joint controllership on behalf of all controllers.
To obtain a full request for information under Article 15 of the GDPR, which should cover both the data processing under joint controllership and the data processing under the sole controllership of ÖBB-Personenverkehr AG, a request for information must be sent to both One Mobility GmbH for the data processing under joint controllership and to ÖBB-Personenverkehr AG for the data processing under its sole controllership. Answers will be sent separately. The contact details for One Mobility GmbH can be found in Section 6.1..
To exercise your data subject rights under Articles 16-22 of the GDPR, you should preferably contact the controller with whom you have a contractual relationship. Notwithstanding the foregoing, you may also exercise your rights in relation to the joint processing of your personal data with any of the controllers. In this case, the controller concerned will immediately forward the request to the controller in charge of the processing operation, provided that it is a case of joint controllership.
Reports to the supervisory authority pursuant to Article 33 of the GDPR shall be made by the controller in whose system or organisation the data protection incident has occurred. One Mobility GmbH will notify the data subjects in accordance with Article 34 of the GDPR on behalf of and with effect for all controllers. The joint controllers have contractually agreed to inform each other immediately if irregularities are detected in data processing activities and to take measures to mitigate any adverse consequences for data subjects.
In the event of data protection violations arising from the joint controllership, all controllers are jointly and severally liable vis-à-vis third parties.
Furthermore, you have the right to submit a complaint to the data protection authority, according to §§ 24 et seq. DSG [Data Protection Act] and Article 77 et seq. GDPR if you believe that we have breached obligations under the General Data Protection Regulation.
Contact data:
Austrian Data Protection Authority,
1030 Vienna, Barichgasse 40-42,
Telephone: +43 1 52 152-0
E-mail: dsb@dsb.gv.at
If you have granted us your consent to the processing of your data for a specific purpose, you have the right to revoke your consent at any time without providing reasons. We have described the method for exercising the right of withdrawal in Section 16..
During the train or bus journey, our train attendants will validate (i.e. scan and check for validity) your customer card, digital discount products, physical or digital annual ticket and/or ticket or your boarding pass (Airrail pass).
When scanning, only those data are visible on the inspection staff’s device which can be found on your customer card or the ticket (e.g. card or ticket number, card validity, name and possibly the photo of the card holder, card type and comfort class, departure and arrival time, train number, boarding and exit station). In the case of our customer cards, the date of birth of the card holder is also displayed on the inspection staff’s device in order to facilitate identification. If the ticket/card has been cancelled or tickets/cards have been used multiple times without authorisation, our inspection staff will also be informed whether the customer card or ticket was valid at the time of validation.
The following data is collected when your boarding pass (Airrail pass) is validated: Name, operating carrier’s PNR code (= order number), airport code, operating carrier’s designator (corresponds to the RICS code for railroads, i.e. the identifier of the transport company), flight number, date of the flight, compartment code (travel class) and the document form/serial number (= ticket number)
Scanning allows for an electronic control of cards and the ticket (as opposed to a purely visual inspection) and in particular makes it possible to withdraw manipulated or wrongly used tickets or cards (for example if the validity period has already expired, the ticket/card has been cancelled or tickets/cards have been used multiple times without authorisation) from circulation.
Moreover, data are collected for our inspection staff, i.e. which employee performed validation when, where and how. Our train attendants are only able to view validation data for a limited amount of time.
In order to combat abuse in international and cross-border local and long-distance transport, we share travel authorisation data (ticket and card data) limited to what is absolutely necessary as well as control data with those partners who are involved in providing the transport service or who have a legitimate interest due to a control activity.
We do not automatically analyse possible movements of our customers. An evaluation of the existing data material is carried out in individual cases if a data subject should request this information as part of his or her request for information under Article 15 DSGVO.
The validation is based on two different but equivalent legal bases, namely
(1) the contract of carriage concluded with you, i.e. Article 6(1) b) GDPR, and
(2) overriding legitimate interests within the meaning of Article 6(1) f) GDPR, which consist of conducting a necessary authorisation check, decommissioning customer cards and tickets that are no longer valid, preventing further cases of abuse (general prevention) and complying with contractual obligations.
To use all the functionalities of the joint distribution system (both under sole and joint controllership), i.e. the website and the app, you need to register and we will create a customer account for you.
In order to create a customer account, we will need at least the following information about you: e-mail address, password, salutation, your first and last name and your date of birth. When you register, we ask you whether you would like to continue to use the data previously used in the browser (e.g. recent trip searches, customer cards) as part of your customer account.
Following data entry and registration, you will receive an e-mail from us, to confirm your e-mail address and activate the customer account for ÖBB. As soon as you confirm the activation link and log in for the first time, your customer account is active.
In order to use our business services (website and app), business customers can create a business account. For example, you can register your company as a corporate customer and we will create an ÖBB business account for you.
This allows you to use all your stored data independent of devices and browsers and simplifies and accelerates timetable enquiries, ticket purchases, company structure management and the report function.
It’s as simple as this: name an administrator from your area who will handle the initial registration. For an initial registration, we need at least the following information: e-mail address, password, salutation, your first and last name, company name, address and an industry selection.
After entering the data and registering, the named administrator receives an e-mail from us to confirm the e-mail address, initiate the plausibility check and activate the ÖBB business account. Only after a positive plausibility check will the payment on account and the business tariff be activated. As soon as you confirm the activation link, your ÖBB business account is active.
In order to use or manage further advantages of the ÖBB business account, we optionally need additional data, such as: the structure of the company, employee names, e-mail addresses, employee role authorisation, employee discount cards, etc. This enables us to offer your employees or other persons assigned to the ÖBB business account relevant products.
The ÖBB business account also enables a pleasant and fast ticket purchase without repeated data entry by adding payment data in the administration. Payment data will be stored by our payment service provider, who processes your payment data using the international PCI DSS standard. The stored means of payment can be deleted at any time by persons who have received the corresponding authorisations by you.
For existing business customers, ÖBB-Personenverkehr AG offers webinars covering customer safety at the station and on the train. ÖBB-Personenverkehr AG shows what the company does for the safety of passengers and demonstrates how customers can also pay attention to their own safety. In addition, the various options for travel insurance are presented and explained.
The invitation to the webinar, including the invitation link, is sent by e-mail to the e-mail address provided by the business customer. For the avoidance of doubt: this is a training and information event, and the webinar does not include any promotional content.
If you use the Wegfinder app provided by our partner iMoblity GmbH to book a service (e.g. to purchase a ticket to travel to a congress), iMobility GmbH will provide us with your name, date of birth, wheelchair yes/no, discounts, travel preferences, booking details and the organizer’s business account ID, so that we can issue the ticket.
The individual bookings as well as any payments take place in iMobility GmbH’s Wegfinder app. The data on CO² savings is compiled and made available to the respective organizer of the booked service without personal reference.
For selected partners (Easy Tex), the business account can also be used as a service for customers. For this purpose, the partner uses a business account, in which the booking and billing takes place. If the booking is made through an international partner, data will be exchanged as part of an international data transfer for the purpose of completing the ticket purchase within the meaning of Article 49(1) b) GDPR. The data exchanged as part of the international data transfer has been limited to what is strictly necessary (this includes offer and order information, ticket information, billing information, passenger details).
For congress bookings, a separate booking area is created to which only a restricted group of users (organisers, participants as well as employees of the responsible parties) have access. The organiser receives a link and a TAN to the booking area created for the respective individual congress. The rights of access have been restricted so that neither the participants of a congress, nor the organisers themselves, nor participants or organisers of other congresses can access the information. Data is deleted two months after the end of the congress or finalisation of the accounts.
If an organiser assumes payment for participants’ travel to a convention, the organiser will be provided with the relevant participants’ booking details (first and last name, dates of travel, costs) for the purpose of reviewing the invoice.
By payment information we mean information that we require for processing the payment. As a matter of principle, we will never store any payment information, such as credit or debit card numbers, expiry date, the card validation code (CVC) or user account and password data. We will only store payment information to a limited extent, namely
In all other cases, payment information (e.g. expiry date or the card validation code (CVC)) will be processed and used by a tested and certified payment service provider (Terminal Service Provider and Payment Service Provider).
In order to handle the payment process, we employ tested and PCI-certified payment service providers who process and use the payment information (e.g. CVC code or expiry date) to complete the booking. Data will be processed only for the purposes of completing payments on certified payment terminals (e.g. ticket vending machine, ticket counter, etc.) or at shop.oebbtickets.at or via the ÖBB app. These payment service providers are usually independent entities and therefore process your data in accordance with their own privacy policy.
In order to clearly authorise a payment, the payment service provider will require various pieces of information from us, such as e.g. identification data for browser and operating system type, which are saved by us and forwarded to the payment service provider for processing the payment.
The European Banking Authority (EBA), Regulatory Technical Standards (RTS) and the revised Payment Services Directive (PSD2) prescribe strict authentication methods for combating online fraud. PSD2 aims at preventing online fraud with strict customer authentication rules applied to an increased number of transactions.
So-called Strong Customer Authentication (SCA) is an obligatory part of PSD2 and ensures a high level of customer protection and increased payment security. SCA is therefore required whenever you, the customer, start an electronic payment process or perform a transaction that poses a risk of payment fraud or other misconduct. In this case, you will be required to complete an identification process by providing a password and another identification factor as determined by the payment service provider. In certain exceptional cases, this authentication can be dispensed with. The decision to apply SCA or dispense with authentication rests with the payment service provider.
We are required to provide the payment service provider with the relevant data requested in order to secure your payment transaction.
More information on this can also be found on the payment service provider’s own website.
For the purposes of payment risk management, as required in the specific case and as part of the purchase transaction, personal data may be transmitted in the absolutely necessary extent to the payment service provider, which then uses this data to conduct a risk assessment. Payment-related data will also be consulted for anonymised analyses.
We have set ourselves the goal of allowing you to:
Our website Nightjet.com offers services customised to your personal needs, which simplify the purchase of tickets. For example, this website uses GeoLite2 data provided by Maxmind. This data uses your IP address to determine approximately from which country you are accessing the website in order to predefine the country of departure when displaying connections under the menu item “Destinations” as well as the country code when booking a ticket in order to increase your user comfort. No personal data is stored during this procedure.
The first offer you will find on our website Nightjet.com is always the one with the lowest current price available. If there is an additional offer for your travel request that offers more flexibility regarding travel time or ticket reimbursement, we will make you aware of this alternative. You can decide whether price or flexibility is more important to you for each journey.
For a specific journey we always bookmark the name of the person printed on tickets. This means we can be certain that a ticket is not used several times by different persons with fraudulent intent. As a result, please carry your photo ID for the ticket with you, to allow train staff to check on the correct use of the ticket on site.
If you are travelling with children or adolescents, we will bookmark the age of the children. The children’s age limits differ in individual transport authorities and countries. Only if we know the age of your children can we determine the right price for the ticket purchase and create the best offer for you. We are obliged to store the date of birth for international travel. Nightjet.com only asks for the children’s exact date of birth when booking a pre-connection and/or onward connection.
We will provide you with all known information about your journey. In this way, you will have the most detailed and current information about your journeys and are able to respond to changes on time. Your travel companion in the ÖBB app and the Nightjet.com website has the latest information for you at all times:
You can find detailed information on data processing for the purpose of payment processing via Nightjet.com under the heading “All you need to know about the ÖBB Ticket Shop and the ÖBB App” in the payment information section.
On the nightjet.com website, only technically necessary cookies that serve to ensure the usability of the website are used.
We have expanded our distribution channels for you. This means that you can now also find our connections on partner platforms and can, in part, also book your ticket directly on the platform of our partner. If the booking is made through a partner, we exchange only the schedule and ticket information with the partner that is required for the creation of the ticket. The respective partner is responsible for the protection of the data processed on the partner platform of the partner.
In certain municipalities throughout Austria, you can book a fast and comfortable shuttle service to your destination (ÖBB Transfer). This service picks you up directly from the train station, takes you to the accommodation selected during the booking process (e.g. hotel, spa) and also takes you back to the train station on your day of departure.
When booking a ticket for a specific train journey (i.e. booking a ticket to your destination and back), you will automatically be offered the ÖBB Transfer Service if this service is available at your destination. If you would like to avail yourself of this service, you can book it together with your train ticket as part of a booking process. Detailed provisions concerning the ÖBB Transfer can also be found in the Guide for travelling with ÖBB in Austria.
You will receive an email with the exact times and locations for the shuttle’s departure and arrival after the purchase is completed as well as prior to the journey.
The transfer service is provided by our cooperating partners (bus or taxi companies).
The driver will wait for you at the main exit of the station or outside your chosen accommodation.
In order to use this transfer service, the following data is collected during the booking process: first and last name, pick-up and drop-off location, number of passengers, train number, data for validation, price and chosen method of payment, e-mail address, mobile phone number, wheelchair, dog, bicycle (to determine whether or not the transfer service allows for the transport of a wheelchair, dog or bicycle).
In order to provide the transfer service, the required data will be passed on to the cooperating partners (bus or taxi companies) in the case of a booking and by the cooperating partner to the third party providing the service (e.g. other local taxi companies at the destination) in the event that the cooperating partner does not provide the transfer service itself.
For the purpose of providing the transfer service, ÖBB-Personenverkehr AG will pass on the following data to the cooperating partners:
ÖBB-Personenverkehr AG (as far as the train service is concerned) as well as the individual cooperating partner (as far as the transfer service is concerned) shall carry out this service under their own responsibility under data protection law. As a consequence, you must in particular exercise your claims/rights under data protection law (e.g. a request for information under data protection law) against ÖBB-Personenverkehr AG as well as against the respective cooperating partner.
If you wish, we will also be happy to forward enquiries to the cooperating partner or to the commissioned third party.
ÖBB-Personenverkehr AG uses
as a processor to provide this service.
In order to enhance the mobility chain within Austria, ÖBB Rail&Drive cars are made available at selected ÖBB train stations. This car sharing offer is available to all registered ÖBB Rail&Drive customers.
Please use the ÖBB Rail&Drive website to register. https://www.railanddrive.at/ The verification process can then be completed at selected sales offices of ÖBB-Personenverkehr AG (i.e. ÖBB ticket counters, ÖBB travel agencies and ÖBB lounges). The applicable sales offices are published on our website and can be accessed via the following link: https://www.oebb.at/de/reiseplanung-services/am-bahnhof/last-mile.html . Alternatively, you can also carry out the entire registration process at these locations. For this purpose we provide computers and tablets at selected sales points. This allows you to start the registration process and/or complete the verification process on site.
Disclosure of the following information is required to use the Rail&Drive service: driving licence data, first name, last name, address, date of birth.
Please make sure that you are able to verify the information you have provided by means of appropriate evidence on site. In particular, it must also be ensured that the driving licence issued to the customer in question was issued in a Member State of the European Union. A physical and/or digital copy of the driving licence is made on site. The collected data is kept for a period of one week and then deleted or destroyed.
ÖBB-Personenverkehr AG will forward the collected data and documents electronically to Rail Equipment GmbH & Co KG, which is responsible for this service under data protection law. In this case, ÖBB-Personenverkehr AG acts as the processor for Rail Equipment GmbH & Co KG.
Your data protection claims with regard to the ÖBB Rail&Drive service must therefore be asserted against Rail Equipment GmbH & Co KG.
Contact details:
Rail Equipment GmbH & Co KG 
z.Hd. Datenschutzbeauftragter 
Operngasse 24/4, 
A-1040 Vienna 
info.railanddrive@oebb.at
The data collected at the point of sale is recorded by the data controller, Rail Equipment GmbH, in its own data processing systems and used for the purpose of providing the service. Further information on the use of data can be found in the data privacy statement of Rail Equipment GmbH & Co KG (available at https://www.railanddrive.at/de/datenschutzerklaerung).
As a part of ÖBB 360, ÖBB-Personenverkehr AG, together with its subsidiary iMobility GmbH, offers a service for employees of companies.
Public transport, taxis, sharing services and micro-public transport throughout Austria can be booked using the “wegfinder” app provided by iMobility GmbH. This is an information and booking platform for a wide range of mobility services as alternatives to private cars.
The service offered under ÖBB 360 can be used for business and private purposes.
During the booking process, the employee selects whether it is a private trip or a business trip.
Settlement is made either by private credit or debit card or by the means of payment provided by the employer: “Mobility budget” and/or “Travel expenses”. In order to be able to make use of the “mobility budget” and/or the “travel expenses” options, the company must be linked to the employee’s wegfinder profile.
The mobility budget is a monthly amount provided by the employer at the beginning of each month in the form of vouchers on the wegfinder account. For all bookable mobility services in the app, users have the option to select either the mobility budget for private journeys or the “travel expenses” payment method as the means of payment for business journeys.
The respective company is also provided with your CO2 footprint for the trips made on a monthly basis.
The employer does not receive any information related to employees’ private mobility behaviour, in particular with regard to which means of transport were used for which routes for private purposes. Your employer can only see how much CO2 an employee has saved with the mobility budget they have made available.
ÖBB-Personenverkehr AG and iMobility GmbH each process personal data as independent data controllers pursuant to Article 4(7) GDPR.
ÖBB-Personenverkehr AG processes the following data:
Data collected on the company: company name incl. VAT number and company register number, address data, country, monthly invoice amount, customer number and contact person.
Data collected on the employee: e-mail address
Please be advised that ÖBB-Personenverkehr AG has no insight into the specific bookings of the individual mobility services. Booking and data processing for the mobility services used takes place in the app offered by iMobility GmbH, which operates it under its own responsibility. Further information on this topic can be found in the Data Privacy Statement, which you can access via the following link: https://wegfinder.at/datenschutz/
On our website, you have the opportunity to submit enquiries about corporate mobility and shared mobility via a separate input screen, and to opt in to receive information, news and offers by email, phone and text message.
In particular, the following data will be used: Company, title, first and last name, telephone number, e-mail address and federal state.
You may withdraw your consent at any time
.
We can organise optimal assistance for you at many stations upon free advance notice at ÖBB customer service, at the ÖBB ticket counter, or at an information point at the train station. Please let us know about your desired journey in good time (see https://www.oebb.at/de/reiseplanung-services/barrierefrei-reisen/mobilitaetsservice.html).
We require the following data for advance notice: (1) first and last name and address; (2) phone number for queries and communications; (3) journey date, route (departure/transfer/arrival station); (4) disclosure of whether you are travelling with a companion and/or luggage; (5) type of mobility restriction (wheelchair user, walking disability, visual impairment, other restriction); (6) disclosure of whether any railway aid is required (lifting device, railway wheelchair,...); (7) disclosure of the meeting point at the station; and (8) if already available, carriage and seat number.
Data on a provided service will be stored by ÖBB-Personenverkehr AG on a national level for a maximum period of three years and subsequently automatically deleted.
In the event of cross-border journeys, data are transferred to a database provided by the International Union of Railways (UIC, Union internationale des chemins de fer), to which only relevant partner railways (partner operators) have access for handling the mobility service. This is intended to ensure that appropriate assistance is provided at an international arrival station or stations by the responsible international partner railways (partner operators). The provision of a cross-border mobility service was agreed internationally within the framework of a separate agreement. In particular, the scope of data disclosed in the individual case and the intended use were restricted to the extent that is absolutely necessary. In order to provide a cross-border mobility service, the following data will be disclosed and stored in the UIC database until completion of the journey: journey data, title, first and last name, e-mail, language, type of mobility restriction, aid, other significant information, e.g. companion or service dog, luggage. The above data shall therefore be deleted immediately following completion of the journey in the event of cross-border journeys.
In combination with a ticket, you can make use of a luggage service for normal luggage items as well special baggage for journeys within Austria (see fare regulations).
The booking can be made through our company (i.e. at the ticket counters or by phone via the customer service). We are at your disposal as a contact for our cooperation partner (GO! Express & Logistics GmbH, 1230 Vienna, Pfarrgasse 81).
The cooperating partner shall perform this service at its own responsibility. In order to allow the cooperating partner to perform its logistical service, the following data - assignable to you - shall be disclosed to such a partner for the performance of the service, which you communicated to us when booking this service: first and last name, telephone number, e-mail address, pick-up and delivery address, date, time and time window of pick-up and delivery.
If you wish, we will be happy to pass on complaints and other queries to the cooperating partner as required.
As part of ÖBB Bike, ÖBB offers two products: ÖBB Bike:Rental (longer rental for day trips) and ÖBB:Bike Sharing (short-term rental for short distances).
The processor Digital Mobility Solutions GmbH, Vaalser Str. 17, 52064 Aachen, Germany, provides a web-based administration backend (MoQo platform) for the digitalisation of the bicycles and the operational processing of the bike rental service.
Bike rental takes place via the Wegfinder app provided by our cooperation partner iMobility GmbH, Weyringergasse 5/B4, 1040 Vienna, which provides this service under its own data protection responsibility. You can view our cooperation partner’s privacy statement via this link: https://wegfinder.at/datenschutz/
The rental relationship is established between the respective bike rental service and the operator. You can review the operator’s respective rental conditions in the Wegfinder app.
Prior to first-time use, an account must be created in the Wegfinder app and a means of payment must be registered. In the respective app, select a location, a date and a bike, accept the General Terms and Conditions of the respective bike rental service operator and rent the bicycle. The billing will be done by iMobility GmbH after the bike has been returned.
Data that is stored
In the event of a booking, data will be forwarded to the respective bike rental service operator.
The respective bike rental service operators can be found on the ÖBB website via the following link: https://www.oebb.at/de/reiseplanung-services/sharedmobility/oebbbike
The data is also transferred to our processors:
Differentiated deletion periods (between 1 year and 10 years, depending on the respective reason for storage) have been defined based on factual aspects. The deletions are carried out independently by the processor. In deviation from this, data may only be stored for a longer period in individual cases if there is a special reason for such storage (e.g. civil court proceedings).
Customers have the option of renting a bicycle parking space by the month or for an entire year via an app. The bike room can be opened/closed via the app (smart door control) using a QR code. Customers will be informed by e-mail / app prior to termination of the rental agreement.
Note: For this service, the controller uses the processor JUHUU BikeBox GmbH, which in turn uses processors located outside the EU. In particular, the processor uses Google Cloud Platform for its cloud computing services and has concluded the necessary data protection agreements and standard contractual clauses with Google Ireland Limited, with registered office at Gordon House, Barrow Street, Dublin 4, Ireland and Google LLC, with registered office at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
For sending e-mails, the TÜV-approved processor Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin is used, whose processors have either concluded EU standard contractual clauses or have a server location in the EU.
The following personal data will be processed in the context of bike rental services
Differentiated deletion periods (between 1 year and 10 years, depending on the respective reason for storage) have been defined based on factual aspects. The deletions are carried out independently by the processor. In deviation from this, data may only be stored for a longer period in individual cases if there is a special reason for such storage (e.g. civil court proceedings).
We are introducing a new service for you with immediate effect: Consultation and sales talks are now also conducted online.
This procedure not only offers a good alternative for persons with restricted mobility, but also allows you to use the travel agency service of ÖBB-PV AG without restrictions from wherever you are.
Even if the sales and consultation meetings are held online, we will not record any of the conversations.
Online consultations in travel agencies are only provided at your request and are not mandatory. For this purpose, you have the option of booking an online consultation at https://reisebuero.oebb.at/ (registration for appointment). Registration generates an email that is delivered to the inbox of your selected branch.
In the event of an app date at the ticket counter, your registration will be sent by email to an internal central coordination unit for appointment management.
The following data is collected as part of the registration for an appointment at a travel agency: First and last name, e-mail address, telephone number, date on which an appointment is requested, requested branch, time window and comments. This data is used exclusively for online consultation and the sale of travel products.
The following data is collected as part of the registration for an appointment at a ticket counter: First and last name, e-mail address, telephone number, date on which an appointment is requested, requested counter, time window, type of operating system (Apple or Android), areas of interest and comments. This data is used exclusively for on-site consultation.
General
Our timetable information service ÖBB Scotty offers you the opportunity to obtain information about timetables, stations or the current transport situation of ÖBB trains and several other transport operators. With the door-to-door timetable information you can query the fastest route from A to B throughout Austria and use other services. Moreover, additional relevant information is available, such as data on station or train equipment, as well as the opportunity to store journey data in your own calendar or to share it with other persons.
Data storage
ÖBB Scotty is a service which can be used without registration. This service is therefore generally anonymous, because as a matter of principle, ÖBB does not store your contact data, location data, calendar entries, query results, etc. The only exceptions are if you want to use our push notifications or share your connections with other people. As a result, ÖBB cannot and will not use data for any other purposes. Your query results remain completely anonymous and will not be stored, meaning that we cannot and do not create user profiles.
How does ÖBB Scotty work from a technical perspective?
An active internet connection is required to install ÖBB Scotty on your device or to access it via https://fahrplan.oebb.at/webapp and to communicate with our information server, which calculates the connection results for you.
In order to allow you to use all functions of ÖBB Scotty, it is necessary to grant further authorisations/cookies, allowing for access to specific data for your device. These rights can also be withdrawn again in the application or at https://fahrplan.oebb.at/webapp if desired. Depending on your operating system, you can disable them at any time by going to System Preferences/Application Management/Cookie Management.
In detail and depending on the device used, ÖBB Scotty explicitly requests you to grant the following rights:
Contact data: These will only be used to display the transport connection to or from a contact from your address book. Only city names, roads and house numbers are used for the search. We will not store (nor cache) such data.
Device location/location: Your current location can only be identified for an optimal connection search by ÖBB Scotty if you wish, in order to search for travel connections from there or to find stations nearby. No caching is carried out, either, and as a result the creation of movement profiles, etc. is not possible.
Calendar: ÖBB Scotty offers you an additional service to store travel data for your connection in your device’s calendar. This service is not compulsory, but is determined at your personal discretion. However, the actual contents of the calendar will not be read.
Share connection: ÖBB Scotty offers you the additional service of sharing your travel data for your connection with other people. This service is not compulsory, but is determined at your personal discretion. To share connections, the encrypted key data of a selected connection is stored on the server so that the connection can be reconstructed on other devices or by other people. However, the encrypted key data does not reveal who a link was shared with, through which channels it was shared, or how often it was shared.
Notifications: This right is required to receive and display push messages (e.g. information on delays).
How does the “alarm” function in ÖBB Scotty work?
A push alarm is available to you on the ÖBB Scotty app and website.
Registration
As a result, you can decide whether or not you wish to use the function.
Notifications are completely free of charge to you. We will inform you if we have the necessary information on delays, changed departure platforms, risky connections, train cancellations or deviations and recommendations for the connection selected by you. As soon as there is any change to your connection, you will receive a push notification, provided we hold such information.
Unsubscribing:
In addition, you can deactivate push notifications again at any time.
If you use the “Alarms” function, identification parameters, travel connection data, device IDs, relevant intervals and your e-mail address are stored in Scotty Web. Data are stored in case of one-off notification, as long as the selected connection is valid. If you have repeatedly set notifications on certain days, data shall be stored for as long as repeated notification is requested by you.
ÖBB Scotty analytics service
When you use ÖBB Scotty, it records user activity without being able to trace it back to a specific person. The anonymous analysis helps us to further improve ÖBB Scotty and adapt it in a targeted way to the needs of our customers. If you still do not want this analysis, you can disable it in the app or in the device system. In the web browser or in the Scotty web version, this is possible via the “cookie settings”.
The analysis is conducted via an anonymous user ID, which does not allow for traceability or an opportunity to draw conclusions about the identity of a specific person.
Google Firebase Analytics is not used in our analyses and has been deactivated by us.
Integration of the Scotty timetable widget:
If you embed the Scotty widget in your website, the widget generator creates a code and redirects the queries and the display of the query results to Scotty.
The only thing that happens is a query to the Scotty server, so it is not possible to identify the user, not even through logs.
Scotty does not place functional cookies in visitors’ browsers without their consent, and user activity is only recorded anonymously.
In particular, ÖBB-Personenverkehr AG does not create any digital fingerprints. ÖBB-Personenverkehr AG therefore has no personal information about visitors to the timetable enquiries.
Accordingly, the use of cookies does not require consent, since only cookies that are necessary for the operation are set, user activities are only recorded without the possibility of tracing them back to a specific person, and data is not passed on to third parties.
We are legally obliged to inform our passengers about any breakdowns, about activities that are expected to result in breakdowns such as delays or train cancellations from transport services and the anticipated impacts. In case of personal bookings, such as reservations, there is an enhanced information obligation for other information technologies, where contact data are known to us.
As a result, prior to the start of your journey, we will send you an e-mail or text message notification, regardless of whether you have registered for a push service, in the event of a ticket booked online or on a mobile device with a fixed departure data and time, if at the time of booking the timetable for the connection is not yet fixed and therefore the departure and/or arrival time of the booked train can still change and we are aware of new travel information. In the event that you have made a booking via customer service or at a ticket counter, you will only receive a notification if you have disclosed your e-mail address to us.
If you have booked a Nightjet connection, we will inform you by telephone in the event of any changes – provided that this is now possible. Therefore, a telephone number is a mandatory requirement when making a booking.
However, such notifications shall be issued at the earliest 180 days before the booked start of the journey.
If you no longer wish to receive such notifications for a journey, you can simply cancel further notifications by clicking on the link “Cancel notification” in the e-mail notification “New travel information on your booking”. In the event of a cancellation, you will not receive any notifications by e-mail or text message after technical implementation.
For the purpose of statutory customer information, we also receive data from other railway companies, ticket vendors and transport association organisations for the purpose of providing notifications regarding deviations.
If customers book tickets where the transport service is provided by a third party railway company, we will pass on the relevant data to the competent railway company so that you can be notified by the respective railway company in the event of any deviation.
For the purpose of notification, the following personal data will be processed by the data controller, if disclosed by you:
First and last name, e-mail address, telephone number, details of the timetable connection (departure stop, destination stop, date and departure time/arrival time, train number).
If connected to WiFi on your train (“OEBB”), the ÖBB onboard portal offers passengers access to service functions related to the train and the journey, to the ORF-TVthek (ORF TV library) as well as free access to over 100 digital Austria Kiosk newspapers and magazines, among other things.
In order to use the WiFi and the onboard portal with all its functions, you as the user must agree to the terms of use when connecting to the WiFi. The terms of use also inform you about the use of cookies on the ÖBB onboard portal.
Cookies are used by the onboard portal in order to allow for the provision of a comprehensive and customer-friendly service. Cookies are used for the following functions: journey preview, ORF TVthek, data analysis by Piwik (Matomo).
When using the ÖBB onboard portal, no personal data about customers will be collected and used by ÖBB-Personenverkehr AG. Therefore, the use of the ÖBB onboard portal is anonymous.
Google Maps /Apple Maps are online map services, which show the earth’s surface as a roadmap or an aerial or satellite image, on which locations of institutions or known structures are also displayed.
We use Google Maps for the following purposes:
We use Google Maps and Apple Maps to display stops near you when using the SimplyGo! feature.
For these purposes, “Google Maps JavaScript API” or “Google Maps SDK for Android” is used. No personalisation is implemented and no cookies are set by Google Maps-API.
In addition to telephone enquiries or requests via the contact form provided on www.oebb.at, you also have the possibility to use our chatbot / ÖBB.Bot. ÖBB.Bot is at your disposal for information and services regarding various topics:
a) Information on the subject of passenger rights (further details available at https://www.oebb.at/de/reiseplanung-services/kundenservice/refundierung-chatbot)
b) Information on the Klimaticket Ö (further details available at https://www.oebb.at/de/reiseplanung-services/kundenservice)
c) Information on the Vorteilscard (further details available at https://www.oebb.at/de/reiseplanung-services/kundenservice/vorteilscard-chatbot)
d) Information on ÖBB 360 and our mobility offers https://www.oebb.at/de/reiseplanung-services/sharedmobility/mobilitaetsservices)
e) Information regarding feedback and support (ÖBB Support.Bot) https://www.oebb.at/de/reiseplanung-services/kundenservice/beschwerde-lob-idee
f) Information on our Nightjet offer (ÖBB Nightjet Bot)
https://www.nightjet.com/ 
g) Information about our ÖBB loyalty campaign
https://www.oebb.at/de/vorzugspunkte 
Our ÖBB.Bots are text-based dialogue systems that allow you to chat with a technical system for standard enquiries and routine tasks.
This offers you a further option to get in touch with us quickly and easily. Your request can also be processed faster.
When you use the ÖBB website and the ÖBB.Bot embedded on the website, personal data will be automatically collected to the extent absolutely necessary for technical reasons (i.e. the IP address and device information) if the ÖBB.Bot is only used for information purposes and you do not disclose any additional personal data. In this case, data is processed on the basis of Article 6(1) f) GDPR (legitimate interest of ÖBB-PV AG, which consists in the provision of relevant customer information and the technical provision of the website) as well as on the basis of Article 6(1) b) GDPR, i.e. to process your request.
In the case of pure product information, no customer data is required by us and no such data is therefore collected. Only if you use ÖBB.Bot for data changes, for questions regarding the execution of contracts, or for the assertion of passenger rights or other rights will data – if this is required in individual cases to process your request – be collected and processed to the extent absolutely necessary.
If you wish (consent), a transcript of your chat can be made available to you at the e-mail address you have provided. Alternatively, you can download your chat transcript during the session. This consent is limited in time and only relates to your current enquiry, so that separate consent will be obtained for any subsequent enquiries. This consent can be revoked by closing the chat window.
Should data collection or disclosure be necessary, the following data that is required to process your enquiry in accordance with Article 6(1) b) GDPR may be collected, depending on the reason and subject of the enquiry:
Enquiries via the ÖBB-Bot regarding passenger rights: First and last name, full address, e-mail address, full bank details, ÖBB ticket codes, subject of the enquiry and the documents provided by the customer.
Enquiries via the ÖBB-Bot regarding customer cards: First and last name, date of birth, complete address, e-mail address, telephone number, card number, period of validity, subject of enquiry.
Enquiries via the ÖBB-Bot regarding the Klimaticket Ö: first and last name, date of birth, complete address, e-mail address, telephone number, type of customer card, card number, period of validity, complete bank details, ÖBB customer number, ÖBB ticket codes and the subject of enquiry.
Enquiries via the ÖBB-Bot on ÖBB 360, ÖBB loyalty campaign and the Nightjet are handled as a pure dialogue system. No customer data is collected. In the event that your request cannot be answered, we will provide you with the contact details of the respective mobility provider. In this case, we have no knowledge of the content of your coordination with the respective mobility provider.
For enquiries to the ÖBB Support Bot: First and last name, e-mail address, subject of the request and, if necessary for the processing of the request: Bank data, address data, ÖBB ticket code, transaction number, personal message
In ÖBB.Bot itself, this data is available for 30 days and will be automatically deleted following the lapse of this period. Depending on the subject of the request, these will be deleted in the downstream systems after the applicable statutory retention obligations have expired (i.e. either after three years or after ten years). This is due to accounting regulations, limitation periods under civil law or for reasons of preserving evidence.
As part of the development process for new bots, customers have the opportunity to test the chatbot in advance at the controller’s premises. This test is done anonymously. Neither responses nor other feedback are attributed to a specific customer. These tests are solely for the purpose of improving the service.
ÖBB quick help
In the event of an increased number of calls or enquiries, ÖBB also provides a live chat on the website. The following data is collected for this purpose: first and last name, full address, email address, full bank details, ÖBB ticket codes, subject of the enquiry, documents provided. This information is stored in accordance with Article 6 (1) point a GDPR (consent) and Article 6 (1) point b GDPR (contract performance) and Article 6 (1) point f GDPR (legitimate interests, which consist in enabling ÖBB customers to communicate quickly regarding their concerns). These data are deleted in the downstream systems after the statutory retention periods have expired, depending on the subject of the request (i.e. either after three years or after ten years).
SimplyGo! makes buying tickets with your customer account easier than ever. With the help of GPS location services and smartphone sensors, SimplyGo! automatically recognises your journeys on public transport in Austria and takes care of all the necessary ticket-purchasing steps. SimplyGo! takes care of all further steps after you check in at the start of your trip and check out at your destination, automatically charging your credit or debit card for the trip.
The following information is required from the customer for this optional convenience feature:
The following data is automatically collected by the controller during use:
This is used to determine reference values and points that help identify the start, course and end of the journey. The ÖBB App assigns a valid public transport timetable to this mobility behaviour and determines the fare.
For technical reasons, we require iOS devices to “always” grant permission to access the location. This is important so that ongoing journeys can also be recorded in cases where the ÖBB App is only running in the background.
Pseudonymised data is transferred to our data processor FAIRTIQ AG Aarbergergasse 29 3006 Bern Switzerland for the further development of SimplyGo! functionality. Our data processor itself is not able to establish a personal connection to you.
If a payment method is registered for the SimplyGo! function, we will store payment information for a period of 12 months, including in the event that the function is deactivated, for the purpose of processing any required corrections.
Data collected as a result of the use of our automatic ticketing will be deleted at different times:
1. Data relating to the processing of ticket purchases (incl. responses to customer enquiries and validation data) will be stored for the duration of the statutory limitation period of three years.
2. Accounting data must be retained for a period of ten years due to statutory retention requirements (§ 209 (5) BAO).
3. Collected data will also be used for the defence of legal claims (for example, fraud cases) and stored for a period of three years from the legally binding conclusion of the legal or regulatory dispute.
Selected data subjects have the opportunity to participate voluntarily and free of charge in the ÖBB preferential points programme. As part of the ÖBB preferential points programme, certain bookings made within an ÖBB account via relevant sales channels are rewarded with preferential points and subsequently with rewards and a status, once defined preferential point thresholds have been reached. The following link to the ÖBB Preferential Points Board provides more detailed information: www.oebb.at/vorzugspunkte.
The ÖBB rewards are deposited in the data subject’s ÖBB account by the controller. Rewards from external partners are stored on the ÖBB Preferential Points Board and will be sent to you by email when you unsubscribe from the programme. The calculation and allocation of the preferential points is based on the preferential points logic as set out in the terms and conditions of participation or further information at www.oebb.at/vorzugspunkte. You can see the current number of preferential points on the ÖBB Preferential Points Board.
When registering for ÖBB preferential points, you must accept the conditions of participation and give your consent to data processing. These can be accepted by clicking on the “Register with ÖBB account” button at www.oebb.at/vorzugspunkte.
Relevant information about ÖBB preferential points will be sent to the ÖBB account or the ÖBB Preferential Points Board by e-mail, SMS, post or push notification. This includes, in particular, the following information: Confirmation of my participation and/or termination of my participation, information on the crediting of rewards to my ÖBB account and updated information on the number of points, information on an upcoming deregistration from the programme; information on achieving Gold Rail status and provision of the associated benefits, information on technical errors or failures; information on new preferential points rounds, notification of changes to the ÖBB preferential points programme; information with promotional content, provided that you have also given your general consent to newsletters and Account+.
Analyses are also carried out to derive measures for the further development of the system and the optimisation of the ÖBB preferential points programme on the basis of aggregated data. This also includes examining which rewards are most popular with customers. Based on the rewards a data subject has redeemed, the subject of future rewards is assessed and sent so that the new rewards match the customer’s preferences.
The following data is processed as part of the ÖBB preferential points programme:
Regular data transfers to system partners for the provision of the ÖBB loyalty campaign are permitted:
| ÖBB Business Competence Center | Lassallestraße 5, 1020 Vienna | General ÖBB IT service provider | 
| Emarsys eMarketing Systems AG | Märzstrasse 1, 1150 Vienna | Communication and provision of vouchers | 
| ÖV Ticketshop GmbH | Am Hauptbahnhof 2, 1100 Vienna | Customer data and voucher management | 
| Accenture GmbH | Schottenring 16, Börsegebäude, 1010 Vienna | Provision and development of the necessary programme logic | 
| World-Direct eBusiness solutions GesmbH | Lassallestrasse 9, 1020 Vienna | Development of programme logic and technical operations management | 
| Microsoft Ireland Operations Limited | 70 Sir John Rogersons’s Quay, Dublin 2, Ireland | Provision of a cloud service and provision of data to any sub-processors based in third countries | 
In addition, data may be transferred to defend legal claims or to comply with legal obligations, in particular to legal representatives, courts and authorities involved in the case.
The data processing in question is based on Article 6(1)(a) GDPR (consent) and the legitimate interests of the controller pursuant to Article 6(1)(f) GDPR, which consist of (1) the operation of active customer relationship management, (2) the operation of efficient marketing and the needs-based further development of the product portfolio.
Data subjects can withdraw their consent at any time. To do this, log on to the ÖBB Preferential Points Board and use the “Cancel participation and declare revocation” button. If you decide to stop participating, it may take up to 48 hours for the cancellation to be reflected in any rewards credited. Rewards may be credited up to 48 hours after participation has ended.
Data must be retained for a period of 10 years for reasons of statutory accounting regulations (see Section 209 of the Federal Fiscal Code BAO) and is deleted as part of the implemented automated deletion routines at the end of the 11th year after data collection. In exceptional cases, the data may be kept for a longer period if the data is needed in the course of a legal or administrative dispute.
We use personal data in order to send you general information, offers and recommendations as well as information, offers and recommendations tailored specifically to your mobility needs and user behaviour or to have such information sent to you by our cooperating partners (customised offers). Furthermore, this data is used for the further development and optimisation of services relevant to customers. However, this is only the case if you grant your consent in advance to let us contact you by e-mail, telephone, SMS or other ÖBB channels (e.g. ÖBB account), in order to inform you in a timely manner about interesting offers, new developments and services.
Your personal data will exclusively be used by us in both cases and not transferred to cooperating partners or other affiliated companies.
Depending on the content of the consent granted by you, you will receive offers and other information from us concerning ÖBB-Personenverkehr AG (for example on general services, sweepstakes and customer surveys) and the ÖBB Group, i.e. including other affiliated companies (e.g. information on travel offers from Rail Tours Touristik GmbH or car sharing offers from Rail Equipment GmbH) or other cooperating partners.
If you wish to receive customised information and recommendations adapted to your needs (based on your previous purchasing and travel behaviour or your other personal preferences), we can forward these to you for:
.
The compilation of these contents is based on evaluation of the following data: first and last name, date of birth, address and contact data, details stored on your person regarding bookings, customer cards and season tickets, discounts, travel and voucher data, geodata, preferences and customer loyalty activities associated with you, device and browser information, including user behaviour assignable to you or data on any mobility preferences or restrictions.
Details on booking data include, for example, your selected travel date and time, the actual booking date, booked tickets or special additional offers for tourists, seat reservations, information on utilised offers or vouchers added to your account, information on the start and end station, the sales channel, selected timetable connections including intermediate stops, train types, wagon classes or compartments, information on booked night or day trains, currency used, vehicle data, bicycles, accompanying dogs, information on booked pieces of luggage, as well as information on whether you are travelling alone, with other people or with a child (or children).
In order to provide you with customized information on customer cards and season tickets, we use details of valid/expired/extended customer cards, such as Vorteilscard [discount card], Österreichcard [Austria card] and any SEPA mandates, as well as details of acquired season tickets, e.g. hourly passes, weekly passes, monthly passes.
By discount data, we mean your discounts used in buying tickets, such as indication of a Vorteilscard, Österreichcard, city transport ticket, family pass, etc.
Travel data include information on already commenced or planned (booked) journeys, information on the duration of your journey, any delays, validation details regarding your ticket or your customer card, as well as details of such journeys referred to under booking data.
If (e.g. in the context of a campaign) a voucher was added to your ÖBB account, we will use such information to deliver reminders to you about its use, for example. Moreover, we will use the information once the voucher has been cashed, as well as details of the journey booked or the product purchased with such voucher.
Geodata are used for so-called location-based services. Location-based services provide you with selective information by means of position-dependent data.
By preferences assigned to you we mean, for example, your connection favourites, your stored payment favourites, timetable connections stored by you (including other passengers, selected timetable filters, 1st class journeys, request for a seat reservation, journeys on specific weekdays).
Customer loyalty activities include information and further details on previously sent sales and campaigns, vouchers, sweepstakes, customer surveys, recommendations and other information.
Device and browser information including user behaviour assignable to you includes information on your employed devices (computer, laptop, smartphone, etc.) with which you visit our websites and the associated web browsers (e.g. Internet Explorer, Firefox, Safari, etc.). This also includes information on whether you have downloaded and used the ÖBB App. Your assignable user behaviour includes, for example, details on the use of your ÖBB account with relevant devices and the ÖBB App (e.g. account creation details, settings implemented, such as e.g. gender and language, details of logins, added discounts and customer cards, deposited vouchers, ticket purchases and reservations, stored favourites, etc.). In addition, technical information (e.g. IP address, browser type and version, time of access by the visitor’s computer) is collected in order to determine whether an e-mail has reached you, which e-mails you have opened when and which links in the e-mail you have accessed.
We use data on any mobility preferences or restrictions in order to offer you relevant information, recommendations and services in the event of you needing a wheelchair place or if a companion or service dog is travelling along, etc.
We use the technologies of Emarsys eMarketing Systems AG (www.emarys.com), which acts as our contract processor, to create and send out customised offers. Emarsys supports us in the planning, implementation and analysis, especially in the technical implementation and handling of our measures, as follows:
This type of data processing also involves profiling as per Article 4 No. 4 GDPR, to the extent that it concerns the preparation and sending of customised offers.
Profiles are created about our customers, which
Our general and customised offers can be sent by mail, e-mail, as a push message, in your ÖBB account or via other ÖBB channels.
This special form of processing is based on your consent in accordance with Article 6(1) a) GDPR, to the extent that we are entitled to carry out such data processing.
We use profiling methods to optimise and personalise our advertising measures. Below, you will find information on the logic involved as well as on the scope and intended effects of these procedures.
You also have the opportunity to register for special offers and services, for example for the Nightjet newsletter, Scotty push service or information on usability tests.
Please note that any of these services which require separate consent must also be revoked separately. As a result, revocation of any individual consent does not apply automatically to all additionally submitted declarations of consent, but they must also be revoked separately.
If we are aware of your address due to purchases and services, or we are allowed to buy it from third parties (e.g. from Österreichische Post AG), we can send you event-driven information, offers and recommendations by post. You can prevent the sending of such information at any time, by declaring your objection (see explanations below). Following receipt of an objection, we will no longer send you any other announcements.
Postal deliveries will also be made to our stakeholders at regular intervals, for example prior to the annual timetable change as well as ad-hoc for relevant subjects.
Please note that the annual invitation to renew the contract does not constitute a direct advertising measure. Based on existing contractual obligations (see our fare conditions ÖBB Fares – Fare conditions), we will also continue to send you this invitation to renew the contract, and even if you had exercised your right to objection, especially as such a consignment is not subject to the right of objection to direct marketing.
If you no longer wish to be included in our direct marketing activities, you have the right to file an objection thereto (Article 21(2) and Article 22 GDPR) or to revoke your previously granted consent. The following options are available for you to make these declarations:
If you have exercised your right and decided against any use of your personal data for advertising purposes (in particular direct advertising), in accordance with your request, you will not receive any information, offers and news and can no longer log onto your ÖBB account for our “Newsletter, Info & Services” service.
If at a later point in time you wish to reactivate our services in your ÖBB account under “Newsletter, Info & Service”, please contact our customer service.
ÖBB-Personenverkehr AG uses AI technologies to record and analyse individual, selected enquiries as part of various project studies in customer service. The aim of the analysis is to determine whether different AI models can be used to address customer concerns more effectively.
It is ensured that selected requests are anonymised prior to analysis. Accordingly, no analysis of personal data is carried out. If you have any questions please contact datenschutz.personenverkehr@pv.oebb.at
ÖBB-Personenverkehr AG will again draw the attention of its customers to this fact when specific data is collected (e.g. when using the contact form).
Statistical analyses shall be conducted for the following purposes in particular:
We also create anonymised data analyses, in which we evaluate personal data and information about age, gender, region, postcode, products, driving, purchase and user behaviour, in order to draw conclusions on the development of new products and services or to improve our existing service portfolio.
Even if we store information about your person in the ticket shop, we will not conduct any personal analyses. We shall only use this information in anonymised form to identify any need for adjustment in our systems. This allows us to continually improve our applications and provide optimal support to our customers.
Market and opinion research, customer surveys
In order to improve our products and services and adapt them to the needs of our customers, we conduct surveys with various target groups:
1. with persons who do not use the railway
2. with persons who use a railway company (regardless of which one) or
3. with persons who use ÖBB.
We use different methods for this:
1. We commission a market research company to carry out a survey.
2. We carry out the surveys ourselves, usually using an online tool, or
3. we or an independent third party conduct an anonymous survey on our passenger trains.
Persons to be surveyed can be selected either completely randomly or based on social statistics or usage-specific factors.
Contact with the participants is established in different ways:
1. Contact is made via the respondent pools of the commissioned market research company (in this case, the selection is made without our involvement and under the sole responsibility of the partner companies).
2. We invite interested persons in general, without individually addressing participation in the survey.
3. For certain survey topics, we also contact selected customers of ÖBB PV AG if they have given us their prior consent.
The survey results never contain any personal references. This is true even if we write to you directly as customer or you have declared your consent in advance to participate in a survey. We only receive or compile an overall evaluation of data, which do not show individual interviews or persons.
If we address our customers directly, we will then exclusively contact people who have given prior consent thereto.
Should we conduct the survey in cooperation with a market research company in specific cases, we shall conclude a separate confidentiality agreement with said company in advance of a customer survey, laying down the secure handling of your data specifically for the individual case. In particular, this agreement shall ensure that the company will not transfer your data to other market research institutions and other third parties for surveys for their own purposes.
If we use our online survey tool, this tool is provided by our service provider enuvo GmbHt, Huobstrasse 10, CH-8808 Pfäffikon SZ https://www.enuvo.ch . We have instructed our processor to use privacy-friendly default settings when using this tool:
1. The use of Google Analytics has been disabled.
2. IP addresses are collected in a privacy-friendly manner by not storing them in conjunction with the survey data. IP addresses are only stored temporarily in server log files. This is done for technical reasons to ensure the functionality and security of the survey tool. Server log files are routinely deleted within a few weeks.
3. Only session cookies and technically necessary cookies are used. These cookies are necessary for the continuous processing of survey participation and also to minimise the possibility of multiple participation.
The following information is collected for the sole purpose of this survey: IP address, browser user agent and session details (started, last updated, completed, duration, subject).
The above data will be deleted after a period of one year at the latest.
You can stop participating in the survey at any time by closing the browser window. In this case, data will only be transmitted until you exit the survey.
In any case, you are never obliged to take part in any of our customer surveys.
Usability tests
If you apply as a test user, you can take part in usability tests conducted by our company for the further development and improvement of our ticket and timetable tools. Each test is subject to separate conditions of participation (see website). In this case, we will contact you as a possible test user and request your participation in future tests. Naturally, your participation in each individual test is voluntary.
You are entitled to revoke your consent at any time and declare that you no longer want to be contacted for further tests.
Cookies are small text files or codes, which contain information units. These text files are stored on your hard drive or in the main memory of your browser if you visit one of our websites. Thanks to cookies, the contents of our websites can be structured more easily and devices on which you have previously visited our websites can be identified. We use cookies to gain a better understanding of the functioning of applications and websites and to analyse and optimise the user experience when using our websites online and on mobile devices.
The cookies we use also allow us to display travel suggestions on the home page based on our customer’s queries and bookings.
Cookie categories
We primarily use cookies from the following categories on our websites:
Operationally necessary cookies
These cookies are necessary to allow you to use our websites as intended and make all functions available to you. Without such cookies the requested services cannot be provided. These cookies do not record information about you and do not store Internet locations. Absolutely necessary cookies cannot be deactivated on our site. However, they can be deactivated at any time on the browser that you use.
Functional Cookies
These cookies are necessary for certain applications or functions of the website, allowing them to be duly executed. This may for example include cookies, which store implemented settings such as a visitor’s language setting or even – assuming your prior consent – pre-completed forms.
Storage period: in the event of a session cookie for the period of the session, or in the event of your prior consent for the period of your consent.
Analytical cookies
These cookies collect information on user behaviour for visitors to our websites. For example, a record is kept of which websites are most frequently visited and which links are clicked on. All recorded data are stored anonymously together with information for other visitors. Using data obtained by these cookies, we can compile analytical evaluations on our website using Piwik and thereby continually improve the user experience.
Storage period: in the event of a session cookie for the period of the session, in all other cases (for example for our web analysis service PIWIK) for a maximum three years.
Preference cookies
These cookies allow us to display travel suggestions on the home page based on our customers’ queries and bookings.
First party cookies
First party cookies are generated by the website operator whose site the user is visiting. These are stored locally on the user’s computer. With a first party cookie, the user can only be recognised by the site from which the cookie originates, but not across multiple domains.
Third party cookies
Third party cookies, also called tracking cookies, are a common means of marking a visitor to a website so that they can be recognised at a later point in time.
These are data records that are stored in the user’s browser when they visit a page with advertising.
Third party cookies are used to monitor a user’s browsing behaviour over a longer period of time, including without explicit registration by the user on a website and across multiple web offerings, and to provide advertisers with useful information such as:
Currently, we only use first party cookies which are either
3rd party cookies are not used.
How long are cookies stored on my device?
The time that a cookie stays on your device depends on whether it is a persistent cookie or a session cookie. Session cookies only remain on your device until your browser session is finished. Persistent cookies remain stored on your device, even after you have completed a browser session, until such time as the preset time for the cookie has expired or it has been deleted.
For consent-based cookies, we retain a consent and revocation history for a period of three years.
Withdrawal of consent
The website provides a revocation option that you can use if you wish to withdraw your consent. Should you have any questions, please don’t hesitate to contact our customer service.
The provision of animated graphics does not result in any cookies being stored on the user’s computer. These graphics are used on the web and in the app to visualize content. In the hybrid LottieFiles apps (iOS, Android), the animations are not downloaded but delivered with the app. Therefore, no external links are accessed. For use on the website, our internal Consent Security Policy prevents external access/links. This ensures that no personal data is processed in this context.
Our websites and digital dialogue with our customers (e.g. newsletter) use Piwik, a web analysis service. Piwik uses cookies, which allow us to conduct an analysis of the use of our websites.
For this purpose, the usage information generated by the cookie (including your truncated IP address) is transferred to our server and stored for usage analysis purposes. This helps us in optimising our websites. During this procedure, your IP address is immediately anonymised, so that you remain anonymous to us.
The information generated by cookies on the usage of our websites is not passed on to third parties.
You can prevent the use of cookies through according settings in your browser software. This may, however, result in your not being able to fully use all functions provided by our websites.
If you do not agree to the storage and analysis of data in relation to your visit and the use of our websites, you can object to such storage and usage at any time (see terms of use for the website www.oebb.at). In this case, a so-called opt-out cookie will be stored in your browser. As a result, Piwik will not collect any session data.
For technical reasons, we have to collect and store certain data and information of your visit to our website, for instance the used websites, the time and duration of your visit as well as data provided by the browser you are using (e.g. on the operating system and the used system settings). Such data and information is used by us anonymously to allow us to make our offerings even more participant-friendly and to technically optimise them.
Should you provide personal data or information on our websites, we can continue to use them within the framework of the legal requirements of TKG [Telecommunications Act] without your further consent. An exception is the use for advertising or marketing purposes or forwarding data to third parties, which requires prior and separate consent. We will separately inform you about any communications to other ÖBB affiliated companies (e.g. in the event of a concern, complaint, etc.).
Should you access such offerings on our websites or visit these websites, the data provided by your browser will be transferred to the respective operator. We are not responsible for any contents on these websites, neither in terms of data protection nor in terms of the technical security of the data and information made available. In this context, please note that external providers may use ad personalisation technologies where required.
In case we provide a way to contact us via an input form on our website, we will encode this communication via the https protocol. Please note that other types of communication over the internet, in particular via e-mail, do not provide confidentiality. We therefore recommend to refrain from sending confidential data and information via e-mail.
Social media plugins
We have embedded contents from external providers, such as Facebook, YouTube, Twitter, on individual websites or we may transfer you to the websites of external providers. We could not identify any legal violations at the time of linking. Should we become aware of any such infringement, we will remove the link with immediate effect. In order to be able to recommend and share content on social networks such as Facebook, Twitter and Google+, corresponding buttons are integrated into the platform.
These buttons only transfer data to external providers or other third parties if you press the corresponding button as participant. We have prevented an immediate transfer of data to external providers or other third parties in case of mere access to our websites. As a result, it is completely up to you to activate transfer in the individual case.
Sweepstakes on social media and in the customer magazine
If personal data are recorded by participants within the framework of a sweepstake on social media, they shall exclusively be collected, processed and used for the purposes of implementing the sweepstake, unless you have specifically granted your consent for the use of your personal data for other purposes, or use of data is required in the individual case for legal or other overriding reasons (thus for example in the event of a legal or other regulatory request or in the event of legal or regulatory disputes).
We will delete or anonymise collected and processed data following expiry of the statutory period of limitation (i.e. usually after three years have elapsed). The same applies to any messaging history in social media. We cannot assume any responsibility for the correctness, timeliness and completeness of data that you have disclosed personally. In your own interests, please therefore ensure that data disclosed by you are correct, up-to-date and complete.
If you contact us by e-mail with requests, suggestions or criticism, we would also like to ensure that we have performed our service to your satisfaction. After replying to your concerns, we will therefore ask how satisfied you were with our service.
This constitutes an internal quality assurance measure. For reasons of objectivity and automated processing, we employ a processor for this purpose, to conduct this automated query on our behalf. In order to do so, we will exclusively hand over your e-mail address and customer number to the processor. We shall not provide this processor with the opportunity to inspect your data, to use your data for other purposes or to transfer them to third parties.
Before employing the processor, we have assured ourselves that it will provide a sufficient guarantee for lawful and secure use of data.
For us, information security means:
To ensure information security, we have established organisational frameworks, such as checking the professional qualifications of our employees, as well as their trustworthiness and reliability. Technical measures also ensure the protection of personal data, including access controls, access monitoring and access restrictions.
Concrete technical protective measures are, in particular:
Our employees are only granted access rights in accordance with their roles and to an extent that is absolutely necessary. The use of these access rights is recorded.
Your data is protected by a secure online connection (TLS) between your PC, tablet or smartphone and our servers, depending on the browser configuration, with at least 128 Bits.
Security measures for the system in the event of purchase on the ÖBB App or an online purchase were developed based on the following standards:
The system therefore fulfils the security standards of the Application Verification Standard 2010 (ASVS) and was also tested by an independent expert. ASVS 2010 represents the leading current standard for IT security. Moreover, the ÖBB App was developed in accordance with requirements of data protection law and continually adjusted to new requirements.
The ticket shop uses the “Friendly Captcha” service provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany (www.friendlycaptcha.com). Friendly Captcha GmbH acts as our data processor.
Friendly Captcha is a new, privacy-friendly solution to make it harder for automated programmes and scripts (known as “bots”) to use our website. In this way, Friendly Captcha protects our website from being abused.
How it works
During registration, the website visitor’s device connects to the Friendly Captcha servers.
The visitor’s browser receives a calculation task from Friendly Captcha. The complexity of the calculation depends on various risk factors. The website visitor’s device performs the calculation, which uses certain system resources, and sends the calculation result to our web server. It contacts the Friendly Captcha server via an interface and receives a response indicating whether the puzzle has been correctly solved by the end device.
In addition, the website visitor’s browser transmits the connection data, environment data, interaction data and functional data listed in more detail below to Friendly Captcha (for information on the data, see Section 4). Friendly Captcha analyses this data, determines how likely it is that the visitor is a human or a bot, and sends us the result.
Depending on this, we can treat access to our website or individual functions as either human or potentially machine based.
Purpose of use
All of the data mentioned is used exclusively for the detection and handling of potential bots and risks as described above. The purpose of the processing is therefore to ensure the security and functionality of our website.
We do not use the data to identify an individual or for marketing purposes.
Storage period
In the event that personal data is stored, such data will be deleted within 30 days.
Processed data
The following data is processed solely for the above security purposes:
Connection data:
Data on the environment:
Interaction data
Functional data
The following data is only stored in the browser’s session storage for the duration of the browser session and is essential to ensure the security of the website:
A random session ID (frc_sid), the number of times the protection software modules have been loaded (frc_sc), the number of requests and repeated connection attempts (frc_rc), and the solutions to the calculations and their solution context (frc_sol).
No HTTP cookies are set and no data is stored in the browser’s persistent memory.
Legal basis under the GDPR
To the extent that data can be linked to individuals, the legal basis for the processing is the legitimate interest in protecting our websites from unauthorised access by bots, thereby providing spam protection and protection against attacks (e.g. mass queries) within the meaning of Article 6(1)(f) of the GDPR.
Data recipients
Apart from the results of the risk categorisation as bot or human, our processor processes the above data. Friendly Captcha uses hosting services provided by Hetzner Online GmbH (Germany) and SCALEWAY S.A.S (France) to host and deliver content.
By processors we mean our contractual partners, who process personal data on our behalf (example: maintenance of our databases).
We currently employ processors, including for the following activities:
We only employ processors for our lawfully conducted data processing. We always assure ourselves in advance that the individual processor is suited to service performance, in particular that the processor provides a sufficient guarantee of secure and lawful use of data.
Processors that we have selected only receive personal data from us to the extent that is absolutely necessary.
Our processors have contractually undertaken:
Before employing a processor, we conclude a written agreement with the processor, in which special obligations are imposed on the processor and its employees, and they again are subject to a separate confidentiality obligation. We impose certain data security measures on the processor to ensure that customer data and data processing are adequately protected.
We have provided you with comprehensive information on the purposes of our data processing, categories of data recipients, the legal basis and legal framework, the storage period as well as the rights you are entitled to and the scope of data processing. In all data processing, we have taken care to ensure that data collection and data scope are limited to the extent that is absolutely necessary. Therefore, if we ask you to provide data, this is necessary in particular so that:
If you do not, or do not fully, comply with our request for data disclosure, it cannot be guaranteed that we will be able to fulfil or process your aforementioned purchase, service or other request(s).